Merge pull request #441 from 3dwardch3ng/rework

Rework
This commit is contained in:
2024-07-14 19:00:20 +10:00
committed by GitHub
199 changed files with 333 additions and 19868 deletions


@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: argo-cd
repo: oci://ghcr.io/argoproj/argo-helm
version: 7.3.6
releaseName: argocd
# apiVersions:
# - monitoring.coreos.com/v1
valuesFile: values.yaml
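Review bot: The `helmCharts` inflator used here only works when kustomize is invoked with `--enable-helm`; Argo CD's repo-server does not pass that flag by default, so this app will fail to render unless `kustomize.buildOptions: --enable-helm` is set in argocd-cm, which is not visible in this PR — confirm it is configured. Pinning the chart to `version: 7.3.6` is good; I would record the build requirement next to it with `# requires kustomize --enable-helm (argocd-cm: kustomize.buildOptions)` so the next reader knows why a plain `kustomize build` fails. The rendered view has lost indentation, so the nesting of `repo`/`version`/`valuesFile` under the list item is inferred.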


@@ -0,0 +1,49 @@
global:
domain: argocd.cluster.edward.sydney
configs:
params:
server.insecure: true
controller:
replicas: 1
redis-ha:
enabled: true
server:
serviceType: NodePort
httpNodePort: 30080
httpsNodePort: 30443
autoscaling:
enabled: true
minReplicas: 2
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# nginx.ingress.kubernetes.io/ssl-redirect: "false"
# nginx.ingress.kubernetes.io/use-regex: "true"
ingressClassName: nginx
hostname: argocd.cluster.edward.sydney
extraTls:
- hosts:
- argocd.cluster.edward.sydney
# Based on the ingress controller used secret might be optional
secretName: wildcard-tls
ingressGrpc:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- grpc.argocd.cluster.edward.sydney
secretName: wildcard-tls
repoServer:
autoscaling:
enabled: true
minReplicas: 2
applicationSet:
replicas: 2
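Review bot: `configs.params.server.insecure: true` (L30) conflicts with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` (L46): with `server.insecure` argocd-server serves plain HTTP, but passthrough hands it the raw TLS stream without termination, so the handshake fails at the backend; with passthrough the `extraTls` / `secretName: wildcard-tls` block (L51–L55) is also never consulted by the controller. Pick one model — keep `server.insecure: true` and drop the passthrough annotation so the ingress terminates TLS with `wildcard-tls`, or keep passthrough and remove `server.insecure`. The gRPC ingress uses `ingressClassName: contour-internal` (L58) while the HTTP one uses `nginx`, and I cannot see a Contour installation in this PR, so confirm that class exists in the target cluster or the gRPC ingress will sit unserved. Indentation is not preserved in this rendering, so the nesting is inferred.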


@@ -1,4 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- cilium.yaml - ../../base

49
apps/argocd/env/k3s-cluster/values.yaml vendored Normal file

@@ -0,0 +1,49 @@
global:
domain: argocd.cluster.edward.sydney
configs:
params:
server.insecure: true
controller:
replicas: 1
redis-ha:
enabled: true
server:
serviceType: NodePort
httpNodePort: 30080
httpsNodePort: 30443
autoscaling:
enabled: true
minReplicas: 2
# ingress:
# enabled: true
# annotations:
# nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# nginx.ingress.kubernetes.io/ssl-redirect: "false"
# nginx.ingress.kubernetes.io/use-regex: "true"
ingressClassName: nginx
hostname: argocd.cluster.edward.sydney
extraTls:
- hosts:
- argocd.cluster.edward.sydney
# Based on the ingress controller used secret might be optional
secretName: wildcard-tls
ingressGrpc:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- grpc.argocd.cluster.edward.sydney
secretName: wildcard-tls
repoServer:
autoscaling:
enabled: true
minReplicas: 2
applicationSet:
replicas: 2
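Review bot: `ingress:` and its `enabled`/`annotations` children are commented out (L99–L105) but `ingressClassName`, `hostname` and `extraTls` (L106–L112) are left live; with their parent gone these keys either fail to parse or attach to whichever sibling mapping the now-invisible indentation puts them under, most likely `server.autoscaling`, where the chart silently ignores them. Either comment out the whole block through L112 or restore `ingress:` with `enabled: false` so the leftover keys have a valid home. If the block is re-enabled later, note that `server.insecure: true` (L87) and `ssl-passthrough: "true"` (L103) are mutually exclusive. The forge's "vendored" badge on this path looks like a linguist heuristic triggered by `env/`; this is hand-maintained configuration and should be reviewed as such.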


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: ingress-nginx
repo: https://kubernetes.github.io/ingress-nginx
version: 4.10.1
releaseName: ingress-nginx
valuesFile: values.yaml


@@ -0,0 +1,55 @@
rbac:
create: true
controller:
priorityClassName: system-cluster-critical
extraArgs:
update-status-on-shutdown: "false"
allowSnippetAnnotations: true
config:
proxy-buffer-size: 16k
use-gzip: ${use_gzip:=true}
enable-brotli: ${enable_brotli:=true}
hsts-max-age: ${hsts_max_age:=31536000}
hsts-preload: ${hsts_preload:=true}
disable-ipv6: ${disable_ipv6:=false}
disable-ipv6-dns: ${disable_ipv6_dns:=false}
keep-alive-requests: ${keep_alive_requests:=1000}
use-geoip2: ${use_geoip2:=true}
custom-http-errors: 401,403,404,500,501,502,503,504
addHeaders:
Referrer-Policy: same-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
ingressClassResource:
default: true
service:
externalTrafficPolicy: Cluster
ipFamilyPolicy: SingleStack
metrics:
enabled: ${metrics_enabled:=false}
# serviceMonitor:
# enabled: ${metrics_enabled:=false}
# scrapeInterval: 1m
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
pullPolicy: IfNotPresent
extraEnvs:
- name: TEMPLATE_NAME
value: connection
- name: SHOW_DETAILS
value: "true"
- name: READ_BUFFER_SIZE
value: "8192"
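Review bot: `allowSnippetAnnotations: true` (L148) re-enables the `*-snippet` annotations the chart disables by default, which lets anyone who can create an Ingress in any namespace inject raw nginx configuration into the shared controller — a controller that runs at `system-cluster-critical` priority and, in the env overlay, is given hostPath mounts. No Ingress in this PR uses a snippet, so set it to `false`, or if a consumer exists document it with `# enabled for <ingress> in <namespace>; tighten with controller.config annotation-value-word-blocklist`. The same setting appears in the env overlay values (L236). Separately, `X-XSS-Protection: 1; mode=block` (L164) is deprecated and ignored by current browsers; a Content-Security-Policy header is the replacement if one is wanted.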


@@ -0,0 +1,23 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-values
namespace: ingress-nginx
data:
use_geoip2: "false"
disable_ipv6: "true"
disable_ipv6_dns: "true"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: ingress-nginx
data: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-services
namespace: ingress-nginx
data: {}
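Review bot: The keys in `ingress-nginx-values` (`use_geoip2`, `disable_ipv6`, `disable_ipv6_dns`, L198–L200) mirror the `${use_geoip2:=true}`-style placeholders in the chart values, but nothing visible consumes this ConfigMap: that `${var:=default}` syntax is Flux `postBuild.substituteFrom`, and neither `kustomize build --enable-helm` nor Argo CD expands it, so the controller's ConfigMap would receive the literal string `${use_geoip2:=true}` and the controller will reject or ignore it. If this repo has moved from Flux to Argo CD, replace the placeholders with concrete per-environment values such as `use-geoip2: "false"`, `disable-ipv6: "true"`, `disable-ipv6-dns: "true"` and drop this ConfigMap, or keep it and add the substitution step that reads it. These three ConfigMaps also hardcode `namespace: ingress-nginx`, while the ApplicationSet in this PR derives the destination namespace from path segments, so `tcp-services-configmap: "ingress-nginx/tcp-services"` may point at a namespace other than the one the chart renders into; confirm the two agree.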


@@ -1,4 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- repositories.yaml - ./configmap.yaml
- ../../base


@@ -0,0 +1,75 @@
rbac:
create: true
controller:
priorityClassName: system-cluster-critical
extraArgs:
update-status-on-shutdown: "false"
tcp-services-configmap: "ingress-nginx/tcp-services"
udp-services-configmap: "ingress-nginx/udp-services"
allowSnippetAnnotations: true
config:
proxy-buffer-size: 16k
use-gzip: ${use_gzip:=true}
enable-brotli: ${enable_brotli:=true}
hsts-max-age: ${hsts_max_age:=31536000}
hsts-preload: ${hsts_preload:=true}
disable-ipv6: ${disable_ipv6:=false}
disable-ipv6-dns: ${disable_ipv6_dns:=false}
keep-alive-requests: ${keep_alive_requests:=1000}
use-geoip2: ${use_geoip2:=true}
custom-http-errors: 401,403,404,500,501,502,503,504
extraEnvs:
- name: TZ
value: Australia/Sydney
addHeaders:
Referrer-Policy: same-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
ingressClassResource:
default: true
service:
externalTrafficPolicy: Cluster
ipFamilyPolicy: SingleStack
metrics:
enabled: ${metrics_enabled:=false}
# serviceMonitor:
# enabled: ${metrics_enabled:=false}
# scrapeInterval: 1m
spec:
template:
spec:
containers:
volumeMounts:
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
volumes:
- name: nginx-template-volume
hostPath:
path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
type: Directory
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
pullPolicy: IfNotPresent
extraEnvs:
- name: TEMPLATE_NAME
value: connection
- name: SHOW_DETAILS
value: "true"
- name: READ_BUFFER_SIZE
value: "8192"
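Review bot: The `spec.template.spec.containers.volumeMounts` / `volumes` block (L266–L278) is not a value the ingress-nginx chart reads, so the template-directory mount is silently dropped; the chart exposes `controller.extraVolumeMounts` and `controller.extraVolumes` for this, and `containers:` here is a mapping rather than a list, so it would not be a valid Pod spec either. If the custom nginx template is wanted, move it under those keys as sketched below. Because the source is a `hostPath` into an NFS export, whoever can write `/mnt/nfs/AppData/ingress-nginx/etc/nginx/template` on the node controls the configuration of the cluster's shared ingress; a ConfigMap or a `readOnly` PVC is the safer carrier, and the `readOnly: true` on the mount should be kept either way. This file also carries `allowSnippetAnnotations: true` (L236), which widens that same surface.
```yaml
controller:
  # … unchanged: priorityClassName, extraArgs, config, extraEnvs, addHeaders, metrics …
  extraVolumeMounts:
    - name: nginx-template-volume
      mountPath: /etc/nginx/template
      readOnly: true
  extraVolumes:
    - name: nginx-template-volume
      hostPath:
        path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
        type: Directory
```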


@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: k3s-cluster-appset
namespace: argocd
spec:
goTemplate: true
goTemplateOptions: ["missingkey=error"]
generators:
- git:
repoURL: https://github.com/3dwardch3ng/home-cluster-ops.git
revision: HEAD
directories:
- path: apps/*/envs/k3s-cluster
template:
metadata:
name: '{{index .path.segments 1}}-{{index .path.segments 3}}'
spec:
# The project the application belongs to.
project: k3s-cluster-ops
# Source of the application manifests
source:
repoURL: https://github.com/3dwardch3ng/home-cluster-ops.git
targetRevision: HEAD
path: '{{.path.path}}'
# Destination cluster and namespace to deploy the application
destination:
server: https://kubernetes.default.svc
namespace: '{{index .path.segments 1}}-{{index .path.segments 3}}'
# Sync policy
syncPolicy:
syncOptions:
- CreateNamespace=true
automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field.
prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ).
selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ).
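Review bot: The git directory generator matches `apps/*/envs/k3s-cluster` (L309), but the values file added in this same PR lives at `apps/argocd/env/k3s-cluster/values.yaml` (singular `env`, per the file header at L79), so as written the generator produces no Application for that app; align one of the two spellings. `revision: HEAD` together with `targetRevision: HEAD`, `automated`, `prune: true` and `selfHeal: true` means every push to the default branch is applied cluster-wide with pruning and no review gate; naming the branch explicitly (`revision: main` or whatever the default is) makes the intent visible, and branch protection on that branch is then the control that stands between a compromised push and the cluster. `project: k3s-cluster-ops` (L315) must already exist as an AppProject — it is not created in this PR. The `goTemplateOptions: ["missingkey=error"]` choice is good.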


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: adguard-home
namespace: adguard-home
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/adguard-home/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,86 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: adguard-home
namespace: adguard-home
labels:
app.kubernetes.io/name: adguard-home
spec:
selector:
matchLabels:
app.kubernetes.io/name: adguard-home
template:
metadata:
labels:
app.kubernetes.io/name: adguard-home
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
rpi5.cluster.policy/ingress-nginx: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
containers:
- name: adguard-home
image: adguard/adguardhome:v0.107.51
ports:
- protocol: TCP
containerPort: 53
name: dns-tcp
- protocol: UDP
containerPort: 53
name: dns-udp
- protocol: UDP
containerPort: 67
name: dhcps-udp
- protocol: UDP
containerPort: 68
name: dhcpc-udp
- protocol: TCP
containerPort: 80
name: http-tcp
- protocol: TCP
containerPort: 443
name: https-tcp
- protocol: UDP
containerPort: 443
name: https-udp
- protocol: TCP
containerPort: 853
name: dns-tls-tcp
- protocol: UDP
containerPort: 853
name: dns-tls-udp
- protocol: TCP
containerPort: 3000
name: http-alt-tcp
- protocol: UDP
containerPort: 3000
name: http-alt-udp
- protocol: TCP
containerPort: 5443
name: dnscrypt-tcp
- protocol: UDP
containerPort: 5443
name: dnscrypt-udp
- protocol: TCP
containerPort: 6060
name: http-pprof
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: adguard-home-data
mountPath: /opt/adguardhome/work
- name: adguard-home-config
mountPath: /opt/adguardhome/conf
volumes:
- name: adguard-home-data
hostPath:
path: /mnt/nfs/AppData/adguardhome/work
type: Directory
- name: adguard-home-config
hostPath:
path: /mnt/nfs/AppData/adguardhome/conf
type: Directory


@@ -1,61 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: adguard-home-ingress
namespace: adguard-home
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 10080
- host: "adguard-home.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 10080
- host: "setup.adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 13000
- host: "setup.adguard-home.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 13000
- host: "doh.adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 443


@@ -1,69 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: adguard-home
namespace: adguard-home
labels:
app.kubernetes.io/name: adguard-home
spec:
selector:
app.kubernetes.io/name: adguard-home
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 53
targetPort: 53
name: dns-tcp
- protocol: UDP
port: 53
targetPort: 53
name: dns-udp
- protocol: UDP
port: 67
targetPort: 67
name: dhcps-udp
- protocol: UDP
port: 68
targetPort: 68
name: dhcpc-udp
- protocol: TCP
port: 10080
targetPort: 80
name: http-tcp
- protocol: TCP
port: 443
targetPort: 443
name: https-tcp
- protocol: UDP
port: 443
targetPort: 443
name: https-udp
- protocol: TCP
port: 853
targetPort: 853
name: dns-tls-tcp
- protocol: UDP
port: 853
targetPort: 853
name: dns-tls-udp
- protocol: TCP
port: 13000
targetPort: 3000
name: https-alt-tcp
- protocol: UDP
port: 13000
targetPort: 3000
name: https-alt-udp
- protocol: TCP
port: 5443
targetPort: 5443
name: dnscrypt-tcp
- protocol: UDP
port: 5443
targetPort: 5443
name: dnscrypt-udp
- protocol: TCP
port: 6060
targetPort: 6060
name: https-pprof


@@ -1,38 +0,0 @@
spec:
ports:
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
- name: dhcps-udp
port: 67
targetPort: 67
protocol: UDP
- name: dhcpc-udp
port: 68
targetPort: 68
protocol: UDP
- name: dns-tls-tcp
port: 853
targetPort: 853
protocol: TCP
- name: dns-tls-udp
port: 853
targetPort: 853
protocol: UDP
- name: dnscrypt-tcp
port: 5443
targetPort: 5443
protocol: TCP
- name: dnscrypt-udp
port: 5443
targetPort: 5443
protocol: UDP
- name: https-pprof
port: 6060
targetPort: 6060
protocol: TCP


@@ -1,4 +0,0 @@
#!/bin/bash
set -e
kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: capacitor-ingress
namespace: capacitor
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "capacitor.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: capacitor
port:
number: 9000


@@ -1,84 +0,0 @@
---
# Source: onechart/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: capacitor
namespace: capacitor
labels:
helm.sh/chart: onechart-0.63.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 9000
targetPort: 9000
protocol: TCP
name: http
selector:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
---
# Source: onechart/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: capacitor
namespace: capacitor
labels:
helm.sh/chart: onechart-0.63.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
annotations:
kubectl.kubernetes.io/default-container: capacitor
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
template:
metadata:
annotations:
checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
labels:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
rpi5.cluster.policy/ingress-nginx: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
containers:
- image: ghcr.io/gimlet-io/capacitor:v0.4.2
imagePullPolicy: IfNotPresent
name: capacitor
ports:
- containerPort: 9000
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /
port: 9000
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
resources:
requests:
cpu: 200m
memory: 200Mi
securityContext: {}
initContainers: null
securityContext:
fsGroup: 999
serviceAccountName: capacitor


@@ -1,58 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: capacitor
namespace: capacitor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: capacitor
rules:
- apiGroups:
- networking.k8s.io
- apps
- ""
resources:
- pods
- pods/log
- ingresses
- deployments
- services
- secrets
- events
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- source.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
resources:
- gitrepositories
- ocirepositories
- buckets
- helmrepositories
- helmcharts
- kustomizations
- helmreleases
verbs:
- get
- watch
- list
- patch # to allow force reconciling by adding an annotation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: capacitor
subjects:
- kind: ServiceAccount
name: capacitor
namespace: flux-system
roleRef:
kind: ClusterRole
name: capacitor
apiGroup: rbac.authorization.k8s.io


@@ -1,29 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: capacitor
namespace: capacitor
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/capacitor/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
patches:
- target:
kind: (Service|Deployment)
name: capacitor
namespace: flux-system
patch: |
- op: replace
path: "/metadata/labels/app.kubernetes.io~1managed-by"
value: Flux
- op: remove
path: "/metadata/labels/helm.sh~1chart"
- op: add
path: "/metadata/labels/patched"
value: "true"


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: code-server-ingress
namespace: code-server
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "code-server.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: code-server
port:
number: 8443


@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: code-server-pv
namespace: code-server
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/code-server"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: code-server-pvc
namespace: code-server
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-pvc
namespace: code-server
labels:
name: code-server-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi


@@ -1,31 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: code-server
namespace: code-server
spec:
releaseName: code-server
targetNamespace: code-server
chart:
spec:
chart: code-server
sourceRef:
kind: HelmRepository
name: nicholaswilde
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
secret:
PASSWORD: ${password}
SUDO_PASSWORD: ${sudo_password}
env:
TZ: "Australia/Sydney"
persistence:
config:
enabled: true
existingClaim: code-server-pvc


@@ -1,47 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: code-server-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: code-server
path: ./code-server
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: code-server
namespace: code-server
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: code-server
path: ./kubernetes/apps/code-server/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: code-server-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: code-server-secrets


@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dokuwiki-ingress
namespace: dokuwiki
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "dokuwiki.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: dokuwiki-dokuwiki
port:
number: 18000
- host: "dokuwiki.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: dokuwiki-dokuwiki
port:
number: 18000


@@ -1,34 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: dokuwiki
namespace: dokuwiki
spec:
targetNamespace: dokuwiki
chart:
spec:
chart: dokuwiki
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
dokuwikiUsername: ${username}
dokuwikiPassword: ${password}
dokuwikiEmail: ${email}
dokuwikiFullName: "Edward Cheng"
dokuwikiWikiName: My Doku Wiki
containerPorts:
http: 18000
https: 18443
persistence:
existingClaim: "dokuwiki-pvc"
service:
type: ClusterIP
ports:
http: 18000
https: 18443


@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: dokuwiki-pv
namespace: dokuwiki
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 12Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/dokuwiki"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: dokuwiki-pvc
namespace: dokuwiki
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dokuwiki-pvc
namespace: dokuwiki
labels:
name: dokuwiki-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 12Gi


@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dokuwiki-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: dokuwiki
path: ./dokuwiki
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dokuwiki
namespace: dokuwiki
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/dokuwiki/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: dokuwiki-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: dokuwiki-secrets


@@ -1,32 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: gitea
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
spec:
ingressClassName: nginx
rules:
- host: "gitea.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: gitea-gitea
port:
number: 10080
- host: "gitea.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: gitea-gitea
port:
number: 10080


@@ -1,56 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
namespace: gitea
spec:
targetNamespace: gitea
chart:
spec:
chart: gitea
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
image:
debug: true
updateStrategy:
type: Recreate
livenessProbe:
enabled: true
initialDelaySeconds: 600
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
successThreshold: 1
readinessProbe:
enabled: true
path: /
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
successThreshold: 1
adminUsername: ${admin_username}
adminPassword: ${admin_password}
adminEmail: ${admin_email}
appName: app_name
persistence:
existingClaim: gitea-pvc
service:
ports:
http: 10080
ssh: 10022
postgresql:
enabled: false
externalDatabase:
host: ${db_host}
port: ${db_port}
user: ${db_user}
database: ${db_name}
password: ${db_password}


@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitea-pv
namespace: gitea
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 32Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/gitea"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: gitea-pvc
namespace: gitea
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-pvc
namespace: gitea
labels:
name: gitea-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 32Gi


@@ -1,47 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: gitea-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: gitea
path: ./gitea
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: gitea
namespace: gitea
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/gitea/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: gitea-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: gitea-secrets


@@ -1,43 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: homer
namespace: homer
labels:
app.kubernetes.io/name: homer
spec:
selector:
matchLabels:
app.kubernetes.io/name: homer
template:
metadata:
labels:
app.kubernetes.io/name: homer
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
containers:
- name: homer
image: b4bz/homer:v24.05.1
securityContext:
allowPrivilegeEscalation: false
env:
- name: PORT
value: "8088"
- name: INIT_ASSETS
value: "0"
ports:
- protocol: TCP
containerPort: 8088
name: http
volumeMounts:
- name: assets
mountPath: /www/assets
volumes:
- name: assets
hostPath:
path: /mnt/nfs/AppData/homer/www/assets
type: Directory


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homer-ingress
namespace: homer
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "home.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: homer
port:
number: 8088


@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: homer
namespace: homer
labels:
app.kubernetes.io/name: homer
spec:
selector:
app.kubernetes.io/name: homer
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 8088
targetPort: 8088
name: http


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: homer
namespace: homer
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/homer/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: jellyfin
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "jellyfin.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: jellyfin
port:
number: 8096
- host: "jellyfin.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: jellyfin
port:
number: 8096


@@ -1,51 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-config
namespace: jellyfin
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 250Mi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/jellyfin/config"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-data
namespace: jellyfin
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 2Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/jellyfin/data"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2


@@ -1,169 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: jellyfin
namespace: jellyfin
spec:
releaseName: jellyfin
targetNamespace: jellyfin
chart:
spec:
chart: jellyfin
sourceRef:
kind: HelmRepository
name: beluga-cloud
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
persistence:
config:
enabled: true
volumeClaimSpec:
accessModes:
- ReadWriteOnce
volumeName: jellyfin-config
storageClassName: local-path
data:
enabled: true
volumeClaimSpec:
accessModes:
- ReadWriteOnce
volumeName: jellyfin-data
storageClassName: local-path
jellyfin:
mediaVolumes:
- name: movies
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-movies
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/movies"
type: "Directory"
- name: series
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-series
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/series"
type: "Directory"
- name: music-videos
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-music-videos
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/music-videos"
type: "Directory"
- name: short-videos
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-short-videos
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/short-videos"
type: "Directory"
- name: gv
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-gv
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/gv"
type: "Directory"
persistentTranscodes: true


@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: jellyfin
namespace: jellyfin
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/jellyfin/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,58 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kavita
namespace: kavita
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
annotations:
kubectl.kubernetes.io/default-container: kavita
spec:
selector:
matchLabels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
template:
metadata:
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
spec:
containers:
- image: jvmilazz0/kavita:0.8.1
imagePullPolicy: IfNotPresent
name: kavita
ports:
- containerPort: 5000
name: http
protocol: TCP
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: kavita-config
mountPath: /kavita/config
- name: kavita-manga
mountPath: /manga
- name: kavita-book
mountPath: /book
- name: kavita-doc
mountPath: /doc
volumes:
- name: kavita-config
hostPath:
path: /mnt/nfs/AppData/kavita/config
type: Directory
- name: kavita-manga
hostPath:
path: /mnt/nfs/AppData/kavita/manga
type: Directory
- name: kavita-book
hostPath:
path: /mnt/nfs/AppData/kavita/book
type: Directory
- name: kavita-doc
hostPath:
path: /mnt/nfs/AppData/kavita/doc
type: Directory


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kavita-ingress
namespace: kavita
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "kavita.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: kavita
port:
number: 5000


@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: kavita
namespace: kavita
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
spec:
type: ClusterIP
ports:
- port: 5000
targetPort: 5000
protocol: TCP
name: http
selector:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita


@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kavita
namespace: kavita
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/kavita/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,19 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./adguard-home/adguard-home.yaml
- ./capacitor/capacitor.yaml
- ./code-server/code-server.yaml
- ./dokuwiki/dokuwiki.yaml
- ./gitea/gitea.yaml
- ./homer/homer.yaml
- ./jellyfin/jellyfin.yaml
- ./kavita/kavita.yaml
- ./nexus/nexus.yaml
- ./podinfo/podinfo.yaml
- ./qbittorrent/qbittorrent.yaml
- ./snippet-box/snippet-box.yaml
- ./sonarqube/sonarqube.yaml
- ./uptime-kuma/uptime-kuma.yaml
- ./vaultwarden/vaultwarden.yaml
- ./weave-gitops/weave-gitops.yaml


@@ -1,38 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nexus
namespace: nexus
spec:
replicas: 1
selector:
matchLabels:
app: nexus
template:
metadata:
labels:
app: nexus
spec:
securityContext:
runAsUser: 0
runAsGroup: 0
containers:
- name: nexus
image: klo2k/nexus3:3.68.1-02
resources:
limits:
memory: "3Gi"
cpu: "1"
requests:
memory: "2Gi"
cpu: "500m"
ports:
- containerPort: 8081
volumeMounts:
- name: nexus-data
mountPath: /nexus-data
volumes:
- name: nexus-data
hostPath:
path: /mnt/nfs/AppData/nexus
type: Directory


@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nexus
namespace: nexus
annotations:
prometheus.io/scrape: 'true'
prometheus.io/path: /
prometheus.io/port: '8081'
spec:
selector:
app: nexus
type: NodePort
ports:
- port: 8081
targetPort: 8081
nodePort: 32000


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: nexus
namespace: nexus
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/nexus/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,27 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: podinfo
namespace: podinfo
spec:
releaseName: podinfo
chart:
spec:
chart: podinfo
sourceRef:
kind: HelmRepository
name: podinfo
interval: 50m
install:
remediation:
retries: 3
# Default values
# https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
values:
redis:
enabled: true
repository: public.ecr.aws/docker/library/redis
tag: 7.0.6
ingress:
enabled: true
className: nginx


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 5m
url: https://stefanprodan.github.io/podinfo


@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/podinfo/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: qbittorrent-ingress
namespace: qbittorrent
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "qbittorrent.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: qbittorrent-qbittorrent-web
port:
number: 8888


@@ -1,32 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: qbittorrent
namespace: qbittorrent
spec:
targetNamespace: qbittorrent
chart:
spec:
chart: qbittorrent
sourceRef:
kind: HelmRepository
name: adminafk
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
service:
web:
port: 8888
torrent:
port: 8388
config:
persistence:
name: config
storageClass: local-path
size: 5Gi
volumeMounts:
- name: download
mountPath: /download


@@ -1,93 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: config
namespace: qbittorrent
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/qbittorrent/config"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: config
namespace: qbittorrent
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# name: qbittorrent-config-pvc
# namespace: qbittorrent
# labels:
# name: qbittorrent-config-pvc
#spec:
# storageClassName: local-path
# volumeMode: Filesystem
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 5Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: download
namespace: qbittorrent
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 64Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/qbittorrent/download"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: download
namespace: qbittorrent
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: download
namespace: qbittorrent
labels:
name: download
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi


@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: qbittorrent
namespace: qbittorrent
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/qbittorrent/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,10 +0,0 @@
spec:
ports:
- name: torrent-tcp
port: 8388
targetPort: 8388
protocol: TCP
- name: torrent-udp
port: 8388
targetPort: 8388
protocol: UDP


@@ -1,4 +0,0 @@
#!/bin/bash
set -e
kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml)"


@@ -1,34 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: snippet-box
namespace: snippet-box
labels:
app.kubernetes.io/name: snippet-box
spec:
selector:
matchLabels:
app.kubernetes.io/name: snippet-box
template:
metadata:
labels:
app.kubernetes.io/name: snippet-box
spec:
containers:
- name: snippet-box
image: pawelmalak/snippet-box:arm
ports:
- protocol: TCP
containerPort: 5000
name: snippet-box
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: snippet-box-data
mountPath: /app/data
volumes:
- name: snippet-box-data
hostPath:
path: /mnt/nfs/AppData/snippet-box
type: Directory


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: snippet-box-ingress
namespace: snippet-box
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "snippet-box.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: snippet-box
port:
number: 5000


@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: snippet-box
namespace: snippet-box
labels:
app.kubernetes.io/name: snippet-box
spec:
selector:
app.kubernetes.io/name: snippet-box
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 5000
targetPort: 5000
name: snippet-box


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: snippet-box
namespace: snippet-box
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/snippet-box/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,47 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: sonarqube
namespace: sonarqube
spec:
releaseName: sonarqube
chart:
spec:
chart: sonarqube
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
sonarqubeUsername: ${sonarqube_username}
sonarqubePassword: ${sonarqube_password}
sonarqubeEmail: ${sonarqube_email}
smtpHost: ${smtp_host}
smtpPort: ${smtp_port}
smtpUser: ${smtp_user}
smtpPassword: ${smtp_password}
smtpProtocol: ${smtp_protocol}
service:
ports:
http: 8090
elastic: 9091
nodePorts:
http: 30080
elastic: 30091
persistence:
enabled: true
storageClass: local-path
size: "32Gi"
existingClaim: "sonarqube-pvc"
postgresql:
enabled: false
externalDatabase:
host: ${db_host}
user: ${db_user}
password: ${db_password}
database: ${db_name}
port: ${db_port}


@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: sonarqube-pv
namespace: sonarqube
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 32Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/sonarqube"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: sonarqube-pvc
namespace: sonarqube
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarqube-pvc
namespace: sonarqube
labels:
name: sonarqube-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 32Gi


@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sonarqube-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: sonarqube
path: ./sonarqube
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sonarqube
namespace: sonarqube
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/sonarqube/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: sonarqube-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: sonarqube-secrets


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: uptime-kuma-ingress
namespace: uptime-kuma
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "uptime-kuma.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: uptime-kuma
port:
number: 3001


@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: uptime-kuma-pv
namespace: uptime-kuma
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 4Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/uptime-kuma"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: uptime-kuma-pvc
namespace: uptime-kuma
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-1
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: uptime-kuma-pvc
namespace: uptime-kuma
labels:
name: uptime-kuma-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi


@@ -1,26 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: uptime-kuma
namespace: uptime-kuma
spec:
releaseName: uptime-kuma
targetNamespace: uptime-kuma
chart:
spec:
chart: uptime-kuma
version: 2.18.1
sourceRef:
kind: HelmRepository
name: irsigler
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
volume:
enabled: true
accessMode: ReadWriteOnce
size: 4Gi
existingClaim: "uptime-kuma-pvc"


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: uptime-kuma
namespace: uptime-kuma
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/uptime-kuma/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,48 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
spec:
selector:
matchLabels:
app.kubernetes.io/name: vaultwarden
template:
metadata:
labels:
app.kubernetes.io/name: vaultwarden
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
containers:
- securityContext:
runAsUser: 1000
runAsNonRoot: true
runAsGroup: 1000
name: vaultwarden
image: vaultwarden/server:1.31.0
env:
- name: DOMAIN
value: https://vaultwarden.cluster.edward.sydney
- name: SIGNUPS_ALLOWED
value: "true"
- name: DATABASE_URL
value: postgresql://${db_username}:${db_password}@${db_host}:5432/${db_name}
ports:
- protocol: TCP
containerPort: 80
name: http
volumeMounts:
- name: vaultwarden-data
mountPath: /data
volumes:
- name: vaultwarden-data
hostPath:
path: /mnt/nfs/AppData/vaultwarden/data
type: Directory


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden-ingress
namespace: vaultwarden
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "vaultwarden.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: vaultwarden
port:
number: 11080


@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
spec:
selector:
app.kubernetes.io/name: vaultwarden
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 11080
targetPort: 80
name: http


@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: vaultwarden-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: vaultwarden
path: ./vaultwarden
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/vaultwarden/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: vaultwarden-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: vaultwarden-secrets


@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: weave-gitops-ingress
namespace: flux-system
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "weave-gitops.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: ww-gitops-weave-gitops
port:
number: 9001
- host: "weave-gitops.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: ww-gitops-weave-gitops
port:
number: 9001


@@ -1,41 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
annotations:
metadata.weave.works/description: This is the source location for the Weave GitOps
Dashboard's helm chart.
labels:
app.kubernetes.io/component: ui
app.kubernetes.io/created-by: weave-gitops-cli
app.kubernetes.io/name: weave-gitops-dashboard
app.kubernetes.io/part-of: weave-gitops
name: ww-gitops
namespace: flux-system
spec:
interval: 1h0m0s
type: oci
url: oci://ghcr.io/weaveworks/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
annotations:
metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides
a simple way to get insights into your GitOps workloads.
name: ww-gitops
namespace: flux-system
spec:
chart:
spec:
chart: weave-gitops
sourceRef:
kind: HelmRepository
name: ww-gitops
interval: 1h0m0s
values:
adminUser:
create: true
passwordHash: $2a$10$gnPEHsFzIJXg/eron5LiQ.teGZkKETxuA2WAyKSbxHvxpkzWJvbDe
username: admin


@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: weave-gitops
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/weave-gitops/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system


@@ -1,44 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
namespace: cert-manager
name: cert-manager
interval: 1h
install:
crds: Create
upgrade:
crds: CreateReplace
values:
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
url: https://charts.jetstack.io


@@ -1,125 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: namespaces
namespace: flux-system
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
namespace: flux-system
- name: cert-manager
namespace: cert-manager
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: certificate-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./certificates
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: namespaces
namespace: flux-system
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: certificates
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/certificates
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: certificate-secrets
namespace: flux-system
- name: cert-manager
namespace: cert-manager
- name: clusterissuer
namespace: cert-manager
postBuild:
substituteFrom:
- kind: Secret
name: certificate-secrets


@@ -1,64 +0,0 @@
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: adguard-home-cert
# namespace: cert-manager
#spec:
# # Secret names are always required.
# secretName: adguard-home.cluster.edward.sydney-tls
#
# privateKey:
# algorithm: RSA
# encoding: PKCS1
# size: 2048
#
# # keystores allows adding additional output formats. This is an example for reference only.
# keystores:
# pkcs12:
# create: true
# passwordSecretRef:
# name: adguard-home-tls-keystore
# key: ${adguard_home_certificate_tls_keystore_password}
# profile: Modern2023
#
# duration: 2160h # 90d
# renewBefore: 360h # 15d
#
# isCA: false
# usages:
# - server auth
# - client auth
#
# subject:
# organizations:
# - edward.sydney
#
# # The literalSubject field is exclusive with subject and commonName. It allows
# # specifying the subject directly as a string. This is useful for when the order
# # of the subject fields is important or when the subject contains special types
# # which can be specified by their OID.
# #
# # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
#
# # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
# dnsNames:
# - "${adguard_home_certificate_dns_name}"
# - "*.${adguard_home_certificate_dns_name}"
# emailAddresses:
# - ${adguard_home_certificate_email}
#
# # Issuer references are always required.
# issuerRef:
# name: clusterissuer
# # We can reference ClusterIssuers by changing the kind here.
# # The default value is Issuer (i.e. a locally namespaced Issuer)
# kind: ClusterIssuer
# # This is optional since cert-manager will default to this value however
# # if you are using an external issuer, change this to that issuer group.
# group: cert-manager.io
#The certificate request has failed to complete and will be retried:
# Failed to wait for order resource "adguard-home-cert-1-1931876784" to become
# ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited:
# Error creating new order :: too many certificates already issued for "edward.sydney".
# Retry after 2024-06-25T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/


@@ -1,22 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cluster-issuer-account-key
solvers:
- dns01:
cloudflare:
email: ${email}
apiTokenSecretRef:
name: clusterissuer-secrets
key: cloudflare_api_token
selector:
dnsNames:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"


@@ -1,43 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cilium
namespace: kube-system
spec:
chart:
spec:
chart: cilium
version: 1.15.5
sourceRef:
kind: HelmRepository
namespace: kube-system
name: cilium
install:
crds: Create
upgrade:
crds: CreateReplace
interval: 1h
driftDetection:
mode: enabled
values:
global:
encryption:
enabled: true
nodeEncryption: true
policyEnforcementMode: default
operator:
replicas: 1
ipam:
mode: cluster-pool
operator:
clusterPoolIPv4PodCIDRList: [10.42.0.0/16]
clusterPoolIPv4MaskSize: 24
dnsProxy:
dnsRejectResponseCode: nameError
cni:
exclusive: false


@@ -1,35 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cilium
namespace: kube-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/cilium/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cilium-networkpolicies
namespace: kube-system
spec:
suspend: false
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/cilium/networkpolicies
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: ingress-nginx
namespace: ingress-nginx


@@ -1,21 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: coredns
namespace: kube-system
spec:
endpointSelector:
matchLabels:
k8s-app: kube-dns
egress:
- toEntities:
- world
toPorts:
- ports:
- port: "53"
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"


@@ -1,20 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kube-dns
namespace: kube-system
spec:
endpointSelector:
matchExpressions:
- key: rpi5.cluster.policy/egress-kube-dns
operator: NotIn
values:
- "false"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"


@@ -1,22 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kubeapi
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "443"
- port: "6443"


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-namespace
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-namespace: "true"
egress:
- toEndpoints:
- {}


@@ -1,13 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-nodes
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-nodes: "true"
egress:
- toEntities:
- host
- remote-node


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-world
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-world: "true"
egress:
- toCIDRSet:
- cidr: 0.0.0.0/0


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-namespace
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-namespace: "true"
ingress:
- fromEndpoints:
- {}


@@ -1,67 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-ingress
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: ingress-nginx
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
egress:
- toEndpoints:
- matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-ingress
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: egress-nginx
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
ingress:
- fromEndpoints:
- matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists


@@ -1,13 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-nodes
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-nodes: "true"
ingress:
- fromEntities:
- host
- remote-node


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-world
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-world: "true"
ingress:
- fromEntities:
- world


@@ -1,16 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: local-path-provisioner
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app: local-path-provisioner
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"


@@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: consul
namespace: consul
labels:
app: consul
spec:
ports:
- name: http
protocol: TCP
port: 8500
targetPort: 8500
selector:
app: consul
type: ClusterIP


@@ -1,46 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: consul
namespace: consul
labels:
app: consul
spec:
replicas: 1
selector:
matchLabels:
app: consul
template:
metadata:
labels:
app: consul
spec:
containers:
- name: consul
image: 'consul:1.15.4'
args:
- agent
ports:
- name: http
containerPort: 8500
protocol: TCP
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: consul-data
mountPath: /consul/data
- name: consul-config
mountPath: /consul/config
imagePullPolicy: IfNotPresent
volumes:
- name: consul-data
hostPath:
path: /mnt/nfs/AppData/consul/data
type: Directory
- name: consul-config
hostPath:
path: /mnt/nfs/AppData/consul/config
type: Directory
restartPolicy: Always
serviceName: consul


@@ -1,18 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: consul
namespace: consul
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/consul/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system


@@ -1,50 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: grafana-dashboards-secrets
namespace: flux-system
spec:
suspend: true
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: prometheus
path: ./grafana-dashboards
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: grafana-dashboards
namespace: prometheus
spec:
suspend: true
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/grafana-dashboards/dashboards
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system
- name: grafana-dashboards-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: grafana-dashboards-secrets


@@ -1,113 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: ingress-nginx
version: 4.10.1
sourceRef:
kind: HelmRepository
namespace: ingress-nginx
name: ingress-nginx
interval: 1h
values:
rbac:
create: true
controller:
priorityClassName: system-cluster-critical
extraArgs:
update-status-on-shutdown: "false"
tcp-services-configmap: "ingress-nginx/tcp-services"
udp-services-configmap: "ingress-nginx/udp-services"
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world-with-lan: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-prometheus: "true"
rpi5.cluster.policy/ingress-world: "true"
allowSnippetAnnotations: true
# maxmindLicenseKey: ${geoip_license_key}
config:
proxy-buffer-size: 16k
use-gzip: ${use_gzip:=true}
enable-brotli: ${enable_brotli:=true}
hsts-max-age: ${hsts_max_age:=31536000}
hsts-preload: ${hsts_preload:=true}
disable-ipv6: ${disable_ipv6:=false}
disable-ipv6-dns: ${disable_ipv6_dns:=false}
keep-alive-requests: ${keep_alive_requests:=1000}
use-geoip2: ${use_geoip2:=true}
custom-http-errors: 401,403,404,500,501,502,503,504
extraEnvs:
- name: TZ
value: Australia/Sydney
addHeaders:
Referrer-Policy: same-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
ingressClassResource:
default: true
service:
externalTrafficPolicy: Cluster
ipFamilyPolicy: SingleStack
metrics:
enabled: ${metrics_enabled:=false}
# serviceMonitor:
# enabled: ${metrics_enabled:=false}
# scrapeInterval: 1m
admissionWebhooks:
labels:
rpi5.cluster.policy/egress-kubeapi: "true"
patch:
labels:
rpi5.cluster.policy/egress-kubeapi: "true"
spec:
template:
spec:
containers:
volumeMounts:
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
volumes:
- name: nginx-template-volume
hostPath:
path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
type: Directory
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
pullPolicy: IfNotPresent
extraEnvs:
- name: TEMPLATE_NAME
value: connection
- name: SHOW_DETAILS
value: "true"
- name: READ_BUFFER_SIZE
value: "8192"
podLabels:
rpi5.cluster.policy/ingress-namespace: "true"


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
interval: 1h
url: https://kubernetes.github.io/ingress-nginx


@@ -1,24 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: ingress-nginx
data:
"53": "adguard-home/adguard-home:53"
"853": "adguard-home/adguard-home:853"
"5443": "adguard-home/adguard-home:5443"
"6060": "adguard-home/adguard-home:6060"
"8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-services
namespace: ingress-nginx
data:
"53": "adguard-home/adguard-home:53"
"67": "adguard-home/adguard-home:67"
"68": "adguard-home/adguard-home:68"
"853": "adguard-home/adguard-home:853"
"5443": "adguard-home/adguard-home:5443"
"8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"
