adding ingress for testing

Misc

kubernetes/apps/adguard-home/adguard-home.yaml

@@ -2,11 +2,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: adguard-home
-  namespace: flux-system
+  namespace: adguard-home
 spec:
-  interval: 1h
+  interval: 10m
-  targetNamespace: flux-system
+  timeout: 1m30s
-  path: ./kubernetes/apps/adguard-home
+  retryInterval: 30s
+  path: ./kubernetes/apps/adguard-home/app
   prune: true
   sourceRef:
     kind: GitRepository

kubernetes/apps/adguard-home/app/deployment.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: adguard-home
+  namespace: adguard-home
+  labels:
+    app.kubernetes.io/name: adguard-home
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: adguard-home
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: adguard-home
+        rpi5.cluster.policy/egress-kubeapi: "true"
+        rpi5.cluster.policy/egress-namespace: "true"
+        rpi5.cluster.policy/egress-world: "true"
+        rpi5.cluster.policy/ingress-namespace: "true"
+        rpi5.cluster.policy/ingress-nginx: "true"
+        rpi5.cluster.policy/ingress-nodes: "true"
+        rpi5.cluster.policy/ingress-world: "true"
+    spec:
+      containers:
+        - name: adguard-home
+          image: adguard/adguardhome:v0.107.51
+          ports:
+            - protocol: TCP
+              containerPort: 53
+              name: dns-tcp
+            - protocol: UDP
+              containerPort: 53
+              name: dns-udp
+            - protocol: UDP
+              containerPort: 67
+              name: dhcps-udp
+            - protocol: UDP
+              containerPort: 68
+              name: dhcpc-udp
+            - protocol: TCP
+              containerPort: 80
+              name: http-tcp
+            - protocol: TCP
+              containerPort: 443
+              name: https-tcp
+            - protocol: UDP
+              containerPort: 443
+              name: https-udp
+            - protocol: TCP
+              containerPort: 853
+              name: dns-tls-tcp
+            - protocol: UDP
+              containerPort: 853
+              name: dns-tls-udp
+            - protocol: TCP
+              containerPort: 3000
+              name: http-alt-tcp
+            - protocol: UDP
+              containerPort: 3000
+              name: http-alt-udp
+            - protocol: TCP
+              containerPort: 5443
+              name: dnscrypt-tcp
+            - protocol: UDP
+              containerPort: 5443
+              name: dnscrypt-udp
+            - protocol: TCP
+              containerPort: 6060
+              name: http-pprof
+          env:
+            - name: TZ
+              value: Australia/Sydney
+          volumeMounts:
+            - name: adguard-home-data
+              mountPath: /opt/adguardhome/work
+            - name: adguard-home-config
+              mountPath: /opt/adguardhome/conf
+      volumes:
+        - name: adguard-home-data
+          hostPath:
+            path: /mnt/nfs/AppData/adguardhome/work
+            type: Directory
+        - name: adguard-home-config
+          hostPath:
+            path: /mnt/nfs/AppData/adguardhome/conf
+            type: Directory

kubernetes/apps/adguard-home/app/ingress.yaml

@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: adguard-home-ingress
+  namespace: adguard-home
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "adguard-home.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: adguard-home
+                port:
+                  number: 10080
+    - host: "adguard-home.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: adguard-home
+                port:
+                  number: 10080
+    - host: "setup.adguard-home.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: adguard-home
+                port:
+                  number: 13000
+    - host: "setup.adguard-home.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: adguard-home
+                port:
+                  number: 13000
+    - host: "doh.adguard-home.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: adguard-home
+                port:
+                  number: 443

kubernetes/apps/adguard-home/app/service.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: adguard-home
+  namespace: adguard-home
+  labels:
+    app.kubernetes.io/name: adguard-home
+spec:
+  selector:
+    app.kubernetes.io/name: adguard-home
+  type: ClusterIP
+  internalTrafficPolicy: Cluster
+  ports:
+    - protocol: TCP
+      port: 53
+      targetPort: 53
+      name: dns-tcp
+    - protocol: UDP
+      port: 53
+      targetPort: 53
+      name: dns-udp
+    - protocol: UDP
+      port: 67
+      targetPort: 67
+      name: dhcps-udp
+    - protocol: UDP
+      port: 68
+      targetPort: 68
+      name: dhcpc-udp
+    - protocol: TCP
+      port: 10080
+      targetPort: 80
+      name: http-tcp
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+      name: https-tcp
+    - protocol: UDP
+      port: 443
+      targetPort: 443
+      name: https-udp
+    - protocol: TCP
+      port: 853
+      targetPort: 853
+      name: dns-tls-tcp
+    - protocol: UDP
+      port: 853
+      targetPort: 853
+      name: dns-tls-udp
+    - protocol: TCP
+      port: 13000
+      targetPort: 3000
+      name: https-alt-tcp
+    - protocol: UDP
+      port: 13000
+      targetPort:  3000
+      name: https-alt-udp
+    - protocol: TCP
+      port: 5443
+      targetPort: 5443
+      name: dnscrypt-tcp
+    - protocol: UDP
+      port: 5443
+      targetPort: 5443
+      name: dnscrypt-udp
+    - protocol: TCP
+      port: 6060
+      targetPort: 6060
+      name: https-pprof

kubernetes/apps/adguard-home/release.yaml

@@ -1,53 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: adguard-home
-  namespace: adguard-home
-spec:
-  releaseName: adguard-home
-  chart:
-    spec:
-      chart: adguard-home
-      sourceRef:
-        kind: HelmRepository
-        name: truecharts
-        namespace: flux-system
-  interval: 5m
-  install:
-    remediation:
-      retries: 3
-  values:
-    service:
-      main:
-        ports:
-          main:
-            port: 10080
-            protocol: http
-      setup:
-        enabled: true
-        ports:
-          setup:
-            enabled: true
-            port: 13000
-            targetPort: 3000
-    persistence:
-      config:
-        enabled: true
-        hostPath: /mnt/nfs/AppData/adguardhome/conf
-        type: Directory
-      work:
-        enabled: true
-        hostPath: /mnt/nfs/AppData/adguardhome/work
-        type: Directory
-    portal:
-      open:
-        enabled: true
-    container:
-      volumeMounts:
-        - name: work
-          mountPath: /opt/adguardhome/work
-          readOnly: false
-        - name: config
-          mountPath: /opt/adguardhome/conf
-          readOnly: false
-

kubernetes/apps/adguard-home/scripts/ingress-nginx-svc-controller-patch.yaml

@@ -0,0 +1,38 @@
+spec:
+  ports:
+    - name: dns-tcp
+      port: 53
+      targetPort: 53
+      protocol: TCP
+    - name: dns-udp
+      port: 53
+      targetPort: 53
+      protocol: UDP
+    - name: dhcps-udp
+      port: 67
+      targetPort: 67
+      protocol: UDP
+    - name: dhcpc-udp
+      port: 68
+      targetPort: 68
+      protocol: UDP
+    - name: dns-tls-tcp
+      port: 853
+      targetPort: 853
+      protocol: TCP
+    - name: dns-tls-udp
+      port: 853
+      targetPort: 853
+      protocol: UDP
+    - name: dnscrypt-tcp
+      port: 5443
+      targetPort: 5443
+      protocol: TCP
+    - name: dnscrypt-udp
+      port: 5443
+      targetPort: 5443
+      protocol: UDP
+    - name: https-pprof
+      port: 6060
+      targetPort: 6060
+      protocol: TCP

kubernetes/apps/adguard-home/scripts/patch-ingress-nginx.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"

kubernetes/apps/capacitor/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: capacitor-ingress
+  namespace: capacitor
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "capacitor.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: capacitor
+                port:
+                  number: 9000

kubernetes/apps/capacitor/app/manifest.yaml

@@ -0,0 +1,84 @@
+---
+# Source: onechart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: capacitor
+  namespace: capacitor
+  labels:
+    helm.sh/chart: onechart-0.63.0
+    app.kubernetes.io/name: onechart
+    app.kubernetes.io/instance: capacitor
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9000
+      targetPort: 9000
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: onechart
+    app.kubernetes.io/instance: capacitor
+---
+# Source: onechart/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: capacitor
+  namespace: capacitor
+  labels:
+    helm.sh/chart: onechart-0.63.0
+    app.kubernetes.io/name: onechart
+    app.kubernetes.io/instance: capacitor
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    kubectl.kubernetes.io/default-container: capacitor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: onechart
+      app.kubernetes.io/instance: capacitor
+  template:
+    metadata:
+      annotations:
+        checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      labels:
+        app.kubernetes.io/name: onechart
+        app.kubernetes.io/instance: capacitor
+        rpi5.cluster.policy/egress-kubeapi: "true"
+        rpi5.cluster.policy/egress-namespace: "true"
+        rpi5.cluster.policy/egress-world: "true"
+        rpi5.cluster.policy/ingress-namespace: "true"
+        rpi5.cluster.policy/ingress-nginx: "true"
+        rpi5.cluster.policy/ingress-nodes: "true"
+        rpi5.cluster.policy/ingress-world: "true"
+    spec:
+      containers:
+        - image: ghcr.io/gimlet-io/capacitor:v0.4.2
+          imagePullPolicy: IfNotPresent
+          name: capacitor
+          ports:
+            - containerPort: 9000
+              name: http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 9000
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 3
+          resources:
+            requests:
+              cpu: 200m
+              memory: 200Mi
+          securityContext: {}
+      initContainers: null
+      securityContext:
+        fsGroup: 999
+      serviceAccountName: capacitor

kubernetes/apps/capacitor/app/rbac.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: capacitor
+  namespace: capacitor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: capacitor
+rules:
+  - apiGroups:
+      - networking.k8s.io
+      - apps
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - ingresses
+      - deployments
+      - services
+      - secrets
+      - events
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - source.toolkit.fluxcd.io
+      - kustomize.toolkit.fluxcd.io
+      - helm.toolkit.fluxcd.io
+    resources:
+      - gitrepositories
+      - ocirepositories
+      - buckets
+      - helmrepositories
+      - helmcharts
+      - kustomizations
+      - helmreleases
+    verbs:
+      - get
+      - watch
+      - list
+      - patch # to allow force reconciling by adding an annotation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: capacitor
+subjects:
+  - kind: ServiceAccount
+    name: capacitor
+    namespace: flux-system
+roleRef:
+  kind: ClusterRole
+  name: capacitor
+  apiGroup: rbac.authorization.k8s.io

kubernetes/apps/capacitor/capacitor.yaml

@@ -1,27 +1,29 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: capacitor
-  namespace: flux-system
-spec:
-  interval: 12h
-  url: oci://ghcr.io/gimlet-io/capacitor-manifests
-  ref:
-    semver: ">=0.1.0"
----
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: capacitor
-  namespace: flux-system
+  namespace: capacitor
 spec:
-  targetNamespace: flux-system
+  interval: 10m
-  interval: 1h
+  timeout: 1m30s
-  retryInterval: 2m
+  retryInterval: 30s
-  timeout: 5m
+  path: ./kubernetes/apps/capacitor/app
-  wait: true
   prune: true
-  path: "./"
   sourceRef:
-    kind: OCIRepository
+    kind: GitRepository
-    name: capacitor
+    namespace: flux-system
+    name: flux-system
+  patches:
+    - target:
+        kind: (Service|Deployment)
+        name: capacitor
+        namespace: flux-system
+      patch: |
+        - op: replace
+          path: "/metadata/labels/app.kubernetes.io~1managed-by"
+          value: Flux
+        - op: remove
+          path: "/metadata/labels/helm.sh~1chart"
+        - op: add
+          path: "/metadata/labels/patched"
+          value: "true"

kubernetes/apps/cert-manager-old/cert-manager.yaml

@@ -1,65 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager-secrets
-  namespace: flux-system
-spec:
-  suspend: true
-  interval: 1h
-  path: ./cert-manager
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: home-cluster-ops-secrets
-  dependsOn:
-    - name: repositories
-      namespace: flux-system
-    - name: cert-manager
-      namespace: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager
-  namespace: flux-system
-spec:
-  suspend: true
-  interval: 1h
-  targetNamespace: cert-manager
-  path: ./kubernetes/templates/apps/cert-manager/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: cert-manager-secrets
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager-issuers
-  namespace: flux-system
-spec:
-  suspend: true
-  interval: 1h
-  targetNamespace: cert-manager
-  path: ./kubernetes/templates/apps/cert-manager/issuers
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
-  dependsOn:
-    - name: cert-manager-secrets
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: cert-manager-secrets

kubernetes/apps/cert-manager/release.yaml

@@ -1,35 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  releaseName: cert-manager
-  chart:
-    spec:
-      chart: cert-manager
-      sourceRef:
-        kind: HelmRepository
-        name: truecharts
-        namespace: flux-system
-  interval: 5m
-  install:
-    remediation:
-      retries: 3
-  values:
-    service:
-      main:
-        enabled: true
-        ports:
-          main:
-            enabled: true
-    workload:
-      main:
-        enabled: true
-    portal:
-      open:
-        enabled: true
-    certmanager:
-      prometheus:
-        servicemonitor:
-          enabled: false

kubernetes/apps/clusterissuer/release.yaml

@@ -1,82 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: clusterissuer
-  namespace: clusterissuer
-spec:
-  releaseName: clusterissuer
-  chart:
-    spec:
-      chart: clusterissuer
-      sourceRef:
-        kind: HelmRepository
-        name: truecharts
-        namespace: flux-system
-  interval: 5m
-  install:
-    remediation:
-      retries: 3
-  dependsOn:
-    - name: cert-manager
-      namespace: flux-system
-    - name: repositories
-      namespace: flux-system
-  values:
-    image:
-      repository: hello-world
-      tag: latest@sha256:266b191e926f65542fa8daaec01a192c4d292bff79426f47300a046e1bc576fd
-      pullPolicy: IfNotPresent
-    manifestManager:
-      enabled: true
-    workload:
-      main:
-        enabled: true
-        podSpec:
-          containers:
-            main:
-              enabled: true
-              probes:
-                liveness:
-                  enabled: false
-                readiness:
-                  enabled: false
-                startup:
-                  enabled: false
-    service:
-      main:
-        enabled: true
-        ports:
-          main:
-            enabled: true
-            port: 9999
-    portal:
-      open:
-        enabled: true
-    operator:
-      cert-manager:
-        namespace: cert-manager
-
-    clusterIssuer:
-      ACME:
-      - name: letsencrypt
-        # Used for both logging in to the DNS provider AND ACME registration
-        email: ${email}
-        server: 'https://acme-v02.api.letsencrypt.org/directory'
-        # Used primarily for the SCALE GUI
-        customServer: 'https://acme-v02.api.letsencrypt.org/directory'
-        # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
-        type: "cloudflare"
-        # for cloudflare
-        cfapitoken: ${cloudflare_api_token}
-
-    clusterCertificates:
-      # Namespaces in which the certificates must be available
-      # Accepts comma-separated regex expressions
-      # replicationNamespaces: 'ix-.*'
-      certificates:
-      - name: cluster-certificate
-        enabled: true
-        certificateIssuer: ACME
-        hosts:
-          - ${cluster_cert_domain}
-          - ${cluster_cert_domain_wildcard}

kubernetes/apps/clusterissuer/secret.yaml

@@ -1,21 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: clusterissuer-secrets
-  namespace: flux-system
-spec:
-  suspend: true
-  interval: 1d
-  path: ./clusterissuer
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: home-cluster-ops-secrets
-  dependsOn:
-    - name: repositories
-      namespace: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age

kubernetes/apps/code-server/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: code-server-ingress
+  namespace: code-server
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "code-server.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: code-server
+                port:
+                  number: 8443

kubernetes/apps/code-server/app/pvc.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: code-server-pv
+  namespace: code-server
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/code-server"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: code-server-pvc
+    namespace: code-server
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: code-server-pvc
+  namespace: code-server
+  labels:
+    name: code-server-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi

kubernetes/apps/code-server/app/release.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: code-server
+  namespace: code-server
+spec:
+  releaseName: code-server
+  targetNamespace: code-server
+  chart:
+    spec:
+      chart: code-server
+      sourceRef:
+        kind: HelmRepository
+        name: nicholaswilde
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    secret:
+      PASSWORD: ${password}
+      SUDO_PASSWORD: ${sudo_password}
+
+    env:
+      TZ: "Australia/Sydney"
+
+    persistence:
+      config:
+        enabled: true
+        existingClaim: code-server-pvc

kubernetes/apps/code-server/code-server.yaml

@@ -0,0 +1,47 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: code-server-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: code-server
+  path: ./code-server
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: code-server
+  namespace: code-server
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: code-server
+  path: ./kubernetes/apps/code-server/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: code-server-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: code-server-secrets

kubernetes/apps/dokuwiki/app/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dokuwiki-ingress
+  namespace: dokuwiki
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "dokuwiki.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: dokuwiki-dokuwiki
+                port:
+                  number: 18000
+    - host: "dokuwiki.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: dokuwiki-dokuwiki
+                port:
+                  number: 18000

kubernetes/apps/dokuwiki/app/release.yaml

@@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: dokuwiki
+  namespace: dokuwiki
+spec:
+  targetNamespace: dokuwiki
+  chart:
+    spec:
+      chart: dokuwiki
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    dokuwikiUsername: ${username}
+    dokuwikiPassword: ${password}
+    dokuwikiEmail: ${email}
+    dokuwikiFullName: "Edward Cheng"
+    dokuwikiWikiName: My Doku Wiki
+    containerPorts:
+      http: 18000
+      https: 18443
+    persistence:
+      existingClaim: "dokuwiki-pvc"
+    service:
+      type: ClusterIP
+      ports:
+        http: 18000
+        https: 18443

kubernetes/apps/dokuwiki/app/volume.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: dokuwiki-pv
+  namespace: dokuwiki
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 12Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/dokuwiki"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: dokuwiki-pvc
+    namespace: dokuwiki
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dokuwiki-pvc
+  namespace: dokuwiki
+  labels:
+    name: dokuwiki-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 12Gi

kubernetes/apps/dokuwiki/dokuwiki.yaml

@@ -0,0 +1,46 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dokuwiki-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: dokuwiki
+  path: ./dokuwiki
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dokuwiki
+  namespace: dokuwiki
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/dokuwiki/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: dokuwiki-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: dokuwiki-secrets

kubernetes/apps/gitea/app/ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+  namespace: gitea
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "gitea.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: gitea-gitea
+                port:
+                  number: 10080
+    - host: "gitea.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: gitea-gitea
+                port:
+                  number: 10080

kubernetes/apps/gitea/app/release.yaml

@@ -0,0 +1,56 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  targetNamespace: gitea
+  chart:
+    spec:
+      chart: gitea
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    image:
+      debug: true
+    updateStrategy:
+      type: Recreate
+    livenessProbe:
+      enabled: true
+      initialDelaySeconds: 600
+      periodSeconds: 60
+      timeoutSeconds: 30
+      failureThreshold: 5
+      successThreshold: 1
+    readinessProbe:
+      enabled: true
+      path: /
+      initialDelaySeconds: 30
+      periodSeconds: 60
+      timeoutSeconds: 30
+      failureThreshold: 5
+      successThreshold: 1
+    adminUsername: ${admin_username}
+    adminPassword: ${admin_password}
+    adminEmail: ${admin_email}
+    appName: app_name
+    persistence:
+      existingClaim: gitea-pvc
+    service:
+      ports:
+        http: 10080
+        ssh: 10022
+    postgresql:
+      enabled: false
+    externalDatabase:
+      host: ${db_host}
+      port: ${db_port}
+      user: ${db_user}
+      database: ${db_name}
+      password: ${db_password}

kubernetes/apps/gitea/app/volume.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: gitea-pv
+  namespace: gitea
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 32Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/gitea"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: gitea-pvc
+    namespace: gitea
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-pvc
+  namespace: gitea
+  labels:
+    name: gitea-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 32Gi

kubernetes/apps/gitea/gitea.yaml

@@ -1,11 +1,14 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: clusterissuer-secrets
+  name: gitea-secrets
   namespace: flux-system
 spec:
-  interval: 1h
+  interval: 10m
-  path: ./clusterissuer
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: gitea
+  path: ./gitea
   prune: true
   sourceRef:
     kind: GitRepository
@@ -14,8 +17,6 @@ spec:
   dependsOn:
     - name: repositories
       namespace: flux-system
-    - name: cert-manager
-      namespace: flux-system
   decryption:
     provider: sops
     secretRef:
@@ -24,21 +25,23 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: clusterissuer
+  name: gitea
-  namespace: flux-system
+  namespace: gitea
 spec:
-  suspend: false
+  interval: 10m
-  interval: 1h
+  timeout: 1m30s
-  targetNamespace: cert-manager
+  retryInterval: 30s
-  path: ./kubernetes/apps/clusterissuer
+  path: ./kubernetes/apps/gitea/app
   prune: true
   sourceRef:
     kind: GitRepository
     namespace: flux-system
     name: flux-system
   dependsOn:
-    - name: clusterissuer-secrets
+    - name: gitea-secrets
+      namespace: flux-system
   postBuild:
     substituteFrom:
       - kind: Secret
-        name: clusterissuer-secrets
+        name: gitea-secrets
+

kubernetes/apps/homer/app/development.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homer
+  namespace: homer
+  labels:
+    app.kubernetes.io/name: homer
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: homer
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: homer
+        rpi5.cluster.policy/egress-world: "true"
+        rpi5.cluster.policy/ingress-world: "true"
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: homer
+          image: b4bz/homer:v24.05.1
+          securityContext:
+            allowPrivilegeEscalation: false
+          env:
+            - name: PORT
+              value: "8088"
+            - name: INIT_ASSETS
+              value: "0"
+          ports:
+            - protocol: TCP
+              containerPort: 8088
+              name: http
+          volumeMounts:
+            - name: assets
+              mountPath: /www/assets
+      volumes:
+        - name: assets
+          hostPath:
+            path: /mnt/nfs/AppData/homer/www/assets
+            type: Directory

kubernetes/apps/homer/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: homer-ingress
+  namespace: homer
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "home.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: homer
+                port:
+                  number: 8088

kubernetes/apps/homer/app/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: homer
+  namespace: homer
+  labels:
+    app.kubernetes.io/name: homer
+spec:
+  selector:
+    app.kubernetes.io/name: homer
+  type: ClusterIP
+  internalTrafficPolicy: Cluster
+  ports:
+    - protocol: TCP
+      port: 8088
+      targetPort: 8088
+      name: http

kubernetes/apps/homer/homer.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: homer
+  namespace: homer
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/homer/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system

kubernetes/apps/jellyfin/app/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin-ingress
+  namespace: jellyfin
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "jellyfin.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: jellyfin
+                port:
+                  number: 8096
+    - host: "jellyfin.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: jellyfin
+                port:
+                  number: 8096

kubernetes/apps/jellyfin/app/pvc.yaml

@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-config
+  namespace: jellyfin
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 250Mi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/jellyfin/config"
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-data
+  namespace: jellyfin
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/jellyfin/data"
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3

kubernetes/apps/jellyfin/app/release.yaml

@@ -0,0 +1,169 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+spec:
+  releaseName: jellyfin
+  targetNamespace: jellyfin
+  chart:
+    spec:
+      chart: jellyfin
+      sourceRef:
+        kind: HelmRepository
+        name: beluga-cloud
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    persistence:
+      config:
+        enabled: true
+        volumeClaimSpec:
+          accessModes:
+            - ReadWriteOnce
+          volumeName: jellyfin-config
+          storageClassName: local-path
+      data:
+        enabled: true
+        volumeClaimSpec:
+          accessModes:
+            - ReadWriteOnce
+          volumeName: jellyfin-data
+          storageClassName: local-path
+    jellyfin:
+      mediaVolumes:
+        - name: movies
+          readOnly: false
+          volumeSpec:
+            storageClassName: local-path
+            volumeMode: Filesystem
+            capacity:
+              storage: 8Gi
+            accessModes:
+              - ReadWriteOnce
+            persistentVolumeReclaimPolicy: Retain
+            nodeAffinity:
+              required:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - rpi5-cluster-node-3
+            claimRef:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              name: jellyfin-mediavol-movies
+              namespace: jellyfin
+            hostPath:
+              path: "/mnt/nfs/AppData/jellyfin/media/movies"
+              type: "Directory"
+        - name: series
+          readOnly: false
+          volumeSpec:
+            storageClassName: local-path
+            volumeMode: Filesystem
+            capacity:
+              storage: 8Gi
+            accessModes:
+              - ReadWriteOnce
+            persistentVolumeReclaimPolicy: Retain
+            nodeAffinity:
+              required:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - rpi5-cluster-node-3
+            claimRef:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              name: jellyfin-mediavol-series
+              namespace: jellyfin
+            hostPath:
+              path: "/mnt/nfs/AppData/jellyfin/media/series"
+              type: "Directory"
+        - name: music-videos
+          readOnly: false
+          volumeSpec:
+            storageClassName: local-path
+            volumeMode: Filesystem
+            capacity:
+              storage: 8Gi
+            accessModes:
+              - ReadWriteOnce
+            persistentVolumeReclaimPolicy: Retain
+            nodeAffinity:
+              required:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - rpi5-cluster-node-3
+            claimRef:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              name: jellyfin-mediavol-music-videos
+              namespace: jellyfin
+            hostPath:
+              path: "/mnt/nfs/AppData/jellyfin/media/music-videos"
+              type: "Directory"
+        - name: short-videos
+          readOnly: false
+          volumeSpec:
+            storageClassName: local-path
+            volumeMode: Filesystem
+            capacity:
+              storage: 8Gi
+            accessModes:
+              - ReadWriteOnce
+            persistentVolumeReclaimPolicy: Retain
+            nodeAffinity:
+              required:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - rpi5-cluster-node-3
+            claimRef:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              name: jellyfin-mediavol-short-videos
+              namespace: jellyfin
+            hostPath:
+              path: "/mnt/nfs/AppData/jellyfin/media/short-videos"
+              type: "Directory"
+        - name: gv
+          readOnly: false
+          volumeSpec:
+            storageClassName: local-path
+            volumeMode: Filesystem
+            capacity:
+              storage: 8Gi
+            accessModes:
+              - ReadWriteOnce
+            persistentVolumeReclaimPolicy: Retain
+            nodeAffinity:
+              required:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - rpi5-cluster-node-3
+            claimRef:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              name: jellyfin-mediavol-gv
+              namespace: jellyfin
+            hostPath:
+              path: "/mnt/nfs/AppData/jellyfin/media/gv"
+              type: "Directory"
+      persistentTranscodes: true
+

kubernetes/apps/jellyfin/jellyfin.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/jellyfin/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+

kubernetes/apps/kavita/app/development.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kavita
+  namespace: kavita
+  labels:
+    app.kubernetes.io/name: kavita
+    app.kubernetes.io/instance: kavita
+  annotations:
+    kubectl.kubernetes.io/default-container: kavita
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kavita
+      app.kubernetes.io/instance: kavita
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kavita
+        app.kubernetes.io/instance: kavita
+    spec:
+      containers:
+        - image: jvmilazz0/kavita:0.8.1
+          imagePullPolicy: IfNotPresent
+          name: kavita
+          ports:
+            - containerPort: 5000
+              name: http
+              protocol: TCP
+          env:
+            - name: TZ
+              value: Australia/Sydney
+          volumeMounts:
+            - name: kavita-config
+              mountPath: /kavita/config
+            - name: kavita-manga
+              mountPath: /manga
+            - name: kavita-book
+              mountPath: /book
+            - name: kavita-doc
+              mountPath: /doc
+      volumes:
+        - name: kavita-config
+          hostPath:
+            path: /mnt/nfs/AppData/kavita/config
+            type: Directory
+        - name: kavita-manga
+          hostPath:
+            path: /mnt/nfs/AppData/kavita/manga
+            type: Directory
+        - name: kavita-book
+          hostPath:
+            path: /mnt/nfs/AppData/kavita/book
+            type: Directory
+        - name: kavita-doc
+          hostPath:
+            path: /mnt/nfs/AppData/kavita/doc
+            type: Directory

kubernetes/apps/kavita/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kavita-ingress
+  namespace: kavita
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "kavita.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: kavita
+                port:
+                  number: 5000

kubernetes/apps/kavita/app/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kavita
+  namespace: kavita
+  labels:
+    app.kubernetes.io/name: kavita
+    app.kubernetes.io/instance: kavita
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5000
+      targetPort: 5000
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: kavita
+    app.kubernetes.io/instance: kavita

kubernetes/apps/kavita/kavita.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kavita
+  namespace: kavita
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/kavita/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+

kubernetes/apps/kustomization.yaml

@@ -3,6 +3,16 @@ kind: Kustomization
 resources:
   - ./adguard-home/adguard-home.yaml
   - ./capacitor/capacitor.yaml
-  - ./cert-manager/cert-manager.yaml
+  - ./code-server/code-server.yaml
-  - ./clusterissuer/clusterissuer.yaml
+  - ./dokuwiki/dokuwiki.yaml
+  - ./gitea/gitea.yaml
+  - ./homer/homer.yaml
+  - ./jellyfin/jellyfin.yaml
+  - ./kavita/kavita.yaml
+  - ./nexus/nexus.yaml
   - ./podinfo/podinfo.yaml
+  - ./qbittorrent/qbittorrent.yaml
+  - ./snippet-box/snippet-box.yaml
+  - ./sonarqube/sonarqube.yaml
+  - ./uptime-kuma/uptime-kuma.yaml
+  - ./weave-gitops/weave-gitops.yaml

kubernetes/apps/nexus/app/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nexus
+  namespace: nexus
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nexus
+  template:
+    metadata:
+      labels:
+        app: nexus
+    spec:
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+      containers:
+        - name: nexus
+          image: klo2k/nexus3:3.68.1-02
+          resources:
+            limits:
+              memory: "3Gi"
+              cpu: "1"
+            requests:
+              memory: "2Gi"
+              cpu: "500m"
+          ports:
+            - containerPort: 8081
+          volumeMounts:
+            - name: nexus-data
+              mountPath: /nexus-data
+      volumes:
+        - name: nexus-data
+          hostPath:
+            path: /mnt/nfs/AppData/nexus
+            type: Directory

kubernetes/apps/nexus/app/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nexus
+  namespace: nexus
+  annotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/path:   /
+    prometheus.io/port:   '8081'
+spec:
+  selector:
+    app: nexus
+  type: NodePort
+  ports:
+    - port: 8081
+      targetPort: 8081
+      nodePort: 32000

kubernetes/apps/nexus/nexus.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: nexus
+  namespace: nexus
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/nexus/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system

kubernetes/apps/podinfo/podinfo.yaml

@@ -2,10 +2,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: podinfo
-  namespace: flux-system
+  namespace: podinfo
 spec:
-  interval: 1h
+  interval: 10m
-  path: ./kubernetes/apps/podinfo
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/podinfo/app
   prune: true
   sourceRef:
     kind: GitRepository

kubernetes/apps/qbittorrent/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent-ingress
+  namespace: qbittorrent
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "qbittorrent.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: qbittorrent
+                port:
+                  number: 8888

kubernetes/apps/qbittorrent/app/release.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: qbittorrent
+  namespace: qbittorrent
+spec:
+  targetNamespace: qbittorrent
+  chart:
+    spec:
+      chart: qbittorrent
+      sourceRef:
+        kind: HelmRepository
+        name: adminafk
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    service:
+      web:
+        port: 8888
+      torrent:
+        port: 8388
+    config:
+      persistence:
+        name: "qbittorrent-config-pvc"
+    volumeMounts:
+      - name: qbittorrent-download-pvc
+        mountPath: /download

kubernetes/apps/qbittorrent/app/volume.yaml

@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: qbittorrent-config
+  namespace: qbittorrent
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/qbittorrent/config"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: qbittorrent-config-pvc
+    namespace: qbittorrent
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+#  name: qbittorrent-config-pvc
+#  namespace: qbittorrent
+#  labels:
+#    name: qbittorrent-config-pvc
+#spec:
+#  storageClassName: local-path
+#  volumeMode: Filesystem
+#  accessModes:
+#    - ReadWriteOnce
+#  resources:
+#    requests:
+#      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: qbittorrent-download
+  namespace: qbittorrent
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/qbittorrent/download"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: qbittorrent-download-pvc
+    namespace: qbittorrent
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-download-pvc
+  namespace: qbittorrent
+  labels:
+    name: qbittorrent-download-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 64Gi

kubernetes/apps/qbittorrent/qbittorrent.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: qbittorrent
+  namespace: qbittorrent
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/qbittorrent/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+

kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml

@@ -0,0 +1,10 @@
+spec:
+  ports:
+    - name: torrent-tcp
+      port: 8388
+      targetPort: 8388
+      protocol: TCP
+    - name: torrent-udp
+      port: 8388
+      targetPort: 8388
+      protocol: UDP

kubernetes/apps/qbittorrent/scripts/patch-ingress-nginx.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml)"

kubernetes/apps/snippet-box/app/development.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: snippet-box
+  namespace: snippet-box
+  labels:
+    app.kubernetes.io/name: snippet-box
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: snippet-box
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: snippet-box
+    spec:
+      containers:
+        - name: snippet-box
+          image: pawelmalak/snippet-box:arm
+          ports:
+            - protocol: TCP
+              containerPort: 5000
+              name: snippet-box
+          env:
+            - name: TZ
+              value: Australia/Sydney
+          volumeMounts:
+            - name: snippet-box-data
+              mountPath: /app/data
+      volumes:
+        - name: snippet-box-data
+          hostPath:
+            path: /mnt/nfs/AppData/snippet-box
+            type: Directory

kubernetes/apps/snippet-box/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: snippet-box-ingress
+  namespace: snippet-box
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "snippet-box.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: snippet-box
+                port:
+                  number: 5000

kubernetes/apps/snippet-box/app/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: snippet-box
+  namespace: snippet-box
+  labels:
+    app.kubernetes.io/name: snippet-box
+spec:
+  selector:
+    app.kubernetes.io/name: snippet-box
+  type: ClusterIP
+  internalTrafficPolicy: Cluster
+  ports:
+    - protocol: TCP
+      port: 5000
+      targetPort: 5000
+      name: snippet-box

kubernetes/apps/snippet-box/snippet-box.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: snippet-box
+  namespace: snippet-box
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/snippet-box/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system

kubernetes/apps/sonarqube/app/release.yaml

@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: sonarqube
+  namespace: sonarqube
+spec:
+  releaseName: sonarqube
+  chart:
+    spec:
+      chart: sonarqube
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    sonarqubeUsername: ${sonarqube_username}
+    sonarqubePassword: ${sonarqube_password}
+    sonarqubeEmail: ${sonarqube_email}
+    smtpHost: ${smtp_host}
+    smtpPort: ${smtp_port}
+    smtpUser: ${smtp_user}
+    smtpPassword: ${smtp_password}
+    smtpProtocol: ${smtp_protocol}
+    service:
+      ports:
+        http: 8090
+        elastic: 9091
+      nodePorts:
+        http: 30080
+        elastic: 30091
+    persistence:
+      enabled: true
+      storageClass: local-path
+      size: "32Gi"
+      existingClaim: "sonarqube-pvc"
+    postgresql:
+      enabled: false
+    externalDatabase:
+      host: ${db_host}
+      user: ${db_user}
+      password: ${db_password}
+      database: ${db_name}
+      port: ${db_port}

kubernetes/apps/sonarqube/app/volume.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: sonarqube-pv
+  namespace: sonarqube
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 32Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/sonarqube"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: sonarqube-pvc
+    namespace: sonarqube
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonarqube-pvc
+  namespace: sonarqube
+  labels:
+    name: sonarqube-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 32Gi

kubernetes/apps/sonarqube/sonarqube.yaml

@@ -0,0 +1,46 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: sonarqube-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: sonarqube
+  path: ./sonarqube
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: sonarqube
+  namespace: sonarqube
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/sonarqube/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: sonarqube-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: sonarqube-secrets

kubernetes/apps/uptime-kuma/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: uptime-kuma-ingress
+  namespace: uptime-kuma
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "uptime-kuma.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: uptime-kuma
+                port:
+                  number: 3001

kubernetes/apps/uptime-kuma/app/pvc.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: uptime-kuma-pv
+  namespace: uptime-kuma
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 4Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/uptime-kuma"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: uptime-kuma-pvc
+    namespace: uptime-kuma
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-1
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: uptime-kuma-pvc
+  namespace: uptime-kuma
+  labels:
+    name: uptime-kuma-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 4Gi

kubernetes/apps/uptime-kuma/app/release.yaml

@@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+spec:
+  releaseName: uptime-kuma
+  targetNamespace: uptime-kuma
+  chart:
+    spec:
+      chart: uptime-kuma
+      version: 2.18.1
+      sourceRef:
+        kind: HelmRepository
+        name: irsigler
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    volume:
+      enabled: true
+      accessMode: ReadWriteOnce
+      size: 4Gi
+      existingClaim: "uptime-kuma-pvc"

kubernetes/apps/uptime-kuma/uptime-kuma.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/uptime-kuma/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system

kubernetes/apps/weave-gitops/app/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: weave-gitops-ingress
+  namespace: flux-system
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "weave-gitops.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: ww-gitops-weave-gitops
+                port:
+                  number: 9001
+    - host: "weave-gitops.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: ww-gitops-weave-gitops
+                port:
+                  number: 9001

kubernetes/apps/weave-gitops/app/release.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  annotations:
+    metadata.weave.works/description: This is the source location for the Weave GitOps
+      Dashboard's helm chart.
+  labels:
+    app.kubernetes.io/component: ui
+    app.kubernetes.io/created-by: weave-gitops-cli
+    app.kubernetes.io/name: weave-gitops-dashboard
+    app.kubernetes.io/part-of: weave-gitops
+  name: ww-gitops
+  namespace: flux-system
+spec:
+  interval: 1h0m0s
+  type: oci
+  url: oci://ghcr.io/weaveworks/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  annotations:
+    metadata.weave.works/description: This is the Weave GitOps Dashboard.  It provides
+      a simple way to get insights into your GitOps workloads.
+  name: ww-gitops
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: weave-gitops
+      sourceRef:
+        kind: HelmRepository
+        name: ww-gitops
+  interval: 1h0m0s
+  values:
+    adminUser:
+      create: true
+      passwordHash: $2a$10$gnPEHsFzIJXg/eron5LiQ.teGZkKETxuA2WAyKSbxHvxpkzWJvbDe
+      username: admin
+

kubernetes/apps/weave-gitops/weave-gitops.yaml

@@ -1,12 +1,13 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cert-manager
+  name: weave-gitops
   namespace: flux-system
 spec:
-  interval: 1h
+  interval: 10m
-  targetNamespace: flux-system
+  timeout: 1m30s
-  path: ./kubernetes/apps/cert-manager
+  retryInterval: 30s
+  path: ./kubernetes/apps/weave-gitops/app
   prune: true
   sourceRef:
     kind: GitRepository

kubernetes/infrastructure/cert-manager/cert-manager.yaml

@@ -0,0 +1,125 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: cert-manager
+  path: ./kubernetes/infrastructure/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: clusterissuer-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: cert-manager
+  path: ./clusterissuer
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: clusterissuer
+  namespace: cert-manager
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: cert-manager
+  path: ./kubernetes/infrastructure/cert-manager/clusterissuer
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: clusterissuer-secrets
+      namespace: flux-system
+    - name: cert-manager
+      namespace: cert-manager
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: clusterissuer-secrets
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: certificate-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: cert-manager
+  path: ./certificates
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: certificates
+  namespace: cert-manager
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: cert-manager
+  path: ./kubernetes/infrastructure/cert-manager/certificates
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: certificate-secrets
+      namespace: flux-system
+    - name: cert-manager
+      namespace: cert-manager
+    - name: clusterissuer
+      namespace: cert-manager
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: certificate-secrets

kubernetes/infrastructure/cert-manager/certificates/adguard-home.yaml

@@ -0,0 +1,64 @@
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: adguard-home-cert
+#  namespace: cert-manager
+#spec:
+#  # Secret names are always required.
+#  secretName: adguard-home.cluster.edward.sydney-tls
+#
+#  privateKey:
+#    algorithm: RSA
+#    encoding: PKCS1
+#    size: 2048
+#
+#  # keystores allows adding additional output formats. This is an example for reference only.
+#  keystores:
+#    pkcs12:
+#      create: true
+#      passwordSecretRef:
+#        name: adguard-home-tls-keystore
+#        key: ${adguard_home_certificate_tls_keystore_password}
+#      profile: Modern2023
+#
+#  duration: 2160h # 90d
+#  renewBefore: 360h # 15d
+#
+#  isCA: false
+#  usages:
+#    - server auth
+#    - client auth
+#
+#  subject:
+#    organizations:
+#      - edward.sydney
+#
+#  # The literalSubject field is exclusive with subject and commonName. It allows
+#  # specifying the subject directly as a string. This is useful for when the order
+#  # of the subject fields is important or when the subject contains special types
+#  # which can be specified by their OID.
+#  #
+#  # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
+#
+#  # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
+#  dnsNames:
+#    - "${adguard_home_certificate_dns_name}"
+#    - "*.${adguard_home_certificate_dns_name}"
+#  emailAddresses:
+#    - ${adguard_home_certificate_email}
+#
+#  # Issuer references are always required.
+#  issuerRef:
+#    name: clusterissuer
+#    # We can reference ClusterIssuers by changing the kind here.
+#    # The default value is Issuer (i.e. a locally namespaced Issuer)
+#    kind: ClusterIssuer
+#    # This is optional since cert-manager will default to this value however
+#    # if you are using an external issuer, change this to that issuer group.
+#    group: cert-manager.io
+
+#The certificate request has failed to complete and will be retried:
+#  Failed to wait for order resource "adguard-home-cert-1-1931876784" to become
+#  ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited:
+#  Error creating new order :: too many certificates already issued for "edward.sydney".
+#  Retry after 2024-06-25T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/

kubernetes/infrastructure/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml

@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: clusterissuer
+  namespace: cert-manager
+spec:
+  acme:
+    email: ${email}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            email: ${email}
+            apiTokenSecretRef:
+              name: clusterissuer-secrets
+              key: cloudflare_api_token
+        selector:
+          dnsNames:
+            - "${cluster_cert_domain}"
+            - "*.${cluster_cert_domain}"

kubernetes/infrastructure/cilium/cilium.yaml

@@ -1,16 +1,18 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cilium
+ name: cilium
-  namespace: kube-system
+ namespace: kube-system
 spec:
-  interval: 1h
+ interval: 10m
-  path: ./kubernetes/infrastructure/cilium/app
+ timeout: 1m30s
-  prune: true
+ retryInterval: 30s
-  sourceRef:
+ path: ./kubernetes/infrastructure/cilium/app
-    kind: GitRepository
+ prune: true
-    namespace: flux-system
+ sourceRef:
-    name: flux-system
+   kind: GitRepository
+   namespace: flux-system
+   name: flux-system
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
@@ -18,7 +20,10 @@ metadata:
   name: cilium-networkpolicies
   namespace: kube-system
 spec:
-  interval: 1h
+  suspend: false
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
   path: ./kubernetes/infrastructure/cilium/networkpolicies
   prune: true
   sourceRef:
@@ -26,7 +31,5 @@ spec:
     namespace: flux-system
     name: flux-system
   dependsOn:
-    - name: cilium
-      namespace: kube-system
     - name: ingress-nginx
-      namespace: flux-system
+      namespace: ingress-nginx

kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml

@@ -1,12 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: egress-world-with-lan
-  namespace: kube-system
-spec:
-  endpointSelector:
-    matchLabels:
-      rpi5.cluster.policy/egress-world-with-lan: "true"
-  egress:
-    - toCIDRSet:
-        - cidr: 0.0.0.0/0

kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml

@@ -10,7 +10,3 @@ spec:
   egress:
     - toCIDRSet:
         - cidr: 0.0.0.0/0
-          except:
-            - 192.168.1.0/24
-            - 192.168.2.0/24
-            - 100.64.0.0/10

kubernetes/infrastructure/cilium/networkpolicies/ingress-nginx.yaml

@@ -2,7 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
   name: ingress-ingress
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
   endpointSelector:
     matchLabels:
@@ -18,7 +18,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: ingress-nginx
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
   endpointSelector:
     matchLabels:
@@ -36,7 +36,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
   name: egress-ingress
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
   endpointSelector:
     matchLabels:
@@ -52,7 +52,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: egress-nginx
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
   endpointSelector:
     matchLabels:

kubernetes/infrastructure/consul/app/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: consul
+  namespace: consul
+  labels:
+    app: consul
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8500
+      targetPort: 8500
+  selector:
+    app: consul
+  type: ClusterIP

kubernetes/infrastructure/consul/app/statefulset.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: consul
+  namespace: consul
+  labels:
+    app: consul
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: consul
+  template:
+    metadata:
+      labels:
+        app: consul
+    spec:
+      containers:
+        - name: consul
+          image: 'consul:1.15.4'
+          args:
+            - agent
+          ports:
+            - name: http
+              containerPort: 8500
+              protocol: TCP
+          env:
+            - name: TZ
+              value: Australia/Sydney
+          volumeMounts:
+            - name: consul-data
+              mountPath: /consul/data
+            - name: consul-config
+              mountPath: /consul/config
+          imagePullPolicy: IfNotPresent
+      volumes:
+        - name: consul-data
+          hostPath:
+            path: /mnt/nfs/AppData/consul/data
+            type: Directory
+        - name: consul-config
+          hostPath:
+            path: /mnt/nfs/AppData/consul/config
+            type: Directory
+      restartPolicy: Always
+  serviceName: consul

kubernetes/infrastructure/consul/consul.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: consul
+  namespace: consul
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/consul/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system

kubernetes/infrastructure/grafana-dashboards/dashboards/8919-node-exporter-20240520.yaml

@@ -0,0 +1,113 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: flask-consul
+  namespace: consul
+  labels:
+    app: flask-consul
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: flask-consul
+  template:
+    metadata:
+      labels:
+        app: flask-consul
+    spec:
+      initContainers:
+        - name: wait-for-consul
+          image: busybox
+          command:
+            - sh
+            - '-c'
+            - >-
+              for i in \$(seq 1 60); do nc -z -w3 consul 8500 && exit 0 ||
+              sleep 5; done; exit 1
+          imagePullPolicy: IfNotPresent
+      containers:
+        - name: flask-consul
+          image: 'edeedeeed/flask_consul:v0.1.0'
+          ports:
+            - name: http-2026
+              containerPort: 2026
+              protocol: TCP
+          env:
+            - name: admin_passwd
+              value: ${dashboard_8919_admin_passwd}
+            - name: consul_token
+              value: ${dashboard_8919_consul_token}
+            - name: consul_url
+              value: 'http://consul:8500/v1'
+            - name: log_level
+              value: INFO
+            - name: TZ
+              value: Australia/Sydney
+          imagePullPolicy: Always
+      restartPolicy: Always
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: flask-consul
+  namespace: consul
+  labels:
+    app: flask-consul
+spec:
+  ports:
+    - name: http-2026
+      protocol: TCP
+      port: 2026
+      targetPort: 2026
+  selector:
+    app: flask-consul
+  type: ClusterIP
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: nginx-consul
+  namespace: consul
+  labels:
+    app: nginx-consul
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-consul
+  template:
+    metadata:
+      labels:
+        app: nginx-consul
+    spec:
+      containers:
+        - name: nginx-consul
+          image: 'nicholasjackson/nginx-consul:v0.1.0'
+          ports:
+            - name: http-1026
+              containerPort: 1026
+              protocol: TCP
+          env:
+            - name: TZ
+              value: Australia/Sydney
+          imagePullPolicy: Always
+      restartPolicy: Always
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-consul
+  namespace: consul
+  labels:
+    app: consul
+spec:
+  ports:
+    - name: nginx-consul
+      protocol: TCP
+      port: 1026
+      targetPort: 1026
+      nodePort: 31026
+  selector:
+    app: nginx-consul
+  type: NodePort
+  externalTrafficPolicy: Cluster

kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml

@@ -0,0 +1,48 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: grafana-dashboards-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: prometheus
+  path: ./grafana-dashboards
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: grafana-dashboards
+  namespace: prometheus
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/grafana-dashboards/dashboards
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: grafana-dashboards-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: grafana-dashboards-secrets

kubernetes/infrastructure/ingress-nginx/app/release.yaml

@@ -82,6 +82,20 @@ spec:
           labels:
             rpi5.cluster.policy/egress-kubeapi: "true"
 
+      spec:
+        template:
+          spec:
+            containers:
+              volumeMounts:
+                - mountPath: /etc/nginx/template
+                  name: nginx-template-volume
+                  readOnly: true
+            volumes:
+              - name: nginx-template-volume
+                hostPath:
+                  path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
+                  type: Directory
+
     defaultBackend:
       enabled: true
       image:

kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml

@@ -4,14 +4,13 @@ metadata:
   name: tcp-services
   namespace: ingress-nginx
 data:
-  "53": "adguard-home/adguard-home:53"
+  "53": "flux-system/adguard-home:53"
-  "853": "adguard-home/adguard-home:853"
+  "853": "flux-system/adguard-home:853"
-  "5443": "adguard-home/adguard-home:5443"
+  "5432": "postgresql/postgresql-primary:5432"
-  "6060": "adguard-home/adguard-home:6060"
+  "5433": "postgresql/postgresql-replica:5432"
-  "9099": "flux-system/capacitor:9000"
+  "5443": "flux-system/adguard-home:5443"
-  "10080": "adguard-home/adguard-home:80"
+  "6060": "flux-system/adguard-home:6060"
-  "10443": "adguard-home/adguard-home:443"
+  "8388": "qbittorrent/qbittorrent-torrent:8388"
-  "13000": "adguard-home/adguard-home::3000"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -19,10 +18,9 @@ metadata:
   name: udp-services
   namespace: ingress-nginx
 data:
-  "53": "adguard-home/adguard-home:53"
+  "53": "flux-system/adguard-home:53"
-  "67": "adguard-home/adguard-home:67"
+  "67": "flux-system/adguard-home:67"
-  "68": "adguard-home/adguard-home:68"
+  "68": "flux-system/adguard-home:68"
-  "853": "adguard-home/adguard-home:853"
+  "853": "flux-system/adguard-home:853"
-  "5443": "adguard-home/adguard-home:5443"
+  "5443": "flux-system/adguard-home:5443"
-  "10443": "adguard-home/adguard-home:443"
+  "8388": "qbittorrent/qbittorrent-torrent:8388"
-  "13000": "adguard-home/adguard-home:3000"

kubernetes/infrastructure/ingress-nginx/config/values.yaml

@@ -2,9 +2,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ingress-nginx-values
-  namespace: flux-system
+  namespace: ingress-nginx
 data:
   use_geoip2: "false"
-  metrics_enabled: "true"
   disable_ipv6: "true"
   disable_ipv6_dns: "true"

kubernetes/infrastructure/ingress-nginx/ingress-nginx-config.yaml

@@ -2,11 +2,11 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ingress-nginx-config
-  namespace: flux-system
+  namespace: ingress-nginx
 spec:
-  interval: 1h
+  interval: 10m
-  timeout: 5m
+  timeout: 1m30s
-  retryInterval: 5m
+  retryInterval: 30s
   path: ./kubernetes/infrastructure/ingress-nginx/config
   prune: true
   sourceRef:

kubernetes/infrastructure/ingress-nginx/ingress-nginx.yaml

@@ -2,13 +2,13 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ingress-nginx
-  namespace: flux-system
+  namespace: ingress-nginx
 spec:
-  interval: 1h
+  interval: 10m
-  timeout: 5m
+  timeout: 1m30s
-  retryInterval: 5m
+  retryInterval: 30s
   targetNamespace: ingress-nginx
-  path: ./kubernetes/templates/apps/ingress-nginx
+  path: ./kubernetes/infrastructure/ingress-nginx/app
   prune: true
   sourceRef:
     kind: GitRepository
@@ -29,7 +29,63 @@ spec:
         - op: add
           path: /spec/ports/-
           value:
-            name: proxied-tcp-9099
+            name: dns-tcp
-            port: 9099
+            port: 53
-            targetPort: 9099
+            targetPort: 53
+            protocol: TCP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dns-udp
+            port: 53
+            targetPort: 53
+            protocol: UDP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dhcps-udp
+            port: 67
+            targetPort: 67
+            protocol: UDP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dhcpc-udp
+            port: 68
+            targetPort: 68
+            protocol: UDP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dns-tls-tcp
+            port: 853
+            targetPort: 853
+            protocol: TCP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dns-tls-udp
+            port: 853
+            targetPort: 853
+            protocol: UDP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dnscrypt-tcp
+            port: 5443
+            targetPort: 5443
+            protocol: TCP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: dnscrypt-udp
+            port: 5443
+            targetPort: 5443
+            protocol: UDP
+        - op: add
+          path: /spec/ports/-
+          value:
+            name: https-pprof
+            port: 6060
+            targetPort: 6060
             protocol: TCP

kubernetes/infrastructure/kustomization.yaml

@@ -1,6 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./repositories/repositories.yaml
+  - ./cert-manager/cert-manager.yaml
-  - ./cilium/cilium.yaml
+  #  - ./cilium/cilium.yaml
+  - ./consul/consul.yaml
+  - ./grafana-dashboards/grafana-dashboards.yaml
   - ./ingress-nginx/ingress-nginx.yaml
+  - ./ingress-nginx/ingress-nginx-config.yaml
+  - ./local-path-provisioner/local-path-provisioner.yaml
+  - ./minio/minio.yaml
+  - ./namespaces/namespaces.yaml
+  - ./postgresql/postgresql.yaml
+  - ./prometheus/prometheus.yaml
+  - ./prometheus-alertmanager/prometheus-alertmanager.yaml
+  - ./prometheus-exporters/prometheus-exporters.yaml
+  - ./redis/redis.yaml
+  - ./repositories/repositories.yaml

kubernetes/infrastructure/local-path-provisioner/app/local-path-provisioner.yaml

@@ -0,0 +1,149 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: local-path-provisioner-service-account
+  namespace: local-path-storage
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: local-path-storage
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: local-path-provisioner-role
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "create", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: local-path-storage
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: local-path-provisioner-bind
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: local-path-provisioner
+  namespace: local-path-storage
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: local-path-provisioner
+  template:
+    metadata:
+      labels:
+        app: local-path-provisioner
+    spec:
+      serviceAccountName: local-path-provisioner-service-account
+      containers:
+        - name: local-path-provisioner
+          image: rancher/local-path-provisioner:v0.0.28
+          imagePullPolicy: IfNotPresent
+          command:
+            - local-path-provisioner
+            - --debug
+            - start
+            - --config
+            - /etc/config/config.json
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/config/
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CONFIG_MOUNT_PATH
+              value: /etc/config/
+      volumes:
+        - name: config-volume
+          configMap:
+            name: local-path-config
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: local-path
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Retain
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: local-path-config
+  namespace: local-path-storage
+data:
+  config.json: |-
+    {
+      "nodePathMap": [
+        {
+          "node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
+          "paths": [
+            "/opt/local-path-provisioner"]
+        }
+      ]
+    }
+  setup: |-
+    #!/bin/sh
+    set -eu
+    mkdir -m 0777 -p "$VOL_DIR"
+  teardown: |-
+    #!/bin/sh
+    set -eu
+    rm -rf "$VOL_DIR"
+  helperPod.yaml: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: helper-pod
+    spec:
+      priorityClassName: system-node-critical
+      tolerations:
+        - key: node.kubernetes.io/disk-pressure
+          operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: helper-pod
+          image: busybox
+          imagePullPolicy: IfNotPresent

kubernetes/infrastructure/local-path-provisioner/local-path-provisioner.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: local-path-provisioner
+  namespace: local-path-storage
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/local-path-provisioner/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system

kubernetes/infrastructure/minio/app/ingress.yaml

@@ -0,0 +1,51 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minio-ingress
+  namespace: minio
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "minio.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: minio
+                port:
+                  number: 19001
+    - host: "api.minio.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: minio
+                port:
+                  number: 19000
+    - host: "minio.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: minio
+                port:
+                  number: 19001
+    - host: "api.minio.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: minio
+                port:
+                  number: 19000

kubernetes/infrastructure/minio/app/release.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: minio
+  namespace: minio
+spec:
+  releaseName: minio
+  chart:
+    spec:
+      chart: minio
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    clusterDomain: minio.cluster.edward.sydney
+    auth:
+      rootUser: ${root_user}
+      rootPassword: ${root_password}
+    nodeSelector:
+      kubernetes.io/hostname: rpi5-cluster-node-3
+    service:
+      ports:
+        api: 19000
+        console: 19001
+    persistence:
+      existingClaim: "minio-pvc"

kubernetes/infrastructure/minio/app/volume.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: minio-pv
+  namespace: minio
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 256Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/minio"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: minio-pvc
+    namespace: minio
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio-pvc
+  namespace: minio
+  labels:
+    name: minio-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 256Gi

kubernetes/infrastructure/minio/minio.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: minio-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: minio
+  path: ./minio
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: minio
+  namespace: minio
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/minio/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: minio-secrets
+      namespace: flux-system
+    - name: local-path-provisioner
+      namespace: local-path-storage
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: minio-secrets

kubernetes/infrastructure/namespaces/namespaces.yaml

@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: namespaces
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/namespaces/namespaces
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system

kubernetes/infrastructure/namespaces/namespaces/capacitor.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: capacitor

kubernetes/infrastructure/namespaces/namespaces/code-server.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: code-server

kubernetes/infrastructure/namespaces/namespaces/consul.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: consul

kubernetes/infrastructure/namespaces/namespaces/dokuwiki.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dokuwiki