K3S-Cluster/home-cluster-ops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

reset project

Browse Source
This commit is contained in:
Edward Cheng
2024-07-14 18:51:53 +10:00
parent b7da360fe7
commit f81ba3d62c
190 changed files with 0 additions and 19874 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
kubernetes/apps/adguard-home/adguard-home.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: adguard-home
namespace: adguard-home
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/adguard-home/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

86
kubernetes/apps/adguard-home/app/deployment.yaml
View File

@@ -1,86 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: adguard-home
namespace: adguard-home
labels:
app.kubernetes.io/name: adguard-home
spec:
selector:
matchLabels:
app.kubernetes.io/name: adguard-home
template:
metadata:
labels:
app.kubernetes.io/name: adguard-home
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
rpi5.cluster.policy/ingress-nginx: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
containers:
- name: adguard-home
image: adguard/adguardhome:v0.107.51
ports:
- protocol: TCP
containerPort: 53
name: dns-tcp
- protocol: UDP
containerPort: 53
name: dns-udp
- protocol: UDP
containerPort: 67
name: dhcps-udp
- protocol: UDP
containerPort: 68
name: dhcpc-udp
- protocol: TCP
containerPort: 80
name: http-tcp
- protocol: TCP
containerPort: 443
name: https-tcp
- protocol: UDP
containerPort: 443
name: https-udp
- protocol: TCP
containerPort: 853
name: dns-tls-tcp
- protocol: UDP
containerPort: 853
name: dns-tls-udp
- protocol: TCP
containerPort: 3000
name: http-alt-tcp
- protocol: UDP
containerPort: 3000
name: http-alt-udp
- protocol: TCP
containerPort: 5443
name: dnscrypt-tcp
- protocol: UDP
containerPort: 5443
name: dnscrypt-udp
- protocol: TCP
containerPort: 6060
name: http-pprof
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: adguard-home-data
mountPath: /opt/adguardhome/work
- name: adguard-home-config
mountPath: /opt/adguardhome/conf
volumes:
- name: adguard-home-data
hostPath:
path: /mnt/nfs/AppData/adguardhome/work
type: Directory
- name: adguard-home-config
hostPath:
path: /mnt/nfs/AppData/adguardhome/conf
type: Directory

61
kubernetes/apps/adguard-home/app/ingress.yaml
View File

@@ -1,61 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: adguard-home-ingress
namespace: adguard-home
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 10080
- host: "adguard-home.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 10080
- host: "setup.adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 13000
- host: "setup.adguard-home.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 13000
- host: "doh.adguard-home.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: adguard-home
port:
number: 443

69
kubernetes/apps/adguard-home/app/service.yaml
View File

@@ -1,69 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: adguard-home
namespace: adguard-home
labels:
app.kubernetes.io/name: adguard-home
spec:
selector:
app.kubernetes.io/name: adguard-home
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 53
targetPort: 53
name: dns-tcp
- protocol: UDP
port: 53
targetPort: 53
name: dns-udp
- protocol: UDP
port: 67
targetPort: 67
name: dhcps-udp
- protocol: UDP
port: 68
targetPort: 68
name: dhcpc-udp
- protocol: TCP
port: 10080
targetPort: 80
name: http-tcp
- protocol: TCP
port: 443
targetPort: 443
name: https-tcp
- protocol: UDP
port: 443
targetPort: 443
name: https-udp
- protocol: TCP
port: 853
targetPort: 853
name: dns-tls-tcp
- protocol: UDP
port: 853
targetPort: 853
name: dns-tls-udp
- protocol: TCP
port: 13000
targetPort: 3000
name: https-alt-tcp
- protocol: UDP
port: 13000
targetPort: 3000
name: https-alt-udp
- protocol: TCP
port: 5443
targetPort: 5443
name: dnscrypt-tcp
- protocol: UDP
port: 5443
targetPort: 5443
name: dnscrypt-udp
- protocol: TCP
port: 6060
targetPort: 6060
name: https-pprof

38
kubernetes/apps/adguard-home/scripts/ingress-nginx-svc-controller-patch.yaml
View File

@@ -1,38 +0,0 @@
spec:
ports:
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
- name: dhcps-udp
port: 67
targetPort: 67
protocol: UDP
- name: dhcpc-udp
port: 68
targetPort: 68
protocol: UDP
- name: dns-tls-tcp
port: 853
targetPort: 853
protocol: TCP
- name: dns-tls-udp
port: 853
targetPort: 853
protocol: UDP
- name: dnscrypt-tcp
port: 5443
targetPort: 5443
protocol: TCP
- name: dnscrypt-udp
port: 5443
targetPort: 5443
protocol: UDP
- name: https-pprof
port: 6060
targetPort: 6060
protocol: TCP

4
kubernetes/apps/adguard-home/scripts/patch-ingress-nginx.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
set -e
kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"

21
kubernetes/apps/capacitor/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: capacitor-ingress
namespace: capacitor
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "capacitor.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: capacitor
port:
number: 9000

84
kubernetes/apps/capacitor/app/manifest.yaml
View File

@@ -1,84 +0,0 @@
---
# Source: onechart/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: capacitor
namespace: capacitor
labels:
helm.sh/chart: onechart-0.63.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 9000
targetPort: 9000
protocol: TCP
name: http
selector:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
---
# Source: onechart/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: capacitor
namespace: capacitor
labels:
helm.sh/chart: onechart-0.63.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
annotations:
kubectl.kubernetes.io/default-container: capacitor
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
template:
metadata:
annotations:
checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
labels:
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
rpi5.cluster.policy/ingress-nginx: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
containers:
- image: ghcr.io/gimlet-io/capacitor:v0.4.2
imagePullPolicy: IfNotPresent
name: capacitor
ports:
- containerPort: 9000
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /
port: 9000
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
resources:
requests:
cpu: 200m
memory: 200Mi
securityContext: {}
initContainers: null
securityContext:
fsGroup: 999
serviceAccountName: capacitor

58
kubernetes/apps/capacitor/app/rbac.yaml
View File

@@ -1,58 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: capacitor
namespace: capacitor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: capacitor
rules:
- apiGroups:
- networking.k8s.io
- apps
- ""
resources:
- pods
- pods/log
- ingresses
- deployments
- services
- secrets
- events
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- source.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
resources:
- gitrepositories
- ocirepositories
- buckets
- helmrepositories
- helmcharts
- kustomizations
- helmreleases
verbs:
- get
- watch
- list
- patch # to allow force reconciling by adding an annotation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: capacitor
subjects:
- kind: ServiceAccount
name: capacitor
namespace: flux-system
roleRef:
kind: ClusterRole
name: capacitor
apiGroup: rbac.authorization.k8s.io

29
kubernetes/apps/capacitor/capacitor.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: capacitor
namespace: capacitor
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/capacitor/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
patches:
- target:
kind: (Service|Deployment)
name: capacitor
namespace: flux-system
patch: |
- op: replace
path: "/metadata/labels/app.kubernetes.io~1managed-by"
value: Flux
- op: remove
path: "/metadata/labels/helm.sh~1chart"
- op: add
path: "/metadata/labels/patched"
value: "true"

21
kubernetes/apps/code-server/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: code-server-ingress
namespace: code-server
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "code-server.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: code-server
port:
number: 8443

46
kubernetes/apps/code-server/app/pvc.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: code-server-pv
namespace: code-server
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/code-server"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: code-server-pvc
namespace: code-server
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-pvc
namespace: code-server
labels:
name: code-server-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi

31
kubernetes/apps/code-server/app/release.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: code-server
namespace: code-server
spec:
releaseName: code-server
targetNamespace: code-server
chart:
spec:
chart: code-server
sourceRef:
kind: HelmRepository
name: nicholaswilde
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
secret:
PASSWORD: ${password}
SUDO_PASSWORD: ${sudo_password}
env:
TZ: "Australia/Sydney"
persistence:
config:
enabled: true
existingClaim: code-server-pvc

47
kubernetes/apps/code-server/code-server.yaml
View File

@@ -1,47 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: code-server-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: code-server
path: ./code-server
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: code-server
namespace: code-server
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: code-server
path: ./kubernetes/apps/code-server/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: code-server-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: code-server-secrets

31
kubernetes/apps/dokuwiki/app/ingress.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dokuwiki-ingress
namespace: dokuwiki
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "dokuwiki.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: dokuwiki-dokuwiki
port:
number: 18000
- host: "dokuwiki.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: dokuwiki-dokuwiki
port:
number: 18000

34
kubernetes/apps/dokuwiki/app/release.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: dokuwiki
namespace: dokuwiki
spec:
targetNamespace: dokuwiki
chart:
spec:
chart: dokuwiki
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
dokuwikiUsername: ${username}
dokuwikiPassword: ${password}
dokuwikiEmail: ${email}
dokuwikiFullName: "Edward Cheng"
dokuwikiWikiName: My Doku Wiki
containerPorts:
http: 18000
https: 18443
persistence:
existingClaim: "dokuwiki-pvc"
service:
type: ClusterIP
ports:
http: 18000
https: 18443

46
kubernetes/apps/dokuwiki/app/volume.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: dokuwiki-pv
namespace: dokuwiki
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 12Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/dokuwiki"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: dokuwiki-pvc
namespace: dokuwiki
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dokuwiki-pvc
namespace: dokuwiki
labels:
name: dokuwiki-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 12Gi

46
kubernetes/apps/dokuwiki/dokuwiki.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dokuwiki-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: dokuwiki
path: ./dokuwiki
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dokuwiki
namespace: dokuwiki
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/dokuwiki/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: dokuwiki-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: dokuwiki-secrets

32
kubernetes/apps/gitea/app/ingress.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: gitea
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
spec:
ingressClassName: nginx
rules:
- host: "gitea.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: gitea-gitea
port:
number: 10080
- host: "gitea.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: gitea-gitea
port:
number: 10080

56
kubernetes/apps/gitea/app/release.yaml
View File

@@ -1,56 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
namespace: gitea
spec:
targetNamespace: gitea
chart:
spec:
chart: gitea
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
image:
debug: true
updateStrategy:
type: Recreate
livenessProbe:
enabled: true
initialDelaySeconds: 600
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
successThreshold: 1
readinessProbe:
enabled: true
path: /
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
successThreshold: 1
adminUsername: ${admin_username}
adminPassword: ${admin_password}
adminEmail: ${admin_email}
appName: app_name
persistence:
existingClaim: gitea-pvc
service:
ports:
http: 10080
ssh: 10022
postgresql:
enabled: false
externalDatabase:
host: ${db_host}
port: ${db_port}
user: ${db_user}
database: ${db_name}
password: ${db_password}

46
kubernetes/apps/gitea/app/volume.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitea-pv
namespace: gitea
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 32Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/gitea"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: gitea-pvc
namespace: gitea
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-pvc
namespace: gitea
labels:
name: gitea-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 32Gi

47
kubernetes/apps/gitea/gitea.yaml
View File

@@ -1,47 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: gitea-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: gitea
path: ./gitea
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: gitea
namespace: gitea
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/gitea/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: gitea-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: gitea-secrets

43
kubernetes/apps/homer/app/development.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: homer
namespace: homer
labels:
app.kubernetes.io/name: homer
spec:
selector:
matchLabels:
app.kubernetes.io/name: homer
template:
metadata:
labels:
app.kubernetes.io/name: homer
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
containers:
- name: homer
image: b4bz/homer:v24.05.1
securityContext:
allowPrivilegeEscalation: false
env:
- name: PORT
value: "8088"
- name: INIT_ASSETS
value: "0"
ports:
- protocol: TCP
containerPort: 8088
name: http
volumeMounts:
- name: assets
mountPath: /www/assets
volumes:
- name: assets
hostPath:
path: /mnt/nfs/AppData/homer/www/assets
type: Directory

21
kubernetes/apps/homer/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homer-ingress
namespace: homer
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "home.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: homer
port:
number: 8088

17
kubernetes/apps/homer/app/service.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: homer
namespace: homer
labels:
app.kubernetes.io/name: homer
spec:
selector:
app.kubernetes.io/name: homer
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 8088
targetPort: 8088
name: http

15
kubernetes/apps/homer/homer.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: homer
namespace: homer
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/homer/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

31
kubernetes/apps/jellyfin/app/ingress.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: jellyfin
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "jellyfin.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: jellyfin
port:
number: 8096
- host: "jellyfin.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: jellyfin
port:
number: 8096

51
kubernetes/apps/jellyfin/app/pvc.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-config
namespace: jellyfin
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 250Mi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/jellyfin/config"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-data
namespace: jellyfin
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 2Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/jellyfin/data"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2

169
kubernetes/apps/jellyfin/app/release.yaml
View File

@@ -1,169 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: jellyfin
namespace: jellyfin
spec:
releaseName: jellyfin
targetNamespace: jellyfin
chart:
spec:
chart: jellyfin
sourceRef:
kind: HelmRepository
name: beluga-cloud
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
persistence:
config:
enabled: true
volumeClaimSpec:
accessModes:
- ReadWriteOnce
volumeName: jellyfin-config
storageClassName: local-path
data:
enabled: true
volumeClaimSpec:
accessModes:
- ReadWriteOnce
volumeName: jellyfin-data
storageClassName: local-path
jellyfin:
mediaVolumes:
- name: movies
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-movies
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/movies"
type: "Directory"
- name: series
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-series
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/series"
type: "Directory"
- name: music-videos
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-music-videos
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/music-videos"
type: "Directory"
- name: short-videos
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-short-videos
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/short-videos"
type: "Directory"
- name: gv
readOnly: false
volumeSpec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: jellyfin-mediavol-gv
namespace: jellyfin
hostPath:
path: "/mnt/nfs/AppData/jellyfin/media/gv"
type: "Directory"
persistentTranscodes: true

16
kubernetes/apps/jellyfin/jellyfin.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: jellyfin
namespace: jellyfin
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/jellyfin/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

58
kubernetes/apps/kavita/app/development.yaml
View File

@@ -1,58 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kavita
namespace: kavita
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
annotations:
kubectl.kubernetes.io/default-container: kavita
spec:
selector:
matchLabels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
template:
metadata:
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
spec:
containers:
- image: jvmilazz0/kavita:0.8.1
imagePullPolicy: IfNotPresent
name: kavita
ports:
- containerPort: 5000
name: http
protocol: TCP
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: kavita-config
mountPath: /kavita/config
- name: kavita-manga
mountPath: /manga
- name: kavita-book
mountPath: /book
- name: kavita-doc
mountPath: /doc
volumes:
- name: kavita-config
hostPath:
path: /mnt/nfs/AppData/kavita/config
type: Directory
- name: kavita-manga
hostPath:
path: /mnt/nfs/AppData/kavita/manga
type: Directory
- name: kavita-book
hostPath:
path: /mnt/nfs/AppData/kavita/book
type: Directory
- name: kavita-doc
hostPath:
path: /mnt/nfs/AppData/kavita/doc
type: Directory

21
kubernetes/apps/kavita/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kavita-ingress
namespace: kavita
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "kavita.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: kavita
port:
number: 5000

18
kubernetes/apps/kavita/app/service.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: kavita
namespace: kavita
labels:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita
spec:
type: ClusterIP
ports:
- port: 5000
targetPort: 5000
protocol: TCP
name: http
selector:
app.kubernetes.io/name: kavita
app.kubernetes.io/instance: kavita

16
kubernetes/apps/kavita/kavita.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kavita
namespace: kavita
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/kavita/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

19
kubernetes/apps/kustomization.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./adguard-home/adguard-home.yaml
- ./capacitor/capacitor.yaml
- ./code-server/code-server.yaml
- ./dokuwiki/dokuwiki.yaml
- ./gitea/gitea.yaml
- ./homer/homer.yaml
- ./jellyfin/jellyfin.yaml
- ./kavita/kavita.yaml
- ./nexus/nexus.yaml
- ./podinfo/podinfo.yaml
- ./qbittorrent/qbittorrent.yaml
- ./snippet-box/snippet-box.yaml
- ./sonarqube/sonarqube.yaml
- ./uptime-kuma/uptime-kuma.yaml
- ./vaultwarden/vaultwarden.yaml
- ./weave-gitops/weave-gitops.yaml

38
kubernetes/apps/nexus/app/deployment.yaml
View File

@@ -1,38 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nexus
namespace: nexus
spec:
replicas: 1
selector:
matchLabels:
app: nexus
template:
metadata:
labels:
app: nexus
spec:
securityContext:
runAsUser: 0
runAsGroup: 0
containers:
- name: nexus
image: klo2k/nexus3:3.68.1-02
resources:
limits:
memory: "3Gi"
cpu: "1"
requests:
memory: "2Gi"
cpu: "500m"
ports:
- containerPort: 8081
volumeMounts:
- name: nexus-data
mountPath: /nexus-data
volumes:
- name: nexus-data
hostPath:
path: /mnt/nfs/AppData/nexus
type: Directory

17
kubernetes/apps/nexus/app/service.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nexus
namespace: nexus
annotations:
prometheus.io/scrape: 'true'
prometheus.io/path: /
prometheus.io/port: '8081'
spec:
selector:
app: nexus
type: NodePort
ports:
- port: 8081
targetPort: 8081
nodePort: 32000

15
kubernetes/apps/nexus/nexus.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: nexus
namespace: nexus
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/nexus/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

27
kubernetes/apps/podinfo/app/release.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: podinfo
namespace: podinfo
spec:
releaseName: podinfo
chart:
spec:
chart: podinfo
sourceRef:
kind: HelmRepository
name: podinfo
interval: 50m
install:
remediation:
retries: 3
# Default values
# https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
values:
redis:
enabled: true
repository: public.ecr.aws/docker/library/redis
tag: 7.0.6
ingress:
enabled: true
className: nginx

8
kubernetes/apps/podinfo/app/repository.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 5m
url: https://stefanprodan.github.io/podinfo

16
kubernetes/apps/podinfo/podinfo.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/podinfo/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

21
kubernetes/apps/qbittorrent/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: qbittorrent-ingress
namespace: qbittorrent
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "qbittorrent.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: qbittorrent-qbittorrent-web
port:
number: 8888

32
kubernetes/apps/qbittorrent/app/release.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: qbittorrent
namespace: qbittorrent
spec:
targetNamespace: qbittorrent
chart:
spec:
chart: qbittorrent
sourceRef:
kind: HelmRepository
name: adminafk
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
service:
web:
port: 8888
torrent:
port: 8388
config:
persistence:
name: config
storageClass: local-path
size: 5Gi
volumeMounts:
- name: download
mountPath: /download

93
kubernetes/apps/qbittorrent/app/volume.yaml
View File

@@ -1,93 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: config
namespace: qbittorrent
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/qbittorrent/config"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: config
namespace: qbittorrent
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# name: qbittorrent-config-pvc
# namespace: qbittorrent
# labels:
# name: qbittorrent-config-pvc
#spec:
# storageClassName: local-path
# volumeMode: Filesystem
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 5Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: download
namespace: qbittorrent
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 64Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/qbittorrent/download"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: download
namespace: qbittorrent
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: download
namespace: qbittorrent
labels:
name: download
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi

16
kubernetes/apps/qbittorrent/qbittorrent.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: qbittorrent
namespace: qbittorrent
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/qbittorrent/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

10
kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml
View File

@@ -1,10 +0,0 @@
spec:
ports:
- name: torrent-tcp
port: 8388
targetPort: 8388
protocol: TCP
- name: torrent-udp
port: 8388
targetPort: 8388
protocol: UDP

4
kubernetes/apps/qbittorrent/scripts/patch-ingress-nginx.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
set -e
kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml)"

34
kubernetes/apps/snippet-box/app/development.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: snippet-box
namespace: snippet-box
labels:
app.kubernetes.io/name: snippet-box
spec:
selector:
matchLabels:
app.kubernetes.io/name: snippet-box
template:
metadata:
labels:
app.kubernetes.io/name: snippet-box
spec:
containers:
- name: snippet-box
image: pawelmalak/snippet-box:arm
ports:
- protocol: TCP
containerPort: 5000
name: snippet-box
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: snippet-box-data
mountPath: /app/data
volumes:
- name: snippet-box-data
hostPath:
path: /mnt/nfs/AppData/snippet-box
type: Directory

21
kubernetes/apps/snippet-box/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: snippet-box-ingress
namespace: snippet-box
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "snippet-box.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: snippet-box
port:
number: 5000

17
kubernetes/apps/snippet-box/app/service.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: snippet-box
namespace: snippet-box
labels:
app.kubernetes.io/name: snippet-box
spec:
selector:
app.kubernetes.io/name: snippet-box
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 5000
targetPort: 5000
name: snippet-box

15
kubernetes/apps/snippet-box/snippet-box.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: snippet-box
namespace: snippet-box
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/snippet-box/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

47
kubernetes/apps/sonarqube/app/release.yaml
View File

@@ -1,47 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: sonarqube
namespace: sonarqube
spec:
releaseName: sonarqube
chart:
spec:
chart: sonarqube
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
sonarqubeUsername: ${sonarqube_username}
sonarqubePassword: ${sonarqube_password}
sonarqubeEmail: ${sonarqube_email}
smtpHost: ${smtp_host}
smtpPort: ${smtp_port}
smtpUser: ${smtp_user}
smtpPassword: ${smtp_password}
smtpProtocol: ${smtp_protocol}
service:
ports:
http: 8090
elastic: 9091
nodePorts:
http: 30080
elastic: 30091
persistence:
enabled: true
storageClass: local-path
size: "32Gi"
existingClaim: "sonarqube-pvc"
postgresql:
enabled: false
externalDatabase:
host: ${db_host}
user: ${db_user}
password: ${db_password}
database: ${db_name}
port: ${db_port}

46
kubernetes/apps/sonarqube/app/volume.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: sonarqube-pv
namespace: sonarqube
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 32Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/sonarqube"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: sonarqube-pvc
namespace: sonarqube
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarqube-pvc
namespace: sonarqube
labels:
name: sonarqube-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 32Gi

46
kubernetes/apps/sonarqube/sonarqube.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sonarqube-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: sonarqube
path: ./sonarqube
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sonarqube
namespace: sonarqube
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/sonarqube/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: sonarqube-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: sonarqube-secrets

21
kubernetes/apps/uptime-kuma/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: uptime-kuma-ingress
namespace: uptime-kuma
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "uptime-kuma.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: uptime-kuma
port:
number: 3001

46
kubernetes/apps/uptime-kuma/app/pvc.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: uptime-kuma-pv
namespace: uptime-kuma
labels:
type: local
spec:
storageClassName: local-path
volumeMode: Filesystem
capacity:
storage: 4Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
local:
path: "/mnt/nfs/AppData/uptime-kuma"
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
name: uptime-kuma-pvc
namespace: uptime-kuma
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- rpi5-cluster-node-1
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: uptime-kuma-pvc
namespace: uptime-kuma
labels:
name: uptime-kuma-pvc
spec:
storageClassName: local-path
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi

26
kubernetes/apps/uptime-kuma/app/release.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: uptime-kuma
namespace: uptime-kuma
spec:
releaseName: uptime-kuma
targetNamespace: uptime-kuma
chart:
spec:
chart: uptime-kuma
version: 2.18.1
sourceRef:
kind: HelmRepository
name: irsigler
namespace: flux-system
interval: 1h
install:
remediation:
retries: 3
values:
volume:
enabled: true
accessMode: ReadWriteOnce
size: 4Gi
existingClaim: "uptime-kuma-pvc"

15
kubernetes/apps/uptime-kuma/uptime-kuma.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: uptime-kuma
namespace: uptime-kuma
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/uptime-kuma/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

48
kubernetes/apps/vaultwarden/app/deployment.yaml
View File

@@ -1,48 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
spec:
selector:
matchLabels:
app.kubernetes.io/name: vaultwarden
template:
metadata:
labels:
app.kubernetes.io/name: vaultwarden
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-world: "true"
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
containers:
- securityContext:
runAsUser: 1000
runAsNonRoot: true
runAsGroup: 1000
name: vaultwarden
image: vaultwarden/server:1.31.0
env:
- name: DOMAIN
value: https://vaultwarden.cluster.edward.sydney
- name: SIGNUPS_ALLOWED
value: "true"
- name: DATABASE_URL
value: postgresql://${db_username}:${db_password}@${db_host}:5432/${db_name}
ports:
- protocol: TCP
containerPort: 80
name: http
volumeMounts:
- name: vaultwarden-data
mountPath: /data
volumes:
- name: vaultwarden-data
hostPath:
path: /mnt/nfs/AppData/vaultwarden/data
type: Directory

21
kubernetes/apps/vaultwarden/app/ingress.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden-ingress
namespace: vaultwarden
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "vaultwarden.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: vaultwarden
port:
number: 11080

17
kubernetes/apps/vaultwarden/app/service.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
spec:
selector:
app.kubernetes.io/name: vaultwarden
type: ClusterIP
internalTrafficPolicy: Cluster
ports:
- protocol: TCP
port: 11080
targetPort: 80
name: http

46
kubernetes/apps/vaultwarden/vaultwarden.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: vaultwarden-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: vaultwarden
path: ./vaultwarden
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/vaultwarden/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: vaultwarden-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: vaultwarden-secrets

31
kubernetes/apps/weave-gitops/app/ingress.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: weave-gitops-ingress
namespace: flux-system
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "weave-gitops.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: ww-gitops-weave-gitops
port:
number: 9001
- host: "weave-gitops.cluster.local"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: ww-gitops-weave-gitops
port:
number: 9001

41
kubernetes/apps/weave-gitops/app/release.yaml
View File

@@ -1,41 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
annotations:
metadata.weave.works/description: This is the source location for the Weave GitOps
Dashboard's helm chart.
labels:
app.kubernetes.io/component: ui
app.kubernetes.io/created-by: weave-gitops-cli
app.kubernetes.io/name: weave-gitops-dashboard
app.kubernetes.io/part-of: weave-gitops
name: ww-gitops
namespace: flux-system
spec:
interval: 1h0m0s
type: oci
url: oci://ghcr.io/weaveworks/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
annotations:
metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides
a simple way to get insights into your GitOps workloads.
name: ww-gitops
namespace: flux-system
spec:
chart:
spec:
chart: weave-gitops
sourceRef:
kind: HelmRepository
name: ww-gitops
interval: 1h0m0s
values:
adminUser:
create: true
passwordHash: $2a$10$gnPEHsFzIJXg/eron5LiQ.teGZkKETxuA2WAyKSbxHvxpkzWJvbDe
username: admin

15
kubernetes/apps/weave-gitops/weave-gitops.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: weave-gitops
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/apps/weave-gitops/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

44
kubernetes/infrastructure/cert-manager/app/release.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
namespace: cert-manager
name: cert-manager
interval: 1h
install:
crds: Create
upgrade:
crds: CreateReplace
values:
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1

8
kubernetes/infrastructure/cert-manager/app/repository.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
url: https://charts.jetstack.io

125
kubernetes/infrastructure/cert-manager/cert-manager.yaml
View File

@@ -1,125 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: namespaces
namespace: flux-system
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
namespace: flux-system
- name: cert-manager
namespace: cert-manager
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: certificate-secrets
namespace: flux-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./certificates
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: namespaces
namespace: flux-system
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: certificates
namespace: cert-manager
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: cert-manager
path: ./kubernetes/infrastructure/cert-manager/certificates
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: certificate-secrets
namespace: flux-system
- name: cert-manager
namespace: cert-manager
- name: clusterissuer
namespace: cert-manager
postBuild:
substituteFrom:
- kind: Secret
name: certificate-secrets

64
kubernetes/infrastructure/cert-manager/certificates/adguard-home.yaml
View File

@@ -1,64 +0,0 @@
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: adguard-home-cert
# namespace: cert-manager
#spec:
# # Secret names are always required.
# secretName: adguard-home.cluster.edward.sydney-tls
#
# privateKey:
# algorithm: RSA
# encoding: PKCS1
# size: 2048
#
# # keystores allows adding additional output formats. This is an example for reference only.
# keystores:
# pkcs12:
# create: true
# passwordSecretRef:
# name: adguard-home-tls-keystore
# key: ${adguard_home_certificate_tls_keystore_password}
# profile: Modern2023
#
# duration: 2160h # 90d
# renewBefore: 360h # 15d
#
# isCA: false
# usages:
# - server auth
# - client auth
#
# subject:
# organizations:
# - edward.sydney
#
# # The literalSubject field is exclusive with subject and commonName. It allows
# # specifying the subject directly as a string. This is useful for when the order
# # of the subject fields is important or when the subject contains special types
# # which can be specified by their OID.
# #
# # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
#
# # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
# dnsNames:
# - "${adguard_home_certificate_dns_name}"
# - "*.${adguard_home_certificate_dns_name}"
# emailAddresses:
# - ${adguard_home_certificate_email}
#
# # Issuer references are always required.
# issuerRef:
# name: clusterissuer
# # We can reference ClusterIssuers by changing the kind here.
# # The default value is Issuer (i.e. a locally namespaced Issuer)
# kind: ClusterIssuer
# # This is optional since cert-manager will default to this value however
# # if you are using an external issuer, change this to that issuer group.
# group: cert-manager.io
#The certificate request has failed to complete and will be retried:
# Failed to wait for order resource "adguard-home-cert-1-1931876784" to become
# ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited:
# Error creating new order :: too many certificates already issued for "edward.sydney".
# Retry after 2024-06-25T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/

22
kubernetes/infrastructure/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cluster-issuer-account-key
solvers:
- dns01:
cloudflare:
email: ${email}
apiTokenSecretRef:
name: clusterissuer-secrets
key: cloudflare_api_token
selector:
dnsNames:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"

43
kubernetes/infrastructure/cilium/app/release.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cilium
namespace: kube-system
spec:
chart:
spec:
chart: cilium
version: 1.15.5
sourceRef:
kind: HelmRepository
namespace: kube-system
name: cilium
install:
crds: Create
upgrade:
crds: CreateReplace
interval: 1h
driftDetection:
mode: enabled
values:
global:
encryption:
enabled: true
nodeEncryption: true
policyEnforcementMode: default
operator:
replicas: 1
ipam:
mode: cluster-pool
operator:
clusterPoolIPv4PodCIDRList: [10.42.0.0/16]
clusterPoolIPv4MaskSize: 24
dnsProxy:
dnsRejectResponseCode: nameError
cni:
exclusive: false

35
kubernetes/infrastructure/cilium/cilium.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cilium
namespace: kube-system
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/cilium/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cilium-networkpolicies
namespace: kube-system
spec:
suspend: false
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/cilium/networkpolicies
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: ingress-nginx
namespace: ingress-nginx

4
kubernetes/infrastructure/cilium/kustomization.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cilium.yaml

21
kubernetes/infrastructure/cilium/networkpolicies/coredns.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: coredns
namespace: kube-system
spec:
endpointSelector:
matchLabels:
k8s-app: kube-dns
egress:
- toEntities:
- world
toPorts:
- ports:
- port: "53"
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"

20
kubernetes/infrastructure/cilium/networkpolicies/egress-kube-dns.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kube-dns
namespace: kube-system
spec:
endpointSelector:
matchExpressions:
- key: rpi5.cluster.policy/egress-kube-dns
operator: NotIn
values:
- "false"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"

22
kubernetes/infrastructure/cilium/networkpolicies/egress-kubeapi.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kubeapi
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "443"
- port: "6443"

12
kubernetes/infrastructure/cilium/networkpolicies/egress-namespace.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-namespace
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-namespace: "true"
egress:
- toEndpoints:
- {}

13
kubernetes/infrastructure/cilium/networkpolicies/egress-nodes.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-nodes
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-nodes: "true"
egress:
- toEntities:
- host
- remote-node

12
kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-world
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-world: "true"
egress:
- toCIDRSet:
- cidr: 0.0.0.0/0

12
kubernetes/infrastructure/cilium/networkpolicies/ingress-namespace.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-namespace
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-namespace: "true"
ingress:
- fromEndpoints:
- {}

67
kubernetes/infrastructure/cilium/networkpolicies/ingress-nginx.yaml
View File

@@ -1,67 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-ingress
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: ingress-nginx
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
egress:
- toEndpoints:
- matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-ingress
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: egress-nginx
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
ingress:
- fromEndpoints:
- matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists

13
kubernetes/infrastructure/cilium/networkpolicies/ingress-nodes.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-nodes
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-nodes: "true"
ingress:
- fromEntities:
- host
- remote-node

12
kubernetes/infrastructure/cilium/networkpolicies/ingress-world.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-world
namespace: kube-system
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-world: "true"
ingress:
- fromEntities:
- world

16
kubernetes/infrastructure/cilium/networkpolicies/local-path-provisioner.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: local-path-provisioner
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app: local-path-provisioner
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"

16
kubernetes/infrastructure/consul/app/service.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: consul
namespace: consul
labels:
app: consul
spec:
ports:
- name: http
protocol: TCP
port: 8500
targetPort: 8500
selector:
app: consul
type: ClusterIP

46
kubernetes/infrastructure/consul/app/statefulset.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: consul
namespace: consul
labels:
app: consul
spec:
replicas: 1
selector:
matchLabels:
app: consul
template:
metadata:
labels:
app: consul
spec:
containers:
- name: consul
image: 'consul:1.15.4'
args:
- agent
ports:
- name: http
containerPort: 8500
protocol: TCP
env:
- name: TZ
value: Australia/Sydney
volumeMounts:
- name: consul-data
mountPath: /consul/data
- name: consul-config
mountPath: /consul/config
imagePullPolicy: IfNotPresent
volumes:
- name: consul-data
hostPath:
path: /mnt/nfs/AppData/consul/data
type: Directory
- name: consul-config
hostPath:
path: /mnt/nfs/AppData/consul/config
type: Directory
restartPolicy: Always
serviceName: consul

18
kubernetes/infrastructure/consul/consul.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: consul
namespace: consul
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/consul/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system

50
kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml
View File

@@ -1,50 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: grafana-dashboards-secrets
namespace: flux-system
spec:
suspend: true
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: prometheus
path: ./grafana-dashboards
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: grafana-dashboards
namespace: prometheus
spec:
suspend: true
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/grafana-dashboards/dashboards
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system
- name: grafana-dashboards-secrets
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: grafana-dashboards-secrets

113
kubernetes/infrastructure/ingress-nginx/app/release.yaml
View File

@@ -1,113 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: ingress-nginx
version: 4.10.1
sourceRef:
kind: HelmRepository
namespace: ingress-nginx
name: ingress-nginx
interval: 1h
values:
rbac:
create: true
controller:
priorityClassName: system-cluster-critical
extraArgs:
update-status-on-shutdown: "false"
tcp-services-configmap: "ingress-nginx/tcp-services"
udp-services-configmap: "ingress-nginx/udp-services"
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world-with-lan: "true"
rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-prometheus: "true"
rpi5.cluster.policy/ingress-world: "true"
allowSnippetAnnotations: true
# maxmindLicenseKey: ${geoip_license_key}
config:
proxy-buffer-size: 16k
use-gzip: ${use_gzip:=true}
enable-brotli: ${enable_brotli:=true}
hsts-max-age: ${hsts_max_age:=31536000}
hsts-preload: ${hsts_preload:=true}
disable-ipv6: ${disable_ipv6:=false}
disable-ipv6-dns: ${disable_ipv6_dns:=false}
keep-alive-requests: ${keep_alive_requests:=1000}
use-geoip2: ${use_geoip2:=true}
custom-http-errors: 401,403,404,500,501,502,503,504
extraEnvs:
- name: TZ
value: Australia/Sydney
addHeaders:
Referrer-Policy: same-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
ingressClassResource:
default: true
service:
externalTrafficPolicy: Cluster
ipFamilyPolicy: SingleStack
metrics:
enabled: ${metrics_enabled:=false}
# serviceMonitor:
# enabled: ${metrics_enabled:=false}
# scrapeInterval: 1m
admissionWebhooks:
labels:
rpi5.cluster.policy/egress-kubeapi: "true"
patch:
labels:
rpi5.cluster.policy/egress-kubeapi: "true"
spec:
template:
spec:
containers:
volumeMounts:
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
volumes:
- name: nginx-template-volume
hostPath:
path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
type: Directory
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
pullPolicy: IfNotPresent
extraEnvs:
- name: TEMPLATE_NAME
value: connection
- name: SHOW_DETAILS
value: "true"
- name: READ_BUFFER_SIZE
value: "8192"
podLabels:
rpi5.cluster.policy/ingress-namespace: "true"

8
kubernetes/infrastructure/ingress-nginx/app/repository.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
interval: 1h
url: https://kubernetes.github.io/ingress-nginx

24
kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: ingress-nginx
data:
"53": "adguard-home/adguard-home:53"
"853": "adguard-home/adguard-home:853"
"5443": "adguard-home/adguard-home:5443"
"6060": "adguard-home/adguard-home:6060"
"8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-services
namespace: ingress-nginx
data:
"53": "adguard-home/adguard-home:53"
"67": "adguard-home/adguard-home:67"
"68": "adguard-home/adguard-home:68"
"853": "adguard-home/adguard-home:853"
"5443": "adguard-home/adguard-home:5443"
"8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"

9
kubernetes/infrastructure/ingress-nginx/config/values.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-values
namespace: ingress-nginx
data:
use_geoip2: "false"
disable_ipv6: "true"
disable_ipv6_dns: "true"

15
kubernetes/infrastructure/ingress-nginx/ingress-nginx-config.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: ingress-nginx-config
namespace: ingress-nginx
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/ingress-nginx/config
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system

91
kubernetes/infrastructure/ingress-nginx/ingress-nginx.yaml
View File

@@ -1,91 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
targetNamespace: ingress-nginx
path: ./kubernetes/infrastructure/ingress-nginx/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: ingress-nginx-config
postBuild:
substituteFrom:
- kind: ConfigMap
name: ingress-nginx-values
patches:
- target:
kind: Service
name: ingress-nginx-controller
namespace: ingress-nginx
patch: |
- op: add
path: /spec/ports/-
value:
name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
- op: add
path: /spec/ports/-
value:
name: dns-udp
port: 53
targetPort: 53
protocol: UDP
- op: add
path: /spec/ports/-
value:
name: dhcps-udp
port: 67
targetPort: 67
protocol: UDP
- op: add
path: /spec/ports/-
value:
name: dhcpc-udp
port: 68
targetPort: 68
protocol: UDP
- op: add
path: /spec/ports/-
value:
name: dns-tls-tcp
port: 853
targetPort: 853
protocol: TCP
- op: add
path: /spec/ports/-
value:
name: dns-tls-udp
port: 853
targetPort: 853
protocol: UDP
- op: add
path: /spec/ports/-
value:
name: dnscrypt-tcp
port: 5443
targetPort: 5443
protocol: TCP
- op: add
path: /spec/ports/-
value:
name: dnscrypt-udp
port: 5443
targetPort: 5443
protocol: UDP
- op: add
path: /spec/ports/-
value:
name: https-pprof
port: 6060
targetPort: 6060
protocol: TCP

5
kubernetes/infrastructure/ingress-nginx/kustomization.yaml
View File

@@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ingress-nginx.yaml
- ingress-nginx-config.yaml

22
kubernetes/infrastructure/kustomization.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./cert-manager/cert-manager.yaml
# - ./cilium/cilium.yaml
- ./consul/consul.yaml
# - ./grafana-dashboards/grafana-dashboards.yaml
- ./ingress-nginx/ingress-nginx.yaml
- ./ingress-nginx/ingress-nginx-config.yaml
- ./local-path-provisioner/local-path-provisioner.yaml
- ./logstash/logstash.yaml
- ./minio/minio.yaml
# - ./mongodb/mongodb.yaml
- ./namespaces/namespaces.yaml
- ./new-relic/new-relic.yaml
- ./postgresql/postgresql.yaml
- ./prometheus/prometheus.yaml
- ./prometheus-alertmanager/prometheus-alertmanager.yaml
- ./prometheus-exporters/prometheus-exporters.yaml
- ./redis/redis.yaml
# - ./renovate/renovate.yaml
- ./repositories/repositories.yaml

149
kubernetes/infrastructure/local-path-provisioner/app/local-path-provisioner.yaml
View File

@@ -1,149 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: local-path-provisioner-service-account
namespace: local-path-storage
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: local-path-provisioner-role
namespace: local-path-storage
rules:
- apiGroups: [ "" ]
resources: [ "pods" ]
verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: local-path-provisioner-role
rules:
- apiGroups: [ "" ]
resources: [ "nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumes" ]
verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "create", "patch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses" ]
verbs: [ "get", "list", "watch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: local-path-provisioner-bind
namespace: local-path-storage
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: local-path-provisioner-role
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: local-path-storage
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: local-path-provisioner-bind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: local-path-provisioner-role
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: local-path-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: local-path-provisioner
namespace: local-path-storage
spec:
replicas: 1
selector:
matchLabels:
app: local-path-provisioner
template:
metadata:
labels:
app: local-path-provisioner
spec:
serviceAccountName: local-path-provisioner-service-account
containers:
- name: local-path-provisioner
image: rancher/local-path-provisioner:v0.0.28
imagePullPolicy: IfNotPresent
command:
- local-path-provisioner
- --debug
- start
- --config
- /etc/config/config.json
volumeMounts:
- name: config-volume
mountPath: /etc/config/
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_MOUNT_PATH
value: /etc/config/
volumes:
- name: config-volume
configMap:
name: local-path-config
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: local-path
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
---
kind: ConfigMap
apiVersion: v1
metadata:
name: local-path-config
namespace: local-path-storage
data:
config.json: |-
{
"nodePathMap": [
{
"node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
"paths": [
"/opt/local-path-provisioner"]
}
]
}
setup: |-
#!/bin/sh
set -eu
mkdir -m 0777 -p "$VOL_DIR"
teardown: |-
#!/bin/sh
set -eu
rm -rf "$VOL_DIR"
helperPod.yaml: |-
apiVersion: v1
kind: Pod
metadata:
name: helper-pod
spec:
priorityClassName: system-node-critical
tolerations:
- key: node.kubernetes.io/disk-pressure
operator: Exists
effect: NoSchedule
containers:
- name: helper-pod
image: busybox
imagePullPolicy: IfNotPresent

19
kubernetes/infrastructure/local-path-provisioner/local-path-provisioner.yaml
View File

@@ -1,19 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: local-path-provisioner
namespace: local-path-storage
spec:
interval: 10m
timeout: 1m30s
retryInterval: 30s
path: ./kubernetes/infrastructure/local-path-provisioner/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: namespaces
namespace: flux-system

31
kubernetes/infrastructure/logstash/app/ingress.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: logstash-ingress
namespace: logstash
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: "omada.logstash.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: logstash
port:
number: 8008
- host: "logstash.cluster.edward.sydney"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: logstash
port:
number: 9600

46
kubernetes/infrastructure/logstash/app/pipelines.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-pipelines
namespace: logstash
data:
pipelines.yaml: |
- pipeline.id: omada
path.config: "/opt/bitnami/logstash/config/omada.conf"
- pipeline.id: misc
path.config: "/opt/bitnami/logstash/config/misc.conf"
omada.conf: |
input {
tcp {
port => 1514
type => syslog
}
udp {
port => 1514
type => syslog
}
http {
port => 8008
}
}
output {
s3 {
access_key_id => ${omada_s3_access_key_id}
bucket => "logstash"
canned_acl => "bucket-owner-read"
endpoint => "http://minio.minio.svc.cluster.local:19000"
prefix => "omada/%{+YYYY}/%{+MM}/%{+dd}"
region: "ap-southeast-2"
secret_access_key => ${omada_s3_secret_access_key}
time_file => 60
}
}
misc.conf: |
input {
file {
path => "/tmp/misc"
}
}
output {
stdout { }
}

Some files were not shown because too many files have changed in this diff Show More