adding ingress for testing

update values for the kubernetes-event-exporter
2024-06-27 16:43:25 +10:00 · 2024-06-27 16:18:09 +10:00 · 2024-06-27 15:55:19 +10:00 · 2024-06-27 15:38:50 +10:00 · 2024-06-27 15:11:11 +10:00 · 2024-06-27 14:28:41 +10:00
165 changed files with 4302 additions and 252 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,5 @@
 creation_rules:
  - path_regex: \.ya?ml$
    encrypted_regex: ^(data|stringData)$
    pgp: 6CEA91DDB1964869C94DCEC7AF6E3BB1B44F669B
    age: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
--- a/kubernetes/apps/adguard-home/adguard-home.yaml
+++ b/kubernetes/apps/adguard-home/adguard-home.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: adguard-home
  namespace: adguard-home
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/adguard-home/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/adguard-home/app/deployment.yaml
+++ b/kubernetes/apps/adguard-home/app/deployment.yaml
@@ -0,0 +1,86 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: adguard-home
  namespace: adguard-home
  labels:
    app.kubernetes.io/name: adguard-home
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: adguard-home
  template:
    metadata:
      labels:
        app.kubernetes.io/name: adguard-home
        rpi5.cluster.policy/egress-kubeapi: "true"
        rpi5.cluster.policy/egress-namespace: "true"
        rpi5.cluster.policy/egress-world: "true"
        rpi5.cluster.policy/ingress-namespace: "true"
        rpi5.cluster.policy/ingress-nginx: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
        rpi5.cluster.policy/ingress-world: "true"
    spec:
      containers:
        - name: adguard-home
          image: adguard/adguardhome:v0.107.51
          ports:
            - protocol: TCP
              containerPort: 53
              name: dns-tcp
            - protocol: UDP
              containerPort: 53
              name: dns-udp
            - protocol: UDP
              containerPort: 67
              name: dhcps-udp
            - protocol: UDP
              containerPort: 68
              name: dhcpc-udp
            - protocol: TCP
              containerPort: 80
              name: http-tcp
            - protocol: TCP
              containerPort: 443
              name: https-tcp
            - protocol: UDP
              containerPort: 443
              name: https-udp
            - protocol: TCP
              containerPort: 853
              name: dns-tls-tcp
            - protocol: UDP
              containerPort: 853
              name: dns-tls-udp
            - protocol: TCP
              containerPort: 3000
              name: http-alt-tcp
            - protocol: UDP
              containerPort: 3000
              name: http-alt-udp
            - protocol: TCP
              containerPort: 5443
              name: dnscrypt-tcp
            - protocol: UDP
              containerPort: 5443
              name: dnscrypt-udp
            - protocol: TCP
              containerPort: 6060
              name: http-pprof
          env:
            - name: TZ
              value: Australia/Sydney
          volumeMounts:
            - name: adguard-home-data
              mountPath: /opt/adguardhome/work
            - name: adguard-home-config
              mountPath: /opt/adguardhome/conf
      volumes:
        - name: adguard-home-data
          hostPath:
            path: /mnt/nfs/AppData/adguardhome/work
            type: Directory
        - name: adguard-home-config
          hostPath:
            path: /mnt/nfs/AppData/adguardhome/conf
            type: Directory
--- a/kubernetes/apps/adguard-home/app/ingress.yaml
+++ b/kubernetes/apps/adguard-home/app/ingress.yaml
@@ -0,0 +1,61 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: adguard-home-ingress
  namespace: adguard-home
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "adguard-home.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: adguard-home
                port:
                  number: 10080
    - host: "adguard-home.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: adguard-home
                port:
                  number: 10080
    - host: "setup.adguard-home.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: adguard-home
                port:
                  number: 13000
    - host: "setup.adguard-home.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: adguard-home
                port:
                  number: 13000
    - host: "doh.adguard-home.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: adguard-home
                port:
                  number: 443
--- a/kubernetes/apps/adguard-home/app/service.yaml
+++ b/kubernetes/apps/adguard-home/app/service.yaml
@@ -0,0 +1,69 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: adguard-home
  namespace: adguard-home
  labels:
    app.kubernetes.io/name: adguard-home
 spec:
  selector:
    app.kubernetes.io/name: adguard-home
  type: ClusterIP
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
      port: 53
      targetPort: 53
      name: dns-tcp
    - protocol: UDP
      port: 53
      targetPort: 53
      name: dns-udp
    - protocol: UDP
      port: 67
      targetPort: 67
      name: dhcps-udp
    - protocol: UDP
      port: 68
      targetPort: 68
      name: dhcpc-udp
    - protocol: TCP
      port: 10080
      targetPort: 80
      name: http-tcp
    - protocol: TCP
      port: 443
      targetPort: 443
      name: https-tcp
    - protocol: UDP
      port: 443
      targetPort: 443
      name: https-udp
    - protocol: TCP
      port: 853
      targetPort: 853
      name: dns-tls-tcp
    - protocol: UDP
      port: 853
      targetPort: 853
      name: dns-tls-udp
    - protocol: TCP
      port: 13000
      targetPort: 3000
      name: https-alt-tcp
    - protocol: UDP
      port: 13000
      targetPort:  3000
      name: https-alt-udp
    - protocol: TCP
      port: 5443
      targetPort: 5443
      name: dnscrypt-tcp
    - protocol: UDP
      port: 5443
      targetPort: 5443
      name: dnscrypt-udp
    - protocol: TCP
      port: 6060
      targetPort: 6060
      name: https-pprof
--- a/kubernetes/apps/adguard-home/scripts/ingress-nginx-svc-controller-patch.yaml
+++ b/kubernetes/apps/adguard-home/scripts/ingress-nginx-svc-controller-patch.yaml
@@ -0,0 +1,38 @@
 spec:
  ports:
    - name: dns-tcp
      port: 53
      targetPort: 53
      protocol: TCP
    - name: dns-udp
      port: 53
      targetPort: 53
      protocol: UDP
    - name: dhcps-udp
      port: 67
      targetPort: 67
      protocol: UDP
    - name: dhcpc-udp
      port: 68
      targetPort: 68
      protocol: UDP
    - name: dns-tls-tcp
      port: 853
      targetPort: 853
      protocol: TCP
    - name: dns-tls-udp
      port: 853
      targetPort: 853
      protocol: UDP
    - name: dnscrypt-tcp
      port: 5443
      targetPort: 5443
      protocol: TCP
    - name: dnscrypt-udp
      port: 5443
      targetPort: 5443
      protocol: UDP
    - name: https-pprof
      port: 6060
      targetPort: 6060
      protocol: TCP
--- a/kubernetes/apps/adguard-home/scripts/patch-ingress-nginx.sh
+++ b/kubernetes/apps/adguard-home/scripts/patch-ingress-nginx.sh
@@ -0,0 +1,4 @@
 #!/bin/bash
 set -e
 kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"
--- a/kubernetes/apps/capacitor/app/ingress.yaml
+++ b/kubernetes/apps/capacitor/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: capacitor-ingress
  namespace: capacitor
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "capacitor.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: capacitor
                port:
                  number: 9000
--- a/kubernetes/apps/capacitor/app/manifest.yaml
+++ b/kubernetes/apps/capacitor/app/manifest.yaml
@@ -0,0 +1,84 @@
 ---
 # Source: onechart/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: capacitor
  namespace: capacitor
  labels:
    helm.sh/chart: onechart-0.63.0
    app.kubernetes.io/name: onechart
    app.kubernetes.io/instance: capacitor
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 9000
      targetPort: 9000
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: onechart
    app.kubernetes.io/instance: capacitor
 ---
 # Source: onechart/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: capacitor
  namespace: capacitor
  labels:
    helm.sh/chart: onechart-0.63.0
    app.kubernetes.io/name: onechart
    app.kubernetes.io/instance: capacitor
    app.kubernetes.io/managed-by: Helm
  annotations:
    kubectl.kubernetes.io/default-container: capacitor
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: onechart
      app.kubernetes.io/instance: capacitor
  template:
    metadata:
      annotations:
        checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      labels:
        app.kubernetes.io/name: onechart
        app.kubernetes.io/instance: capacitor
        rpi5.cluster.policy/egress-kubeapi: "true"
        rpi5.cluster.policy/egress-namespace: "true"
        rpi5.cluster.policy/egress-world: "true"
        rpi5.cluster.policy/ingress-namespace: "true"
        rpi5.cluster.policy/ingress-nginx: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
        rpi5.cluster.policy/ingress-world: "true"
    spec:
      containers:
        - image: ghcr.io/gimlet-io/capacitor:v0.4.2
          imagePullPolicy: IfNotPresent
          name: capacitor
          ports:
            - containerPort: 9000
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 3
          resources:
            requests:
              cpu: 200m
              memory: 200Mi
          securityContext: {}
      initContainers: null
      securityContext:
        fsGroup: 999
      serviceAccountName: capacitor
--- a/kubernetes/apps/capacitor/app/rbac.yaml
+++ b/kubernetes/apps/capacitor/app/rbac.yaml
@@ -0,0 +1,58 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: capacitor
  namespace: capacitor
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: capacitor
 rules:
  - apiGroups:
      - networking.k8s.io
      - apps
      - ""
    resources:
      - pods
      - pods/log
      - ingresses
      - deployments
      - services
      - secrets
      - events
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - source.toolkit.fluxcd.io
      - kustomize.toolkit.fluxcd.io
      - helm.toolkit.fluxcd.io
    resources:
      - gitrepositories
      - ocirepositories
      - buckets
      - helmrepositories
      - helmcharts
      - kustomizations
      - helmreleases
    verbs:
      - get
      - watch
      - list
      - patch # to allow force reconciling by adding an annotation
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: capacitor
 subjects:
  - kind: ServiceAccount
    name: capacitor
    namespace: flux-system
 roleRef:
  kind: ClusterRole
  name: capacitor
  apiGroup: rbac.authorization.k8s.io
--- a/kubernetes/apps/capacitor/capacitor.yaml
+++ b/kubernetes/apps/capacitor/capacitor.yaml
@@ -1,28 +1,29 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: capacitor
  namespace: flux-system
 spec:
  interval: 12h
  url: oci://ghcr.io/gimlet-io/capacitor-manifests
  ref:
    semver: ">=0.1.0"
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: capacitor
-  namespace: flux-system
+  namespace: capacitor
 spec:
-  targetNamespace: flux-system
+  interval: 10m
-  interval: 1h
+  timeout: 1m30s
-  retryInterval: 2m
+  retryInterval: 30s
-  timeout: 5m
+  path: ./kubernetes/apps/capacitor/app
  wait: true
  prune: true
  path: "./"
  sourceRef:
-    kind: OCIRepository
+    kind: GitRepository
    namespace: flux-system
    name: flux-system
  patches:
    - target:
        kind: (Service|Deployment)
        name: capacitor
        namespace: flux-system
      patch: |
        - op: replace
          path: "/metadata/labels/app.kubernetes.io~1managed-by"
          value: Flux
        - op: remove
          path: "/metadata/labels/helm.sh~1chart"
        - op: add
          path: "/metadata/labels/patched"
          value: "true"
--- a/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml
+++ b/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: cert-manager-secrets
 type: Opaque
 stringData:
  email: ENC[AES256_GCM,data:Xw/DA/QTahksfab9o/XImDyJiQ==,iv:SUGIiGcRNW3pTWIlyndKaY2gkLNPpbL76/TOdgqcFF8=,tag:6Z1P6XM0tBLiGs8N0zVoQw==,type:str]
  cert-manager-dns01: ENC[AES256_GCM,data:g5UrPhYrktJgDw8LONrvm3h/UktN9UKVj8x7mGLSnhiefjT85sS5yg==,iv:BsDhztKm97ASx4TIun0Wb8u5LHdurD8cPjI9quaHIik=,tag:e8k26dyJPxkdLXeWwTLgVw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZHZoMEZwdmhCRFdtc2Zk
        Rm1ZTWloQkJpVWpUeTdqMTJvZDcrOENpYjFJCmQwNWk5emNyaGpweXZyNEZyWnFv
        RU5mQ2dUSjBQbHBQY3B5SkxWZUdESk0KLS0tIDQwWm5BVStDM2REb1lES3VhODRr
        aG5mUXBRTlJwMVdiZTF1N2krczMrSDgKLsi0MxNuhDarP4jUGoZzsr/d4ImHOEAR
        Yj/WU7xy/LUY1JEhPLrByuUj0i0N127EmLdBQ8KN47xAdsa69t0y/Q==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-06-10T02:25:43Z"
  mac: ENC[AES256_GCM,data:8VdnAOpbpEBGjnGR1x2wejQ/zv8Q9IHZiawKGFS4wvrBt3e9Jb1d1Eiwv59ix0BnswJLPPoZiiYXcYy8DBYRAilaQ/URxFTzP1o0QlAoadUab84NEn0ysYoRz22pQ6fdZXFkZithQD81Le37tI8gkcddP0PsPg/6LfkaPHsLQgs=,iv:/EzcGl8quaMZwUcDO+hSnnhrnNLExllB5Ly+Y4n9jZY=,tag:Hery5vjzHXuYaAAweMjwvg==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
--- a/kubernetes/apps/cert-manager/cert-manager.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager.yaml
@@ -1,54 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cert-manager-secrets
  namespace: flux-system
 spec:
  interval: 1h
  path: ./kubernetes/apps/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cert-manager
  namespace: cert-manager
 spec:
  interval: 1h
  targetNamespace: cert-manager
  path: ./kubernetes/templates/apps/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cert-manager-issuers
  namespace: cert-manager
 spec:
  interval: 1h
  targetNamespace: cert-manager
  path: ./kubernetes/templates/apps/cert-manager/issuers
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops
  dependsOn:
    - name: cert-manager-secrets
    - name: cert-manager
  postBuild:
    substituteFrom:
      - kind: Secret
        name: cert-manager-secrets
--- a/kubernetes/apps/cert-manager/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - cert-manager.yaml
--- a/kubernetes/apps/cilium/networkpolicies/egress-world-with-lan.yaml
+++ b/kubernetes/apps/cilium/networkpolicies/egress-world-with-lan.yaml
@@ -1,11 +0,0 @@
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-world-with-lan
 spec:
  endpointSelector:
    matchLabels:
      rpi5.cluster.policy/egress-world-with-lan: "true"
  egress:
    - toCIDRSet:
        - cidr: 0.0.0.0/0
--- a/kubernetes/apps/code-server/app/ingress.yaml
+++ b/kubernetes/apps/code-server/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: code-server-ingress
  namespace: code-server
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "code-server.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: code-server
                port:
                  number: 8443
--- a/kubernetes/apps/code-server/app/pvc.yaml
+++ b/kubernetes/apps/code-server/app/pvc.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: code-server-pv
  namespace: code-server
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 8Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/code-server"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: code-server-pvc
    namespace: code-server
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: code-server-pvc
  namespace: code-server
  labels:
    name: code-server-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
--- a/kubernetes/apps/code-server/app/release.yaml
+++ b/kubernetes/apps/code-server/app/release.yaml
@@ -0,0 +1,31 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: code-server
  namespace: code-server
 spec:
  releaseName: code-server
  targetNamespace: code-server
  chart:
    spec:
      chart: code-server
      sourceRef:
        kind: HelmRepository
        name: nicholaswilde
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    secret:
      PASSWORD: ${password}
      SUDO_PASSWORD: ${sudo_password}
    env:
      TZ: "Australia/Sydney"
    persistence:
      config:
        enabled: true
        existingClaim: code-server-pvc
--- a/kubernetes/apps/code-server/code-server.yaml
+++ b/kubernetes/apps/code-server/code-server.yaml
@@ -0,0 +1,47 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: code-server-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: code-server
  path: ./code-server
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: code-server
  namespace: code-server
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: code-server
  path: ./kubernetes/apps/code-server/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: code-server-secrets
      namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: Secret
        name: code-server-secrets
--- a/kubernetes/apps/dokuwiki/app/ingress.yaml
+++ b/kubernetes/apps/dokuwiki/app/ingress.yaml
@@ -0,0 +1,31 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: dokuwiki-ingress
  namespace: dokuwiki
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "dokuwiki.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: dokuwiki-dokuwiki
                port:
                  number: 18000
    - host: "dokuwiki.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: dokuwiki-dokuwiki
                port:
                  number: 18000
--- a/kubernetes/apps/dokuwiki/app/release.yaml
+++ b/kubernetes/apps/dokuwiki/app/release.yaml
@@ -0,0 +1,34 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: dokuwiki
  namespace: dokuwiki
 spec:
  targetNamespace: dokuwiki
  chart:
    spec:
      chart: dokuwiki
      sourceRef:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    dokuwikiUsername: ${username}
    dokuwikiPassword: ${password}
    dokuwikiEmail: ${email}
    dokuwikiFullName: "Edward Cheng"
    dokuwikiWikiName: My Doku Wiki
    containerPorts:
      http: 18000
      https: 18443
    persistence:
      existingClaim: "dokuwiki-pvc"
    service:
      type: ClusterIP
      ports:
        http: 18000
        https: 18443
--- a/kubernetes/apps/dokuwiki/app/volume.yaml
+++ b/kubernetes/apps/dokuwiki/app/volume.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: dokuwiki-pv
  namespace: dokuwiki
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 12Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/dokuwiki"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: dokuwiki-pvc
    namespace: dokuwiki
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: dokuwiki-pvc
  namespace: dokuwiki
  labels:
    name: dokuwiki-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 12Gi
--- a/kubernetes/apps/dokuwiki/dokuwiki.yaml
+++ b/kubernetes/apps/dokuwiki/dokuwiki.yaml
@@ -0,0 +1,46 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: dokuwiki-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: dokuwiki
  path: ./dokuwiki
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: dokuwiki
  namespace: dokuwiki
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/dokuwiki/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: dokuwiki-secrets
      namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: Secret
        name: dokuwiki-secrets
--- a/kubernetes/apps/gitea/app/ingress.yaml
+++ b/kubernetes/apps/gitea/app/ingress.yaml
@@ -0,0 +1,32 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
 spec:
  ingressClassName: nginx
  rules:
    - host: "gitea.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: gitea-gitea
                port:
                  number: 10080
    - host: "gitea.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: gitea-gitea
                port:
                  number: 10080
--- a/kubernetes/apps/gitea/app/release.yaml
+++ b/kubernetes/apps/gitea/app/release.yaml
@@ -0,0 +1,56 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: gitea
  namespace: gitea
 spec:
  targetNamespace: gitea
  chart:
    spec:
      chart: gitea
      sourceRef:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    image:
      debug: true
    updateStrategy:
      type: Recreate
    livenessProbe:
      enabled: true
      initialDelaySeconds: 600
      periodSeconds: 60
      timeoutSeconds: 30
      failureThreshold: 5
      successThreshold: 1
    readinessProbe:
      enabled: true
      path: /
      initialDelaySeconds: 30
      periodSeconds: 60
      timeoutSeconds: 30
      failureThreshold: 5
      successThreshold: 1
    adminUsername: ${admin_username}
    adminPassword: ${admin_password}
    adminEmail: ${admin_email}
    appName: app_name
    persistence:
      existingClaim: gitea-pvc
    service:
      ports:
        http: 10080
        ssh: 10022
    postgresql:
      enabled: false
    externalDatabase:
      host: ${db_host}
      port: ${db_port}
      user: ${db_user}
      database: ${db_name}
      password: ${db_password}
--- a/kubernetes/apps/gitea/app/volume.yaml
+++ b/kubernetes/apps/gitea/app/volume.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: gitea-pv
  namespace: gitea
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 32Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/gitea"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: gitea-pvc
    namespace: gitea
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: gitea-pvc
  namespace: gitea
  labels:
    name: gitea-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 32Gi
--- a/kubernetes/apps/gitea/gitea.yaml
+++ b/kubernetes/apps/gitea/gitea.yaml
@@ -0,0 +1,47 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: gitea-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: gitea
  path: ./gitea
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: gitea
  namespace: gitea
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/gitea/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: gitea-secrets
      namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: Secret
        name: gitea-secrets
--- a/kubernetes/apps/homer/app/development.yaml
+++ b/kubernetes/apps/homer/app/development.yaml
@@ -0,0 +1,43 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: homer
  namespace: homer
  labels:
    app.kubernetes.io/name: homer
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: homer
  template:
    metadata:
      labels:
        app.kubernetes.io/name: homer
        rpi5.cluster.policy/egress-world: "true"
        rpi5.cluster.policy/ingress-world: "true"
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: homer
          image: b4bz/homer:v24.05.1
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: PORT
              value: "8088"
            - name: INIT_ASSETS
              value: "0"
          ports:
            - protocol: TCP
              containerPort: 8088
              name: http
          volumeMounts:
            - name: assets
              mountPath: /www/assets
      volumes:
        - name: assets
          hostPath:
            path: /mnt/nfs/AppData/homer/www/assets
            type: Directory
--- a/kubernetes/apps/homer/app/ingress.yaml
+++ b/kubernetes/apps/homer/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: homer-ingress
  namespace: homer
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "home.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: homer
                port:
                  number: 8088
--- a/kubernetes/apps/homer/app/service.yaml
+++ b/kubernetes/apps/homer/app/service.yaml
@@ -0,0 +1,17 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: homer
  namespace: homer
  labels:
    app.kubernetes.io/name: homer
 spec:
  selector:
    app.kubernetes.io/name: homer
  type: ClusterIP
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
      port: 8088
      targetPort: 8088
      name: http
--- a/kubernetes/apps/cilium/cilium.yaml
+++ b/kubernetes/apps/cilium/cilium.yaml
@@ -1,13 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cilium-networkpolicies
+  name: homer
-  namespace: kube-system
+  namespace: homer
 spec:
-  interval: 1h
+  interval: 10m
-  path: ./kubernetes/apps/cilium/networkpolicies
+  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/homer/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
-    name: home-cluster-ops
+    name: flux-system
--- a/kubernetes/apps/jellyfin/app/ingress.yaml
+++ b/kubernetes/apps/jellyfin/app/ingress.yaml
@@ -0,0 +1,31 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: jellyfin-ingress
  namespace: jellyfin
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "jellyfin.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: jellyfin
                port:
                  number: 8096
    - host: "jellyfin.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: jellyfin
                port:
                  number: 8096
--- a/kubernetes/apps/jellyfin/app/pvc.yaml
+++ b/kubernetes/apps/jellyfin/app/pvc.yaml
@@ -0,0 +1,51 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: jellyfin-config
  namespace: jellyfin
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 250Mi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/jellyfin/config"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: jellyfin-data
  namespace: jellyfin
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/jellyfin/data"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
--- a/kubernetes/apps/jellyfin/app/release.yaml
+++ b/kubernetes/apps/jellyfin/app/release.yaml
@@ -0,0 +1,169 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: jellyfin
  namespace: jellyfin
 spec:
  releaseName: jellyfin
  targetNamespace: jellyfin
  chart:
    spec:
      chart: jellyfin
      sourceRef:
        kind: HelmRepository
        name: beluga-cloud
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    persistence:
      config:
        enabled: true
        volumeClaimSpec:
          accessModes:
            - ReadWriteOnce
          volumeName: jellyfin-config
          storageClassName: local-path
      data:
        enabled: true
        volumeClaimSpec:
          accessModes:
            - ReadWriteOnce
          volumeName: jellyfin-data
          storageClassName: local-path
    jellyfin:
      mediaVolumes:
        - name: movies
          readOnly: false
          volumeSpec:
            storageClassName: local-path
            volumeMode: Filesystem
            capacity:
              storage: 8Gi
            accessModes:
              - ReadWriteOnce
            persistentVolumeReclaimPolicy: Retain
            nodeAffinity:
              required:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/hostname
                        operator: In
                        values:
                          - rpi5-cluster-node-3
            claimRef:
              apiVersion: v1
              kind: PersistentVolumeClaim
              name: jellyfin-mediavol-movies
              namespace: jellyfin
            hostPath:
              path: "/mnt/nfs/AppData/jellyfin/media/movies"
              type: "Directory"
        - name: series
          readOnly: false
          volumeSpec:
            storageClassName: local-path
            volumeMode: Filesystem
            capacity:
              storage: 8Gi
            accessModes:
              - ReadWriteOnce
            persistentVolumeReclaimPolicy: Retain
            nodeAffinity:
              required:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/hostname
                        operator: In
                        values:
                          - rpi5-cluster-node-3
            claimRef:
              apiVersion: v1
              kind: PersistentVolumeClaim
              name: jellyfin-mediavol-series
              namespace: jellyfin
            hostPath:
              path: "/mnt/nfs/AppData/jellyfin/media/series"
              type: "Directory"
        - name: music-videos
          readOnly: false
          volumeSpec:
            storageClassName: local-path
            volumeMode: Filesystem
            capacity:
              storage: 8Gi
            accessModes:
              - ReadWriteOnce
            persistentVolumeReclaimPolicy: Retain
            nodeAffinity:
              required:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/hostname
                        operator: In
                        values:
                          - rpi5-cluster-node-3
            claimRef:
              apiVersion: v1
              kind: PersistentVolumeClaim
              name: jellyfin-mediavol-music-videos
              namespace: jellyfin
            hostPath:
              path: "/mnt/nfs/AppData/jellyfin/media/music-videos"
              type: "Directory"
        - name: short-videos
          readOnly: false
          volumeSpec:
            storageClassName: local-path
            volumeMode: Filesystem
            capacity:
              storage: 8Gi
            accessModes:
              - ReadWriteOnce
            persistentVolumeReclaimPolicy: Retain
            nodeAffinity:
              required:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/hostname
                        operator: In
                        values:
                          - rpi5-cluster-node-3
            claimRef:
              apiVersion: v1
              kind: PersistentVolumeClaim
              name: jellyfin-mediavol-short-videos
              namespace: jellyfin
            hostPath:
              path: "/mnt/nfs/AppData/jellyfin/media/short-videos"
              type: "Directory"
        - name: gv
          readOnly: false
          volumeSpec:
            storageClassName: local-path
            volumeMode: Filesystem
            capacity:
              storage: 8Gi
            accessModes:
              - ReadWriteOnce
            persistentVolumeReclaimPolicy: Retain
            nodeAffinity:
              required:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/hostname
                        operator: In
                        values:
                          - rpi5-cluster-node-3
            claimRef:
              apiVersion: v1
              kind: PersistentVolumeClaim
              name: jellyfin-mediavol-gv
              namespace: jellyfin
            hostPath:
              path: "/mnt/nfs/AppData/jellyfin/media/gv"
              type: "Directory"
      persistentTranscodes: true
--- a/kubernetes/apps/jellyfin/jellyfin.yaml
+++ b/kubernetes/apps/jellyfin/jellyfin.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: jellyfin
  namespace: jellyfin
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/jellyfin/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/kavita/app/development.yaml
+++ b/kubernetes/apps/kavita/app/development.yaml
@@ -0,0 +1,58 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kavita
  namespace: kavita
  labels:
    app.kubernetes.io/name: kavita
    app.kubernetes.io/instance: kavita
  annotations:
    kubectl.kubernetes.io/default-container: kavita
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kavita
      app.kubernetes.io/instance: kavita
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kavita
        app.kubernetes.io/instance: kavita
    spec:
      containers:
        - image: jvmilazz0/kavita:0.8.1
          imagePullPolicy: IfNotPresent
          name: kavita
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          env:
            - name: TZ
              value: Australia/Sydney
          volumeMounts:
            - name: kavita-config
              mountPath: /kavita/config
            - name: kavita-manga
              mountPath: /manga
            - name: kavita-book
              mountPath: /book
            - name: kavita-doc
              mountPath: /doc
      volumes:
        - name: kavita-config
          hostPath:
            path: /mnt/nfs/AppData/kavita/config
            type: Directory
        - name: kavita-manga
          hostPath:
            path: /mnt/nfs/AppData/kavita/manga
            type: Directory
        - name: kavita-book
          hostPath:
            path: /mnt/nfs/AppData/kavita/book
            type: Directory
        - name: kavita-doc
          hostPath:
            path: /mnt/nfs/AppData/kavita/doc
            type: Directory
--- a/kubernetes/apps/kavita/app/ingress.yaml
+++ b/kubernetes/apps/kavita/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: kavita-ingress
  namespace: kavita
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "kavita.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: kavita
                port:
                  number: 5000
--- a/kubernetes/apps/kavita/app/service.yaml
+++ b/kubernetes/apps/kavita/app/service.yaml
@@ -0,0 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kavita
  namespace: kavita
  labels:
    app.kubernetes.io/name: kavita
    app.kubernetes.io/instance: kavita
 spec:
  type: ClusterIP
  ports:
    - port: 5000
      targetPort: 5000
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: kavita
    app.kubernetes.io/instance: kavita
--- a/kubernetes/apps/kavita/kavita.yaml
+++ b/kubernetes/apps/kavita/kavita.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: kavita
  namespace: kavita
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/kavita/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/kustomization.yaml
+++ b/kubernetes/apps/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./adguard-home/adguard-home.yaml
  - ./capacitor/capacitor.yaml
-  - ./cert-manager/cert-manager.yaml
+  - ./code-server/code-server.yaml
-  - ./cilium/cilium.yaml
+  - ./dokuwiki/dokuwiki.yaml
  - ./gitea/gitea.yaml
  - ./homer/homer.yaml
  - ./jellyfin/jellyfin.yaml
  - ./kavita/kavita.yaml
  - ./nexus/nexus.yaml
  - ./podinfo/podinfo.yaml
  - ./qbittorrent/qbittorrent.yaml
  - ./snippet-box/snippet-box.yaml
  - ./sonarqube/sonarqube.yaml
  - ./uptime-kuma/uptime-kuma.yaml
  - ./weave-gitops/weave-gitops.yaml
--- a/kubernetes/apps/nexus/app/deployment.yaml
+++ b/kubernetes/apps/nexus/app/deployment.yaml
@@ -0,0 +1,38 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nexus
  namespace: nexus
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nexus
  template:
    metadata:
      labels:
        app: nexus
    spec:
      securityContext:
        runAsUser: 0
        runAsGroup: 0
      containers:
        - name: nexus
          image: klo2k/nexus3:3.68.1-02
          resources:
            limits:
              memory: "3Gi"
              cpu: "1"
            requests:
              memory: "2Gi"
              cpu: "500m"
          ports:
            - containerPort: 8081
          volumeMounts:
            - name: nexus-data
              mountPath: /nexus-data
      volumes:
        - name: nexus-data
          hostPath:
            path: /mnt/nfs/AppData/nexus
            type: Directory
--- a/kubernetes/apps/nexus/app/service.yaml
+++ b/kubernetes/apps/nexus/app/service.yaml
@@ -0,0 +1,17 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nexus
  namespace: nexus
  annotations:
    prometheus.io/scrape: 'true'
    prometheus.io/path:   /
    prometheus.io/port:   '8081'
 spec:
  selector:
    app: nexus
  type: NodePort
  ports:
    - port: 8081
      targetPort: 8081
      nodePort: 32000
--- a/kubernetes/apps/nexus/nexus.yaml
+++ b/kubernetes/apps/nexus/nexus.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: nexus
  namespace: nexus
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/nexus/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/podinfo/app/release.yaml
+++ b/kubernetes/apps/podinfo/app/release.yaml
--- a/kubernetes/apps/podinfo/app/repository.yaml
+++ b/kubernetes/apps/podinfo/app/repository.yaml
--- a/kubernetes/apps/podinfo/podinfo.yaml
+++ b/kubernetes/apps/podinfo/podinfo.yaml
@@ -4,11 +4,13 @@ metadata:
  name: podinfo
  namespace: podinfo
 spec:
-  interval: 1h
+  interval: 10m
-  path: ./kubernetes/apps/podinfo
+  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/podinfo/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
-    name: home-cluster-ops
+    name: flux-system
--- a/kubernetes/apps/qbittorrent/app/ingress.yaml
+++ b/kubernetes/apps/qbittorrent/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: qbittorrent-ingress
  namespace: qbittorrent
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "qbittorrent.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: qbittorrent
                port:
                  number: 8888
--- a/kubernetes/apps/qbittorrent/app/release.yaml
+++ b/kubernetes/apps/qbittorrent/app/release.yaml
@@ -0,0 +1,30 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: qbittorrent
  namespace: qbittorrent
 spec:
  targetNamespace: qbittorrent
  chart:
    spec:
      chart: qbittorrent
      sourceRef:
        kind: HelmRepository
        name: adminafk
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    service:
      web:
        port: 8888
      torrent:
        port: 8388
    config:
      persistence:
        name: "qbittorrent-config-pvc"
    volumeMounts:
      - name: qbittorrent-download-pvc
        mountPath: /download
--- a/kubernetes/apps/qbittorrent/app/volume.yaml
+++ b/kubernetes/apps/qbittorrent/app/volume.yaml
@@ -0,0 +1,93 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: qbittorrent-config
  namespace: qbittorrent
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/qbittorrent/config"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: qbittorrent-config-pvc
    namespace: qbittorrent
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 #apiVersion: v1
 #kind: PersistentVolumeClaim
 #metadata:
 #  name: qbittorrent-config-pvc
 #  namespace: qbittorrent
 #  labels:
 #    name: qbittorrent-config-pvc
 #spec:
 #  storageClassName: local-path
 #  volumeMode: Filesystem
 #  accessModes:
 #    - ReadWriteOnce
 #  resources:
 #    requests:
 #      storage: 5Gi
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: qbittorrent-download
  namespace: qbittorrent
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/qbittorrent/download"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: qbittorrent-download-pvc
    namespace: qbittorrent
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: qbittorrent-download-pvc
  namespace: qbittorrent
  labels:
    name: qbittorrent-download-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 64Gi
--- a/kubernetes/apps/qbittorrent/qbittorrent.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: qbittorrent
  namespace: qbittorrent
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/qbittorrent/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml
+++ b/kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml
@@ -0,0 +1,10 @@
 spec:
  ports:
    - name: torrent-tcp
      port: 8388
      targetPort: 8388
      protocol: TCP
    - name: torrent-udp
      port: 8388
      targetPort: 8388
      protocol: UDP
--- a/kubernetes/apps/qbittorrent/scripts/patch-ingress-nginx.sh
+++ b/kubernetes/apps/qbittorrent/scripts/patch-ingress-nginx.sh
@@ -0,0 +1,4 @@
 #!/bin/bash
 set -e
 kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat kubernetes/apps/qbittorrent/scripts/ingress-nginx-svc-controller-patch.yaml)"
--- a/kubernetes/apps/snippet-box/app/development.yaml
+++ b/kubernetes/apps/snippet-box/app/development.yaml
@@ -0,0 +1,34 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: snippet-box
  namespace: snippet-box
  labels:
    app.kubernetes.io/name: snippet-box
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: snippet-box
  template:
    metadata:
      labels:
        app.kubernetes.io/name: snippet-box
    spec:
      containers:
        - name: snippet-box
          image: pawelmalak/snippet-box:arm
          ports:
            - protocol: TCP
              containerPort: 5000
              name: snippet-box
          env:
            - name: TZ
              value: Australia/Sydney
          volumeMounts:
            - name: snippet-box-data
              mountPath: /app/data
      volumes:
        - name: snippet-box-data
          hostPath:
            path: /mnt/nfs/AppData/snippet-box
            type: Directory
--- a/kubernetes/apps/snippet-box/app/ingress.yaml
+++ b/kubernetes/apps/snippet-box/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: snippet-box-ingress
  namespace: snippet-box
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "snippet-box.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: snippet-box
                port:
                  number: 5000
--- a/kubernetes/apps/snippet-box/app/service.yaml
+++ b/kubernetes/apps/snippet-box/app/service.yaml
@@ -0,0 +1,17 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: snippet-box
  namespace: snippet-box
  labels:
    app.kubernetes.io/name: snippet-box
 spec:
  selector:
    app.kubernetes.io/name: snippet-box
  type: ClusterIP
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
      port: 5000
      targetPort: 5000
      name: snippet-box
--- a/kubernetes/apps/snippet-box/snippet-box.yaml
+++ b/kubernetes/apps/snippet-box/snippet-box.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: snippet-box
  namespace: snippet-box
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/snippet-box/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/sonarqube/app/release.yaml
+++ b/kubernetes/apps/sonarqube/app/release.yaml
@@ -0,0 +1,47 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: sonarqube
  namespace: sonarqube
 spec:
  releaseName: sonarqube
  chart:
    spec:
      chart: sonarqube
      sourceRef:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    sonarqubeUsername: ${sonarqube_username}
    sonarqubePassword: ${sonarqube_password}
    sonarqubeEmail: ${sonarqube_email}
    smtpHost: ${smtp_host}
    smtpPort: ${smtp_port}
    smtpUser: ${smtp_user}
    smtpPassword: ${smtp_password}
    smtpProtocol: ${smtp_protocol}
    service:
      ports:
        http: 8090
        elastic: 9091
      nodePorts:
        http: 30080
        elastic: 30091
    persistence:
      enabled: true
      storageClass: local-path
      size: "32Gi"
      existingClaim: "sonarqube-pvc"
    postgresql:
      enabled: false
    externalDatabase:
      host: ${db_host}
      user: ${db_user}
      password: ${db_password}
      database: ${db_name}
      port: ${db_port}
--- a/kubernetes/apps/sonarqube/app/volume.yaml
+++ b/kubernetes/apps/sonarqube/app/volume.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: sonarqube-pv
  namespace: sonarqube
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 32Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/sonarqube"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: sonarqube-pvc
    namespace: sonarqube
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-3
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: sonarqube-pvc
  namespace: sonarqube
  labels:
    name: sonarqube-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 32Gi
--- a/kubernetes/apps/sonarqube/sonarqube.yaml
+++ b/kubernetes/apps/sonarqube/sonarqube.yaml
@@ -0,0 +1,46 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: sonarqube-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: sonarqube
  path: ./sonarqube
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: sonarqube
  namespace: sonarqube
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/sonarqube/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: sonarqube-secrets
      namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: Secret
        name: sonarqube-secrets
--- a/kubernetes/apps/uptime-kuma/app/ingress.yaml
+++ b/kubernetes/apps/uptime-kuma/app/ingress.yaml
@@ -0,0 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: uptime-kuma-ingress
  namespace: uptime-kuma
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "uptime-kuma.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: uptime-kuma
                port:
                  number: 3001
--- a/kubernetes/apps/uptime-kuma/app/pvc.yaml
+++ b/kubernetes/apps/uptime-kuma/app/pvc.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: uptime-kuma-pv
  namespace: uptime-kuma
  labels:
    type: local
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  capacity:
    storage: 4Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: "/mnt/nfs/AppData/uptime-kuma"
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: uptime-kuma-pvc
    namespace: uptime-kuma
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - rpi5-cluster-node-1
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: uptime-kuma-pvc
  namespace: uptime-kuma
  labels:
    name: uptime-kuma-pvc
 spec:
  storageClassName: local-path
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--- a/kubernetes/apps/uptime-kuma/app/release.yaml
+++ b/kubernetes/apps/uptime-kuma/app/release.yaml
@@ -0,0 +1,26 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: uptime-kuma
  namespace: uptime-kuma
 spec:
  releaseName: uptime-kuma
  targetNamespace: uptime-kuma
  chart:
    spec:
      chart: uptime-kuma
      version: 2.18.1
      sourceRef:
        kind: HelmRepository
        name: irsigler
        namespace: flux-system
  interval: 1h
  install:
    remediation:
      retries: 3
  values:
    volume:
      enabled: true
      accessMode: ReadWriteOnce
      size: 4Gi
      existingClaim: "uptime-kuma-pvc"
--- a/kubernetes/apps/uptime-kuma/uptime-kuma.yaml
+++ b/kubernetes/apps/uptime-kuma/uptime-kuma.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: uptime-kuma
  namespace: uptime-kuma
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/uptime-kuma/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/apps/weave-gitops/app/ingress.yaml
+++ b/kubernetes/apps/weave-gitops/app/ingress.yaml
@@ -0,0 +1,31 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: weave-gitops-ingress
  namespace: flux-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
    - host: "weave-gitops.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: ww-gitops-weave-gitops
                port:
                  number: 9001
    - host: "weave-gitops.cluster.local"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: ww-gitops-weave-gitops
                port:
                  number: 9001
--- a/kubernetes/apps/weave-gitops/app/release.yaml
+++ b/kubernetes/apps/weave-gitops/app/release.yaml
@@ -0,0 +1,41 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  annotations:
    metadata.weave.works/description: This is the source location for the Weave GitOps
      Dashboard's helm chart.
  labels:
    app.kubernetes.io/component: ui
    app.kubernetes.io/created-by: weave-gitops-cli
    app.kubernetes.io/name: weave-gitops-dashboard
    app.kubernetes.io/part-of: weave-gitops
  name: ww-gitops
  namespace: flux-system
 spec:
  interval: 1h0m0s
  type: oci
  url: oci://ghcr.io/weaveworks/charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  annotations:
    metadata.weave.works/description: This is the Weave GitOps Dashboard.  It provides
      a simple way to get insights into your GitOps workloads.
  name: ww-gitops
  namespace: flux-system
 spec:
  chart:
    spec:
      chart: weave-gitops
      sourceRef:
        kind: HelmRepository
        name: ww-gitops
  interval: 1h0m0s
  values:
    adminUser:
      create: true
      passwordHash: $2a$10$gnPEHsFzIJXg/eron5LiQ.teGZkKETxuA2WAyKSbxHvxpkzWJvbDe
      username: admin
--- a/kubernetes/apps/weave-gitops/weave-gitops.yaml
+++ b/kubernetes/apps/weave-gitops/weave-gitops.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: weave-gitops
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/apps/weave-gitops/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/templates/apps/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/templates/apps/cert-manager/app/helmrelease.yaml
@@ -16,7 +16,6 @@ spec:
        namespace: cert-manager
        name: cert-manager
      interval: 1h
  installCRDs: true
  install:
    crds: Create
  upgrade:
--- a/kubernetes/templates/apps/cert-manager/app/helmrepository.yaml
+++ b/kubernetes/templates/apps/cert-manager/app/helmrepository.yaml
--- a/kubernetes/infrastructure/cert-manager/cert-manager.yaml
+++ b/kubernetes/infrastructure/cert-manager/cert-manager.yaml
@@ -0,0 +1,125 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cert-manager
  namespace: cert-manager
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: cert-manager
  path: ./kubernetes/infrastructure/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: namespaces
      namespace: flux-system
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: clusterissuer-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: cert-manager
  path: ./clusterissuer
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: namespaces
      namespace: flux-system
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: clusterissuer
  namespace: cert-manager
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: cert-manager
  path: ./kubernetes/infrastructure/cert-manager/clusterissuer
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: clusterissuer-secrets
      namespace: flux-system
    - name: cert-manager
      namespace: cert-manager
  postBuild:
    substituteFrom:
      - kind: Secret
        name: clusterissuer-secrets
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: certificate-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: cert-manager
  path: ./certificates
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: namespaces
      namespace: flux-system
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: certificates
  namespace: cert-manager
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: cert-manager
  path: ./kubernetes/infrastructure/cert-manager/certificates
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: certificate-secrets
      namespace: flux-system
    - name: cert-manager
      namespace: cert-manager
    - name: clusterissuer
      namespace: cert-manager
  postBuild:
    substituteFrom:
      - kind: Secret
        name: certificate-secrets
--- a/kubernetes/infrastructure/cert-manager/certificates/adguard-home.yaml
+++ b/kubernetes/infrastructure/cert-manager/certificates/adguard-home.yaml
@@ -0,0 +1,64 @@
 #apiVersion: cert-manager.io/v1
 #kind: Certificate
 #metadata:
 #  name: adguard-home-cert
 #  namespace: cert-manager
 #spec:
 #  # Secret names are always required.
 #  secretName: adguard-home.cluster.edward.sydney-tls
 #
 #  privateKey:
 #    algorithm: RSA
 #    encoding: PKCS1
 #    size: 2048
 #
 #  # keystores allows adding additional output formats. This is an example for reference only.
 #  keystores:
 #    pkcs12:
 #      create: true
 #      passwordSecretRef:
 #        name: adguard-home-tls-keystore
 #        key: ${adguard_home_certificate_tls_keystore_password}
 #      profile: Modern2023
 #
 #  duration: 2160h # 90d
 #  renewBefore: 360h # 15d
 #
 #  isCA: false
 #  usages:
 #    - server auth
 #    - client auth
 #
 #  subject:
 #    organizations:
 #      - edward.sydney
 #
 #  # The literalSubject field is exclusive with subject and commonName. It allows
 #  # specifying the subject directly as a string. This is useful for when the order
 #  # of the subject fields is important or when the subject contains special types
 #  # which can be specified by their OID.
 #  #
 #  # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
 #
 #  # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
 #  dnsNames:
 #    - "${adguard_home_certificate_dns_name}"
 #    - "*.${adguard_home_certificate_dns_name}"
 #  emailAddresses:
 #    - ${adguard_home_certificate_email}
 #
 #  # Issuer references are always required.
 #  issuerRef:
 #    name: clusterissuer
 #    # We can reference ClusterIssuers by changing the kind here.
 #    # The default value is Issuer (i.e. a locally namespaced Issuer)
 #    kind: ClusterIssuer
 #    # This is optional since cert-manager will default to this value however
 #    # if you are using an external issuer, change this to that issuer group.
 #    group: cert-manager.io
 #The certificate request has failed to complete and will be retried:
 #  Failed to wait for order resource "adguard-home-cert-1-1931876784" to become
 #  ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited:
 #  Error creating new order :: too many certificates already issued for "edward.sydney".
 #  Retry after 2024-06-25T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/
--- a/kubernetes/infrastructure/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
+++ b/kubernetes/infrastructure/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
@@ -0,0 +1,22 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: clusterissuer
  namespace: cert-manager
 spec:
  acme:
    email: ${email}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cluster-issuer-account-key
    solvers:
      - dns01:
          cloudflare:
            email: ${email}
            apiTokenSecretRef:
              name: clusterissuer-secrets
              key: cloudflare_api_token
        selector:
          dnsNames:
            - "${cluster_cert_domain}"
            - "*.${cluster_cert_domain}"
--- a/kubernetes/infrastructure/cilium/app/release.yaml
+++ b/kubernetes/infrastructure/cilium/app/release.yaml
@@ -0,0 +1,43 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cilium
  namespace: kube-system
 spec:
  chart:
    spec:
      chart: cilium
      version: 1.15.5
      sourceRef:
        kind: HelmRepository
        namespace: kube-system
        name: cilium
  install:
    crds: Create
  upgrade:
    crds: CreateReplace
  interval: 1h
  driftDetection:
    mode: enabled
  values:
    global:
      encryption:
        enabled: true
        nodeEncryption: true
    policyEnforcementMode: default
    operator:
      replicas: 1
    ipam:
      mode: cluster-pool
      operator:
        clusterPoolIPv4PodCIDRList: [10.42.0.0/16]
        clusterPoolIPv4MaskSize: 24
    dnsProxy:
      dnsRejectResponseCode: nameError
    cni:
      exclusive: false
--- a/kubernetes/infrastructure/cilium/cilium.yaml
+++ b/kubernetes/infrastructure/cilium/cilium.yaml
@@ -0,0 +1,35 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: cilium
 namespace: kube-system
 spec:
 interval: 10m
 timeout: 1m30s
 retryInterval: 30s
 path: ./kubernetes/infrastructure/cilium/app
 prune: true
 sourceRef:
   kind: GitRepository
   namespace: flux-system
   name: flux-system
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cilium-networkpolicies
  namespace: kube-system
 spec:
  suspend: false
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/infrastructure/cilium/networkpolicies
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: ingress-nginx
      namespace: ingress-nginx
--- a/kubernetes/infrastructure/cilium/kustomization.yaml
+++ b/kubernetes/infrastructure/cilium/kustomization.yaml
--- a/kubernetes/infrastructure/cilium/networkpolicies/coredns.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/coredns.yaml
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-kube-dns.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-kube-dns.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-kube-dns
  namespace: kube-system
 spec:
  endpointSelector:
    matchExpressions:
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-kubeapi.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-kubeapi.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-kubeapi
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-namespace.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-namespace.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-namespace
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-nodes.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-nodes.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-nodes
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-world
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
@@ -9,7 +10,3 @@ spec:
  egress:
    - toCIDRSet:
        - cidr: 0.0.0.0/0
          except:
            - 192.168.1.0/24
            - 192.168.2.0/24
            - 100.64.0.0/10
--- a/kubernetes/infrastructure/cilium/networkpolicies/ingress-namespace.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/ingress-namespace.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: ingress-namespace
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/ingress-nginx.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/ingress-nginx.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: ingress-ingress
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
@@ -17,7 +18,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: ingress-nginx
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
@@ -35,6 +36,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: egress-ingress
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
@@ -50,7 +52,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: egress-nginx
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/ingress-nodes.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/ingress-nodes.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: ingress-nodes
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/ingress-world.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/ingress-world.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: ingress-world
  namespace: kube-system
 spec:
  endpointSelector:
    matchLabels:
--- a/kubernetes/infrastructure/cilium/networkpolicies/local-path-provisioner.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/local-path-provisioner.yaml
--- a/kubernetes/infrastructure/consul/app/service.yaml
+++ b/kubernetes/infrastructure/consul/app/service.yaml
@@ -0,0 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: consul
  namespace: consul
  labels:
    app: consul
 spec:
  ports:
    - name: http
      protocol: TCP
      port: 8500
      targetPort: 8500
  selector:
    app: consul
  type: ClusterIP
--- a/kubernetes/infrastructure/consul/app/statefulset.yaml
+++ b/kubernetes/infrastructure/consul/app/statefulset.yaml
@@ -0,0 +1,46 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: consul
  namespace: consul
  labels:
    app: consul
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: consul
  template:
    metadata:
      labels:
        app: consul
    spec:
      containers:
        - name: consul
          image: 'consul:1.15.4'
          args:
            - agent
          ports:
            - name: http
              containerPort: 8500
              protocol: TCP
          env:
            - name: TZ
              value: Australia/Sydney
          volumeMounts:
            - name: consul-data
              mountPath: /consul/data
            - name: consul-config
              mountPath: /consul/config
          imagePullPolicy: IfNotPresent
      volumes:
        - name: consul-data
          hostPath:
            path: /mnt/nfs/AppData/consul/data
            type: Directory
        - name: consul-config
          hostPath:
            path: /mnt/nfs/AppData/consul/config
            type: Directory
      restartPolicy: Always
  serviceName: consul
--- a/kubernetes/infrastructure/consul/consul.yaml
+++ b/kubernetes/infrastructure/consul/consul.yaml
@@ -0,0 +1,18 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: consul
  namespace: consul
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/infrastructure/consul/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: namespaces
      namespace: flux-system
--- a/kubernetes/infrastructure/grafana-dashboards/dashboards/8919-node-exporter-20240520.yaml
+++ b/kubernetes/infrastructure/grafana-dashboards/dashboards/8919-node-exporter-20240520.yaml
@@ -0,0 +1,113 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  name: flask-consul
  namespace: consul
  labels:
    app: flask-consul
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: flask-consul
  template:
    metadata:
      labels:
        app: flask-consul
    spec:
      initContainers:
        - name: wait-for-consul
          image: busybox
          command:
            - sh
            - '-c'
            - >-
              for i in \$(seq 1 60); do nc -z -w3 consul 8500 && exit 0 ||
              sleep 5; done; exit 1
          imagePullPolicy: IfNotPresent
      containers:
        - name: flask-consul
          image: 'edeedeeed/flask_consul:v0.1.0'
          ports:
            - name: http-2026
              containerPort: 2026
              protocol: TCP
          env:
            - name: admin_passwd
              value: ${dashboard_8919_admin_passwd}
            - name: consul_token
              value: ${dashboard_8919_consul_token}
            - name: consul_url
              value: 'http://consul:8500/v1'
            - name: log_level
              value: INFO
            - name: TZ
              value: Australia/Sydney
          imagePullPolicy: Always
      restartPolicy: Always
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: flask-consul
  namespace: consul
  labels:
    app: flask-consul
 spec:
  ports:
    - name: http-2026
      protocol: TCP
      port: 2026
      targetPort: 2026
  selector:
    app: flask-consul
  type: ClusterIP
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  name: nginx-consul
  namespace: consul
  labels:
    app: nginx-consul
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-consul
  template:
    metadata:
      labels:
        app: nginx-consul
    spec:
      containers:
        - name: nginx-consul
          image: 'nicholasjackson/nginx-consul:v0.1.0'
          ports:
            - name: http-1026
              containerPort: 1026
              protocol: TCP
          env:
            - name: TZ
              value: Australia/Sydney
          imagePullPolicy: Always
      restartPolicy: Always
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: nginx-consul
  namespace: consul
  labels:
    app: consul
 spec:
  ports:
    - name: nginx-consul
      protocol: TCP
      port: 1026
      targetPort: 1026
      nodePort: 31026
  selector:
    app: nginx-consul
  type: NodePort
  externalTrafficPolicy: Cluster
--- a/kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml
+++ b/kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml
@@ -0,0 +1,48 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: grafana-dashboards-secrets
  namespace: flux-system
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: prometheus
  path: ./grafana-dashboards
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: home-cluster-ops-secrets
  dependsOn:
    - name: repositories
      namespace: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: grafana-dashboards
  namespace: prometheus
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/infrastructure/grafana-dashboards/dashboards
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: namespaces
      namespace: flux-system
    - name: grafana-dashboards-secrets
      namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: Secret
        name: grafana-dashboards-secrets
--- a/kubernetes/infrastructure/ingress-nginx/app/release.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/app/release.yaml
@@ -0,0 +1,113 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: ingress-nginx
  namespace: ingress-nginx
 spec:
  interval: 1h
  driftDetection:
    mode: enabled
  chart:
    spec:
      chart: ingress-nginx
      version: 4.10.1
      sourceRef:
        kind: HelmRepository
        namespace: ingress-nginx
        name: ingress-nginx
      interval: 1h
  values:
    rbac:
      create: true
    controller:
      priorityClassName: system-cluster-critical
      extraArgs:
        update-status-on-shutdown: "false"
        tcp-services-configmap: "ingress-nginx/tcp-services"
        udp-services-configmap: "ingress-nginx/udp-services"
      podLabels:
        rpi5.cluster.policy/egress-kubeapi: "true"
        rpi5.cluster.policy/egress-namespace: "true"
        rpi5.cluster.policy/egress-world-with-lan: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
        rpi5.cluster.policy/ingress-prometheus: "true"
        rpi5.cluster.policy/ingress-world: "true"
      allowSnippetAnnotations: true
 #      maxmindLicenseKey: ${geoip_license_key}
      config:
        proxy-buffer-size: 16k
        use-gzip: ${use_gzip:=true}
        enable-brotli: ${enable_brotli:=true}
        hsts-max-age: ${hsts_max_age:=31536000}
        hsts-preload: ${hsts_preload:=true}
        disable-ipv6: ${disable_ipv6:=false}
        disable-ipv6-dns: ${disable_ipv6_dns:=false}
        keep-alive-requests: ${keep_alive_requests:=1000}
        use-geoip2: ${use_geoip2:=true}
        custom-http-errors: 401,403,404,500,501,502,503,504
      extraEnvs:
        - name: TZ
          value: Australia/Sydney
      addHeaders:
        Referrer-Policy: same-origin, strict-origin-when-cross-origin
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block
      ingressClassResource:
        default: true
      service:
        externalTrafficPolicy: Cluster
        ipFamilyPolicy: SingleStack
      metrics:
        enabled: ${metrics_enabled:=false}
 #        serviceMonitor:
 #          enabled: ${metrics_enabled:=false}
 #          scrapeInterval: 1m
      admissionWebhooks:
        labels:
          rpi5.cluster.policy/egress-kubeapi: "true"
        patch:
          labels:
            rpi5.cluster.policy/egress-kubeapi: "true"
      spec:
        template:
          spec:
            containers:
              volumeMounts:
                - mountPath: /etc/nginx/template
                  name: nginx-template-volume
                  readOnly: true
            volumes:
              - name: nginx-template-volume
                hostPath:
                  path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
                  type: Directory
    defaultBackend:
      enabled: true
      image:
        repository: ghcr.io/tarampampam/error-pages
        tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
        pullPolicy: IfNotPresent
      extraEnvs:
        - name: TEMPLATE_NAME
          value: connection
        - name: SHOW_DETAILS
          value: "true"
        - name: READ_BUFFER_SIZE
          value: "8192"
      podLabels:
        rpi5.cluster.policy/ingress-namespace: "true"
--- a/kubernetes/infrastructure/ingress-nginx/app/repository.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/app/repository.yaml
@@ -0,0 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: ingress-nginx
  namespace: ingress-nginx
 spec:
  interval: 1h
  url: https://kubernetes.github.io/ingress-nginx
--- a/kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml
@@ -0,0 +1,26 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
  namespace: ingress-nginx
 data:
  "53": "flux-system/adguard-home:53"
  "853": "flux-system/adguard-home:853"
  "5432": "postgresql/postgresql-primary:5432"
  "5433": "postgresql/postgresql-replica:5432"
  "5443": "flux-system/adguard-home:5443"
  "6060": "flux-system/adguard-home:6060"
  "8388": "qbittorrent/qbittorrent-torrent:8388"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: udp-services
  namespace: ingress-nginx
 data:
  "53": "flux-system/adguard-home:53"
  "67": "flux-system/adguard-home:67"
  "68": "flux-system/adguard-home:68"
  "853": "flux-system/adguard-home:853"
  "5443": "flux-system/adguard-home:5443"
  "8388": "qbittorrent/qbittorrent-torrent:8388"
--- a/kubernetes/infrastructure/ingress-nginx/config/values.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/config/values.yaml
@@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-nginx-values
  namespace: ingress-nginx
 data:
  use_geoip2: "false"
  disable_ipv6: "true"
  disable_ipv6_dns: "true"
--- a/kubernetes/infrastructure/ingress-nginx/ingress-nginx-config.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/ingress-nginx-config.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: ingress-nginx-config
  namespace: ingress-nginx
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/infrastructure/ingress-nginx/config
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
--- a/kubernetes/infrastructure/ingress-nginx/ingress-nginx.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/ingress-nginx.yaml
@@ -0,0 +1,91 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: ingress-nginx
  namespace: ingress-nginx
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  targetNamespace: ingress-nginx
  path: ./kubernetes/infrastructure/ingress-nginx/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: ingress-nginx-config
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: ingress-nginx-values
  patches:
    - target:
        kind: Service
        name: ingress-nginx-controller
        namespace: ingress-nginx
      patch: |
        - op: add
          path: /spec/ports/-
          value:
            name: dns-tcp
            port: 53
            targetPort: 53
            protocol: TCP
        - op: add
          path: /spec/ports/-
          value:
            name: dns-udp
            port: 53
            targetPort: 53
            protocol: UDP
        - op: add
          path: /spec/ports/-
          value:
            name: dhcps-udp
            port: 67
            targetPort: 67
            protocol: UDP
        - op: add
          path: /spec/ports/-
          value:
            name: dhcpc-udp
            port: 68
            targetPort: 68
            protocol: UDP
        - op: add
          path: /spec/ports/-
          value:
            name: dns-tls-tcp
            port: 853
            targetPort: 853
            protocol: TCP
        - op: add
          path: /spec/ports/-
          value:
            name: dns-tls-udp
            port: 853
            targetPort: 853
            protocol: UDP
        - op: add
          path: /spec/ports/-
          value:
            name: dnscrypt-tcp
            port: 5443
            targetPort: 5443
            protocol: TCP
        - op: add
          path: /spec/ports/-
          value:
            name: dnscrypt-udp
            port: 5443
            targetPort: 5443
            protocol: UDP
        - op: add
          path: /spec/ports/-
          value:
            name: https-pprof
            port: 6060
            targetPort: 6060
            protocol: TCP
--- a/kubernetes/infrastructure/ingress-nginx/kustomization.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/kustomization.yaml
@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - podinfo.yaml
+  - ingress-nginx.yaml
  - ingress-nginx-config.yaml
--- a/kubernetes/infrastructure/kustomization.yaml
+++ b/kubernetes/infrastructure/kustomization.yaml
@@ -1,4 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./cert-manager/cert-manager.yaml
  #  - ./cilium/cilium.yaml
  - ./consul/consul.yaml
  - ./grafana-dashboards/grafana-dashboards.yaml
  - ./ingress-nginx/ingress-nginx.yaml
  - ./ingress-nginx/ingress-nginx-config.yaml
  - ./local-path-provisioner/local-path-provisioner.yaml
  - ./minio/minio.yaml
  - ./namespaces/namespaces.yaml
  - ./postgresql/postgresql.yaml
  - ./prometheus/prometheus.yaml
  - ./prometheus-alertmanager/prometheus-alertmanager.yaml
  - ./prometheus-exporters/prometheus-exporters.yaml
  - ./redis/redis.yaml
  - ./repositories/repositories.yaml
--- a/kubernetes/infrastructure/local-path-provisioner/app/local-path-provisioner.yaml
+++ b/kubernetes/infrastructure/local-path-provisioner/app/local-path-provisioner.yaml
@@ -0,0 +1,149 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: local-path-provisioner-service-account
  namespace: local-path-storage
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: local-path-provisioner-role
  namespace: local-path-storage
 rules:
  - apiGroups: [ "" ]
    resources: [ "pods" ]
    verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: local-path-provisioner-role
 rules:
  - apiGroups: [ "" ]
    resources: [ "nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "persistentvolumes" ]
    verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]
  - apiGroups: [ "" ]
    resources: [ "events" ]
    verbs: [ "create", "patch" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "storageclasses" ]
    verbs: [ "get", "list", "watch" ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: local-path-provisioner-bind
  namespace: local-path-storage
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: local-path-provisioner-role
 subjects:
  - kind: ServiceAccount
    name: local-path-provisioner-service-account
    namespace: local-path-storage
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: local-path-provisioner-bind
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: local-path-provisioner-role
 subjects:
  - kind: ServiceAccount
    name: local-path-provisioner-service-account
    namespace: local-path-storage
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: local-path-provisioner
  namespace: local-path-storage
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: local-path-provisioner
  template:
    metadata:
      labels:
        app: local-path-provisioner
    spec:
      serviceAccountName: local-path-provisioner-service-account
      containers:
        - name: local-path-provisioner
          image: rancher/local-path-provisioner:v0.0.28
          imagePullPolicy: IfNotPresent
          command:
            - local-path-provisioner
            - --debug
            - start
            - --config
            - /etc/config/config.json
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config/
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_MOUNT_PATH
              value: /etc/config/
      volumes:
        - name: config-volume
          configMap:
            name: local-path-config
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: local-path
 provisioner: rancher.io/local-path
 volumeBindingMode: WaitForFirstConsumer
 reclaimPolicy: Retain
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: local-path-config
  namespace: local-path-storage
 data:
  config.json: |-
    {
      "nodePathMap": [
        {
          "node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
          "paths": [
            "/opt/local-path-provisioner"]
        }
      ]
    }
  setup: |-
    #!/bin/sh
    set -eu
    mkdir -m 0777 -p "$VOL_DIR"
  teardown: |-
    #!/bin/sh
    set -eu
    rm -rf "$VOL_DIR"
  helperPod.yaml: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: helper-pod
    spec:
      priorityClassName: system-node-critical
      tolerations:
        - key: node.kubernetes.io/disk-pressure
          operator: Exists
          effect: NoSchedule
      containers:
        - name: helper-pod
          image: busybox
          imagePullPolicy: IfNotPresent
--- a/kubernetes/infrastructure/local-path-provisioner/local-path-provisioner.yaml
+++ b/kubernetes/infrastructure/local-path-provisioner/local-path-provisioner.yaml
@@ -0,0 +1,19 @@
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: local-path-provisioner
  namespace: local-path-storage
 spec:
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
  path: ./kubernetes/infrastructure/local-path-provisioner/app
  prune: true
  sourceRef:
    kind: GitRepository
    namespace: flux-system
    name: flux-system
  dependsOn:
    - name: namespaces
      namespace: flux-system
--- a/Show More
+++ b/Show More