From f0f3a0dbcee28ef9d478923f6e6356c5ab76a1f8 Mon Sep 17 00:00:00 2001 
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:20:52 +0100
Subject: [PATCH 001/114] feat(migration): cluster version 2
---
 AGENTS.md | 221 +++
 .../infrastructure}/kustomization.yaml | 5 +-
 .../longhorn/app/helmrelease.yaml} | 4 +-
 .../longhorn/app}/kustomization.yaml | 6 +-
 .../longhorn/app/storageClass-retain.yaml} | 3 +-
 .../apps/infrastructure/longhorn/ks.yaml | 13 +-
 kubernetes/apps/infrastructure/namespace.yaml | 7 +
 .../kube-system/cilium/app/helmrelease.yaml | 62 ++
 .../cilium}/app/kustomization.yaml | 2 -
 .../cilium/config/kustomization.yaml | 6 +
 .../cilium/config/loadbalancer.yaml | 24 +
 .../kube-system/cilium}/ks.yaml | 39 +-
 .../apps/kube-system/kustomization.yaml | 7 +
 .../apps/network/kustomization.yaml | 5 +-
 kubernetes/apps/network/namespace.yaml | 7 +
 .../pihole-system/app/helmrelease.yaml} | 9 +-
 .../pihole-system/app/kustomization.yaml | 1 -
 .../pihole-system/app/pihole-exporter.yaml | 0
 .../pihole-system/app/secret.sops.yaml | 0
 .../network/pihole-system}/ks.yaml | 15 +-
 kubernetes/{main => }/flux-system/apps.yaml | 0
 .../{main => }/flux-system/flux-instance.yaml | 4 +-
 .../flux-operator/app/kustomization.yaml | 0
 .../flux-operator/app/resourceset.yaml | 0
 .../flux-system/flux-operator/ks.yaml | 0
 .../{main => }/flux-system/kustomization.yaml | 1 +
 .../flux-system/repositories/helm/cilium.yaml | 10 +
 .../repositories/helm/kustomization.yaml | 8 +
 .../repositories/helm/longhorn.yaml} | 4 +-
 .../repositories/helm/pihole.yaml} | 4 +-
 .../repositories/kustomization.yaml | 8 +
 .../vars/cluster-secrets.sops.yaml | 0
 .../flux-system/vars/kustomization.yaml | 0
 .../audiobookshelf/app/audiobooks-pvc.yaml | 12 -
 .../app/audiobookshelf-filebrowser.yaml | 102 ---
 .../audiobookshelf/app/kustomization.yaml | 9 -
 .../apps/audiobookshelf/app/namespace.yaml | 9 -
 .../main/apps/audiobookshelf/app/release.yaml | 67 --
 .../apps/audiobookshelf/app/repository.yaml | 10 -
 kubernetes/main/apps/audiobookshelf/ks.yaml | 21 -
 .../main/apps/bentopdf/app/kustomization.yaml
| 6 -
 .../main/apps/bentopdf/app/manifest.yaml | 77 --
 .../main/apps/bentopdf/app/namespace.yaml | 9 -
 kubernetes/main/apps/bentopdf/ks.yaml | 21 -
 kubernetes/main/apps/blog/app/deployment.yaml | 41 -
 kubernetes/main/apps/blog/app/ingress.yaml | 21 -
 .../main/apps/blog/app/kustomization.yaml | 8 -
 kubernetes/main/apps/blog/app/namespace.yaml | 10 -
 kubernetes/main/apps/blog/app/service.yaml | 13 -
 kubernetes/main/apps/blog/ks.yaml | 20 -
 .../apps/cert-manager/app/kustomization.yaml | 7 -
 .../main/apps/cert-manager/app/namespace.yaml | 9 -
 .../main/apps/cert-manager/app/release.yaml | 34 -
 .../apps/cert-manager/app/repository.yaml | 10 -
 .../apps/cert-manager/issuers/issuers.yaml | 22 -
 .../cert-manager/issuers/kustomization.yaml | 6 -
 .../cert-manager/issuers/secret.sops.yaml | 22 -
 kubernetes/main/apps/cert-manager/ks.yaml | 44 -
 .../apps/cloudflared/app/configs/config.yaml | 10 -
 .../main/apps/cloudflared/app/deployment.yaml | 35 -
 .../apps/cloudflared/app/dnsendpoint.yaml | 11 -
 .../apps/cloudflared/app/kustomization.yaml | 16 -
 .../main/apps/cloudflared/app/namespace.yaml | 10 -
 .../main/apps/cloudflared/app/release.yaml | 118 ---
 .../main/apps/cloudflared/app/repository.yaml | 9 -
 .../apps/cloudflared/app/secret.sops.yaml | 28 -
 .../cloudnative-pg/cluster/cluster18.yaml | 52 --
 .../cloudnative-pg/cluster/s3-creds.sops.yaml | 23 -
 .../cluster/scheduledbackup.yaml | 13 -
 .../cloudnative-pg/operator/release.yaml | 31 -
 .../cloudnative-pg/operator/repository.yaml | 8 -
 .../cloudnative-pg/operator/secret.sops.yaml | 25 -
 .../main/apps/database/kustomization.yaml | 6 -
 kubernetes/main/apps/database/namespace.yaml | 9 -
 .../external-dns/external/kustomization.yaml | 10 -
 .../apps/external-dns/external/namespace.yaml | 9 -
 .../apps/external-dns/external/release.yaml | 83 --
 .../external-dns/external/repository.yaml | 10 -
 .../external-dns/external/secret.sops.yaml | 27 -
 kubernetes/main/apps/external-dns/ks.yaml | 22 -
 .../garmin/garmin-fetch-data/deployment.yaml | 61
--
 .../garmin-fetch-data/kustomization.yaml | 9 -
 .../garmin/garmin-fetch-data/namespace.yaml | 9 -
 .../apps/garmin/garmin-fetch-data/pvc.yaml | 12 -
 .../garmin/garmin-fetch-data/secret.sops.yaml | 23 -
 .../garmin/garmin-fetch-data/service.yaml | 12 -
 kubernetes/main/apps/garmin/ks.yaml | 21 -
 .../apps/gitlab-runner/app/kustomization.yaml | 7 -
 .../apps/gitlab-runner/app/namespace.yaml | 9 -
 .../main/apps/gitlab-runner/app/release.yaml | 19 -
 .../apps/gitlab-runner/app/repository.yaml | 8 -
 kubernetes/main/apps/gitlab-runner/ks.yaml | 21 -
 .../goriva-si-influxdb/kustomization.yaml | 8 -
 .../goriva-si-influxdb/namespace.yaml | 10 -
 .../goriva-si/goriva-si-influxdb/release.yaml | 47 --
 .../goriva-si-influxdb/repository.yaml | 10 -
 .../goriva-si-influxdb/secret.sops.yaml | 24 -
 .../goriva-si/goriva-si-scraper/cronjob.yaml | 53 --
 .../goriva-si-scraper/kustomization.yaml | 6 -
 .../goriva-si-scraper/secret.sops.yaml | 23 -
 kubernetes/main/apps/goriva-si/ks.yaml | 48 --
 .../external-secrets/app/kustomization.yaml | 7 -
 .../external-secrets/app/namespace.yaml | 9 -
 .../external-secrets/app/release.yaml | 18 -
 .../external-secrets/app/repository.yaml | 8 -
 .../infrastructure/external-secrets/ks.yaml | 21 -
 .../apps/infrastructure/kustomization.yaml | 8 -
 .../longhorn/app/kustomization.yaml | 8 -
 .../longhorn/app/namespace.yaml | 9 -
 .../infrastructure/reloader/app/reloader.yaml | 144 ----
 .../main/apps/infrastructure/reloader/ks.yaml | 21 -
 .../weave-gitops/app/release.yaml | 38 -
 .../weave-gitops/app/repository.yaml | 18 -
 .../apps/infrastructure/weave-gitops/ks.yaml | 21 -
 .../certificates/certificate.yaml | 15 -
 .../certificates/kustomization.yaml | 6 -
 .../ingress-nginx/external/kustomization.yaml | 7 -
 .../ingress-nginx/external/namespace.yaml | 9 -
 .../apps/ingress-nginx/external/release.yaml | 81 --
 .../ingress-nginx/external/repository.yaml | 10 -
 .../ingress-nginx/internal/kustomization.yaml | 5 -
 .../apps/ingress-nginx/internal/release.yaml | 77 --
 kubernetes/main/apps/ingress-nginx/ks.yaml | 70 --
 .../apps/k8s-gateway/app/kustomization.yaml | 7 -
 .../main/apps/k8s-gateway/app/namespace.yaml | 9 -
 .../main/apps/k8s-gateway/app/release.yaml | 35 -
 .../main/apps/k8s-gateway/app/repository.yaml | 10 -
 kubernetes/main/apps/k8s-gateway/ks.yaml | 21 -
 .../main/apps/linkwarden/app/cluster-pg.yaml | 40 -
 .../main/apps/linkwarden/app/deployment.yaml | 77 --
 .../main/apps/linkwarden/app/ingress.yaml | 21 -
 .../apps/linkwarden/app/kustomization.yaml | 13 -
 .../main/apps/linkwarden/app/namespace.yaml | 10 -
 .../main/apps/linkwarden/app/pg-backup.yaml | 13 -
 .../apps/linkwarden/app/pg-secret.sops.yaml | 25 -
 .../main/apps/linkwarden/app/secret.sops.yaml | 34 -
 .../main/apps/linkwarden/app/service.yaml | 16 -
 .../main/apps/linkwarden/app/storage.yaml | 11 -
 kubernetes/main/apps/linkwarden/ks.yaml | 21 -
 .../main/apps/mealie/app/deployment.yaml | 47 --
 kubernetes/main/apps/mealie/app/ingress.yaml | 29 -
 .../main/apps/mealie/app/kustomization.yaml | 9 -
 .../main/apps/mealie/app/namespace.yaml | 10 -
 kubernetes/main/apps/mealie/app/service.yaml | 16 -
 kubernetes/main/apps/mealie/app/storage.yaml | 11 -
 kubernetes/main/apps/mealie/ks.yaml | 22 -
 .../main/apps/network/k8tz/app/namespace.yaml | 10 -
 .../main/apps/network/k8tz/app/pki.yaml | 32 -
 .../main/apps/network/k8tz/app/release.yaml | 49 --
 .../apps/network/k8tz/app/repository.yaml | 10 -
 kubernetes/main/apps/network/k8tz/ks.yaml | 21 -
 .../app/config/kustomization.yaml | 5 -
 .../metallb-system/app/config/pool.yaml | 18 -
 .../metallb-system/app/kustomization.yaml | 7 -
 .../network/metallb-system/app/namespace.yaml | 10 -
 .../network/metallb-system/app/release.yaml | 18 -
 .../metallb-system/app/repository.yaml | 8 -
 .../main/apps/network/metallb-system/ks.yaml | 21 -
 .../network/pihole-system/app/namespace.yaml | 10 -
 .../main/apps/network/pihole-system/ks.yaml | 21 -
 .../apps/network/wg-easy/app/manifest.yaml | 147 ----
 kubernetes/main/apps/network/wg-easy/ks.yaml | 0
 .../alertmanager/app/kustomization.yaml | 5 -
 .../alertmanager/app/release.yaml | 27 -
 .../alertmanager/app/repository.yaml | 8 -
 .../apps/observability/alertmanager/ks.yaml | 21 -
 .../alloy/app/kustomization.yaml | 4 -
 .../apps/observability/alloy/app/release.yaml | 338 --------
 .../main/apps/observability/alloy/ks.yaml | 21 -
 .../blackbox-exporter/app/kustomization.yaml | 5 -
 .../blackbox-exporter/app/release.yaml | 66 --
 .../blackbox-exporter/app/repository.yaml | 9 -
 .../observability/blackbox-exporter/ks.yaml | 21 -
 .../observability/crucix/app/deployment.yaml | 50 --
 .../observability/crucix/app/ingress.yaml | 20 -
 .../crucix/app/kustomization.yaml | 9 -
 .../apps/observability/crucix/app/pvc.yaml | 13 -
 .../observability/crucix/app/secret.sops.yaml | 30 -
 .../observability/crucix/app/service.yaml | 15 -
 .../main/apps/observability/crucix/ks.yaml | 20 -
 .../glance/app/configs/glance.yml | 322 --------
 .../observability/glance/app/deployment.yaml | 46 --
 .../observability/glance/app/ingress.yaml | 28 -
 .../glance/app/kustomization.yaml | 15 -
 .../observability/glance/app/namespace.yaml | 10 -
 .../observability/glance/app/service.yaml | 15 -
 .../main/apps/observability/glance/ks.yaml | 20 -
 .../grafana/app/kustomization.yaml | 6 -
 .../observability/grafana/app/namespace.yaml | 10 -
 .../observability/grafana/app/release.yaml | 220 -----
 .../observability/grafana/app/repository.yaml | 8 -
 .../main/apps/observability/grafana/ks.yaml | 21 -
 .../app/kustomization.yaml | 5 -
 .../kube-prometheus-stack/app/release.yaml | 777 ------------------
 .../kube-prometheus-stack/app/repository.yaml | 8 -
 .../kube-prometheus-stack/ks.yaml | 21 -
 .../apps/observability/kustomization.yaml | 12 -
 .../observability/loki/app/kustomization.yaml | 4 -
 .../apps/observability/loki/app/release.yaml | 135 ---
 .../observability/loki/app/secret.sops.yaml | 23 -
 .../main/apps/observability/loki/ks.yaml | 21 -
 .../apps/paperless-ngx/app/kustomization.yaml | 8 -
 .../apps/paperless-ngx/app/namespace.yaml | 9 -
 .../main/apps/paperless-ngx/app/release.yaml | 86 --
 .../apps/paperless-ngx/app/repository.yaml | 10 -
 .../apps/paperless-ngx/app/secret.sops.yaml | 28 -
 kubernetes/main/apps/paperless-ngx/ks.yaml | 21 -
 .../security/authentik/app/kustomization.yaml | 8 -
 .../security/authentik/app/namespace.yaml | 9 -
 .../security/authentik/app/pg-backup.yaml | 36 -
 .../apps/security/authentik/app/release.yaml | 48 --
 .../security/authentik/app/repository.yaml | 8 -
 .../main/apps/security/authentik/ks.yaml | 20 -
 .../main/apps/uptime-kuma/app/ingress.yaml | 29 -
 .../apps/uptime-kuma/app/kustomization.yaml | 10 -
 .../main/apps/uptime-kuma/app/namespace.yaml | 10 -
 .../main/apps/uptime-kuma/app/service.yaml | 19 -
 .../apps/uptime-kuma/app/serviceAccount.yaml | 9 -
 .../apps/uptime-kuma/app/statefulSet.yaml | 62 --
 .../main/apps/uptime-kuma/app/storage.yaml | 12 -
 kubernetes/main/apps/uptime-kuma/ks.yaml | 20 -
 kubernetes/main/apps/web/app/deployment.yaml | 56 --
 kubernetes/main/apps/web/app/ingress.yaml | 23 -
 .../main/apps/web/app/kustomization.yaml | 8 -
 kubernetes/main/apps/web/app/namespace.yaml | 10 -
 kubernetes/main/apps/web/app/service.yaml | 13 -
 kubernetes/main/apps/web/ks.yaml | 20 -
 .../main/apps/whoami/app/deployment.yaml | 24 -
 kubernetes/main/apps/whoami/app/ingress.yaml | 29 -
 .../main/apps/whoami/app/namespace.yaml | 9 -
 kubernetes/main/apps/whoami/app/service.yaml | 12 -
 kubernetes/main/apps/whoami/ks.yaml | 20 -
 .../main/avto-masini/avto-masini-web/ks.yaml | 40 -
 .../production/deployment.yaml | 68 --
 .../avto-masini-web/production/ingress.yaml | 32 -
 .../production/kustomization.yaml | 8 -
 .../avto-masini-web/production/secret.yaml | 8 -
 .../avto-masini-web/production/service.yaml | 13 -
 .../avto-masini-web/staging/deployment.yaml | 66 --
 .../avto-masini-web/staging/ingress.yaml | 30 -
 .../staging/kustomization.yaml | 8 -
 .../avto-masini-web/staging/secret.yaml | 8 -
 .../avto-masini-web/staging/service.yaml | 13 -
 .../cloudflared/app/configs/config.yaml | 10 -
 .../cloudflared/app/dnsendpoint.yaml | 11 -
 .../cloudflared/app/kustomization.yaml | 15 -
 .../avto-masini/cloudflared/app/release.yaml | 118 ---
 .../cloudflared/app/repository.yaml | 9 -
 .../cloudflared/app/secret.sops.yaml | 23 -
 .../main/avto-masini/cloudflared/ks.yaml | 21 -
 .../external-dns/app/kustomization.yaml | 8 -
 .../avto-masini/external-dns/app/release.yaml | 46 --
 .../external-dns/app/repository.yaml | 10 -
 .../external-dns/app/secret.sops.yaml | 22 -
 .../main/avto-masini/external-dns/ks.yaml | 21 -
 .../ingress-nginx/app/kustomization.yaml | 6 -
 .../ingress-nginx/app/release.yaml | 81 --
 .../ingress-nginx/app/repository.yaml | 10 -
 .../certificates/avto-masini-production.yaml | 15 -
 .../certificates/kustomization.yaml | 5 -
 .../main/avto-masini/ingress-nginx/ks.yaml | 46 --
 .../main/avto-masini/kustomization.yaml | 9 -
 kubernetes/main/avto-masini/namespace.yaml | 9 -
 kubernetes/main/flux-system/avto-masini.yaml | 41 -
 264 files changed, 412 insertions(+), 7107 deletions(-)
 create mode 100644 AGENTS.md
 rename kubernetes/{main/apps/database/cloudnative-pg/cluster => apps/infrastructure}/kustomization.yaml (68%)
 rename kubernetes/{main/apps/infrastructure/longhorn/app/release.yaml => apps/infrastructure/longhorn/app/helmrelease.yaml} (68%)
 rename kubernetes/{main/apps/database/cloudnative-pg/operator => apps/infrastructure/longhorn/app}/kustomization.yaml (64%)
 rename kubernetes/{main/apps/infrastructure/longhorn/app/storageclass-retain.yaml => apps/infrastructure/longhorn/app/storageClass-retain.yaml} (93%)
 rename kubernetes/{main => }/apps/infrastructure/longhorn/ks.yaml (54%)
 create mode 100644 kubernetes/apps/infrastructure/namespace.yaml
 create mode 100644 kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
 rename kubernetes/{main/apps/network/k8tz => apps/kube-system/cilium}/app/kustomization.yaml (84%)
 create mode 100644 kubernetes/apps/kube-system/cilium/config/kustomization.yaml
 create mode 100644
kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml
 rename kubernetes/{main/apps/database/cloudnative-pg => apps/kube-system/cilium}/ks.yaml (51%)
 create mode 100644 kubernetes/apps/kube-system/kustomization.yaml
 rename kubernetes/{main => }/apps/network/kustomization.yaml (52%)
 create mode 100644 kubernetes/apps/network/namespace.yaml
 rename kubernetes/{main/apps/network/pihole-system/app/release.yaml => apps/network/pihole-system/app/helmrelease.yaml} (86%)
 rename kubernetes/{main => }/apps/network/pihole-system/app/kustomization.yaml (89%)
 rename kubernetes/{main => }/apps/network/pihole-system/app/pihole-exporter.yaml (100%)
 rename kubernetes/{main => }/apps/network/pihole-system/app/secret.sops.yaml (100%)
 rename kubernetes/{main/apps/cloudflared => apps/network/pihole-system}/ks.yaml (50%)
 rename kubernetes/{main => }/flux-system/apps.yaml (100%)
 rename kubernetes/{main => }/flux-system/flux-instance.yaml (94%)
 rename kubernetes/{main => }/flux-system/flux-operator/app/kustomization.yaml (100%)
 rename kubernetes/{main => }/flux-system/flux-operator/app/resourceset.yaml (100%)
 rename kubernetes/{main => }/flux-system/flux-operator/ks.yaml (100%)
 rename kubernetes/{main => }/flux-system/kustomization.yaml (67%)
 create mode 100644 kubernetes/flux-system/repositories/helm/cilium.yaml
 create mode 100644 kubernetes/flux-system/repositories/helm/kustomization.yaml
 rename kubernetes/{main/apps/infrastructure/longhorn/app/repository.yaml => flux-system/repositories/helm/longhorn.yaml} (51%)
 rename kubernetes/{main/apps/network/pihole-system/app/repository.yaml => flux-system/repositories/helm/pihole.yaml} (54%)
 create mode 100644 kubernetes/flux-system/repositories/kustomization.yaml
 rename kubernetes/{main => }/flux-system/vars/cluster-secrets.sops.yaml (100%)
 rename kubernetes/{main => }/flux-system/vars/kustomization.yaml (100%)
 delete mode 100644 kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml
 delete mode 100644
kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml
 delete mode 100644 kubernetes/main/apps/audiobookshelf/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/audiobookshelf/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/audiobookshelf/app/release.yaml
 delete mode 100644 kubernetes/main/apps/audiobookshelf/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/audiobookshelf/ks.yaml
 delete mode 100644 kubernetes/main/apps/bentopdf/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/bentopdf/app/manifest.yaml
 delete mode 100644 kubernetes/main/apps/bentopdf/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/bentopdf/ks.yaml
 delete mode 100644 kubernetes/main/apps/blog/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/blog/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/blog/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/blog/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/blog/app/service.yaml
 delete mode 100644 kubernetes/main/apps/blog/ks.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/app/release.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/issuers/issuers.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/issuers/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/cert-manager/ks.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/configs/config.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/kustomization.yaml
 delete mode 100644
kubernetes/main/apps/cloudflared/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/release.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/cloudflared/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml
 delete mode 100644 kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/database/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/database/namespace.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/external/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/external/namespace.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/external/release.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/external/repository.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/external/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/external-dns/ks.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml
 delete mode 100644 kubernetes/main/apps/garmin/ks.yaml
 delete mode 100644 kubernetes/main/apps/gitlab-runner/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/gitlab-runner/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/gitlab-runner/app/release.yaml
 delete mode 100644 kubernetes/main/apps/gitlab-runner/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/gitlab-runner/ks.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/goriva-si/ks.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/external-secrets/ks.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/reloader/ks.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml
 delete mode 100644
kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/external/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/external/namespace.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/external/release.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/external/repository.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/internal/release.yaml
 delete mode 100644 kubernetes/main/apps/ingress-nginx/ks.yaml
 delete mode 100644 kubernetes/main/apps/k8s-gateway/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/k8s-gateway/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/k8s-gateway/app/release.yaml
 delete mode 100644 kubernetes/main/apps/k8s-gateway/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/k8s-gateway/ks.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/cluster-pg.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/pg-backup.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/service.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/app/storage.yaml
 delete mode 100644 kubernetes/main/apps/linkwarden/ks.yaml
 delete mode 100644
kubernetes/main/apps/mealie/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/mealie/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/mealie/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/mealie/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/mealie/app/service.yaml
 delete mode 100644 kubernetes/main/apps/mealie/app/storage.yaml
 delete mode 100644 kubernetes/main/apps/mealie/ks.yaml
 delete mode 100644 kubernetes/main/apps/network/k8tz/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/network/k8tz/app/pki.yaml
 delete mode 100644 kubernetes/main/apps/network/k8tz/app/release.yaml
 delete mode 100644 kubernetes/main/apps/network/k8tz/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/network/k8tz/ks.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/config/pool.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/release.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/network/metallb-system/ks.yaml
 delete mode 100644 kubernetes/main/apps/network/pihole-system/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/network/pihole-system/ks.yaml
 delete mode 100644 kubernetes/main/apps/network/wg-easy/app/manifest.yaml
 delete mode 100644 kubernetes/main/apps/network/wg-easy/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/alertmanager/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/alertmanager/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/observability/alertmanager/ks.yaml
 delete mode 100644
kubernetes/main/apps/observability/alloy/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/alloy/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/alloy/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/observability/blackbox-exporter/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/pvc.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/app/service.yaml
 delete mode 100644 kubernetes/main/apps/observability/crucix/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/configs/glance.yml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/app/service.yaml
 delete mode 100644 kubernetes/main/apps/observability/glance/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/grafana/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/grafana/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/observability/grafana/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/grafana/app/repository.yaml
 delete
mode 100644 kubernetes/main/apps/observability/grafana/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
 delete mode 100644 kubernetes/main/apps/observability/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/loki/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/observability/loki/app/release.yaml
 delete mode 100644 kubernetes/main/apps/observability/loki/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/observability/loki/ks.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/app/release.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/apps/paperless-ngx/ks.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/app/pg-backup.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/app/release.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/app/repository.yaml
 delete mode 100644 kubernetes/main/apps/security/authentik/ks.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/service.yaml
 delete
mode 100644 kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/app/storage.yaml
 delete mode 100644 kubernetes/main/apps/uptime-kuma/ks.yaml
 delete mode 100644 kubernetes/main/apps/web/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/web/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/web/app/kustomization.yaml
 delete mode 100644 kubernetes/main/apps/web/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/web/app/service.yaml
 delete mode 100644 kubernetes/main/apps/web/ks.yaml
 delete mode 100644 kubernetes/main/apps/whoami/app/deployment.yaml
 delete mode 100644 kubernetes/main/apps/whoami/app/ingress.yaml
 delete mode 100644 kubernetes/main/apps/whoami/app/namespace.yaml
 delete mode 100644 kubernetes/main/apps/whoami/app/service.yaml
 delete mode 100644 kubernetes/main/apps/whoami/ks.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/ks.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/production/service.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml
 delete mode 100644 kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml
 delete mode 100644
kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/app/release.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/app/repository.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/avto-masini/cloudflared/ks.yaml
 delete mode 100644 kubernetes/main/avto-masini/external-dns/app/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/external-dns/app/release.yaml
 delete mode 100644 kubernetes/main/avto-masini/external-dns/app/repository.yaml
 delete mode 100644 kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml
 delete mode 100644 kubernetes/main/avto-masini/external-dns/ks.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/app/release.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/ingress-nginx/ks.yaml
 delete mode 100644 kubernetes/main/avto-masini/kustomization.yaml
 delete mode 100644 kubernetes/main/avto-masini/namespace.yaml
 delete mode 100644 kubernetes/main/flux-system/avto-masini.yaml
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..7d50bb7a
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,221 @@ +# AGENTS.md - AI Coding Agent Guidelines + +## Repository Overview + +This is a **Kubernetes GitOps homelab infrastructure** repository using [FluxCD](https://fluxcd.io/) to manage cluster state. It runs on [Talos Linux](https://www.talos.dev/) with applications deployed via Helm and Kustomize. + +**Key Technologies:** +- FluxCD (GitOps continuous delivery) +- Kustomize (configuration management) +- SOPS + age (secrets encryption) +- Helm (application packaging) +- Talos Linux (immutable Kubernetes OS) + +## Build / Lint / Test Commands + +### Validate All Kustomizations +```bash +# Validate all kustomize builds across the cluster +find kubernetes/main/apps -name "kustomization.yaml" -exec dirname {} \; | \ + xargs -I {} sh -c 'echo "Building {}" && kustomize build {} > /dev/null || exit 1' +``` + +### Validate Single Application +```bash +# Test a specific application's kustomization +kustomize build kubernetes/main/apps//app + +# Example: Test audiobookshelf +kustomize build kubernetes/main/apps/audiobookshelf/app +``` + +### YAML Validation (if yamllint installed) +```bash +# Lint all YAML files +yamllint kubernetes/ + +# Lint specific file +yamllint kubernetes/main/apps//app/.yaml +``` + +### Kubernetes Schema Validation (if kubeconform installed) +```bash +# Validate Kubernetes manifests against schemas +kustomize build kubernetes/main/apps//app | kubeconform -strict +``` + +### Check SOPS Encryption +```bash +# Verify secrets are properly encrypted +sops -d kubernetes/main/apps//app/.sops.yaml > /dev/null && echo "Valid" +``` + +### Flux Validation +```bash +# Validate Flux Kustomization resources +flux get kustomizations + +# Reconcile specific app manually +flux reconcile kustomization +``` + +## Code Style Guidelines + +### File Naming Conventions +- Use **kebab-case** for all filenames: `my-config.yaml`, `deployment.yaml` +- Secrets must use `.sops.yaml` extension: `secret.sops.yaml` +- Kustomization files must be named exactly: 
`kustomization.yaml` +- Application entry point: `ks.yaml` (Flux Kustomization resource) + +### Directory Structure +``` +apps// +├── ks.yaml # Flux Kustomization (root resource) +└── app/ + ├── kustomization.yaml # Lists all resources + ├── namespace.yaml # App namespace + ├── repository.yaml # HelmRepository (if needed) + ├── release.yaml # HelmRelease + ├── *.sops.yaml # Encrypted secrets + └── ... # Additional manifests +``` + +### YAML Formatting +- **Indentation:** 2 spaces (no tabs) +- **Document separators:** Use `---` at start of each file +- **Line endings:** Unix (LF) +- **Trailing whitespace:** Remove trailing whitespace +- **Empty lines:** Single blank line between resources +- **Quotes:** Use double quotes for strings with special characters + +### Kubernetes Resource Standards + +**Namespace Labels (Required):** +```yaml +metadata: + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + goldilocks.fairwinds.com/enabled: "true" +``` + +**Common Metadata (Required in ks.yaml):** +```yaml +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app # Anchor reference +``` + +**Flux Kustomization Template:** +```yaml +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app + namespace: flux-system +spec: + targetNamespace: + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps//app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m +``` + +### Secrets Management (SOPS) + +**ALWAYS encrypt sensitive values:** +- All secrets must be stored in files ending with `.sops.yaml` +- Use `sops` CLI to edit: `sops .sops.yaml` +- Never commit plaintext secrets +- Follow the encryption regex pattern: `^(data|stringData)$` + +**Creating New Encrypted Secret:** +```bash +cat < 
secret.sops.yaml +apiVersion: v1 +kind: Secret +metadata: + name: + namespace: +stringData: + KEY: "value" # Will be encrypted +EOF +sops -e -i secret.sops.yaml +``` + +### HelmRelease Conventions + +**Standard HelmRelease Structure:** +```yaml +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: + namespace: +spec: + interval: 30m + chart: + spec: + chart: + version: "x.x.x" # Pin version + sourceRef: + kind: HelmRepository + name: + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + # App-specific values +``` + +### Variable References +- Use `${SECRET_EXTERNAL_DOMAIN}` for external domain references +- Use anchors (`&app`) and aliases (`*app`) for consistent naming +- Store cluster-wide vars in `kubernetes/main/flux-system/vars/` + +## Error Handling + +**No Automated Tests:** This repo has no traditional test suite. Validation is done via: +1. `kustomize build` success +2. Flux reconciliation status +3. Kubernetes manifest schema validation + +**Debugging Tips:** +- Check Flux reconciliation: `flux get kustomizations --watch` +- Check pod status: `kubectl get pods -n ` +- View logs: `kubectl logs -n flux-system -l app=kustomize-controller` + +## PR Workflow + +Before submitting changes: +1. Run `kustomize build` on affected app(s) +2. Ensure secrets are encrypted with `.sops.yaml` extension +3. Verify YAML indentation (2 spaces) +4. Check that namespaces include required labels +5. Validate syntax with `yamllint` if available + +## Resources + +- [Flux Documentation](https://fluxcd.io/flux/) +- [Kustomize Reference](https://kubectl.docs.kubernetes.io/references/kustomize/) +- [SOPS Documentation](https://github.com/mozilla/sops) +- [Talos Linux Docs](https://www.talos.dev/v1.9/) +- Based on [flux-cluster-template](https://github.com/onedr0p/flux-cluster-template) 
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/infrastructure/kustomization.yaml similarity index 68% rename from kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml rename to kubernetes/apps/infrastructure/kustomization.yaml index 7fe26b4f..3f0374f5 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml +++ b/kubernetes/apps/infrastructure/kustomization.yaml @@ -3,6 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - s3-creds.sops.yaml - - cluster18.yaml - - scheduledbackup.yaml + - ./namespace.yaml + - ./longhorn/ks.yaml diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/release.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml similarity index 68% rename from kubernetes/main/apps/infrastructure/longhorn/app/release.yaml rename to kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml index 78ceb8ab..62adfa12 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/app/release.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: @@ -12,5 +14,5 @@ spec: sourceRef: kind: HelmRepository name: longhorn - namespace: longhorn-system + namespace: flux-system interval: 12h diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml similarity index 64% rename from kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml rename to kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml index 2367cc38..945c8121 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml 
@@ -2,8 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: cnpg-system resources: - - repository.yaml - - secret.sops.yaml - - release.yaml + - ./helmrelease.yaml + - ./storageClass-retain.yaml diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml b/kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml similarity index 93% rename from kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml rename to kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml index b16d226a..65bb41eb 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml @@ -1,3 +1,4 @@ +--- apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: @@ -10,4 +11,4 @@ parameters: numberOfReplicas: "3" staleReplicaTimeout: "2880" fromBackup: "" - fsType: "ext4" + fsType: "ext4" \ No newline at end of file diff --git a/kubernetes/main/apps/infrastructure/longhorn/ks.yaml b/kubernetes/apps/infrastructure/longhorn/ks.yaml similarity index 54% rename from kubernetes/main/apps/infrastructure/longhorn/ks.yaml rename to kubernetes/apps/infrastructure/longhorn/ks.yaml index 09137197..14fb6ef3 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/ks.yaml +++ b/kubernetes/apps/infrastructure/longhorn/ks.yaml 
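Review bot: The rename to `storageClass-retain.yaml` introduces a camelCase filename, while the AGENTS.md added in this same commit requires kebab-case for all filenames and lists `yamllint` as a pre-PR check, whose `new-line-at-end-of-file` rule will flag the `\ No newline at end of file` this hunk leaves after `fsType: "ext4"`. The same missing final newline appears in longhorn/ks.yaml, both new namespace.yaml files, kube-system/kustomization.yaml and pihole-system/ks.yaml further down. Keeping the original `storageclass-retain.yaml` name (with the matching entry in longhorn/app/kustomization.yaml) and restoring the trailing newline would let the repository pass its own documented checks; AGENTS.md's examples also still reference `kubernetes/main/apps`, which this commit moves to `kubernetes/apps`.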
@@ -1,21 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app longhorn - namespace: flux-system + namespace: &namespace infrastructure spec: - targetNamespace: longhorn-system commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/infrastructure/longhorn/app + interval: 30m + path: ./kubernetes/apps/infrastructure/longhorn/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 15m + targetNamespace: *namespace + wait: true \ No newline at end of file diff --git a/kubernetes/apps/infrastructure/namespace.yaml b/kubernetes/apps/infrastructure/namespace.yaml new file mode 100644 index 00000000..2a599d3b --- /dev/null +++ b/kubernetes/apps/infrastructure/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: infrastructure + labels: + kustomize.toolkit.fluxcd.io/prune: disabled \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml new file mode 100644 index 00000000..dfbd84be --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml 
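Review bot: The new `infrastructure` namespace carries only the Flux prune label and none of the pod-security labels that the AGENTS.md added in this commit marks as required, yet the longhorn ks.yaml hunk above now uses it as `targetNamespace` instead of the former `longhorn-system`. Longhorn's manager and engine pods need the `privileged` Pod Security level, so if the cluster enforces a `baseline` default (Talos does unless the admission config is overridden) they will be rejected at admission as soon as the longhorn Kustomization reconciles. Adding `pod-security.kubernetes.io/enforce: privileged` together with the `audit` and `warn` keys under `metadata.labels` fixes that; the `network` namespace created later in this diff has the same shape and should declare whatever level its workloads actually need. Be aware that a shared `infrastructure` namespace at `privileged` extends that level to everything else placed there, which is why a dedicated `longhorn-system` namespace is the usual choice.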
@@ -0,0 +1,62 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: cilium + version: "1.16.0" + sourceRef: + kind: HelmRepository + name: cilium + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + ipam: + mode: kubernetes + kubeProxyReplacement: true + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE + cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + k8sServiceHost: localhost + k8sServicePort: 7445 + l2announcements: + enabled: true + lbIPAM: + enabled: true + enableIPv4Masquerade: true + enableIPv6Masquerade: false + ipv4: + enabled: true + ipv6: + enabled: false diff --git a/kubernetes/main/apps/network/k8tz/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml similarity index 84% rename from kubernetes/main/apps/network/k8tz/app/kustomization.yaml rename to kubernetes/apps/kube-system/cilium/app/kustomization.yaml index 35e07a4d..f28a58f5 100644 --- a/kubernetes/main/apps/network/k8tz/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml @@ -3,7 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - ./repository.yaml - - ./pki.yaml - ./release.yaml diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml new file mode 100644 index 00000000..4ee575de --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml 
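Review bot: `k8sServiceHost: localhost` with `k8sServicePort: 7445` and the two explicit capability lists are Talos-specific settings that a reader is likely to "correct", and the hunk carries no comment explaining them. A one-line comment above each would prevent that: `# Talos KubePrism endpoint; keep localhost:7445, not the control-plane VIP` and `# explicit capability set instead of privileged: true, as used for Cilium on Talos`. `kubeProxyReplacement: true` is consistent with that endpoint, since the agent must reach the API server without relying on a kube-proxy-backed Service, and the pinned `version: "1.16.0"` is the right practice for a GitOps-managed CNI.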
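Review bot: The resources list kept as context in this hunk, `- ./repository.yaml` and `- ./release.yaml`, names files that do not exist in `kubernetes/apps/kube-system/cilium/app/` after this commit: the release was added as `helmrelease.yaml` and the HelmRepository now lives in `kubernetes/flux-system/repositories/helm/cilium.yaml`. `kustomize build` fails on a missing resource, so the `cilium` Flux Kustomization never reconciles and `cilium-config`, which depends on it, stalls with it. The list should read `- ./helmrelease.yaml` only. The pihole-system/app/kustomization.yaml hunk further down keeps the same stale list after its `release.yaml` was renamed to `helmrelease.yaml` and its repository moved; that one should become `- ./helmrelease.yaml` plus `- ./secret.sops.yaml`.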
@@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./loadbalancer.yaml diff --git a/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml b/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml new file mode 100644 index 00000000..6e593744 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumLoadBalancerIPPool +metadata: + name: cilium-pool +spec: + cidrs: + - cidr: 10.0.10.192/26 + disabled: false +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumL2AnnouncementPolicy +metadata: + name: cilium-l2-policy +spec: + nodeSelector: + matchLabels: + kubernetes.io/os: linux + externalIPs: false + loadBalancerIPs: true + interfaces: + - eth0 + - en.* + - eth.* diff --git a/kubernetes/main/apps/database/cloudnative-pg/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml similarity index 51% rename from kubernetes/main/apps/database/cloudnative-pg/ks.yaml rename to kubernetes/apps/kube-system/cilium/ks.yaml index 037340b4..1c3bd12f 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml 
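Review bot: The CiliumL2AnnouncementPolicy has no `serviceSelector`, so every LoadBalancer Service gets an L2 lease, and those leases are renewed continuously through the API server; Cilium's documentation recommends raising `k8sClientRateLimit.qps` and `burst` in the chart values when enabling L2 announcements, and the cilium helmrelease hunk above leaves them at the defaults, which tends to surface as client rate-limiter errors and addresses that intermittently stop being announced. Worth setting those values next to `l2announcements.enabled: true`, or recording in a comment that the default was kept on purpose. In `interfaces`, `eth.*` already matches `eth0`, so the first entry is redundant; `- en.*` and `- eth.*` alone express the same intent.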
@@ -1,52 +1,43 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app cloudnative-pg - namespace: flux-system + name: &app cilium + namespace: &namespace kube-system spec: - targetNamespace: cnpg-system commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/database/cloudnative-pg/operator + interval: 30m + path: ./kubernetes/apps/kube-system/cilium/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age + targetNamespace: *namespace wait: true - interval: 30m - retryInterval: 1m - timeout: 5m --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app cloudnative-pg-cluster - namespace: flux-system + name: &app cilium-config + namespace: &namespace kube-system spec: - dependsOn: - - name: cloudnative-pg - targetNamespace: cnpg-system commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/database/cloudnative-pg/cluster + dependsOn: + - name: cilium + namespace: *namespace + interval: 30m + path: ./kubernetes/apps/kube-system/cilium/config prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age + targetNamespace: *namespace wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml new file mode 100644 index 00000000..3344d6f2 --- /dev/null +++ b/kubernetes/apps/kube-system/kustomization.yaml 
@@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - ./cilium/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml similarity index 52% rename from kubernetes/main/apps/network/kustomization.yaml rename to kubernetes/apps/network/kustomization.yaml index c2b3a395..67d933c5 100644 --- a/kubernetes/main/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -1,7 +1,8 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./metallb-system/ks.yaml + - ./namespace.yaml - ./pihole-system/ks.yaml - - ./k8tz/ks.yaml + diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml new file mode 100644 index 00000000..fd3ce59d --- /dev/null +++ b/kubernetes/apps/network/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network + labels: + kustomize.toolkit.fluxcd.io/prune: disabled \ No newline at end of file diff --git a/kubernetes/main/apps/network/pihole-system/app/release.yaml b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml similarity index 86% rename from kubernetes/main/apps/network/pihole-system/app/release.yaml rename to kubernetes/apps/network/pihole-system/app/helmrelease.yaml index 1760aed3..111dffe3 100644 --- a/kubernetes/main/apps/network/pihole-system/app/release.yaml +++ b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml @@ -1,9 +1,10 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app pihole - namespace: pihole-system + namespace: network spec: interval: 30m chart: 
@@ -13,7 +14,7 @@ spec: sourceRef: kind: HelmRepository name: mojo2600 - namespace: pihole-system + namespace: flux-system values: image: tag: "2026.02.0" @@ -49,14 +50,10 @@ spec: serviceWeb: loadBalancerIP: 10.0.10.200 - annotations: - metallb.io/allow-shared-ip: pihole-svc type: LoadBalancer serviceDns: loadBalancerIP: 10.0.10.200 - annotations: - metallb.io/allow-shared-ip: pihole-svc type: LoadBalancer replicaCount: 1 diff --git a/kubernetes/main/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml similarity index 89% rename from kubernetes/main/apps/network/pihole-system/app/kustomization.yaml rename to kubernetes/apps/network/pihole-system/app/kustomization.yaml index 3f1ef038..c7b3cce7 100644 --- a/kubernetes/main/apps/network/pihole-system/app/kustomization.yaml +++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml @@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - ./repository.yaml - ./release.yaml - ./secret.sops.yaml diff --git a/kubernetes/main/apps/network/pihole-system/app/pihole-exporter.yaml b/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml similarity index 100% rename from kubernetes/main/apps/network/pihole-system/app/pihole-exporter.yaml rename to kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml diff --git a/kubernetes/main/apps/network/pihole-system/app/secret.sops.yaml b/kubernetes/apps/network/pihole-system/app/secret.sops.yaml similarity index 100% rename from kubernetes/main/apps/network/pihole-system/app/secret.sops.yaml rename to kubernetes/apps/network/pihole-system/app/secret.sops.yaml diff --git a/kubernetes/main/apps/cloudflared/ks.yaml b/kubernetes/apps/network/pihole-system/ks.yaml similarity index 50% rename from kubernetes/main/apps/cloudflared/ks.yaml rename to kubernetes/apps/network/pihole-system/ks.yaml index d329f074..3908ee34 100644 
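Review bot: Removing the `metallb.io/allow-shared-ip: pihole-svc` annotations leaves `serviceWeb` and `serviceDns` both requesting `loadBalancerIP: 10.0.10.200` with no replacement sharing hint for Cilium LB IPAM, which otherwise allocates the address to one Service and refuses the second. Cilium's equivalent is the `lbipam.cilium.io/sharing-key` annotation set to the same value on both Services (sharing is permitted here because the web and DNS ports do not overlap); `loadBalancerIP` is deprecated upstream, so `lbipam.cilium.io/ips: 10.0.10.200` is the forward-looking way to pin the address. The address does fall inside the `10.0.10.192/26` pool defined in the new loadbalancer.yaml, so the pool itself needs no change.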
--- a/kubernetes/main/apps/cloudflared/ks.yaml +++ b/kubernetes/apps/network/pihole-system/ks.yaml @@ -1,21 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app cloudflared - namespace: flux-system + name: &app pihole-system + namespace: &namespace network spec: - targetNamespace: cloudflared commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/cloudflared/app + interval: 30m + path: ./kubernetes/apps/network/pihole-system/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m + targetNamespace: *namespace + wait: true \ No newline at end of file diff --git a/kubernetes/main/flux-system/apps.yaml b/kubernetes/flux-system/apps.yaml similarity index 100% rename from kubernetes/main/flux-system/apps.yaml rename to kubernetes/flux-system/apps.yaml diff --git a/kubernetes/main/flux-system/flux-instance.yaml b/kubernetes/flux-system/flux-instance.yaml similarity index 94% rename from kubernetes/main/flux-system/flux-instance.yaml rename to kubernetes/flux-system/flux-instance.yaml index d63ded2a..a42cb753 100644 --- a/kubernetes/main/flux-system/flux-instance.yaml +++ b/kubernetes/flux-system/flux-instance.yaml @@ -23,8 +23,8 @@ spec: sync: kind: GitRepository url: "https://github.com/dnikoloski/infrastructure-as-code.git" - ref: "refs/heads/main" - path: "kubernetes/main/flux-system" + ref: "refs/heads/cluster-v2" + path: "kubernetes/flux-system" pullSecret: "flux-system" interval: 1m kustomize: 
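Review bot: This Kustomization points at an app directory whose kustomization lists `./secret.sops.yaml`, but the new spec carries no `decryption` block, and the cilium ks.yaml hunk above dropped the `provider: sops` / `secretRef: sops-age` block its source file had. Unless a FluxInstance-level patch injects decryption into every Kustomization — the `kustomize:` stanza at the end of the flux-instance hunk below is cut off, so I cannot tell from this diff — the SOPS file will be applied unmodified and the pihole Secret will not carry usable values. Note also that `decryption.secretRef` is resolved in the Kustomization's own namespace, which is now `network` rather than `flux-system`, so the age key Secret has to exist there as well.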
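Review bot: `ref: "refs/heads/cluster-v2"` makes a feature branch the cluster's source of truth, and with `prune: true` Kustomizations the running cluster will follow that tree as soon as the FluxInstance reconciles. That is workable for a migration, but it must be switched back to `refs/heads/main` (or a tag) before the branch is merged or deleted, otherwise the GitRepository fails on a missing ref and the cluster silently stays on its last reconciled state. A comment above the line, `# temporary: migration branch, restore refs/heads/main after cutover`, would keep that from being forgotten.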
diff --git a/kubernetes/main/flux-system/flux-operator/app/kustomization.yaml b/kubernetes/flux-system/flux-operator/app/kustomization.yaml similarity index 100% rename from kubernetes/main/flux-system/flux-operator/app/kustomization.yaml rename to kubernetes/flux-system/flux-operator/app/kustomization.yaml diff --git a/kubernetes/main/flux-system/flux-operator/app/resourceset.yaml b/kubernetes/flux-system/flux-operator/app/resourceset.yaml similarity index 100% rename from kubernetes/main/flux-system/flux-operator/app/resourceset.yaml rename to kubernetes/flux-system/flux-operator/app/resourceset.yaml diff --git a/kubernetes/main/flux-system/flux-operator/ks.yaml b/kubernetes/flux-system/flux-operator/ks.yaml similarity index 100% rename from kubernetes/main/flux-system/flux-operator/ks.yaml rename to kubernetes/flux-system/flux-operator/ks.yaml diff --git a/kubernetes/main/flux-system/kustomization.yaml b/kubernetes/flux-system/kustomization.yaml similarity index 67% rename from kubernetes/main/flux-system/kustomization.yaml rename to kubernetes/flux-system/kustomization.yaml index cadb5a48..d7c18818 100644 --- a/kubernetes/main/flux-system/kustomization.yaml +++ b/kubernetes/flux-system/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/flux-system/repositories/helm/cilium.yaml b/kubernetes/flux-system/repositories/helm/cilium.yaml new file mode 100644 index 00000000..bb938f41 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/cilium.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cilium + namespace: flux-system +spec: + interval: 30m + url: https://helm.cilium.io/ 
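Review bot: The only change to `kubernetes/flux-system/kustomization.yaml` is the schema comment, and the hunk ends at `resources:`, so nothing in this diff shows `./repositories` being added to its list. This commit moves the three HelmRepository objects out of their app directories into `kubernetes/flux-system/repositories/helm/` and points every HelmRelease at `sourceRef.namespace: flux-system`; if no other file pulls `./repositories` in, those sources are never applied and the longhorn, cilium and pihole releases fail with a missing HelmRepository. Please confirm the resources list outside this hunk contains `- ./repositories`, or add it.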
diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml new file mode 100644 index 00000000..4e68931e --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./cilium.yaml + - ./longhorn.yaml + - ./pihole.yaml diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml b/kubernetes/flux-system/repositories/helm/longhorn.yaml similarity index 51% rename from kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/longhorn.yaml index d5c5c9d6..3ebb76f1 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/longhorn.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: longhorn - namespace: longhorn-system + namespace: flux-system spec: interval: 24h url: https://charts.longhorn.io diff --git a/kubernetes/main/apps/network/pihole-system/app/repository.yaml b/kubernetes/flux-system/repositories/helm/pihole.yaml similarity index 54% rename from kubernetes/main/apps/network/pihole-system/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/pihole.yaml index 916430dd..02190ea7 100644 --- a/kubernetes/main/apps/network/pihole-system/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/pihole.yaml 
@@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: mojo2600 - namespace: pihole-system + namespace: flux-system spec: interval: 5m url: https://mojo2600.github.io/pihole-kubernetes/ diff --git a/kubernetes/flux-system/repositories/kustomization.yaml b/kubernetes/flux-system/repositories/kustomization.yaml new file mode 100644 index 00000000..ae7e0ad4 --- /dev/null +++ b/kubernetes/flux-system/repositories/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./git + - ./helm + - ./oci diff --git a/kubernetes/main/flux-system/vars/cluster-secrets.sops.yaml b/kubernetes/flux-system/vars/cluster-secrets.sops.yaml similarity index 100% rename from kubernetes/main/flux-system/vars/cluster-secrets.sops.yaml rename to kubernetes/flux-system/vars/cluster-secrets.sops.yaml diff --git a/kubernetes/main/flux-system/vars/kustomization.yaml b/kubernetes/flux-system/vars/kustomization.yaml similarity index 100% rename from kubernetes/main/flux-system/vars/kustomization.yaml rename to kubernetes/flux-system/vars/kustomization.yaml diff --git a/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml b/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml deleted file mode 100644 index bc56fb59..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: audiobooks - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 50Gi 
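Review bot: `kubernetes/flux-system/repositories/kustomization.yaml` lists `./git`, `./helm` and `./oci`, but this commit only adds the `helm/` directory — no `git/` or `oci/` path appears in the diffstat — so `kustomize build` of this directory fails on the missing entries and nothing under `repositories/` is applied, including the HelmRepositories the new HelmReleases depend on. Either trim the list to `- ./helm` until the other directories exist, or add each of them with a kustomization.yaml whose `resources: []` is explicitly empty.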
diff --git a/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml b/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml deleted file mode 100644 index 7b9f7927..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: filebrowser-database - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 256Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: filebrowser-config - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 100Mi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: audiobooks-filebrowser - namespace: audiobookshelf -spec: - replicas: 1 - selector: - matchLabels: - app: audiobooks-filebrowser - template: - metadata: - labels: - app: audiobooks-filebrowser - spec: - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - containers: - - name: filebrowser - image: filebrowser/filebrowser - args: - - --baseURL=/filebrowser - ports: - - containerPort: 80 - volumeMounts: - - name: audiobooks - mountPath: /srv - - name: database - mountPath: /database - - name: config - mountPath: /config - volumes: - - name: audiobooks - persistentVolumeClaim: - claimName: audiobooks - - name: database - persistentVolumeClaim: - claimName: filebrowser-database - - name: config - persistentVolumeClaim: - claimName: filebrowser-config ---- -apiVersion: v1 -kind: Service -metadata: - name: audiobooks-filebrowser - namespace: audiobookshelf -spec: - selector: - app: audiobooks-filebrowser - ports: - - port: 80 - targetPort: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: audiobooks-filebrowser-ingress - namespace: audiobookshelf - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 -spec: - ingressClassName: external - rules: - - host: "books.cloudwithdan.com" - http: - paths: - - path: /filebrowser(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: audiobooks-filebrowser - port: - number: 80 
diff --git a/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml b/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml deleted file mode 100644 index ef8ab737..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./audiobooks-pvc.yaml - - ./release.yaml - - ./audiobookshelf-filebrowser.yaml diff --git a/kubernetes/main/apps/audiobookshelf/app/namespace.yaml b/kubernetes/main/apps/audiobookshelf/app/namespace.yaml deleted file mode 100644 index c1c97a18..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: audiobookshelf - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/audiobookshelf/app/release.yaml b/kubernetes/main/apps/audiobookshelf/app/release.yaml deleted file mode 100644 index 29924c69..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/release.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: audiobookshelf - namespace: audiobookshelf -spec: - interval: 30m - chart: - spec: - chart: audiobookshelf - version: 0.0.2-nightly.49 - sourceRef: - kind: HelmRepository - name: audiobookshelf - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - persistence: - config: - enabled: true - size: 1Gi - storageClass: "longhorn" - metadata: - enabled: true - size: 10Gi - storageClass: "longhorn" - - persistentVolumeClaims: - - name: audiobooks - mountPath: /audiobooks - readOnly: false - - volumes: - - name: audiobooks - persistentVolumeClaim: - claimName: audiobooks-pvc - - volumeMounts: - - name: audiobooks - mountPath: "/audiobooks" - readOnly: false - - ingress: - enabled: true - annotations: - external-dns.alpha.kubernetes.io/target: books.${SECRET_EXTERNAL_DOMAIN} - # nginx.ingress.kubernetes.io/auth-url: |- - # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - # nginx.ingress.kubernetes.io/auth-signin: |- - # https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - # nginx.ingress.kubernetes.io/auth-response-headers: |- - # Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - # nginx.ingress.kubernetes.io/auth-snippet: | - # proxy_set_header X-Forwarded-Host $http_host; - kubernetes.io/ingress.class: external - hosts: - - host: books.${SECRET_EXTERNAL_DOMAIN} - paths: - - path: / - pathType: Prefix diff --git a/kubernetes/main/apps/audiobookshelf/app/repository.yaml b/kubernetes/main/apps/audiobookshelf/app/repository.yaml deleted file mode 100644 index 0a2ab943..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/repository.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: audiobookshelf - namespace: flux-system -spec: - interval: 1h - url: https://gitlab.com/api/v4/projects/57546317/packages/helm/nightly \ No newline at end of file diff --git a/kubernetes/main/apps/audiobookshelf/ks.yaml b/kubernetes/main/apps/audiobookshelf/ks.yaml deleted file mode 100644 index c788545c..00000000 --- a/kubernetes/main/apps/audiobookshelf/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app audiobookshelf - namespace: flux-system -spec: - targetNamespace: audiobookshelf - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/audiobookshelf/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/bentopdf/app/kustomization.yaml b/kubernetes/main/apps/bentopdf/app/kustomization.yaml deleted file mode 100644 index d19534cc..00000000 --- a/kubernetes/main/apps/bentopdf/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./manifest.yaml diff --git a/kubernetes/main/apps/bentopdf/app/manifest.yaml b/kubernetes/main/apps/bentopdf/app/manifest.yaml deleted file mode 100644 index 55ffb4cc..00000000 --- a/kubernetes/main/apps/bentopdf/app/manifest.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bentopdf - namespace: bentopdf -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app.kubernetes.io/name: bentopdf - strategy: - # Restrict to a Single bentopdf instance, on redeploys it will tear down the old one before bring a new one up. - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: bentopdf - spec: - containers: - - name: bentopdf - image: bentopdf/bentopdf-simple:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - name: http - protocol: TCP - # Use the http server for pod health checks - livenessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http ---- -apiVersion: v1 -kind: Service -metadata: - name: bentopdf - namespace: bentopdf -spec: - selector: - app.kubernetes.io/name: bentopdf - ports: - - port: 8080 - name: http - targetPort: 8080 - protocol: TCP - type: ClusterIP ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: bentopdf-ingress - namespace: bentopdf - annotations: - external-dns.alpha.kubernetes.io/target: "ilovepdf.${SECRET_EXTERNAL_DOMAIN}" -spec: - ingressClassName: external - rules: - - host: ilovepdf.${SECRET_EXTERNAL_DOMAIN} - http: - paths: - - backend: - service: - name: bentopdf - port: - name: http - path: / - pathType: Prefix diff --git a/kubernetes/main/apps/bentopdf/app/namespace.yaml b/kubernetes/main/apps/bentopdf/app/namespace.yaml deleted file mode 100644 index 483ccb92..00000000 --- a/kubernetes/main/apps/bentopdf/app/namespace.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: bentopdf - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/bentopdf/ks.yaml b/kubernetes/main/apps/bentopdf/ks.yaml deleted file mode 100644 index e3cffc19..00000000 --- a/kubernetes/main/apps/bentopdf/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app bentopdf - namespace: flux-system -spec: - targetNamespace: bentopdf - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/bentopdf/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/blog/app/deployment.yaml b/kubernetes/main/apps/blog/app/deployment.yaml deleted file mode 100644 index 0117403f..00000000 --- a/kubernetes/main/apps/blog/app/deployment.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: blog - namespace: blog - labels: - app: blog -spec: - replicas: 1 - selector: - matchLabels: - app: blog - template: - metadata: - labels: - app: blog - spec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - containers: - - name: blog - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/cloudwithdan/blog:latest - imagePullPolicy: Always - ports: - - name: blog - containerPort: 8080 - livenessProbe: - httpGet: - path: / - port: 8080 - readinessProbe: - httpGet: - path: / - port: 8080 diff --git a/kubernetes/main/apps/blog/app/ingress.yaml b/kubernetes/main/apps/blog/app/ingress.yaml deleted file mode 100644 index ff77101d..00000000 --- a/kubernetes/main/apps/blog/app/ingress.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: blog-ingress - namespace: blog - annotations: - external-dns.alpha.kubernetes.io/target: "cloudwithdan.com" - nginx.ingress.kubernetes.io/use-forwarded-headers: "true" -spec: - ingressClassName: external - rules: - - host: cloudwithdan.com - http: - paths: - - path: /posts - pathType: Prefix - backend: - service: - name: blog - port: - name: blog diff --git a/kubernetes/main/apps/blog/app/kustomization.yaml b/kubernetes/main/apps/blog/app/kustomization.yaml deleted file mode 100644 index ffa602dc..00000000 --- a/kubernetes/main/apps/blog/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/blog/app/namespace.yaml b/kubernetes/main/apps/blog/app/namespace.yaml deleted file mode 100644 index 7fa851fc..00000000 --- a/kubernetes/main/apps/blog/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: blog - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/blog/app/service.yaml b/kubernetes/main/apps/blog/app/service.yaml deleted file mode 100644 index 8a6001f9..00000000 --- a/kubernetes/main/apps/blog/app/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: blog - namespace: blog -spec: - ports: - - name: blog - port: 8080 - targetPort: blog - selector: - app: blog - type: ClusterIP diff --git a/kubernetes/main/apps/blog/ks.yaml b/kubernetes/main/apps/blog/ks.yaml deleted file mode 100644 index ddd438fd..00000000 --- a/kubernetes/main/apps/blog/ks.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app web - namespace: flux-system -spec: - targetNamespace: web - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/web/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/cert-manager/app/kustomization.yaml b/kubernetes/main/apps/cert-manager/app/kustomization.yaml deleted file mode 100644 index c00b6bbb..00000000 --- a/kubernetes/main/apps/cert-manager/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml diff --git a/kubernetes/main/apps/cert-manager/app/namespace.yaml b/kubernetes/main/apps/cert-manager/app/namespace.yaml deleted file mode 100644 index e385fcfd..00000000 --- a/kubernetes/main/apps/cert-manager/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/cert-manager/app/release.yaml b/kubernetes/main/apps/cert-manager/app/release.yaml deleted file mode 100644 index 976a54e2..00000000 --- a/kubernetes/main/apps/cert-manager/app/release.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cert-manager - namespace: cert-manager -spec: - interval: 30m - chart: - spec: - chart: cert-manager - version: v1.16.1 - sourceRef: - kind: HelmRepository - name: jetstack - namespace: cert-manager - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - podDnsPolicy: "None" - podDnsConfig: - nameservers: - - "1.1.1.1" - - "8.8.8.8" - installCRDs: true - dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query - dns01RecursiveNameserversOnly: true diff --git a/kubernetes/main/apps/cert-manager/app/repository.yaml b/kubernetes/main/apps/cert-manager/app/repository.yaml deleted file mode 100644 index 87edf2b7..00000000 --- a/kubernetes/main/apps/cert-manager/app/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: jetstack - namespace: cert-manager -spec: - interval: 1h - url: https://charts.jetstack.io diff --git a/kubernetes/main/apps/cert-manager/issuers/issuers.yaml b/kubernetes/main/apps/cert-manager/issuers/issuers.yaml deleted file mode 100644 index f691d37d..00000000 --- a/kubernetes/main/apps/cert-manager/issuers/issuers.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production - namespace: cert-manager -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - email: "${SECRET_ACME_EMAIL}" - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - apiTokenSecretRef: - name: cert-manager-secret - key: api-token - selector: - dnsZones: - - "${SECRET_EXTERNAL_DOMAIN}" - - "${SECRET_PROD_DOMAIN}" 
diff --git a/kubernetes/main/apps/cert-manager/issuers/kustomization.yaml b/kubernetes/main/apps/cert-manager/issuers/kustomization.yaml deleted file mode 100644 index 448b0f64..00000000 --- a/kubernetes/main/apps/cert-manager/issuers/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./issuers.yaml - - ./secret.sops.yaml diff --git a/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml b/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml deleted file mode 100644 index 31c5fff4..00000000 --- a/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cert-manager-secret - namespace: cert-manager -stringData: - api-token: ENC[AES256_GCM,data:TTq56YNQ27hy3dPaj9oVV6DxxtM/hVbjQh0y39ryVFnsFxMdKACoSg==,iv:TY9knIP7YG3FAxIYTzmnVe6GfT4zdOCJKX+leqIrc0g=,tag:6Fy0kiC1klgOSHwlyVx4jA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQzVNWEVRTTM1OFhnZzMv - MFVPNUNpV3BlNFc2NXRoL1hRRzIvYVdLUWhRCnFOT3A0cGtjekJwZURwWG0zdURy - Y2hVY1VFcTZpQStzelNVWVF3M0xEUGMKLS0tIFN2YldhY0hGdlBJb1R1UXp2blRy - bG5EOFhML2VScGkwVlY3alpJY1oyL1kKB0c8QBNT14iP1AEfektDO7ZY0iHhQnOi - AsYRaxv9JoR+k+ADJy94DLLij8zM6ac12vqMgyyQDAEjTbsXWNCU2g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-31T21:21:13Z" - mac: ENC[AES256_GCM,data:frGKZrkZjO+inq8nlxWiKhNAAPBmZTXNh1dkNQVviViObmzaeHWcEOdaigKgFSMQ/gqfvjPNxxU6YH1zOXjLqdPKGv7UkcBqvcSfpky9L7Vh01nxmasVUtlZiM45Rez6gb9SPLMUrxesFfRa5+LgsTsRsK5Ah0sSkgUFNe7BKzs=,iv:fEXsguSCCL+GjJiLAwQmfBnugBZFS4i3gXk52natmio=,tag:liZLdrc6f4zHjqvhr0M5vA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.11.0 
diff --git a/kubernetes/main/apps/cert-manager/ks.yaml b/kubernetes/main/apps/cert-manager/ks.yaml deleted file mode 100644 index 4adb7b12..00000000 --- a/kubernetes/main/apps/cert-manager/ks.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cert-manager - namespace: flux-system -spec: - targetNamespace: cert-manager - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/cert-manager/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cert-manager-issuers - namespace: flux-system -spec: - targetNamespace: cert-manager - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager - path: ./kubernetes/main/apps/cert-manager/issuers - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/cloudflared/app/configs/config.yaml b/kubernetes/main/apps/cloudflared/app/configs/config.yaml deleted file mode 100644 index 63dd3dd5..00000000 --- a/kubernetes/main/apps/cloudflared/app/configs/config.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -originRequest: - noTLSVerify: true - -ingress: - - hostname: "${SECRET_EXTERNAL_DOMAIN}" - service: https://ingress-nginx-external-controller.ingress-nginx.svc.cluster.local:443 - - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - service: https://ingress-nginx-external-controller.ingress-nginx.svc.cluster.local:443 - - service: http_status:404 diff --git a/kubernetes/main/apps/cloudflared/app/deployment.yaml b/kubernetes/main/apps/cloudflared/app/deployment.yaml deleted file mode 100644 index a6c43d3c..00000000 
--- a/kubernetes/main/apps/cloudflared/app/deployment.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cloudflared - name: &app cloudflared - namespace: cloudflared -spec: - selector: - matchLabels: - app: cloudflared - template: - metadata: - labels: - app: cloudflared - spec: - containers: - - name: cloudflared - image: cloudflare/cloudflared:latest - imagePullPolicy: Always - args: - [ - "tunnel", - "--no-autoupdate", - "run", - "--token=$(token)", - ] - env: - - name: token - valueFrom: - secretKeyRef: - name: cloudflared-token - key: token - restartPolicy: Always - terminationGracePeriodSeconds: 60 diff --git a/kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml b/kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml deleted file mode 100644 index 9b723d56..00000000 --- a/kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: cloudflared - namespace: cloudflared -spec: - endpoints: - - dnsName: "external.${SECRET_EXTERNAL_DOMAIN}" - recordType: CNAME - targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/main/apps/cloudflared/app/kustomization.yaml b/kubernetes/main/apps/cloudflared/app/kustomization.yaml deleted file mode 100644 index 36506d48..00000000 --- a/kubernetes/main/apps/cloudflared/app/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./secret.sops.yaml - - ./dnsendpoint.yaml - - ./release.yaml -configMapGenerator: - - name: cloudflared-configmap - namespace: cloudflared - files: - - ./configs/config.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/main/apps/cloudflared/app/namespace.yaml b/kubernetes/main/apps/cloudflared/app/namespace.yaml deleted file mode 100644 index b7740ac3..00000000 
--- a/kubernetes/main/apps/cloudflared/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cloudflared - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/cloudflared/app/release.yaml b/kubernetes/main/apps/cloudflared/app/release.yaml deleted file mode 100644 index 946d1fb5..00000000 --- a/kubernetes/main/apps/cloudflared/app/release.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cloudflared - namespace: cloudflared -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: cloudflared - # DEPENDS ON EXTERNAL-DNS ?, EXTERNAL-DNS DEPENDS ON NGINX-INGRESS - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - controllers: - cloudflared: - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/cloudflare/cloudflared - tag: 2024.4.1 - env: - NO_AUTOUPDATE: true - TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json - TUNNEL_METRICS: 0.0.0.0:8080 - TUNNEL_ORIGIN_ENABLE_HTTP2: true - TUNNEL_TRANSPORT_PROTOCOL: quic - TUNNEL_POST_QUANTUM: true - TUNNEL_ID: - valueFrom: - secretKeyRef: - name: cloudflared-secret - key: TUNNEL_ID - args: - - tunnel - - --config - - /etc/cloudflared/config/config.yaml - - run - - "$(TUNNEL_ID)" - # probes: - # liveness: &probes - # enabled: true - # custom: true - # spec: - # httpGet: - # path: /ready - # port: &port 8080 - # initialDelaySeconds: 0 - # periodSeconds: 10 - # timeoutSeconds: 1 - # failureThreshold: 3 - # readiness: *probes - # securityContext: - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: { drop: ["ALL"] } - # sysctls: - # - name: net.ipv4.ping_group_range - # value: "0 2147483647" - resources: - requests: - cpu: 10m - limits: - memory: 256Mi - # defaultPodOptions: - # securityContext: - # runAsNonRoot: true - # runAsUser: 65534 - # runAsGroup: 65534 - # seccompProfile: { type: RuntimeDefault } - # sysctls: - # - name: net.ipv4.ping_group_range - # value: "0 2147483647" - service: - app: - 
controller: cloudflared - ports: - http: - port: &port 8080 - serviceMonitor: - app: - serviceName: cloudflared - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - persistence: - config: - type: configMap - name: cloudflared-configmap - globalMounts: - - path: /etc/cloudflared/config/config.yaml - subPath: config.yaml - readOnly: true - creds: - type: secret - name: cloudflared-secret - globalMounts: - - path: /etc/cloudflared/creds/credentials.json - subPath: credentials.json - readOnly: true diff --git a/kubernetes/main/apps/cloudflared/app/repository.yaml b/kubernetes/main/apps/cloudflared/app/repository.yaml deleted file mode 100644 index 63063cf8..00000000 --- a/kubernetes/main/apps/cloudflared/app/repository.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: bjw-s - namespace: cloudflared -spec: - type: oci - interval: 5m - url: oci://ghcr.io/bjw-s/helm diff --git a/kubernetes/main/apps/cloudflared/app/secret.sops.yaml b/kubernetes/main/apps/cloudflared/app/secret.sops.yaml deleted file mode 100644 index 363186be..00000000 --- a/kubernetes/main/apps/cloudflared/app/secret.sops.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cloudflared-secret - namespace: cloudflared -stringData: - TUNNEL_ID: ENC[AES256_GCM,data:68DrzuJQl+ctdxQuvXPMggC3rvGUHKPRiBGwtcVqZSNfQ0yO,iv:GzzmEGPE84/9E/wBSn23Z1TXe0EtAoLLdi+yUZ3ra1k=,tag:+WFngzuY4Z7oJU1L5yefBw==,type:str] - credentials.json: ENC[AES256_GCM,data:2J4ZNFlgLoH6ehZUQ0v9oAP5YSCxtuXb80v7KrW9zOzdJAnAH1eP7lz3fXIHH8UEP4MCTKLRd0IjMiniM3OFQABVfPxkluwjHBdUMgvPI7sy/sXJ3jMarLixEdeKWM2vMJ8Vif+cKYn74kjliDnKiBsNM6MID2aQtdtgEONjf0ZP/1qNhyuvyAdQKS7oGK+Rr48mhZh4e4OiS2WzeRjVTMvoqWMcphw/+DK4iKTQO6Y=,iv:xu4Zvca2z4hNXsncUh25Ml3uVj4V0edCIbm37+7gL/k=,tag:MLqjggs1ggLdh5gJtU8p9Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZDZoN0tYS1lsQStlcjNr - ZEFjKy85bmdFcEdER2EwRWJ0cDVKWUdZeTFzCm10L21aaE82dCtsS2E3eEpaZm85 - U1oxREd4YWVEbXl1d3ZJQThLVkM4YWsKLS0tIFRNQ2ErQk9JSGNDcytBSHBxUlYv - aVVMODRlWUV3MWZmUGI5ZXluMytESU0KRXR4ju/86wNTOx6EKc2sVMM3ChHaWAB5 - aSnTDb88vaegs5lGJKvienxn0t27ropq9FFMwGgOWMWHcz9RdwnPUA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-23T20:22:39Z" - mac: ENC[AES256_GCM,data:kD5qsfnn7dEfGEegVjPgwO/z0F7TEfPsthuJBIeUNo3BmzhSC9/pvy+gIl+mntcdAEP4z0FY34SLelS0mpBo0pjnA96rWsvrsjdMAmJgZ1oNZlrKswVlDgTu0LYeBYPzFq9QkcOVUye1GuvkUQp4fIwUVVgAJXOQoTECS+UFbRw=,iv:CwutYyx9GobsykEkobb9ZZXb1mqmI0GBsRZf20tmBW8=,tag:rENd/dCNteOY571o4Al3ZA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.9.4 diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml deleted file mode 100644 index 80f8bb7a..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: postgres18 -spec: - imageName: ghcr.io/cloudnative-pg/postgresql:18.3 - instances: 2 - primaryUpdateStrategy: unsupervised - primaryUpdateMethod: switchover - - storage: - storageClass: longhorn - size: 20Gi - - superuserSecret: - name: cloudnative-pg-secret - - enableSuperuserAccess: true - - postgresql: - parameters: - max_connections: "400" - shared_buffers: 256MB - nodeMaintenanceWindow: - inProgress: false - reusePVC: true - - resources: - requests: - cpu: 250m - memory: 500Mi - limits: - memory: 4Gi - monitoring: - enablePodMonitor: true - - backup: - retentionPolicy: 7d - barmanObjectStore: - destinationPath: 's3://talos-lj-backup/' - s3Credentials: - accessKeyId: - name: s3-creds - key: ACCESS_KEY_ID - secretAccessKey: - name: s3-creds - key: SECRET_ACCESS_KEY - wal: - compression: gzip - maxParallel: 4 - encryption: AES256 diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml deleted file mode 100644 index dd607dce..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: s3-creds - namespace: cnpg-system -stringData: - ACCESS_KEY_ID: ENC[AES256_GCM,data:lBKXulaxXfgzvqkRfTx2CaPIyMc=,iv:mTvf40lrtJWcYRi37yxYVci5PDg8FCaFy42yndsXiQQ=,tag:oGRIY0+lx6Honpfyx3Uz5Q==,type:str] - SECRET_ACCESS_KEY: ENC[AES256_GCM,data:dBauVdZaxubgBHpZVS/cGcArNLgXtf6eeUBqmOpYWdkXEtxphl6MjA==,iv:+PgcVrUNmQWjJ9TiNS+9/jL3HJ+BR0p52CTIW86EIIk=,tag:Vt9tnjTtjWoN2huaITEkfg==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaVQxUk1xZEIxZFRLOGto - a2hrRG1rZk1oeGd4NktuNUtTUkhJelU5ekJ3Cmx4azlaKzBwOUFudDRuYnkvQjly - ellyREd4djU4OTBON2ljMWwyWGtnWDAKLS0tIGcrMlp3UCtoL0Y3V2lrTkpyc3M5 - MzhBUGRGa1NyOE9ia0hNZDR2T3pFcVEKg4W0L//J2m7izP1rlejS46TLKpss3Ijv - TVZ3eJmTce6y/IsQbiJ7kaDHBFouYv3waDUMkxkDkgbeX3hgC32j1Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-12T22:13:36Z" - mac: ENC[AES256_GCM,data:vWobFFmQL1tLCjUC4fqOqHsZegCxGJeG9q/iNdCwuyTDqEsowx4SPCj1Vz33Ri9XQ7tG/uKgY5caQgN8m+vmIvCe56iZ4l5EUNbNe3fPrZo/1Krnqulv+zfepAyuw7rideq7UrPu6Uvd7W4IkgpWzcyKi+97y9QhRkfr/gmS1B8=,iv:mTeYjKECcX6lkdWNuhdSyMSJx1evgir2tEnFWaqZJsA=,tag:OmB37YMVx4iPCNjmpop89g==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.1 diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml deleted file mode 100644 index 670f31ed..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml +++ /dev/null @@ -1,13 +0,0 @@ - -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: postgres18-backup - namespace: cnpg-system -spec: - schedule: "0 0 0 * * *" - suspend: false - immediate: true - backupOwnerReference: self - cluster: - name: postgres18 
diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml b/kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml deleted file mode 100644 index a7802216..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app cnpg - namespace: cnpg-system -spec: - interval: 30m - chart: - spec: - chart: cloudnative-pg - version: "0.27.0" - sourceRef: - kind: HelmRepository - name: cnpg - namespace: cnpg-system - interval: 12h - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - crds: - create: true - monitoring: - podMonitorEnabled: false - grafanaDashboard: - create: true diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml b/kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml deleted file mode 100644 index 8d653530..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: cnpg - namespace: cnpg-system -spec: - interval: 24h - url: https://cloudnative-pg.github.io/charts diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml b/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml deleted file mode 100644 index 0d55a38e..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# yamllint disable -kind: Secret -apiVersion: v1 -type: Opaque -metadata: - name: cloudnative-pg-secret - namespace: cnpg-system -stringData: - username: ENC[AES256_GCM,data:zsQ739He39Y=,iv:HR+37xHAdjzCn16tYbMhl78OvdSBMA7/oSgExHHrGb8=,tag:8BtN53W3OfBmvY467as1ig==,type:str] - password: ENC[AES256_GCM,data:iakn5nzVdggPgACVrUo=,iv:I3N44IK3M/qKSlfYz6QgSTaUJUQDsnHxxno3aiC4hW8=,tag:AKKl0TqsO/krpqYKcS8Y6g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWnRLQVg4Y0N1cEJqeHhY - YTZ2UmZsOFRGV1VJQlhCeVBxVkF5YmU3WDBVCm13bkNjNUg5RHozbFYvR29DZjFk - ZXlIT0RidDNubFVPbkkzcW4yRkRFcUUKLS0tIEJEY05xMHpqY2h6akN4cUkwa0dz - ZlJJLzRQRjFjbDhaVm12QUxjd3BpcHcKhHVQAWXYky4XXxJJnCqKnGUYkBakMZfc - Gs/xgDG7WgO6h6CxMjaUahZUcZZA/6R9wm++1xxdzSZou0b0XXco5w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-13T10:01:32Z" - mac: ENC[AES256_GCM,data:JlV2tomDu6IDiltrVIbFc0jlqYGMtDOJn9N4ib9+E6aZ1yHYl8qRe2kd9uGmhEPiPoUj9kWn1n9mTmnThj7Yp4FOuMKn8b2cWfmyni8tM0E8qUXSDvZWZdTYb2A8aU7/DdCYQBiI1dDViXF511D/CBr1UWxa/hornxan63XU/Tc=,iv:VGb53J7uImZmWYyv9MsPDtITHsT96ZWPCl3hWWcYzdQ=,tag:Vrvuc43GeEpPcc5ZjOkyww==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.1 diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml deleted file mode 100644 index 17c3814f..00000000 --- a/kubernetes/main/apps/database/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./cloudnative-pg/ks.yaml diff --git a/kubernetes/main/apps/database/namespace.yaml b/kubernetes/main/apps/database/namespace.yaml deleted file mode 100644 index 9f2cf3f8..00000000 --- a/kubernetes/main/apps/database/namespace.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cnpg-system - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/external-dns/external/kustomization.yaml b/kubernetes/main/apps/external-dns/external/kustomization.yaml deleted file mode 100644 index 92c244fb..00000000 --- a/kubernetes/main/apps/external-dns/external/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./secret.sops.yaml -# - ./dnsendpoint.yaml - - ./release.yaml - diff --git a/kubernetes/main/apps/external-dns/external/namespace.yaml b/kubernetes/main/apps/external-dns/external/namespace.yaml deleted file mode 100644 index dbd211d5..00000000 --- a/kubernetes/main/apps/external-dns/external/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: external-dns - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/external-dns/external/release.yaml b/kubernetes/main/apps/external-dns/external/release.yaml deleted file mode 100644 index 7953f532..00000000 --- a/kubernetes/main/apps/external-dns/external/release.yaml +++ /dev/null 
@@ -1,83 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app external-dns
- namespace: external-dns
-spec:
- interval: 30m
- chart:
- spec:
- chart: external-dns
- version: 1.15.0
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: external-dns
- # install:
- # crds: CreateReplace
- # remediation:
- # retries: 3
- # upgrade:
- # cleanupOnFail: true
- # crds: CreateReplace
- # remediation:
- # strategy: rollback
- # retries: 3
- values:
- fullnameOverride: *app
- provider: cloudflare
- env:
- - name: CF_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: external-dns-secret
- key: api-token
- extraArgs:
- - --ingress-class=external
- - --cloudflare-proxied
- - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
- policy: sync
- sources: ["crd", "ingress"]
- domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"]
- serviceMonitor:
- enabled: true
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app external-dns-pihole
- namespace: external-dns
-spec:
- interval: 30m
- chart:
- spec:
- chart: external-dns
- version: 1.20.0
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: external-dns
- values:
- fullnameOverride: *app
- provider: pihole
- policy: upsert-only
- registry: noop
- env:
- - name: EXTERNAL_DNS_PIHOLE_PASSWORD
- value: ${PIHOLE_PASSWORD}
- - name: EXTERNAL_DNS_PIHOLE_SERVER
- value: http://pihole-web.pihole-system.svc.cluster.local
- extraArgs:
- - --pihole-api-version=6
- - --ingress-class=internal
- serviceAccount:
- create: true
- name: "external-dns-pihole"
- sources: ["service", "ingress"]
- serviceMonitor:
- enabled: true
- securityContext:
- fsGroup: 65534
diff --git a/kubernetes/main/apps/external-dns/external/repository.yaml b/kubernetes/main/apps/external-dns/external/repository.yaml
deleted file mode 100644
index a7ff8d16..00000000
--- a/kubernetes/main/apps/external-dns/external/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: external-dns
- namespace: external-dns
-spec:
- interval: 1h
- url: https://kubernetes-sigs.github.io/external-dns
diff --git a/kubernetes/main/apps/external-dns/external/secret.sops.yaml b/kubernetes/main/apps/external-dns/external/secret.sops.yaml
deleted file mode 100644
index 63cd98dd..00000000
--- a/kubernetes/main/apps/external-dns/external/secret.sops.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: external-dns-secret
- namespace: external-dns
-stringData:
- api-token: ENC[AES256_GCM,data:lBmBhVzUuXSLQL/yHDf5LpF2RKfI0CY3XkJwTzYoICfHvyrqbKgiGg==,iv:Kn4DLY4eGKAzwJG6DPhLMkoedNkVbv4B9EdkhnoIwpw=,tag:QXXChKY/+f3LXlf/uXAqtg==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOEhzMkZndUFwNm5FTUtU
- L1p2bG5zSWd1am93RVhwZHZvbEVNZEJhbTBRCkZQeUlwY1FTV2h1RWs4MWVjYlcy
- amE5WGZUMXVWWlc3Z2ZCUlRNM1dUa1kKLS0tIG91ODVaV21jaFBOOUQ5RFN2S29t
- UUZSM2tLQ3hNRmVmYkdsTk0yRTBEUnMKi+PWiVO/m7C3/e5qz66jYWA6Bt6SxyEh
- /6+K/znmBYtKgm/IYcJNaIlXB0F/Oukl1c7BcFnPjB/glu3PwxR0vg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-23T20:35:07Z"
- mac: ENC[AES256_GCM,data:8RS31dDuxM02Q909qrQTtfv6ThLDHKdVq2KkQXKm/8TpD9Cgm5GkKnCkeztG58AU/2XUR3FRxP3JhMRzvgplYR6cWn8D902k9ulSFUBqZRkBnzoVZugTe4g7rpqB8LPma3Yc0GFyWNM3CxaoTIy/ZAHU/IlO+8eAWuzS7JEdTXc=,iv:qTnTFxsakTHqaAZowPA/SpyrKYVWQ4S/BfXdfrNnY0Y=,tag:CI0DrjMYDDeBCQbpZ67+LA==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.9.4
diff --git a/kubernetes/main/apps/external-dns/ks.yaml b/kubernetes/main/apps/external-dns/ks.yaml
deleted file mode 100644
index 551a776d..00000000
--- a/kubernetes/main/apps/external-dns/ks.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app external-dns
- namespace: flux-system
-spec:
- targetNamespace: external-dns
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/external-dns/external
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
-
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml
deleted file mode 100644
index feb47325..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: garmin-fetch-data
- namespace: garmin
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: garmin-fetch-data
- template:
- metadata:
- labels:
- app: garmin-fetch-data
- spec:
- securityContext:
- runAsUser: 0 # 0 is the UID for root
- runAsGroup: 0
- containers:
- - name: garmin-fetch-data
- image: thisisarpanghosh/garmin-fetch-data:latest
- env:
- - name: INFLUXDB_HOST
- value: "influxdb.garmin.svc.cluster.local"
- - name: INFLUXDB_PORT
- value: "8086"
- - name: INFLUXDB_USERNAME
- value: "influxdb_user"
- - name: INFLUXDB_PASSWORD
- value: "influxdb_secret_password"
- - name: INFLUXDB_DATABASE
- value: "GarminStats"
- - name: GARMINCONNECT_IS_CN
- value: "False"
- volumeMounts:
- - name: oauth1-token
- mountPath: /root/.garminconnect/oauth1_token.json
- subPath: oauth1_token.json
- - name: oauth2-token
- mountPath: /root/.garminconnect/oauth2_token.json
- subPath: oauth2_token.json
- resources:
- limits:
- cpu: 500m
- memory: 1000Mi
- requests:
- cpu: 100m
- memory: 256Mi
- volumes:
- - name: oauth1-token
- secret:
- secretName: garmin-secret
- items:
- - key: oauth1_token.json
- path: oauth1_token.json
- - name: oauth2-token
- secret:
- secretName: garmin-secret
- items:
- - key: oauth2_token.json
- path: oauth2_token.json
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml
deleted file mode 100644
index c41e6ccf..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./secret.sops.yaml
- - ./pvc.yaml
- - ./deployment.yaml
- - ./service.yaml
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml
deleted file mode 100644
index d866a48f..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: garmin
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml
deleted file mode 100644
index 18a11e0e..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: garminconnect-tokens-pvc
- namespace: garmin
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml
deleted file mode 100644
index d2afdc86..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: garmin-secret
- namespace: garmin
-stringData:
- oauth1_token.json: ENC[AES256_GCM,data:DaIH/X+vGjD633AQauW+V8ouvRCN477rYtSxhtj9cSyKeCNbAegb5chHG/qhwXbYuyFUChBMV2xodGZYM0WF6+os72uWDS9nenU18JEUO72b5EUXLj1eUoCoMv2Tyw527rpFeybEkkPjMiupty91QJKaBZHEut1kdEM4gHLk1KICTE5h7e3C0TBlw6Y8nfMHs8UtF/L0gJCwLgwyP5QsbRlw3PIcdzE85zA5WuNVbpMBjWkVKBpMXpSEl+fP/VNGE8iUk16d4wKGY+r/62vHHX3qQnQ9Pl9efGshcpCjDEgPQuLZeL3+tcAZER3OVAdqLR1Tl6qcLCuXHZYMLTHExNG4pDDXvHvAhmteU+0=,iv:J5ZqQhbZgGrG5LHE0S2QEV7QotBNM/075zIDXYwFzLk=,tag:4YMrdGg+z4OqVZ4WkrRw1g==,type:str]
- oauth2_token.json: ENC[AES256_GCM,data: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,iv:fRrrj+bT7cq84c9Gh2tVKBpW7hv8wgtMXU/JVldvKB4=,tag:qhQBCXKCI7jO4KEzYrwo1g==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2T3lkOUtMRGlEaXJoVTgv
- Nyt4S3VJcS9xYmJuY01XU2cvQWptWEZsa1EwCkwyYzVQTFE2N2dxYzYvR3pIcUxC
- QjRUMy9Qb0NiTFNrdHBqUnJSbVRSOEEKLS0tIFI5NElWR1BsSWFFaVZwbmdoSWdr
- bGdKNnErUlZoRjFNYTRNUlhOSlFDUkUKw4wF06QZW7RUuUAUu3reyR0azEssw9RO
- 9mdF5djBhw7XyWWvHqm9Qo/I6aoYeArSrR0Aa7va2hH58N54PrlRUg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-15T12:12:36Z"
- mac: ENC[AES256_GCM,data:c/7rrZc0loNGuPRK2HkEqf+wFxgG7c1LsXhfqQeuF9cMIzeGBHXZJuNaCu0fpT3e+3RYtN3nLkiRWZbT1TpG6LDnWqTpTygFaLlQEx+enflYA+CzN+t/ssb+GxDA3uyB/6dP6Qimp6CNsvyeRzcAIlvxQVQepIKmvmW1T5+Q+40=,iv:/JJUpkdzly19vSpX819GSVrFlQzAzIq7oSZcu7qlTs0=,tag:xjRGaJASA4zZPfNiwPfKRQ==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.10.2
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml
deleted file mode 100644
index 587fad92..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: garmin-fetch-data
- namespace: garmin
-spec:
- ports:
- - port: 8086
- targetPort: 8086
- selector:
- app: garmin-fetch-data
diff --git a/kubernetes/main/apps/garmin/ks.yaml b/kubernetes/main/apps/garmin/ks.yaml
deleted file mode 100644
index 80e64e92..00000000
--- a/kubernetes/main/apps/garmin/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app garmin-fetch-data
- namespace: flux-system
-spec:
- targetNamespace: garmin
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/garmin/garmin-fetch-data
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml b/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/gitlab-runner/app/namespace.yaml b/kubernetes/main/apps/gitlab-runner/app/namespace.yaml
deleted file mode 100644
index ff097eca..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: gitlab-runner
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/gitlab-runner/app/release.yaml b/kubernetes/main/apps/gitlab-runner/app/release.yaml
deleted file mode 100644
index f91d1b0e..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/release.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app gitlab-runner
- namespace: gitlab-runner
-spec:
- interval: 30m
- chart:
- spec:
- chart: gitlab-runner
- version: "0.84.1"
- sourceRef:
- kind: HelmRepository
- name: gitlab
- namespace: gitlab-runner
- interval: 12h
- values:
- gitlabUrl: "https://gitlab.com/"
- runnerToken: "${GITLAB_RUNNER_REGISTRATION_TOKEN}"
diff --git a/kubernetes/main/apps/gitlab-runner/app/repository.yaml b/kubernetes/main/apps/gitlab-runner/app/repository.yaml
deleted file mode 100644
index 4b770218..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: gitlab
- namespace: gitlab-runner
-spec:
- interval: 24h
- url: https://charts.gitlab.io
diff --git a/kubernetes/main/apps/gitlab-runner/ks.yaml b/kubernetes/main/apps/gitlab-runner/ks.yaml
deleted file mode 100644
index 6b231505..00000000
--- a/kubernetes/main/apps/gitlab-runner/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app gitlab-runner
- namespace: flux-system
-spec:
- targetNamespace: gitlab-runner
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/gitlab-runner/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 15m
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml
deleted file mode 100644
index 28cc4e0d..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./secret.sops.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml
deleted file mode 100644
index c9658e48..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: goriva-si
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml
deleted file mode 100644
index de4a9ee1..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: goriva-si-influxdb
- namespace: goriva-si
-spec:
- interval: 30m
- chart:
- spec:
- chart: influxdb2
- version: "2.1.2"
- sourceRef:
- kind: HelmRepository
- name: influxdata
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- values:
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
- persistence:
- enabled: true
- size: 5Gi
- storageClass: longhorn
- resources:
- requests:
- cpu: 100m
- memory: 256Mi
- limits:
- cpu: 500m
- memory: 512Mi
- adminUser:
- organization: "gorivasi"
- bucket: "gorivasi"
- user: "admin"
- existingSecret: "influxdb-admin-credentials"
- service:
- type: ClusterIP
- port: 8086
- ingress:
- enabled: false
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml
deleted file mode 100644
index dca0f97b..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: influxdata
- namespace: flux-system
-spec:
- interval: 1h
- url: https://helm.influxdata.com/
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml
deleted file mode 100644
index c7e97f9f..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: influxdb-admin-credentials
- namespace: goriva-si
-type: Opaque
-stringData:
- admin-password: ENC[AES256_GCM,data:OKVOKd4cxF3ImHa769C6Zff9poU=,iv:4wYjARUFIquocx76Yady4TT3cjB8dma3M1X6sgaBgO0=,tag:yygUSzlSy6Do/GZG2OvrAQ==,type:str]
- admin-token: ENC[AES256_GCM,data:K2J+qucHRGEnSBJ1k6uV+FMsXVDETq3sK6nHnNPdRd+YNwFilxxq1AsEYwLu7apCWt2tsolrY6ZjTmS7/Q==,iv:1Tz2aPRMwvLjVORr1E61HtRj8Lz4k7ZRPCWVSllPZx0=,tag:hqe4M0Q1jka9ib/d4szeiA==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYmtwNE14UTYwejZrTmdC
- SVlib0trWnJSYlk0TGlqcE1BUmM4QXJCTFJZCkVmMzFGRFdKY2NlWm41dkZMc2JP
- Tjlqb0M4c3JyUStkUWlia2l2R2xzZjQKLS0tIGtUc0dENmhhTU1YVFo4MWlpSTJr
- S2lBMzd2NHo2Z2xsbW1vNWFMZWxxalUKt/FPpZZAyDBnxcaJpzhWCepxbXyQvo80
- fYwl/pRx9T7h93XRV+odjQYINNNJN3njtEZmSOr30qsH6wrBmBLnrQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-26T20:02:19Z"
- mac: ENC[AES256_GCM,data:iHQDqf2tyUlIFWGFFi8E6PL0/j4SY235qMAJaIuzhdgDtGE/RGR20eN4K/t9jVO8ka//Ymq57vE5e6KoNdLk1hOC+mv3W/9VPNZvg1trdvy/hG6cR7gxpI6zNIibee3sJA2OoE7W82B5BpaMy45WahRoll6S/5Cs9xUXSmpRwzg=,iv:rVojmJJxmMrDBKNnl8Fie53NdJZ6DU6K6tlxhUDv62o=,tag:tMEloj2HUk2vp3hOJm3nVg==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.12.2
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml
deleted file mode 100644
index f985beb8..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goriva-si-scraper
- namespace: goriva-si
-spec:
- schedule: "0 */6 * * *"
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 3
- failedJobsHistoryLimit: 3
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: goriva-si-scraper
- image: ghcr.io/cloudwithdan/goriva-si-scraper:latest
- imagePullPolicy: Always
- env:
- - name: INFLUXDB_URL
- value: "http://goriva-si-influxdb-influxdb2.goriva-si.svc.cluster.local:8086"
- - name: INFLUXDB_TOKEN
- valueFrom:
- secretKeyRef:
- name: influxdb-scraper-credentials
- key: token
- - name: INFLUXDB_ORG
- value: "gorivasi"
- - name: INFLUXDB_BUCKET
- value: "gorivasi"
- - name: LOG_LEVEL
- value: "INFO"
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 200m
- memory: 256Mi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- seccompProfile:
- type: RuntimeDefault
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
- securityContext:
- fsGroup: 1000
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml
deleted file mode 100644
index c894206f..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./secret.sops.yaml
- - ./cronjob.yaml
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml
deleted file mode 100644
index b8f6af6d..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: influxdb-scraper-credentials
- namespace: goriva-si
-type: Opaque
-stringData:
- token: ENC[AES256_GCM,data:h7bs7VjcNYuzr+tjuvAlN9A2jfTj7JnIQGeH8UDkBddV+XmsKCDEU8lhKyG4KsQMAmUeWIirUFFPQ68Z8A==,iv:RZenm9HlRBLcrKs/dIW21EBjSf4O7nlQWjsiU8OrkGo=,tag:V+V2jQZCw4xY2sE+ltTS+g==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVktSMVNSQ08rY0ZUU3Na
- MmdJczY2WS81a2ljZzZhWW9GU0lZeExyZmxJCmVCcVlmWWoyTEdEWU1JZ2N4c0Ni
- WlZRRU1HMnVzRXVsK0Jhc1ArVDJRR00KLS0tIGZ1Y2pJM0VsdVRRZGFnTWNOaHJi
- QkQ1dU4vajh2OHdKTTBnRWVZbXo5dW8KIvi3mWEV2A+debNc5tp9X/r8wQCKZuah
- aXc5T08j/tWtZGLQnTN3f58235dvzHyiVDaDzERMc2jWmNCPF/pCzw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-26T20:02:56Z"
- mac: ENC[AES256_GCM,data:mYVx6ytBwNo+vb+bzA3ujmW/vV/kC2uNHbnPBDdnTboXJW2u9fDrpxcpw4TZqlMy7pqVs+u4lNFiXPtfHaTd+eZAqURKzupHsh7czJ5CZRnqA4fYi94WZG42NbutLTZNT+G7SEYqqV3QUg+V3r4HUDF8sdP5qKDZRJCd/L/OrvE=,iv:mmOPiqdBsyDQB3QlYBsW3IVOGKOmKAPEIrvetuXOTRY=,tag:Lx19Uq/96SoXxLp8z3I9kg==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.12.2
diff --git a/kubernetes/main/apps/goriva-si/ks.yaml b/kubernetes/main/apps/goriva-si/ks.yaml
deleted file mode 100644
index 7ad2b218..00000000
--- a/kubernetes/main/apps/goriva-si/ks.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app goriva-si-influxdb
- namespace: flux-system
-spec:
- targetNamespace: goriva-si
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/goriva-si/goriva-si-influxdb
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- dependsOn:
- - name: grafana
- namespace: flux-system
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app goriva-si-scraper
- namespace: flux-system
-spec:
- targetNamespace: goriva-si
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/goriva-si/goriva-si-scraper
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- dependsOn:
- - name: grafana
- namespace: flux-system
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml
deleted file mode 100644
index 12b63726..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: external-secrets
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml
deleted file mode 100644
index bf75122e..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app external-secrets
- namespace: external-secrets
-spec:
- interval: 30m
- chart:
- spec:
- chart: external-secrets
- version: "0.10.5"
- sourceRef:
- kind: HelmRepository
- name: external-secrets
- namespace: external-secrets
- interval: 12h
- values:
- installCRDs: true
\ No newline at end of file
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml
deleted file mode 100644
index f847a754..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: external-secrets
- namespace: external-secrets
-spec:
- interval: 24h
- url: https://charts.external-secrets.io
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/ks.yaml b/kubernetes/main/apps/infrastructure/external-secrets/ks.yaml
deleted file mode 100644
index 9ae71ea9..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app external-secrets
- namespace: flux-system
-spec:
- targetNamespace: external-secrets
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/infrastructure/external-secrets/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/infrastructure/kustomization.yaml b/kubernetes/main/apps/infrastructure/kustomization.yaml
deleted file mode 100644
index 739c69bb..00000000
--- a/kubernetes/main/apps/infrastructure/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./external-secrets/ks.yaml
- - ./weave-gitops/ks.yaml
- - ./longhorn/ks.yaml
- - ./reloader/ks.yaml
diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml b/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml
deleted file mode 100644
index 8c8db5a8..00000000
--- a/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
- - ./storageclass-retain.yaml
diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml b/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml
deleted file mode 100644
index f80ab852..00000000
--- a/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: longhorn-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml b/kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml
deleted file mode 100644
index 254420b1..00000000
--- a/kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml
+++ /dev/null
@@ -1,144 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: reloader-reloader
- namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: reloader-reloader-role
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- - configmaps
- verbs:
- - list
- - get
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- - statefulsets
- verbs:
- - list
- - get
- - update
- - patch
-- apiGroups:
- - extensions
- resources:
- - deployments
- - daemonsets
- verbs:
- - list
- - get
- - update
- - patch
-- apiGroups:
- - batch
- resources:
- - cronjobs
- verbs:
- - list
- - get
-- apiGroups:
- - batch
- resources:
- - jobs
- verbs:
- - create
- - delete
- - list
- - get
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: reloader-reloader-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: reloader-reloader-role
-subjects:
-- kind: ServiceAccount
- name: reloader-reloader
- namespace: default
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reloader-reloader
- namespace: default
-spec:
- replicas: 1
- revisionHistoryLimit: 2
- selector:
- matchLabels:
- app: reloader-reloader
- template:
- metadata:
- labels:
- app: reloader-reloader
- spec:
- containers:
- - env:
- - name: GOMAXPROCS
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.cpu
- - name: GOMEMLIMIT
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.memory
- image: "ghcr.io/stakater/reloader:latest"
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /live
- port: http
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- name: reloader-reloader
- ports:
- - containerPort: 9090
- name: http
- readinessProbe:
- failureThreshold: 5
- httpGet:
- path: /metrics
- port: http
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- resources:
- limits:
- cpu: "1"
- memory: 512Mi
- requests:
- cpu: 10m
- memory: 512Mi
- securityContext: {}
- securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- serviceAccountName: reloader-reloader
diff --git a/kubernetes/main/apps/infrastructure/reloader/ks.yaml b/kubernetes/main/apps/infrastructure/reloader/ks.yaml
deleted file mode 100644
index 878ff7ea..00000000
--- a/kubernetes/main/apps/infrastructure/reloader/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app reloader
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/infrastructure/reloader/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 15m
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml
deleted file mode 100644
index ba8858e2..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- annotations:
- metadata.weave.works/description:
- This is the Weave GitOps Dashboard. It provides
- a simple way to get insights into your GitOps workloads.
- name: &app ww-gitops
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: weave-gitops
- sourceRef:
- kind: HelmRepository
- name: ww-gitops
- interval: 1h0m0s
- values:
- resources:
- requests:
- cpu: 100m
- memory: 64Mi
- limits:
- cpu: 1
- memory: 512Mi
- securityContext:
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- adminUser:
- create: true
- passwordHash: $2a$12$/xzvyuZsUFacrXul.j14dOiAeZBECAO9m5.g1f9XsF1SUk4soH9DK
- username: admin
- metrics:
- enabled: true
\ No newline at end of file
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml
deleted file mode 100644
index cd2ec222..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- annotations:
- metadata.weave.works/description:
- This is the source location for the Weave GitOps
- Dashboard's helm chart.
- labels:
- app.kubernetes.io/component: ui
- app.kubernetes.io/created-by: weave-gitops-cli
- app.kubernetes.io/name: weave-gitops-dashboard
- app.kubernetes.io/part-of: weave-gitops
- name: &app ww-gitops
- namespace: flux-system
-spec:
- interval: 1h0m0s
- type: oci
- url: oci://ghcr.io/weaveworks/charts
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml
deleted file mode 100644
index 35766c96..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ww-gitops - namespace: flux-system -spec: - targetNamespace: flux-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/infrastructure/weave-gitops/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml b/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml deleted file mode 100644 index 53a42b15..00000000 --- a/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "${SECRET_EXTERNAL_DOMAIN/./-}-production" - namespace: ingress-nginx -spec: - secretName: "${SECRET_EXTERNAL_DOMAIN/./-}-production-tls" - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "${SECRET_EXTERNAL_DOMAIN}" - dnsNames: - - "${SECRET_EXTERNAL_DOMAIN}" - - "*.${SECRET_EXTERNAL_DOMAIN}" diff --git a/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml deleted file mode 100644 index 93654906..00000000 --- a/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./certificate.yaml - diff --git a/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml deleted file mode 100644 index c00b6bbb..00000000 --- a/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml diff --git a/kubernetes/main/apps/ingress-nginx/external/namespace.yaml b/kubernetes/main/apps/ingress-nginx/external/namespace.yaml deleted file mode 100644 index 5ee4d44d..00000000 --- a/kubernetes/main/apps/ingress-nginx/external/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/ingress-nginx/external/release.yaml b/kubernetes/main/apps/ingress-nginx/external/release.yaml deleted file mode 100644 index f75a38dd..00000000 --- a/kubernetes/main/apps/ingress-nginx/external/release.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: ingress-nginx-external - namespace: ingress-nginx -spec: - interval: 30m - chart: - spec: - chart: ingress-nginx - version: 4.11.3 - sourceRef: - kind: HelmRepository - name: ingress-nginx - namespace: ingress-nginx - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - dependsOn: - - name: cloudflared - namespace: cloudflared - values: - fullnameOverride: ingress-nginx-external - controller: - allowSnippetAnnotations: true - service: - annotations: - external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_EXTERNAL_DOMAIN}" - metallb.io/allow-shared-ip: ingress-nginx-external - metallb.io/ip-allocated-from-pool: pool - externalTrafficPolicy: Cluster - ingressClassResource: - name: external - default: false - controllerValue: k8s.io/external - admissionWebhooks: - objectSelector: - matchExpressions: - - key: ingress-class - operator: In - values: ["external"] - config: - annotations-risk-level: "Critical" - use-forwarded-headers: "true" - strict-validate-path-type: "false" - client-body-buffer-size: 100M - client-body-timeout: 120 - client-header-timeout: 120 - enable-brotli: "true" - enable-real-ip: "true" - hsts-max-age: 31449600 - keep-alive-requests: 10000 - keep-alive: 120 - log-format-escape-json: "true" - log-format-upstream: > - {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", - "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, - "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", - "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", - "http_user_agent": "$http_user_agent"} - proxy-body-size: 0 - proxy-buffer-size: 16k - ssl-protocols: TLSv1.3 
TLSv1.2 - metrics: - enabled: true - serviceMonitor: - enabled: true - namespaceSelector: - any: true - extraArgs: - default-ssl-certificate: "ingress-nginx/${SECRET_EXTERNAL_DOMAIN/./-}-production-tls" - resources: - requests: - cpu: 100m - limits: - memory: 500Mi diff --git a/kubernetes/main/apps/ingress-nginx/external/repository.yaml b/kubernetes/main/apps/ingress-nginx/external/repository.yaml deleted file mode 100644 index 988da8ba..00000000 --- a/kubernetes/main/apps/ingress-nginx/external/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: ingress-nginx - namespace: ingress-nginx -spec: - interval: 1h - url: https://kubernetes.github.io/ingress-nginx diff --git a/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml deleted file mode 100644 index 4ec97219..00000000 --- a/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./release.yaml diff --git a/kubernetes/main/apps/ingress-nginx/internal/release.yaml b/kubernetes/main/apps/ingress-nginx/internal/release.yaml deleted file mode 100644 index 7ab0a657..00000000 --- a/kubernetes/main/apps/ingress-nginx/internal/release.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: ingress-nginx-internal - namespace: ingress-nginx -spec: - interval: 30m - chart: - spec: - chart: ingress-nginx - version: 4.11.3 - sourceRef: - kind: HelmRepository - name: ingress-nginx - namespace: ingress-nginx - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - fullnameOverride: ingress-nginx-internal - controller: - allowSnippetAnnotations: true - service: - annotations: - metallb.io/allow-shared-ip: ingress-nginx-internal - metallb.io/ip-allocated-from-pool: pool - externalTrafficPolicy: Cluster - ingressClassResource: - name: internal - default: true - controllerValue: k8s.io/internal - admissionWebhooks: - objectSelector: - matchExpressions: - - key: ingress-class - operator: In - values: ["internal"] - config: - annotations-risk-level: "Critical" - use-forwarded-headers: "true" - strict-validate-path-type: "false" - client-body-buffer-size: 100M - client-body-timeout: 120 - client-header-timeout: 120 - enable-brotli: "true" - enable-real-ip: "true" - hsts-max-age: 31449600 - keep-alive-requests: 10000 - keep-alive: 120 - log-format-escape-json: "true" - log-format-upstream: > - {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", - "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, - "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", - "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", - "http_user_agent": "$http_user_agent"} - proxy-body-size: 0 - proxy-buffer-size: 16k - ssl-protocols: TLSv1.3 TLSv1.2 - metrics: - enabled: true - serviceMonitor: - enabled: true - namespaceSelector: - any: true - extraArgs: - default-ssl-certificate: 
"ingress-nginx/${SECRET_EXTERNAL_DOMAIN/./-}-production-tls" - resources: - requests: - cpu: 100m - limits: - memory: 500Mi diff --git a/kubernetes/main/apps/ingress-nginx/ks.yaml b/kubernetes/main/apps/ingress-nginx/ks.yaml deleted file mode 100644 index 7e62a88e..00000000 --- a/kubernetes/main/apps/ingress-nginx/ks.yaml +++ /dev/null @@ -1,70 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ingress-nginx-certificates - namespace: flux-system -spec: - targetNamespace: ingress-nginx - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager-issuers - path: ./kubernetes/main/apps/ingress-nginx/certificates - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ingress-nginx-external - namespace: flux-system -spec: - targetNamespace: ingress-nginx - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: ingress-nginx-certificates - path: ./kubernetes/main/apps/ingress-nginx/external - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ingress-nginx-internal - namespace: flux-system -spec: - targetNamespace: ingress-nginx - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: ingress-nginx-certificates - path: ./kubernetes/main/apps/ingress-nginx/internal - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - 
diff --git a/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml b/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml deleted file mode 100644 index c00b6bbb..00000000 --- a/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml diff --git a/kubernetes/main/apps/k8s-gateway/app/namespace.yaml b/kubernetes/main/apps/k8s-gateway/app/namespace.yaml deleted file mode 100644 index be391b42..00000000 --- a/kubernetes/main/apps/k8s-gateway/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k8s-gateway - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/k8s-gateway/app/release.yaml b/kubernetes/main/apps/k8s-gateway/app/release.yaml deleted file mode 100644 index 6bc3c28c..00000000 --- a/kubernetes/main/apps/k8s-gateway/app/release.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: k8s-gateway - namespace: k8s-gateway -spec: - interval: 30m - chart: - spec: - chart: k8s-gateway - version: 2.4.0 - sourceRef: - kind: HelmRepository - name: k8s-gateway - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - fullnameOverride: k8s-gateway - domain: "${SECRET_EXTERNAL_DOMAIN}" - ttl: 1 - service: - type: LoadBalancer - port: 53 - annotations: - metallb.io/allow-shared-ip: lb-k8s-gateway - metallb.io/ip-allocated-from-pool: pool - externalTrafficPolicy: Cluster - watchedResources: ["Ingress", "Service"] 
diff --git a/kubernetes/main/apps/k8s-gateway/app/repository.yaml b/kubernetes/main/apps/k8s-gateway/app/repository.yaml deleted file mode 100644 index d7723106..00000000 --- a/kubernetes/main/apps/k8s-gateway/app/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: k8s-gateway - namespace: flux-system -spec: - interval: 1h - url: https://ori-edge.github.io/k8s_gateway \ No newline at end of file diff --git a/kubernetes/main/apps/k8s-gateway/ks.yaml b/kubernetes/main/apps/k8s-gateway/ks.yaml deleted file mode 100644 index 5694735c..00000000 --- a/kubernetes/main/apps/k8s-gateway/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app k8s-gateway - namespace: flux-system -spec: - targetNamespace: k8s-gateway - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/k8s-gateway/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml b/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml deleted file mode 100644 index d29f24c7..00000000 --- a/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: linkwarden-db - namespace: linkwarden -spec: - imageName: ghcr.io/cloudnative-pg/postgresql:16.9 - instances: 1 - - bootstrap: - initdb: - database: ${POSTGRES_DATABASE} - owner: ${POSTGRES_USERNAME} - secret: - name: pg-cluster-secret - - enableSuperuserAccess: true - superuserSecret: - name: pg-cluster-secret - - storage: - storageClass: longhorn - size: 1Gi - - backup: - retentionPolicy: 30d - barmanObjectStore: - destinationPath: 's3://talos-lj-backup/linkwarden-pg/' - s3Credentials: - accessKeyId: - name: s3-creds - key: ACCESS_KEY_ID - secretAccessKey: - name: s3-creds - key: SECRET_ACCESS_KEY - wal: - compression: gzip - maxParallel: 4 - encryption: AES256 diff --git a/kubernetes/main/apps/linkwarden/app/deployment.yaml b/kubernetes/main/apps/linkwarden/app/deployment.yaml deleted file mode 100644 index c94062d3..00000000 --- a/kubernetes/main/apps/linkwarden/app/deployment.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: linkwarden - name: linkwarden-deployment - namespace: linkwarden -spec: - replicas: 1 - selector: - matchLabels: - app: linkwarden - strategy: - type: Recreate - template: - metadata: - labels: - app: linkwarden - spec: - containers: - - name: linkwarden - image: ghcr.io/linkwarden/linkwarden:v2.13.5 - ports: - - containerPort: 3000 - name: http - imagePullPolicy: IfNotPresent - env: - - name: DATABASE_URL - value: "${DATABASE_URL}" - - name: NEXT_PUBLIC_AUTHENTIK_ENABLED - value: "true" - - name: NEXTAUTH_URL - valueFrom: - secretKeyRef: - name: linkwarden-secret - key: NEXTAUTH_URL - - name: NEXTAUTH_SECRET - valueFrom: - secretKeyRef: - name: linkwarden-secret - key: NEXTAUTH_SECRET - - name: AUTHENTIK_ISSUER - valueFrom: - secretKeyRef: - name: linkwarden-secret - key: AUTHENTIK_ISSUER - - name: AUTHENTIK_CLIENT_ID - valueFrom: - secretKeyRef: - name: linkwarden-secret - key: AUTHENTIK_CLIENT_ID - - name: AUTHENTIK_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: linkwarden-secret - key: AUTHENTIK_CLIENT_SECRET - volumeMounts: - - mountPath: /pfs - name: data - resources: - requests: - cpu: 250m - memory: 256Mi - limits: - memory: 4Gi - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - volumes: - - name: data - persistentVolumeClaim: - claimName: linkwarden diff --git a/kubernetes/main/apps/linkwarden/app/ingress.yaml b/kubernetes/main/apps/linkwarden/app/ingress.yaml deleted file mode 100644 index 91aeb963..00000000 --- a/kubernetes/main/apps/linkwarden/app/ingress.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: linkwarden-ingress - namespace: linkwarden - annotations: - external-dns.alpha.kubernetes.io/target: "bookmark.${SECRET_EXTERNAL_DOMAIN}" -spec: - ingressClassName: external - rules: - - host: "bookmark.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: linkwarden - port: - name: http diff --git a/kubernetes/main/apps/linkwarden/app/kustomization.yaml b/kubernetes/main/apps/linkwarden/app/kustomization.yaml deleted file mode 100644 index 99c75563..00000000 --- a/kubernetes/main/apps/linkwarden/app/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./storage.yaml - - ./secret.sops.yaml - - ./pg-secret.sops.yaml - - ./cluster-pg.yaml - - ./pg-backup.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/linkwarden/app/namespace.yaml b/kubernetes/main/apps/linkwarden/app/namespace.yaml deleted file mode 100644 index 38094843..00000000 --- a/kubernetes/main/apps/linkwarden/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: linkwarden - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/linkwarden/app/pg-backup.yaml b/kubernetes/main/apps/linkwarden/app/pg-backup.yaml deleted file mode 100644 index 9dd3a722..00000000 --- a/kubernetes/main/apps/linkwarden/app/pg-backup.yaml +++ /dev/null @@ -1,13 +0,0 @@ - -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: linkwarden-db-backup - namespace: linkwarden -spec: - schedule: "0 0 0 * * *" - suspend: false - immediate: true - backupOwnerReference: self - cluster: - name: linkwarden-db 
diff --git a/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml b/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml deleted file mode 100644 index 44d58046..00000000 --- a/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: pg-cluster-secret - namespace: linkwarden -stringData: - username: ENC[AES256_GCM,data:/DW6,iv:bSqXmW2HcNLIz2TQs4/n1oIZyNH1T+UZzSNCDVmiT38=,tag:wx9BHm1i1lvUemHxPeDJqQ==,type:str] - password: ENC[AES256_GCM,data:SFknfyV0q1RU9A==,iv:x7R4Fnpd03fvIELm4QkAcWWVDboTkymtODipczTsPDE=,tag:tPxQ149+WiKoJltKZUOr9w==,type:str] - ACCESS_KEY_ID: ENC[AES256_GCM,data:c/QTRveVnN0nXCu8Ijc1YmX4JI4=,iv:UNuk4QxYnBIbwqBcw26V2JeBK9KS9vQGunPbqOmptxo=,tag:QdPqfglDM93THHhlGXNE2A==,type:str] - SECRET_ACCESS_KEY: ENC[AES256_GCM,data:qALvmxnZyNxPoTwbkNgvZSZ8QFOpaPHyd7O6lSiTtFx26dwuZH0cxw==,iv:vWrA2TY6UCVHaG1R9N9eoiolqetano0BbkCbE9ekCRU=,tag:Zb+slrQ7yDPgSwM3H+JT3g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMU9rRGhkMXFoc0w1d2RK - UlVSblZKejJ4YTIycG9ETEVVTVJGekQ2SjBFCnhFbEhsTC9sSEUwSWM2eWNJSjdu - N0t1UVlYMXd5WGdUZUFhNnN5SjhUd00KLS0tIGdPcUtkVjU3WXFoREFCS1NXaHhl - cWJLdmI4MWIzMzNtQWZwbk9EMkxPTE0Kl6A0U/jjdSurED3QrlvrSpv4uAM8yyuk - 9xUI00tZ4/YWwB6A9nScLQADA73Rtr0aO0Va7RVtfYV2lbAejKfkIA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-10T09:42:29Z" - mac: ENC[AES256_GCM,data:bu/ofcjwgT1zjqsW344YsP3a7m+7Z4Ec9AXEa9e+5FmEbCMBaAZm+Xg2EQu+AKDjoni2DL/QLyENgr1qiOJc1N9RRpc1WkB09ekALrd4LB8vkhu8hKE/Qw+1Oqa7HVo4+LnZMgQ/9qfEalknbdwuK2CcGtFSz+yl7/GWK7yVEGI=,iv:TBVkDLbX45S1bl4NVu3JOeCMZHXzXpdA2v36glyntgE=,tag:XhSOW97gXJi5MyKrBM/3jA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 
diff --git a/kubernetes/main/apps/linkwarden/app/secret.sops.yaml b/kubernetes/main/apps/linkwarden/app/secret.sops.yaml deleted file mode 100644 index b4ddd33b..00000000 --- a/kubernetes/main/apps/linkwarden/app/secret.sops.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: linkwarden-secret - namespace: linkwarden -stringData: - POSTGRES_USERNAME: ENC[AES256_GCM,data:g5vR,iv:YrKG/Jlwh626fR07sEr0QYWv6Ow+IKcFL+85QQLudB8=,tag:qSac4Ayb7DzdyfT901aFPQ==,type:str] - POSTGRES_PASSWORD: ENC[AES256_GCM,data:QQRYvXVUKPvagA==,iv:C1YRIYBkwtEgjpShEGPlePBIaykyHkOvV8xUimWjudk=,tag:Jxkudnlbjjb97PMFrCnrwQ==,type:str] - POSTGRES_HOST: ENC[AES256_GCM,data:T3eiKNdoydSW2Uy6qUGPTGjtkzhDD8mtBsLMFmEGlaC6qoVY8xmBWArDQo2V,iv:0+1UVZ/O/ru8E+MM+xu9Ej51UN5v7bTzGuJl4S7CK7Y=,tag:Vq55i7JJNElgek1fOxgbZQ==,type:str] - POSTGRES_PORT: ENC[AES256_GCM,data:XRCCLx6PGRw=,iv:8292LhFa7msxUqMMkMNsfKNvjgpi+vUWezN4qhyVhVk=,tag:Uth8wgrUXv8sIxv37smHmA==,type:str] - POSTGRES_DATABASE: ENC[AES256_GCM,data:I9Yz,iv:5rK1PqbQgHFAOkmwe1dUAbh49FZkbxB/3j74HtE1iK0=,tag:DFL/GCgooIV+VDWBJNHv+A==,type:str] - DATABASE_URL: ENC[AES256_GCM,data:Chs7GD/UMq+61ze8JqTLCB63QP2puK98j/zsSGwbGwDujBefeyl1vK9tzofTx+8m3hZGxQit+cLo2JvWm0m8RI+vhy91eAXlpxez2WJBVTgPkQ==,iv:B7QZVs9HrkpCZvzg/lAEy6SF9YKMMVZfEizQlOw+Rjg=,tag:Io/voUBn7PsFQ9/cawgSpA==,type:str] - NEXTAUTH_SECRET: ENC[AES256_GCM,data:/4l0E72ZCkBkYQmmbFCs,iv:QXJp4wStkXNhKrN1EJjicRuJsBm7wrfwSTtLubgX9cw=,tag:lCVFzCvMcBxwTzftcETp1w==,type:str] - ACCESS_KEY_ID: ENC[AES256_GCM,data:Q/c1ehUXF/3XxHcf8/o2jKB+wfY=,iv:TlxQgMpRz/Z0qjxFg8SE03vTPHIXQFqKwHWn1DkiIHc=,tag:ke7ywXcb5gsWrgr3BIITKg==,type:str] - SECRET_ACCESS_KEY: ENC[AES256_GCM,data:z2Lg4yvalcL2Iaril7bcFigCszqzcuAApok41x4xIcHTR6gqFHn0NA==,iv:+1F7JvpIPATPcx6LtvqucpvJOH2ICG1Q4tU+ag24hcQ=,tag:yLpkVK3S9BT+F/RP8C8NHw==,type:str] - NEXTAUTH_URL: ENC[AES256_GCM,data:QmfFe8nMZI3fEudMNogPcFwZrIRhw7L8tcyr6mJOPoU0+aCFe51qmJruu2Us,iv:b5bjnlRxSFG8H0pgjFhDCpCDORQu0K+Ipn3zSgxZDcA=,tag:YsHpRNnMaIoPfW8A/vtVkw==,type:str] - AUTHENTIK_ISSUER: ENC[AES256_GCM,data:0fxbDx55pwj+w350d6cWK1STKgk3faE2cyYrTnstwB0Z9AWgL3okH2VJ/vtmmM7h8g3o2yAk,iv:+bquvug+OpponyUH4a7DM4ymuO1W5vuYG9hYpCmfmnQ=,tag:64KgxbTp+BLH7hAtofIsSA==,type:str] - AUTHENTIK_CLIENT_ID: 
ENC[AES256_GCM,data:U3MplBoN5zxRXzQveBT9taZJ9pfvvZwuTouA+UiQTxNrHwNe8jTUMQ==,iv:bkWI7GIha4ZEVJzjOYTCyEI+eKBoG7CZD+KvFLrS5Bk=,tag:MWdlBBqMPS/YX/RMv1gOeQ==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:LEOt7BzHtF3HBw6TyaCLdUJkmKZpv7fc9zvkZkHLrc298ReOKm5243zxJqOinA2WvzyktXoaGcZ+E6s427wttelHCpAImYe9ISCkap0l0+bTyvDL2irViIelZlszaYLzehOUqvJDcmK9+iFW8b6DGMPDg/Mg6ullytHJReiZtow=,iv:wwIMoYHyE1yYf4ercR8yzOZZ4GDYeO4o5olQQ9xBXaw=,tag:zoTIhBV12+MVJUZm/ho8wA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWHEwdnEvS0VSalhGRWl0 - N205dTNRVkFaWUNwY28zd09vWUlkWlk3ZW1ZCisvVjBTaDNkeEpFRit2OTNvWktT - U05rdjVVdGRxdUwxMkFwVHpmV0pWSnMKLS0tIDVwUThnNmc1UVpmR3hHQ1c1UHRs - dFZSNUE2MERxbjZsUTk0eGNnTlNNVEkKii2XiumYBDlCtUmg27ZhNK+IIQAn+0oD - ToQqymMlwcTFl7ccUNtvmh07HwOsL3rUA88yrvJ+m+RkuUyVNDBQ3w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-10T11:23:16Z" - mac: ENC[AES256_GCM,data:oQSMRBWwibLOeXkBRdn7LYWEgfFoBR+3AQjFpTzVy5ioqgBs3sTVQRELf+8353hZppAf0VgIAXgdS++qGbPaujb67GBt1UJ14XoeAqOT7GCoBy3nVR1guBJ65H4MMLIjEZv2+FXbldQeW/lJXMIiHn03nRjaeofwVpdkbIQXnHQ=,iv:DSVa8NN51nayleUR1G3Sy/Sf/DLyDrrZnjdp+E6W96s=,tag:L0ObYePX9Lw5XRiyBlx0Ow==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/kubernetes/main/apps/linkwarden/app/service.yaml b/kubernetes/main/apps/linkwarden/app/service.yaml deleted file mode 100644 index d51a2766..00000000 --- a/kubernetes/main/apps/linkwarden/app/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: linkwarden - name: linkwarden - namespace: linkwarden -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: linkwarden - type: ClusterIP 
diff --git a/kubernetes/main/apps/linkwarden/app/storage.yaml b/kubernetes/main/apps/linkwarden/app/storage.yaml deleted file mode 100644 index 3c0ce690..00000000 --- a/kubernetes/main/apps/linkwarden/app/storage.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: linkwarden - namespace: linkwarden -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi diff --git a/kubernetes/main/apps/linkwarden/ks.yaml b/kubernetes/main/apps/linkwarden/ks.yaml deleted file mode 100644 index 0dc9ccbf..00000000 --- a/kubernetes/main/apps/linkwarden/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app linkwarden - namespace: flux-system -spec: - targetNamespace: linkwarden - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/linkwarden/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/mealie/app/deployment.yaml b/kubernetes/main/apps/mealie/app/deployment.yaml deleted file mode 100644 index 3d206e12..00000000 --- a/kubernetes/main/apps/mealie/app/deployment.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: mealie - name: mealie-deployment - namespace: mealie -spec: - replicas: 1 - selector: - matchLabels: - app: mealie - strategy: - type: Recreate - template: - metadata: - labels: - app: mealie - spec: - containers: - - env: - - name: TZ - value: Europe/Ljubljana - - name: ALLOW_SIGNUP - value: "false" - - name: BASE_URL - value: "https://recept.${SECRET_EXTERNAL_DOMAIN}" - image: ghcr.io/mealie-recipes/mealie:v3.13.1 - ports: - - containerPort: 9000 - name: http - imagePullPolicy: IfNotPresent - name: mealie - volumeMounts: - - mountPath: /app/data - name: data - resources: - limits: - cpu: 500m - memory: 1000Mi - requests: - cpu: 100m - memory: 256Mi - volumes: - - name: data - persistentVolumeClaim: - claimName: mealie diff --git a/kubernetes/main/apps/mealie/app/ingress.yaml b/kubernetes/main/apps/mealie/app/ingress.yaml deleted file mode 100644 index e565fbc2..00000000 --- a/kubernetes/main/apps/mealie/app/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: mealie-ingress - namespace: mealie - annotations: - external-dns.alpha.kubernetes.io/target: "recept.${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: "recept.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: mealie - port: - name: http diff --git a/kubernetes/main/apps/mealie/app/kustomization.yaml b/kubernetes/main/apps/mealie/app/kustomization.yaml deleted file mode 100644 index 5bf81147..00000000 --- a/kubernetes/main/apps/mealie/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./storage.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/mealie/app/namespace.yaml b/kubernetes/main/apps/mealie/app/namespace.yaml deleted file mode 100644 index e2f14e65..00000000 --- a/kubernetes/main/apps/mealie/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: mealie - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" 
diff --git a/kubernetes/main/apps/mealie/app/service.yaml b/kubernetes/main/apps/mealie/app/service.yaml deleted file mode 100644 index 881bd19c..00000000 --- a/kubernetes/main/apps/mealie/app/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: mealie - name: mealie - namespace: mealie -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: mealie - type: ClusterIP diff --git a/kubernetes/main/apps/mealie/app/storage.yaml b/kubernetes/main/apps/mealie/app/storage.yaml deleted file mode 100644 index 7158a159..00000000 --- a/kubernetes/main/apps/mealie/app/storage.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: mealie - namespace: mealie -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi \ No newline at end of file diff --git a/kubernetes/main/apps/mealie/ks.yaml b/kubernetes/main/apps/mealie/ks.yaml deleted file mode 100644 index 1949f7a3..00000000 --- a/kubernetes/main/apps/mealie/ks.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app mealie - namespace: flux-system -spec: - targetNamespace: mealie - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/mealie/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - diff --git a/kubernetes/main/apps/network/k8tz/app/namespace.yaml b/kubernetes/main/apps/network/k8tz/app/namespace.yaml deleted file mode 100644 index cab11eac..00000000 --- a/kubernetes/main/apps/network/k8tz/app/namespace.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: k8tz - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/network/k8tz/app/pki.yaml b/kubernetes/main/apps/network/k8tz/app/pki.yaml deleted file mode 100644 index 498982e0..00000000 --- a/kubernetes/main/apps/network/k8tz/app/pki.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# Create a selfsigned Issuer, in order to create a root CA certificate for -# signing webhook serving certificates -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: k8tz-webhook-selfsign -spec: - selfSigned: {} ---- -# Generate a CA Certificate used to sign certificates for the webhook -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: k8tz-webhook-ca -spec: - secretName: k8tz-webhook-ca - duration: 43800h # 5y - issuerRef: - name: k8tz-webhook-selfsign - kind: Issuer - commonName: "ca.k8tz.cert-manager" - isCA: true ---- -# Create an Issuer that uses the above generated CA certificate to issue certs -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: k8tz-webhook-ca -spec: - ca: - secretName: k8tz-webhook-ca diff --git a/kubernetes/main/apps/network/k8tz/app/release.yaml b/kubernetes/main/apps/network/k8tz/app/release.yaml deleted file mode 100644 index 7887ea71..00000000 --- a/kubernetes/main/apps/network/k8tz/app/release.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: k8tz -spec: - chart: - spec: - chart: k8tz - version: 0.18.0 - interval: 30m - sourceRef: - kind: HelmRepository - name: k8tz - namespace: k8tz - interval: 30m - values: - namespace: k8tz - replicaCount: 2 - timezone: "${TIMEZONE}" - cronJobTimeZone: true - webhook: - certManager: - enabled: true - issuerRef: - name: k8tz-webhook-selfsign - kind: Issuer - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: k8tz - topologyKey: kubernetes.io/hostname - postRenderers: - - kustomize: - patches: - - target: - version: v1 - kind: Namespace - patch: |- - $patch: delete - apiVersion: v1 - kind: Namespace - metadata: - name: not-used diff --git a/kubernetes/main/apps/network/k8tz/app/repository.yaml b/kubernetes/main/apps/network/k8tz/app/repository.yaml deleted file mode 100644 index affd710f..00000000 --- a/kubernetes/main/apps/network/k8tz/app/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: k8tz - namespace: k8tz -spec: - interval: 1h - url: https://k8tz.github.io/k8tz/ diff --git a/kubernetes/main/apps/network/k8tz/ks.yaml b/kubernetes/main/apps/network/k8tz/ks.yaml deleted file mode 100644 index b15cc51f..00000000 --- a/kubernetes/main/apps/network/k8tz/ks.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app k8tz
- namespace: flux-system
-spec:
- targetNamespace: k8tz
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/k8tz/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml b/kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml
deleted file mode 100644
index f0e57762..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./pool.yaml
diff --git a/kubernetes/main/apps/network/metallb-system/app/config/pool.yaml b/kubernetes/main/apps/network/metallb-system/app/config/pool.yaml
deleted file mode 100644
index f63fa6cb..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/config/pool.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
- name: pool
- namespace: metallb-system
-spec:
- addresses:
- - 10.0.10.192/26
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
- name: pool
- namespace: metallb-system
-spec:
- ipAddressPools:
- - pool
diff --git a/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml b/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/network/metallb-system/app/namespace.yaml b/kubernetes/main/apps/network/metallb-system/app/namespace.yaml
deleted file mode 100644
index 9e56c5ac..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: metallb-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/network/metallb-system/app/release.yaml b/kubernetes/main/apps/network/metallb-system/app/release.yaml
deleted file mode 100644
index 920f17f8..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/release.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app metallb
- namespace: metallb-system
-spec:
- interval: 30m
- chart:
- spec:
- chart: metallb
- version: 0.14.9
- sourceRef:
- kind: HelmRepository
- name: metallb
- namespace: metallb-system
- values:
- installCRDs: true
diff --git a/kubernetes/main/apps/network/metallb-system/app/repository.yaml b/kubernetes/main/apps/network/metallb-system/app/repository.yaml
deleted file mode 100644
index 90d8df17..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: metallb
- namespace: metallb-system
-spec:
- interval: 5m
- url: https://metallb.github.io/metallb
diff --git a/kubernetes/main/apps/network/metallb-system/ks.yaml b/kubernetes/main/apps/network/metallb-system/ks.yaml
deleted file mode 100644
index 0c1b273e..00000000
--- a/kubernetes/main/apps/network/metallb-system/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app metallb
- namespace: flux-system
-spec:
- targetNamespace: metallb-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/metallb-system/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/pihole-system/app/namespace.yaml b/kubernetes/main/apps/network/pihole-system/app/namespace.yaml
deleted file mode 100644
index 9384217d..00000000
--- a/kubernetes/main/apps/network/pihole-system/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: pihole-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/network/pihole-system/ks.yaml b/kubernetes/main/apps/network/pihole-system/ks.yaml
deleted file mode 100644
index 202f2989..00000000
--- a/kubernetes/main/apps/network/pihole-system/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app pihole
- namespace: flux-system
-spec:
- targetNamespace: pihole-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/pihole-system/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/wg-easy/app/manifest.yaml b/kubernetes/main/apps/network/wg-easy/app/manifest.yaml
deleted file mode 100644
index f0526083..00000000
--- a/kubernetes/main/apps/network/wg-easy/app/manifest.yaml
+++ /dev/null
@@ -1,147 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: wg-easy
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: wg-easy
- namespace: wg-easy
-spec:
- replicas: 1
- revisionHistoryLimit: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: wg-easy
- strategy:
- # Restrict to a Single wg-easy instance, on redeploys it will tear down the old one before bring a new one up.
- type: Recreate
- template:
- metadata:
- labels:
- app.kubernetes.io/name: wg-easy
- spec:
- containers:
- - name: wg-easy
- # Specify external hostname and port as environment variables
- env:
- - name: WG_HOST
- value: wg.cloudwithdan.com
- - name: WG_PORT
- value: "30000"
- image: ghcr.io/wg-easy/wg-easy
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 51820
- name: wg
- protocol: UDP
- - containerPort: 51821
- name: http
- protocol: TCP
- # Use the http server for pod health checks
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- startupProbe:
- failureThreshold: 30
- periodSeconds: 5
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- # Give pod permissions to modify iptables and load the wireguard kernel module
- securityContext:
- privileged: true
- capabilities:
- add:
- - NET_ADMIN
- # Persistent storage location
- volumeMounts:
- - mountPath: /etc/wireguard
- name: config
- restartPolicy: Always
- volumes:
- - name: config
- persistentVolumeClaim:
- claimName: wg-easy-storage-claim
----
-apiVersion: v1
-kind: Service
-metadata:
- name: wg-easy-wg
- namespace: wg-easy
- annotations:
- metallb.io/allow-shared-ip: lb-wg-easy
- metallb.io/ip-allocated-from-pool: pool
-spec:
- ports:
- - name: wg
- port: 30000
- nodePort: 30000
- protocol: UDP
- targetPort: wg
- selector:
- app.kubernetes.io/name: wg-easy
- type: LoadBalancer
----
-apiVersion: v1
-kind: Service
-metadata:
- name: wg-easy-http
- namespace: wg-easy
-spec:
- ports:
- - name: http
- port: 51821
- protocol: TCP
- targetPort: http
- selector:
- app.kubernetes.io/name: wg-easy
- type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: wg-easy
- namespace: wg-easy
-spec:
- rules:
- - host: wg.cloudwithdan.com
- http:
- paths:
- - backend:
- service:
- name: wg-easy-http
- port:
- name: http
- path: /
- pathType: Prefix
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: wg-easy-storage-claim
- namespace: wg-easy
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 256Mi
diff --git a/kubernetes/main/apps/network/wg-easy/ks.yaml b/kubernetes/main/apps/network/wg-easy/ks.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml b/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml
deleted file mode 100644
index 74e73708..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - repository.yaml
- - release.yaml
diff --git a/kubernetes/main/apps/observability/alertmanager/app/release.yaml b/kubernetes/main/apps/observability/alertmanager/app/release.yaml
deleted file mode 100644
index e7ac3fe6..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/release.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: alertmanager
- namespace: observability
-spec:
- interval: 30m
- chart:
- spec:
- chart: alertmanager
- version: "1.19.0"
- sourceRef:
- kind: HelmRepository
- name: alertmanager
- namespace: observability
- interval: 12h
- values:
- config:
- route:
- group_wait: 10s
- group_interval: 5m
- receiver: discord
- repeat_interval: 3h
- receivers:
- - name: discord
- discord_configs:
- - webhook_url: ${SECRET_DISCORD_WEBHOOK_URL}
diff --git a/kubernetes/main/apps/observability/alertmanager/app/repository.yaml b/kubernetes/main/apps/observability/alertmanager/app/repository.yaml
deleted file mode 100644
index bebfb507..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: alertmanager
- namespace: observability
-spec:
- interval: 12h
- url: https://prometheus-community.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/alertmanager/ks.yaml b/kubernetes/main/apps/observability/alertmanager/ks.yaml
deleted file mode 100644
index 40f48eeb..00000000
--- a/kubernetes/main/apps/observability/alertmanager/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app alertmanager
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/alertmanager/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/alloy/app/kustomization.yaml b/kubernetes/main/apps/observability/alloy/app/kustomization.yaml
deleted file mode 100644
index ad4414d8..00000000
--- a/kubernetes/main/apps/observability/alloy/app/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - release.yaml
diff --git a/kubernetes/main/apps/observability/alloy/app/release.yaml b/kubernetes/main/apps/observability/alloy/app/release.yaml
deleted file mode 100644
index 80958a5a..00000000
--- a/kubernetes/main/apps/observability/alloy/app/release.yaml
+++ /dev/null
@@ -1,338 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: alloy - namespace: observability -spec: - interval: 30m - chart: - spec: - chart: alloy - version: "1.4.0" - sourceRef: - kind: HelmRepository - name: grafana - namespace: observability - interval: 12h - upgrade: - cleanupOnFail: true - crds: Skip - remediation: - strategy: rollback - retries: 3 - values: - controller: - type: daemonset - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - operator: Exists - volumes: - extra: - - name: auditlog - hostPath: - path: /var/log/audit/kube - type: DirectoryOrCreate - alloy: - configMap: - create: true - name: alloy-config - key: config.alloy - content: |- - // ==================== - // DISCOVERY - // ==================== - discovery.kubernetes "pod" { - role = "pod" - } - - // ==================== - // RELABELING - // ==================== - discovery.relabel "pod_logs" { - targets = discovery.kubernetes.pod.targets - - rule { - source_labels = ["__meta_kubernetes_namespace"] - action = "replace" - target_label = "namespace" - } - - rule { - source_labels = ["__meta_kubernetes_pod_name"] - action = "replace" - target_label = "pod" - } - - rule { - source_labels = ["__meta_kubernetes_pod_container_name"] - action = "replace" - target_label = "container" - } - - rule { - source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] - action = "replace" - target_label = "app" - } - - rule { - source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] - action = "replace" - target_label = "job" - separator = "/" - replacement = "$1" - } - - rule { - source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] - action = "replace" - target_label = "__path__" - separator = "/" - replacement = "/var/log/pods/*$1/*.log" - } - - rule { - source_labels = ["__meta_kubernetes_pod_container_id"] - action = "replace" - target_label = "container_runtime" - 
regex = "^(\\S+):\\/\\/.+$" - replacement = "$1" - } - } - - // ==================== - // LOG SOURCE - // ==================== - loki.source.kubernetes "pod_logs" { - targets = discovery.relabel.pod_logs.output - forward_to = [loki.process.pod_logs.receiver] - } - - // ==================== - // LOG PROCESSING + DROP FILTERS - // ==================== - loki.process "pod_logs" { - // --- Static labels --- - stage.static_labels { - values = { - cluster = "talos-lj-eu", - } - } - - // === AIRFLOW METADATA NOISE === - stage.match { - selector = "{namespace=\"airflow\"}" - - stage.drop { - expression = ".*computeMetadata/v1.*" - drop_counter_reason = "airflow_metadata" - } - stage.drop { - expression = ".*metadata\\.go:\\d+\\].*" - drop_counter_reason = "airflow_metadata_go" - } - } - - // === KUBERNETES SYSTEM === - stage.match { - selector = "{namespace=\"kube-system\"}" - - stage.drop { - expression = ".*(healthz|readyz|livez|kube-probe).*" - drop_counter_reason = "kube_health_probes" - } - stage.drop { - expression = ".*level=debug.*" - drop_counter_reason = "kube_debug" - } - } - - // === INGRESS ACCESS LOGS (keep errors only) === - stage.match { - selector = "{namespace=\"ingress-nginx\"}" - - stage.drop { - expression = ".*\" (200|204|301|302|304) \\d+.*" - drop_counter_reason = "ingress_2xx_3xx" - } - } - - // === EXTERNAL-DNS === - stage.match { - selector = "{namespace=\"external-dns\"}" - - stage.drop { - expression = ".*All records are already up to date.*" - drop_counter_reason = "externaldns_noop" - } - } - - // === FLUX SYSTEM === - stage.match { - selector = "{namespace=\"flux-system\"}" - - stage.drop { - expression = ".*no changes since last reconcil.*" - drop_counter_reason = "flux_no_changes" - } - stage.drop { - expression = ".*level=debug.*" - drop_counter_reason = "flux_debug" - } - } - - // === GATEKEEPER === - stage.match { - selector = "{namespace=\"gatekeeper-system\"}" - - stage.drop { - expression = ".*level=debug.*" - drop_counter_reason = 
"gatekeeper_debug" - } - } - - // === OBSERVABILITY STACK === - stage.match { - selector = "{namespace=\"observability\"}" - - stage.drop { - expression = ".*level=debug.*" - drop_counter_reason = "observability_debug" - } - stage.drop { - expression = ".*msg=\"successful series query\".*" - drop_counter_reason = "observability_series_query" - } - } - - // === GITLAB RUNNER === - stage.match { - selector = "{namespace=\"gitlab-runner-shared\"}" - - stage.drop { - expression = ".*Downloading artifacts.*" - drop_counter_reason = "gitlab_artifacts" - } - stage.drop { - expression = ".*Uploading artifacts.*" - drop_counter_reason = "gitlab_artifacts" - } - } - - // === GLOBAL: HEALTH CHECKS (all namespaces) === - stage.drop { - expression = ".*GET /(health|ready|readyz|healthz|livez|metrics).*\" (200|204).*" - drop_counter_reason = "global_health_probes" - } - stage.drop { - expression = ".*kube-probe/.*" - drop_counter_reason = "global_kube_probe" - } - - // === GLOBAL: DEBUG LOGS === - stage.drop { - expression = ".*\"level\":\"debug\".*" - drop_counter_reason = "global_debug_json" - } - stage.drop { - expression = ".*level=debug.*" - drop_counter_reason = "global_debug_logfmt" - } - - // --- Forward to Loki --- - forward_to = [loki.write.loki.receiver] - } - - // ==================== - // LOKI DESTINATION - // ==================== - loki.write "loki" { - endpoint { - url = "http://loki-gateway.observability.svc.cluster.local/loki/api/v1/push" - } - } - - // ==================== - // K8s Audit Logs - // ==================== - - local.file_match "k8s_audit" { - path_targets = [{ - __address__ = "localhost", - __path__ = "/var/log/audit/kube/kube-apiserver*.log", - }] - } - - loki.source.file "audit" { - targets = local.file_match.k8s_audit.targets - forward_to = [loki.process.audit.receiver] - tail_from_end = true - } - - loki.process "audit" { - forward_to = [loki.write.loki.receiver] - - stage.static_labels { - values = { - job = "k8s-audit", - stream = "k8s-audit", 
- source = "apiserver-audit", - node = constants.hostname, - } - } - - stage.json { - expressions = { - stage = "stage", - verb = "verb", - user = "user.username", - namespace = "objectRef.namespace", - resource = "objectRef.resource", - code = "responseStatus.code", - uri = "requestURI", - } - } - - // Keep only final outcome (drops RequestReceived/ResponseStarted duplicates) - stage.drop { - source = "stage" - expression = "^(RequestReceived|ResponseStarted)$" - drop_counter_reason = "audit_non_final_stage" - } - - // Drop leader-election / coordination noise (successful lease operations) - stage.drop { - source = "resource" - expression = "^leases$" - drop_counter_reason = "audit_leases" - } - - // Drop successful WATCH (biggest remaining volume) - stage.drop { - source = "verb" - expression = "^watch$" - drop_counter_reason = "audit_watch" - } - - // Drop successful reads (get/list) - stage.drop { - source = "verb" - expression = "^(get|list)$" - drop_counter_reason = "audit_reads" - } - - // LOW-cardinality labels only (prevents stream/cardinality explosion) - stage.labels { - values = { - verb = "verb", - code = "code", - } - } - } - - mounts: - extra: - - name: auditlog - mountPath: /var/log/audit/kube - readOnly: true diff --git a/kubernetes/main/apps/observability/alloy/ks.yaml b/kubernetes/main/apps/observability/alloy/ks.yaml deleted file mode 100644 index 8c9606a1..00000000 --- a/kubernetes/main/apps/observability/alloy/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app alloy - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/alloy/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m 
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
deleted file mode 100644
index 74e73708..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - repository.yaml
- - release.yaml
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml
deleted file mode 100644
index 80740542..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml
+++ /dev/null
@@ -1,66 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: blackbox-exporter -spec: - interval: 30m - chart: - spec: - chart: prometheus-blackbox-exporter - version: 9.0.1 - sourceRef: - kind: HelmRepository - name: prometheus-community - namespace: observability - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - fullnameOverride: blackbox-exporter - config: - modules: - http_2xx: - prober: http - timeout: 5s - http: - method: GET - preferred_ip_protocol: "ip4" - fail_if_ssl: false - tls_config: - insecure_skip_verify: false - - http_post_2xx: - prober: http - timeout: 5s - http: - method: POST - headers: - Content-Type: application/json - body: '{}' - icmp: - prober: icmp - timeout: 30s - icmp: - preferred_ip_protocol: ip4 - pspEnabled: false - securityContext: - capabilities: - add: ["NET_RAW"] - podSecurityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "0 2147483647" - serviceMonitor: - enabled: true - defaults: - interval: 1m - targets: - - { name: &name avto-masini.mk, module: http_2xx, url: https://avto-masini.mk } - - { name: &name cloudwithdan.com, module: http_2xx, url: https://cloudwithdan.com } diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml deleted file mode 100644 index 51875066..00000000 --- a/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: prometheus-community - namespace: observability -spec: - type: oci - interval: 5m - url: oci://ghcr.io/prometheus-community/charts 
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml deleted file mode 100644 index ce34cc38..00000000 --- a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app blackbox-exporter - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/blackbox-exporter/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/observability/crucix/app/deployment.yaml b/kubernetes/main/apps/observability/crucix/app/deployment.yaml deleted file mode 100644 index b0796ef5..00000000 --- a/kubernetes/main/apps/observability/crucix/app/deployment.yaml +++ /dev/null @@ -1,50 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: &app crucix - namespace: observability - labels: - app: crucix - annotations: - reloader.stakater.com/auto: "true" -spec: - replicas: 1 - selector: - matchLabels: - app: crucix - template: - metadata: - labels: - app: crucix - spec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - containers: - - name: crucix - image: ghcr.io/calesthio/crucix:2d040cb - ports: - - name: web - containerPort: 3117 - imagePullPolicy: Always - resources: - limits: - memory: 500Mi - cpu: 100m - requests: - cpu: 10m - memory: 256Mi - envFrom: - - secretRef: - name: crucix-apis - volumeMounts: - - name: runs - mountPath: /app/runs - volumes: - - name: runs - persistentVolumeClaim: - claimName: crucix-runs - restartPolicy: Always - terminationGracePeriodSeconds: 60 - - 
diff --git a/kubernetes/main/apps/observability/crucix/app/ingress.yaml b/kubernetes/main/apps/observability/crucix/app/ingress.yaml
deleted file mode 100644
index 80443dfc..00000000
--- a/kubernetes/main/apps/observability/crucix/app/ingress.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: &app crucix-ingress
- namespace: observability
- annotations:
- external-dns.alpha.kubernetes.io/target: crucix.${SECRET_EXTERNAL_DOMAIN}
-spec:
- ingressClassName: external
- rules:
- - host: crucix.${SECRET_EXTERNAL_DOMAIN}
- http:
- paths:
- - backend:
- service:
- name: crucix
- port:
- number: 3117
- path: /
- pathType: Prefix
diff --git a/kubernetes/main/apps/observability/crucix/app/kustomization.yaml b/kubernetes/main/apps/observability/crucix/app/kustomization.yaml
deleted file mode 100644
index 69877ca8..00000000
--- a/kubernetes/main/apps/observability/crucix/app/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - deployment.yaml
- - service.yaml
- - ingress.yaml
- - secret.sops.yaml
- - pvc.yaml
diff --git a/kubernetes/main/apps/observability/crucix/app/pvc.yaml b/kubernetes/main/apps/observability/crucix/app/pvc.yaml
deleted file mode 100644
index 48d1e100..00000000
--- a/kubernetes/main/apps/observability/crucix/app/pvc.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: crucix-runs
- namespace: observability
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 5Gi
- storageClassName: longhorn
diff --git a/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml b/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml
deleted file mode 100644
index 8d457e82..00000000
--- a/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml
+++ /dev/null
@@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: crucix-apis - namespace: observability -stringData: - FRED_API_KEY: ENC[AES256_GCM,data:pF11wUAK4riZuuhuPmBMGe1UCD2Yw3NAhtTuyIrEIb8=,iv:DrB3oR04lw2TmUbrlL5uDKSueDrFVZrh6a+lRrcEwaQ=,tag:u8p52/zKMXX+0PjTamadqA==,type:str] - FIRMS_MAP_KEY: ENC[AES256_GCM,data:CfoURrOBN8TITGUmNQlQgo2+ohjiaeBpcAYHju4FkxE=,iv:FHGHQQFALLLZ1jpbLQnhNl2uOX7jzgtQPPKLVHA+eWw=,tag:O//beJ/RZ7X+hImmJiesHg==,type:str] - EIA_API_KEY: ENC[AES256_GCM,data:gPVMjBAzv0mTbFnRU8SYUWcA5QLXTzEKNSpjbJ9GkdCFm3s1Yxy28w==,iv:F9uhVZ/6x3TLcNSTq+YjzVkmjeffbbYcbNsBLT8C/dQ=,tag:fHQBYSX4vSbtatQAvSxcwQ==,type:str] - AISSTREAM_API_KEY: ENC[AES256_GCM,data:5pgTH/tnZt3NsECsFJYB1A3CQuM9s4sm0FXFAz2ZvTRtVfnb+RbaAg==,iv:PTlSjzWER0+0a9eKeTF819jbLNnxx3y1FzxxycWYDG4=,tag:AVz1nMxMOXEvCSllxuMFwA==,type:str] - ACLED_EMAIL: ENC[AES256_GCM,data:IioSL+lBvBKAR+Ghx3SZ3rPigGP0Ezt6RiESLpyl,iv:mz8tKFEPwJn43nkGW8x54+gyMjHv9EL04SGQrgps+9g=,tag:IBZZmgLHIYxzvuKoEUBLtg==,type:str] - ACLED_PASSWORD: ENC[AES256_GCM,data:CQ9oOpkZI/dp3u3/cyub,iv:wnnLXtKYN8oXLDHIRFJ7T80Jib1w/Y0syc5HngHRL1Q=,tag:99q2kFBE1UV676Cyai18QQ==,type:str] - DISCORD_BOT_TOKEN: ENC[AES256_GCM,data:QWtdB8oICEEl7eMuOPKkFTgC34mnCOM/h95USGvhnADM6IX3xlyLmMyydi1ANkrmr+Iowr1Sp3ZwLD6IOZck2HALnpqqeaVt,iv:i2POcSzb/ldIhFccTpEPOScrysskSJQZUSmHeEK28qc=,tag:2ekq49nDwZv+75wEMd1clA==,type:str] - DISCORD_CHANNEL_ID: ENC[AES256_GCM,data:RzPF3wHb3zEsZMP0qgd4i0YxHA==,iv:F/xLoZv0xLisfn2CMyfVLEwCJVLMRXTtxbuwiXJHz7w=,tag:ihpWbNyiMuyvjrPYCYgZig==,type:str] - DISCORD_GUILD_ID: ENC[AES256_GCM,data:Xou5wmrCRJSeru4YWTXai7vxNg==,iv:N0zqnB1fwqz1+fEOmgzUPIm9P1LWan82FSLmJpsf/gI=,tag:2dxMSndnG6ppMTno/p3ClA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T1NqYXRJaVo0UFJ6dUF6 - ZFY0cHNqSlF3Mk9JNGIyUmJuVUdpSFowY2hFCjl3ZVJSZ3JNZVA0RmxjaHVlSFh0 - 
OXRoTzVmV3p3VWpzeG96QmtvSlhjTlEKLS0tIC9PRFhoUnNzdElGVjdIMDlpZGlO - b2ZiWmc2M3h1eUlyV29hSHVHeFJPZG8KQqK3o/BujZXfjnSDf/+FeotWbAYUWEfJ - kO3eg6eoyVxmOqjPvQmXkhLDfBKaVrikDfyrZFW3sAkupoDLAk/n+A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-21T20:28:50Z" - mac: ENC[AES256_GCM,data:DXe4cFAyDWh317LrX50ezHOhZ2nOH7VyLiREJutIuPVDcihPrtfujZbdQfz/j4lTIxQosBXINZ3VqdmxzM8NPajrH2hau9m6ELlVqGdDdnrteaSeDej2ZPtUNJ4s507Rwprq+Q4QSOJqNqS8nXgGWBD2C56GoBWAjsRsS/Es6II=,iv:/6GjLLWZ9WYkJbwTLq5YLmF+99sw8jAuirvY1lmvmKQ=,tag:dL7jAi5iTuddKvTGNmtHsA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.2 diff --git a/kubernetes/main/apps/observability/crucix/app/service.yaml b/kubernetes/main/apps/observability/crucix/app/service.yaml deleted file mode 100644 index 19ca43cf..00000000 --- a/kubernetes/main/apps/observability/crucix/app/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# Source: crucix/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: &app crucix - namespace: observability -spec: - type: ClusterIP - ports: - - name: web - port: 3117 - targetPort: web - selector: - app: crucix diff --git a/kubernetes/main/apps/observability/crucix/ks.yaml b/kubernetes/main/apps/observability/crucix/ks.yaml deleted file mode 100644 index b70d9808..00000000 --- a/kubernetes/main/apps/observability/crucix/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app crucix - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/crucix/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/observability/glance/app/configs/glance.yml b/kubernetes/main/apps/observability/glance/app/configs/glance.yml deleted file mode 100644 index 0abe491d..00000000 
--- a/kubernetes/main/apps/observability/glance/app/configs/glance.yml
+++ /dev/null
@@ -1,322 +0,0 @@ -theme: - background-color: 240 27 11 - contrast-multiplier: 1.5 - primary-color: 321 100 71 - positive-color: 165 78 51 - negative-color: 360 100 71 -pages: - - name: Home - # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look - # hide-desktop-navigation: true - columns: - - size: small - widgets: - - type: calendar - first-day-of-week: monday - - type: rss - limit: 10 - collapse-after: 3 - cache: 12h - feeds: - - url: https://archlinux.org/feeds/news/ - title: Arch Linux News - limit: 4 - - url: http://sreweekly.com/feed/ - title: SRE Weekly - limit: 4 - - size: full - widgets: - - type: monitor - title: Services - sites: - - title: Authentik - url: https://auth.${SECRET_EXTERNAL_DOMAIN} - check-url: http://authentik-server.authentik.svc.cluster.local:80 - icon: di:authentik - - title: Pihole - url: http://10.0.10.200/admin/ - check-url: http://pihole-web.pihole-system.svc.cluster.local:80/admin/ - icon: di:pi-hole - - title: Glance - url: https://home.${SECRET_EXTERNAL_DOMAIN} - check-url: http://glance.glance.svc.cluster.local:8080 - icon: di:glance - - title: Linkwarden - url: https://bookmark.${SECRET_EXTERNAL_DOMAIN} - check-url: http://linkwarden.linkwarden.svc.cluster.local:80 - icon: auto-invert https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/linkwarden.png - - title: Uptime Kuma - url: https://status.${SECRET_EXTERNAL_DOMAIN} - check-url: http://uptime-kuma.uptime-kuma.svc.cluster.local:3001 - icon: di:uptime-kuma - - title: Grafana - url: https://metrics.${SECRET_EXTERNAL_DOMAIN} - check-url: http://grafana.observability.svc.cluster.local:80 - icon: di:grafana - - title: Mealie - url: https://recept.${SECRET_EXTERNAL_DOMAIN} - check-url: http://mealie.mealie.svc.cluster.local:80 - icon: di:mealie - - type: videos - channels: - # Mental Outlaw - - UC7YOGHUfC1Tb6E4pudI9STA - # SomeOrdinaryGamers - - UCtMVHI3AJD4Qk4hcbZnI9ZQ - # Fireship - - UCsBjURrPoezykLs9EqgamOA - # Low Level 
- - UC6biysICWOJ-C3P4Tyeggzg - # ThePrimeTime - - UCUyeluBRhGPCW4rPe_UvBZQ - # Linus Tech Tips - - UCXuqSBlHAE6Xw-yeJA0Tunw - # Veritasium - - UCHnyfMqiRRG1u-2MsSQLbXA - - type: group - widgets: - - type: reddit - subreddit: devops - show-thumbnails: true - - type: reddit - subreddit: technology - show-thumbnails: true - - type: reddit - subreddit: selfhosted - show-thumbnails: true - - type: hacker-news - - size: small - widgets: - - type: weather - location: ${WEATHER_LOCATION} - # alternatively "imperial" - units: metric - # alternatively "24h" - hour-format: 12h - # Optionally hide the location from being displayed in the widget - # hide-location: true - - type: dns-stats - service: pihole-v6 - url: http://10.0.10.200 - username: admin - password: ${PIHOLE_PASSWORD} - - type: markets - # The link to go to when clicking on the symbol in the UI, - # {SYMBOL} will be substituded with the symbol for each market - markets: - - symbol: VUAA.DE - name: Vanguard S&P 500 UCITS ETF - chart-link: https://www.tradingview.com/chart/?symbol=VUAA - - symbol: VWCG.DE - name: Vanguard FTSE Developed Europe - chart-link: https://www.tradingview.com/chart/?symbol=VWCG - - type: repository - repository: ublue-os/bluefin - pull-requests-limit: 5 - issues-limit: 3 - commits-limit: 3 - - type: repository - repository: dnikoloski/infrastructure-as-code - pull-requests-limit: 5 - issues-limit: 3 - commits-limit: 3 - - type: releases - cache: 1d - # Without authentication the Github API allows for up to 60 requests per hour. You can create a - # read-only token from your Github account settings and use it here to increase the limit. - # token: ... 
- repositories: - - ublue-os/bluefin - - glanceapp/glance - - siderolabs/talos - - name: Homelab - # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look - # hide-desktop-navigation: true - columns: - - size: small - widgets: - - type: custom-api - title: Uptime Kumas - title-url: ${UPTIME_KUMA_URL} - url: ${UPTIME_KUMA_URL}/api/status-page/${UPTIME_KUMA_STATUS_SLUG} - subrequests: - heartbeats: - url: ${UPTIME_KUMA_URL}/api/status-page/heartbeat/${UPTIME_KUMA_STATUS_SLUG} - cache: 10m - template: | - {{ $hb := .Subrequest "heartbeats" }} - - {{ if not (.JSON.Exists "publicGroupList") }} -

Error reading response

- {{ else if eq (len (.JSON.Array "publicGroupList")) 0 }} -

No monitors found

- {{ else }} - -
    - {{ range .JSON.Array "publicGroupList" }} - {{ range .Array "monitorList" }} - {{ $id := .String "id" }} - {{ $hbArray := $hb.JSON.Array (print "heartbeatList." $id) }} -
    - - {{ .String "name" }} - - {{ if gt (len $hbArray) 0 }} - {{ $latest := index $hbArray (sub (len $hbArray) 1) }} - {{ if eq ($latest.Int "status") 1 }} -
    {{ $latest.Int "ping" }}ms
    -
    - - - -
    - {{ else }} -
    DOWN
    -
    - - - -
    - {{ end }} - {{ else }} -
    No data
    -
    - - - -
    - {{ end }} -
    - {{ end }} - {{ end }} -
- {{ end }} - - size: small - widgets: - - type: custom-api - cache: 30m - headers: - Authorization: Bearer ${LINKWARDEN_API_KEY} - method: GET - template: | -
    - {{ range .JSON.Array "response" }} -
  • - {{ $title := .String "name" }} - {{ if gt (len $title) 50 }} - {{ $title = (slice $title 0 50) | printf "%s..." }} - {{ end }} - - {{ $title }} - -
      -
    • - {{ .String "collection.name" }} -
    • - {{ $tags := .Array "tags" }} - {{ range $index, $tag := $tags }} -
    • {{ .String "name" }}
    • - {{ end }} -
    -
  • - {{ end }} -
- title: Bookmarks - url: http://linkwarden.linkwarden.svc.cluster.local:80/api/v1/links - - size: full - widgets: - - type: custom-api - title: Beszel Metrics - url: http://beszel-hub.beszel.svc.cluster.local:8090/api/collections/systems/records - method: GET - options: - redirect-url: "" # You must use "" and http:// or https:// - headers: - Authorization: Bearer ${BESZEL_TOKEN} - Accept: application/json - template: | - {{ $redirect := .Options.StringOr "redirect-url" "" }} - {{ $newTab := .Options.BoolOr "in-new-tab" false }} - {{ $hideKernel := .Options.BoolOr "hide-kernel" false }} - {{ $hideUptime := .Options.BoolOr "hide-uptime" false }} - {{ $hideCPUInfo := .Options.BoolOr "hide-cpu-info" false }} - {{ $hideIP := .Options.BoolOr "hide-ip" false }} - {{ $collapsible := .Options.BoolOr "collapsible" false }} - {{ $items := .JSON.Array "items" }} - {{ range $items }} - {{ $info := .Get "info" }} - {{ $name := .String "name" }} - {{ $link := "" }} - {{ if ne $redirect "" }} - {{ $link = printf "%s/system/%s" $redirect $name }} - {{ end }} -
- {{ if eq (.String "status") "up" }} - - {{ else }} - - {{ end }} - {{ if ne $redirect "" }} - - {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} - - {{ else }} - - {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} - - {{ end }} -
- {{ if $collapsible }} -
- Metrics -
- {{ if not $hideKernel }} -

Kernel: {{ $info.String "k" }}

- {{ end }} - {{ if not $hideUptime }} - {{ $uptimeSec := $info.Float "u" }} - {{ if ge $uptimeSec 86400.0 }} -

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

- {{ else }} -

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

- {{ end }} - {{ end }} - {{ if not $hideCPUInfo }} -

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

- {{ end }} -

📊 Cpu: {{ $info.Float "cpu" }}%

-

🧠 Memory: {{ $info.Float "mp" }}%

-

💾 Disk: {{ $info.Float "dp" }}%

-
-
- {{ else }} -
- {{ if not $hideKernel }} -

Kernel: {{ $info.String "k" }}

- {{ end }} - {{ if not $hideUptime }} - {{ $uptimeSec := $info.Float "u" }} - {{ if ge $uptimeSec 86400.0 }} -

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

- {{ else }} -

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

- {{ end }} - {{ end }} - {{ if not $hideCPUInfo }} -

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

- {{ end }} -

📊 Cpu: {{ $info.Float "cpu" }}%

-

🧠 Memory: {{ $info.Float "mp" }}%

-

💾 Disk: {{ $info.Float "dp" }}%

-
- {{ end }} - {{ end }}
diff --git a/kubernetes/main/apps/observability/glance/app/deployment.yaml b/kubernetes/main/apps/observability/glance/app/deployment.yaml
deleted file mode 100644
index a14d61d6..00000000
--- a/kubernetes/main/apps/observability/glance/app/deployment.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: &app glance - namespace: glance - labels: - app: glance - annotations: - configmap.reloader.stakater.com/reload: "glance-configmap" -spec: - replicas: 1 - selector: - matchLabels: - app: glance - template: - metadata: - labels: - app: glance - spec: - containers: - - name: glance - image: docker.io/glanceapp/glance:latest - ports: - - name: web - containerPort: 8080 - imagePullPolicy: Always - resources: - limits: - memory: 256Mi - cpu: 100m - requests: - cpu: 10m - volumeMounts: - - mountPath: /app/config/glance.yml - name: config - readOnly: true - subPath: glance.yml - restartPolicy: Always - terminationGracePeriodSeconds: 60 - volumes: - - configMap: - defaultMode: 420 - name: glance-configmap - name: config -
diff --git a/kubernetes/main/apps/observability/glance/app/ingress.yaml b/kubernetes/main/apps/observability/glance/app/ingress.yaml
deleted file mode 100644
index b349dfb2..00000000
--- a/kubernetes/main/apps/observability/glance/app/ingress.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: &app glance-ingress - namespace: glance - annotations: - external-dns.alpha.kubernetes.io/target: home.${SECRET_EXTERNAL_DOMAIN} - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: home.${SECRET_EXTERNAL_DOMAIN} - http: - paths: - - backend: - service: - name: glance - port: - number: 8080 - path: / - pathType: Prefix
diff --git a/kubernetes/main/apps/observability/glance/app/kustomization.yaml b/kubernetes/main/apps/observability/glance/app/kustomization.yaml
deleted file mode 100644
index 706e571b..00000000
--- a/kubernetes/main/apps/observability/glance/app/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - deployment.yaml - - service.yaml - - ingress.yaml -configMapGenerator: - - name: glance-configmap - namespace: glance - files: - - ./configs/glance.yml -generatorOptions: - disableNameSuffixHash: true
diff --git a/kubernetes/main/apps/observability/glance/app/namespace.yaml b/kubernetes/main/apps/observability/glance/app/namespace.yaml
deleted file mode 100644
index c0fb3c0c..00000000
--- a/kubernetes/main/apps/observability/glance/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1 -kind: Namespace -metadata: - name: glance - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/observability/glance/app/service.yaml b/kubernetes/main/apps/observability/glance/app/service.yaml
deleted file mode 100644
index 986a0df2..00000000
--- a/kubernetes/main/apps/observability/glance/app/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
---- -# Source: glance/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: &app glance - namespace: glance -spec: - type: ClusterIP - ports: - - name: web - port: 8080 - targetPort: web - selector: - app: glance
diff --git a/kubernetes/main/apps/observability/glance/ks.yaml b/kubernetes/main/apps/observability/glance/ks.yaml
deleted file mode 100644
index f867c448..00000000
--- a/kubernetes/main/apps/observability/glance/ks.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app glance - namespace: flux-system -spec: - targetNamespace: glance - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/glance/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m
diff --git a/kubernetes/main/apps/observability/grafana/app/kustomization.yaml b/kubernetes/main/apps/observability/grafana/app/kustomization.yaml
deleted file mode 100644
index 1658c0fd..00000000
--- a/kubernetes/main/apps/observability/grafana/app/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - repository.yaml - - release.yaml
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/grafana/app/namespace.yaml b/kubernetes/main/apps/observability/grafana/app/namespace.yaml
deleted file mode 100644
index bd2714f4..00000000
--- a/kubernetes/main/apps/observability/grafana/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1 -kind: Namespace -metadata: - name: observability - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - app.kubernetes.io/component: observability - goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/observability/grafana/app/release.yaml b/kubernetes/main/apps/observability/grafana/app/release.yaml
deleted file mode 100644
index c7ce1dfe..00000000
--- a/kubernetes/main/apps/observability/grafana/app/release.yaml
+++ /dev/null
@@ -1,220 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: grafana - namespace: observability -spec: - interval: 30m - chart: - spec: - chart: grafana - version: "10.0.0" - sourceRef: - kind: HelmRepository - name: grafana - namespace: observability - interval: 12h - values: - # alerting: - # contactpoints.yaml: - # secret: - # apiVersion: 1 - # contactPoints: - # - orgId: 1 - # name: discord-alerting - # receivers: - # - uid: discord - # type: discord - # disableResolveMessage: false - # settings: - # use_discord_username: false - # url: ${SECRET_DISCORD_WEBHOOK_URL} - # message: '{{ template "discord.default.message" . }}' - # title: '{{ template "default.title" . }}' - - # policies.yaml: - # apiVersion: 1 - # policies: - # - orgId: 1 - # receiver: discord-alerting - # group_wait: 0s - # group_interval: 30s - # repeat_interval: 3m - - # templates.yaml: - # apiVersion: 1 - # templates: - # - orgId: 1 - # name: basic-discord-template - # template: | - # {{ ` - # {{ define "alert_severity_prefix_emoji" }} - # {{- if ne .Status "firing" -}} - # :white_check_mark: - # {{- else if eq .Status "firing" -}} - # :warning: - # {{- end -}} - # {{- end -}} - - # {{ define "basic-discord-template" -}} - # {{- template "alert_severity_prefix_emoji" . -}} - # [{{- .Status | toUpper -}}]: {{ .CommonLabels.alertname -}} - # {{- end -}} - - # {{ define "discord.default.message" -}} - # Alert triggered for {{ .CommonLabels.alertname }} with severity {{ .Status }}. 
- # Details: {{ .Annotations.description }} - # {{ end -}} - # ` }} - - - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: default - orgId: 1 - folder: "" - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default - - dashboards: - default: - cloudflared: - # renovate: depName="Cloudflare Tunnels (cloudflared)" - gnetId: 17457 - revision: 6 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - external-dns: - # renovate: depName="External-dns" - gnetId: 15038 - revision: 3 - datasource: Prometheus - cert-manager: - url: https://raw.githubusercontent.com/nlamirault/monitoring-mixins/refs/heads/master/monitoring-mixins/cert-manager-mixin/dashboards/cert-manager.json - datasource: Prometheus - flux-cluster: - url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json - datasource: Prometheus - flux-control-plane: - url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json - datasource: Prometheus - kubernetes-api-server: - # renovate: depName="Kubernetes / System / API Server" - gnetId: 15761 - revision: 19 - datasource: Prometheus - kubernetes-coredns: - # renovate: depName="Kubernetes / System / CoreDNS" - gnetId: 15762 - revision: 20 - datasource: Prometheus - kubernetes-global: - # renovate: depName="Kubernetes / Views / Global" - gnetId: 15757 - revision: 43 - datasource: Prometheus - kubernetes-namespaces: - # renovate: depName="Kubernetes / Views / Namespaces" - gnetId: 15758 - revision: 42 - datasource: Prometheus - kubernetes-nodes: - # renovate: depName="Kubernetes / Views / Nodes" - gnetId: 15759 - revision: 34 - datasource: Prometheus - kubernetes-pods: - # renovate: depName="Kubernetes / Views / Pods" - gnetId: 15760 - revision: 36 - datasource: Prometheus - kubernetes-volumes: - # renovate: depName="K8s / Storage / Volumes / Cluster" 
- gnetId: 11454 - revision: 14 - datasource: Prometheus - nginx: - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json - datasource: Prometheus - nginx-request-handling-performance: - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json - datasource: Prometheus - node-feature-discovery: - url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json - datasource: Prometheus - node-exporter-full: - # renovate: depName="Node Exporter Full" - gnetId: 1860 - revision: 37 - datasource: Prometheus - prometheus: - # renovate: depName="Prometheus" - gnetId: 19105 - revision: 7 - datasource: Prometheus - pihole-exporter: - # renovate: depName="Prometheus" - gnetId: 10176 - revision: 3 - datasource: Prometheus - sidecar: - dashboards: - enabled: true - searchNamespace: ALL - label: grafana_dashboard - labelValue: "1" - folderAnnotation: grafana_folder - provider: - disableDelete: false - foldersFromFilesStructure: true - allowUiUpdates: true - datasources: - enabled: true - searchNamespace: ALL - labelValue: "1" - plugins: - - grafana-clock-panel - - grafana-piechart-panel - - grafana-worldmap-panel - - grafana-polystat-panel - - natel-discrete-panel - - pr0ps-trackmap-panel - - vonage-status-panel - - volkovlabs-rss-datasource - - marcusolsson-dynamictext-panel - # configuration to make dashboard configmaps discoverable - # sidecar: - # datasources: - # enabled: true - # label: grafana_datasource - # labelValue: "1" - # dashboards: - # enabled: true - # label: grafana_dashboard - # labelValue: "1" - # # Allow discovery in all namespaces for dashboards - # searchNamespace: ALL - # provider: - # allowUiUpdates: true - - persistence: - enabled: true - type: pvc - accessModes: - - ReadWriteOnce - size: 4Gi - - ingress: - enabled: true - ingressClassName: external - annotations: - 
external-dns.alpha.kubernetes.io/target: "metrics.${SECRET_EXTERNAL_DOMAIN}" - path: / - pathType: Prefix - hosts: - - metrics.${SECRET_EXTERNAL_DOMAIN}
diff --git a/kubernetes/main/apps/observability/grafana/app/repository.yaml b/kubernetes/main/apps/observability/grafana/app/repository.yaml
deleted file mode 100644
index 2cea471f..00000000
--- a/kubernetes/main/apps/observability/grafana/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: grafana - namespace: observability -spec: - interval: 24h - url: https://grafana.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/grafana/ks.yaml b/kubernetes/main/apps/observability/grafana/ks.yaml
deleted file mode 100644
index 23f80a7e..00000000
--- a/kubernetes/main/apps/observability/grafana/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app grafana - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/grafana/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml
deleted file mode 100644
index 9e8fe6fb..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - repository.yaml - - release.yaml
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml
deleted file mode 100644
index 41967ab2..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml
+++ /dev/null
@@ -1,777 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: kube-prometheus-stack - namespace: observability -spec: - interval: 30m - chart: - spec: - chart: kube-prometheus-stack - version: "69.3.0" - sourceRef: - kind: HelmRepository - name: kube-prometheus-stack - namespace: observability - interval: 12h - upgrade: - cleanupOnFail: true - crds: Skip - remediation: - strategy: rollback - retries: 3 - values: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - - kubeControllerManager: - service: - selector: - k8s-app: kube-controller-manager - kubeScheduler: - service: - selector: - k8s-app: kube-scheduler - kubeStateMetrics: - service: - selector: - k8s-app: kube-state-metrics - - prometheus: - prometheusSpec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - podMonitorNamespaceSelector: - matchLabels: - app.kubernetes.io/component: observability - - # Discover all PodMonitors, Probes, PrometheusRules and ServiceMonitors - podMonitorSelectorNilUsesHelmValues: false - probeSelectorNilUsesHelmValues: false - ruleSelectorNilUsesHelmValues: false - serviceMonitorSelectorNilUsesHelmValues: false - additionalScrapeConfigs: - - job_name: "pihole" - static_configs: - - targets: ["pihole-exporter.pihole-system.svc.cluster.local:9617"] - - prometheusOperator: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - verticalPodAutoscaler: - enabled: true - - alertmanager: - alertmanagerSpec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - - grafana: - enabled: false - forceDeployDashboards: true - - persistence: - enabled: true - type: pvc - accessModes: - - ReadWriteOnce - size: 4Gi - - defaultRules: - create: true - rules: - configReloaders: true - general: true - k8sContainerCpuUsageSecondsTotal: true - k8sContainerMemoryCache: true - k8sContainerMemoryRss: true - k8sContainerMemorySwap: true - k8sContainerResource: true - k8sContainerMemoryWorkingSetBytes: true - k8sPodOwner: true - 
kubeApiserverAvailability: true - kubeApiserverBurnrate: true - kubeApiserverHistogram: true - kubeApiserverSlos: true - kubeControllerManager: true - kubelet: true - kubeProxy: true - kubePrometheusGeneral: true - kubePrometheusNodeRecording: true - kubernetesApps: true - kubernetesResources: true - kubernetesStorage: true - kubernetesSystem: true - kubeSchedulerAlerting: true - kubeSchedulerRecording: true - kubeStateMetrics: true - network: true - node: true - nodeExporterAlerting: true - nodeExporterRecording: true - prometheus: true - prometheusOperator: true - - - kube-state-metrics: - rbac: - extraRules: - - apiGroups: - - source.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - notification.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - autoscaling.k8s.io - resources: - - gitrepositories - - buckets - - helmrepositories - - helmcharts - - ocirepositories - - kustomizations - - helmreleases - - alerts - - providers - - receivers - - imagerepositories - - imagepolicies - - imageupdateautomations - - verticalpodautoscalers - verbs: ["list", "watch"] - customResourceState: - enabled: true - config: - kind: CustomResourceStateMetrics - spec: - resources: - - groupVersionKind: - group: kustomize.toolkit.fluxcd.io - version: v1 - kind: Kustomization - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Kustomization resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, lastAppliedRevision ] - source_name: [ spec, sourceRef, name ] - - groupVersionKind: - group: helm.toolkit.fluxcd.io - version: v2 - kind: HelmRelease - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmRelease resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, history, "0", chartVersion ] - chart_name: [ status, history, "0", chartName ] - chart_app_version: [ status, history, "0", appVersion ] - chart_ref_name: [ spec, chartRef, name ] - chart_source_name: [ spec, chart, spec, sourceRef, name ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: GitRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux GitRepository resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: Bucket - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Bucket resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - endpoint: [ spec, endpoint ] - bucket_name: [ spec, bucketName ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: HelmRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmRepository resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: HelmChart - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmChart resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - chart_name: [ spec, chart ] - chart_version: [ spec, version ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: OCIRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux OCIRepository resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1beta3 - kind: Alert - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Alert resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - suspended: [ spec, suspend ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1beta3 - kind: Provider - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Provider resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - suspended: [ spec, suspend ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1 - kind: Receiver - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Receiver resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - webhook_path: [ status, webhookPath ] - - groupVersionKind: - group: image.toolkit.fluxcd.io - version: v1 - kind: ImageRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux ImageRepository resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - image: [ spec, image ] - - groupVersionKind: - group: image.toolkit.fluxcd.io - version: v1 - kind: ImagePolicy - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux ImagePolicy resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - source_name: [ spec, imageRepositoryRef, name ] - - groupVersionKind: - group: image.toolkit.fluxcd.io - version: v1 - kind: ImageUpdateAutomation - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux ImageUpdateAutomation resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - source_name: [ spec, sourceRef, name ] - - groupVersionKind: - group: autoscaling.k8s.io - kind: "VerticalPodAutoscaler" - version: "v1" - labelsFromPath: - verticalpodautoscaler: [metadata, name] - namespace: [metadata, namespace] - target_api_version: [spec, targetRef, apiVersion] - target_kind: [spec, targetRef, kind] - target_name: [spec, targetRef, name] - - metrics: - - name: "vpa_containerrecommendations_target" - help: "VPA container recommendations for memory." - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [target, memory] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "memory" - unit: "byte" - - name: "vpa_containerrecommendations_target" - help: "VPA container recommendations for cpu." - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [target, cpu] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "cpu" - unit: "core" - # Labels - - name: "verticalpodautoscaler_labels" - help: "VPA container recommendations. Kubernetes labels converted to Prometheus labels" - each: - type: Info - info: - labelsFromPath: - name: [metadata, name] - # Memory Information - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_target" - help: "VPA container recommendations for memory. Target resources the VerticalPodAutoscaler recommends for the container." 
- each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [target, memory] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "memory" - unit: "byte" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound" - help: "VPA container recommendations for memory. Minimum resources the container can use before the VerticalPodAutoscaler updater evicts it" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [lowerBound, memory] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "memory" - unit: "byte" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound" - help: "VPA container recommendations for memory. Maximum resources the container can use before the VerticalPodAutoscaler updater evicts it" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [upperBound, memory] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "memory" - unit: "byte" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget" - help: "VPA container recommendations for memory. Target resources the VerticalPodAutoscaler recommends for the container ignoring bounds" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [uncappedTarget, memory] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "memory" - unit: "byte" - # CPU Information - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_target" - help: "VPA container recommendations for cpu. Target resources the VerticalPodAutoscaler recommends for the container." 
- each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [target, cpu] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "cpu" - unit: "core" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound" - help: "VPA container recommendations for cpu. Minimum resources the container can use before the VerticalPodAutoscaler updater evicts it" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [lowerBound, cpu] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "cpu" - unit: "core" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound" - help: "VPA container recommendations for cpu. Maximum resources the container can use before the VerticalPodAutoscaler updater evicts it" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [upperBound, cpu] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "cpu" - unit: "core" - - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget" - help: "VPA container recommendations for cpu. Target resources the VerticalPodAutoscaler recommends for the container ignoring bounds" - each: - type: Gauge - gauge: - path: [status, recommendation, containerRecommendations] - valueFrom: [uncappedTarget, cpu] - labelsFromPath: - container: [containerName] - commonLabels: - resource: "cpu" - unit: "core" - - - groupVersionKind: - group: kustomize.toolkit.fluxcd.io - version: v1 - kind: Kustomization - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Kustomization resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, lastAppliedRevision ] - source_name: [ spec, sourceRef, name ] - - groupVersionKind: - group: helm.toolkit.fluxcd.io - version: v2 - kind: HelmRelease - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmRelease resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, history, "0", chartVersion ] - chart_name: [ status, history, "0", chartName ] - chart_app_version: [ status, history, "0", appVersion ] - chart_ref_name: [ spec, chartRef, name ] - chart_source_name: [ spec, chart, spec, sourceRef, name ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: GitRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux GitRepository resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: Bucket - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Bucket resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - endpoint: [ spec, endpoint ] - bucket_name: [ spec, bucketName ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: HelmRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmRepository resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1 - kind: HelmChart - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux HelmChart resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - chart_name: [ spec, chart ] - chart_version: [ spec, version ] - - groupVersionKind: - group: source.toolkit.fluxcd.io - version: v1beta2 - kind: OCIRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux OCIRepository resource." 
- each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - revision: [ status, artifact, revision ] - url: [ spec, url ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1beta3 - kind: Alert - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Alert resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - suspended: [ spec, suspend ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1beta3 - kind: Provider - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Provider resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - suspended: [ spec, suspend ] - - groupVersionKind: - group: notification.toolkit.fluxcd.io - version: v1 - kind: Receiver - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux Receiver resource." - each: - type: Info - info: - labelsFromPath: - name: [ metadata, name ] - labelsFromPath: - exported_namespace: [ metadata, namespace ] - ready: [ status, conditions, "[type=Ready]", status ] - suspended: [ spec, suspend ] - webhook_path: [ status, webhookPath ] - - groupVersionKind: - group: image.toolkit.fluxcd.io - version: v1beta2 - kind: ImageRepository - metricNamePrefix: gotk - metrics: - - name: "resource_info" - help: "The current state of a Flux ImageRepository resource." 
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- image: [ spec, image ]
- - groupVersionKind:
- group: image.toolkit.fluxcd.io
- version: v1beta2
- kind: ImagePolicy
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a Flux ImagePolicy resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- source_name: [ spec, imageRepositoryRef, name ]
- - groupVersionKind:
- group: image.toolkit.fluxcd.io
- version: v1beta2
- kind: ImageUpdateAutomation
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a Flux ImageUpdateAutomation resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- source_name: [ spec, sourceRef, name ]
-
- selfMonitor:
- enabled: true
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml
deleted file mode 100644
index f1dbc08d..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: kube-prometheus-stack
- namespace: observability
-spec:
- interval: 12h
- url: https://prometheus-community.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
deleted file mode 100644
index c35f9d10..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app kube-prometheus-stack
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/kube-prometheus-stack/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml
deleted file mode 100644
index e71a8538..00000000
--- a/kubernetes/main/apps/observability/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./glance/ks.yaml
- - ./grafana/ks.yaml
- - ./kube-prometheus-stack/ks.yaml
- # - ./alertmanager/ks.yaml
- - ./blackbox-exporter/ks.yaml
- - ./alloy/ks.yaml
- - ./loki/ks.yaml
- - ./crucix/ks.yaml
diff --git a/kubernetes/main/apps/observability/loki/app/kustomization.yaml b/kubernetes/main/apps/observability/loki/app/kustomization.yaml
deleted file mode 100644
index ad4414d8..00000000
--- a/kubernetes/main/apps/observability/loki/app/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - release.yaml
diff --git a/kubernetes/main/apps/observability/loki/app/release.yaml b/kubernetes/main/apps/observability/loki/app/release.yaml
deleted file mode 100644
index fdf02d6d..00000000
--- a/kubernetes/main/apps/observability/loki/app/release.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: loki
- namespace: observability
-spec:
- interval: 30m
- chart:
- spec:
- chart: loki
- version: "6.40.0"
- sourceRef:
- kind: HelmRepository
- name: grafana
- namespace: observability
- interval: 12h
- upgrade:
- cleanupOnFail: true
- crds: Skip
- remediation:
- strategy: rollback
- retries: 3
- values:
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
-
- chunksCache:
- enabled: false
-
- deploymentMode: SingleBinary
-
- loki:
- # ingestion limits (prevents dropped audit logs during bursts)
- limitsConfig:
- ingestion_rate_mb: 16
- ingestion_burst_size_mb: 32
-
- # guaranteed config (this is what ends up in the loki ConfigMap)
- structuredConfig:
- auth_enabled: false
-
- common:
- replication_factor: 1
- path_prefix: /var/loki
- storage:
- s3:
- endpoint: loki-minio.observability.svc:9000
- bucketnames: loki-chunks
- s3forcepathstyle: true
- insecure: true
-
- schema_config:
- configs:
- - from: "2024-04-01"
- store: tsdb
- object_store: s3
- schema: v13
- index:
- prefix: loki_index_
- period: 24h
-
- storage_config:
- tsdb_shipper:
- active_index_directory: /var/loki/index
- cache_location: /var/loki/cache
-
- ruler:
- storage:
- type: s3
- s3:
- bucketnames: loki-ruler
- wal:
- dir: /var/loki/ruler-wal
-
- minio:
- enabled: true
-
- extraEnvFrom:
- - secretRef:
- name: loki-minio
-
- persistence:
- enabled: true
- storageClass: longhorn-retain
- size: 20Gi
-
- buckets:
- - name: loki-chunks
- - name: loki-ruler
- - name: loki-admin
-
- singleBinary:
- replicas: 1
- resources:
- requests:
- cpu: 200m
- memory: 1Gi
- limits:
- cpu: 1000m
- memory: 2Gi
-
- sidecar:
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 200m
- memory: 256Mi
-
- # Zero out replica counts of other modes (important!)
- backend:
- replicas: 0
- read:
- replicas: 0
- write:
- replicas: 0
- ingester:
- replicas: 0
- querier:
- replicas: 0
- queryFrontend:
- replicas: 0
- queryScheduler:
- replicas: 0
- distributor:
- replicas: 0
- compactor:
- replicas: 0
- indexGateway:
- replicas: 0
- bloomCompactor:
- replicas: 0
- bloomGateway:
- replicas: 0
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/loki/app/secret.sops.yaml b/kubernetes/main/apps/observability/loki/app/secret.sops.yaml
deleted file mode 100644
index 14449b45..00000000
--- a/kubernetes/main/apps/observability/loki/app/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: loki-minio-root
- namespace: observability
-stringData:
- rootUser: ENC[AES256_GCM,data:0+aY7RQ=,iv:PcD8emdnzrCnkLI4axsEiwN/aE7AcPrGA2DFpaiSbYY=,tag:gOhVm8DNbhZFkKgROZ31mw==,type:str]
- rootPassword: ENC[AES256_GCM,data:nqnnmes7ehSbKZqFXlzzxNs=,iv:Ji/BtXm/1wkYS+8VQ5z3T1bmqTFKmnOUNt/RvYslaZs=,tag:zFAxZ561u2geGNrFoEIQ6w==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvSXlBRUZCK0NHMnd6ZkF0
- bi9ydTdENnE3a014SXZvRTVnWWJ6ektQN0ZjCk9NNDErQUljNHdkeWlBSHJxK1k1
- T1dqNzlpaGF6a3FTdERCT0VJN0hGajgKLS0tIHk2Yk5sN0lYUS9xTXZ1U29EcjlW
- RUZMR2ViTmJGdUc1OWVkM1hka3ZITWMK4kswfM9qLOGmAWPEkiAg13/xi2U4xRcw
- Y5sOwnES4U5GGl4g8Aj+xEiIocnoeI4Y9EVmQakZGg3YbGyCsxXZqg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-21T10:37:17Z"
- mac: ENC[AES256_GCM,data:zmoiYWyJqryf/HC2fKx53DJw5tWKad+wPYI9Q+JjKz8BGS1foVQnqkDMzcFURVzoQGtXzIk9iSTInx+fBxYhb6r5j5JiEzAWTldiRjV4u5c9avr81owZY/mRbrztPU0MlvhVMPTzP442aSxkpanAcx8B8MFHoV7I/0XI7aMyGkQ=,iv:11NQx6X9a2JnQlTEejW7xFPxWF9J/eVsGosmNpioxdM=,tag:PLUQTvQDIZPUBfSGkpkJuQ==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.12.1
diff --git a/kubernetes/main/apps/observability/loki/ks.yaml b/kubernetes/main/apps/observability/loki/ks.yaml
deleted file mode 100644
index db180735..00000000
--- a/kubernetes/main/apps/observability/loki/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app loki
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/loki/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml b/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml
deleted file mode 100644
index 28cc4e0d..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./secret.sops.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/paperless-ngx/app/namespace.yaml b/kubernetes/main/apps/paperless-ngx/app/namespace.yaml
deleted file mode 100644
index 151391fb..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: paperless-ngx
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/paperless-ngx/app/release.yaml b/kubernetes/main/apps/paperless-ngx/app/release.yaml
deleted file mode 100644
index 7222c8aa..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/release.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app paperless-ngx
- namespace: paperless-ngx
-spec:
- interval: 30m
- chart:
- spec:
- chart: paperless-ngx
- version: 0.24.1
- sourceRef:
- kind: HelmRepository
- name: paperless-ngx
- namespace: paperless-ngx
- # install:
- # crds: CreateReplace
- # remediation:
- # retries: 3
- # upgrade:
- # cleanupOnFail: true
- # crds: CreateReplace
- # remediation:
- # strategy: rollback
- # retries: 3
- values:
- env:
- TZ: Europe/Berlin
- PAPERLESS_ADMIN_USER: "${PAPERLESS_ADMIN_USER}"
- PAPERLESS_ADMIN_PASSWORD: "${PAPERLESS_ADMIN_PASSWORD}"
- PAPERLESS_URL: "https://docs.${SECRET_EXTERNAL_DOMAIN}"
- PAPERLESS_DBHOST: paperless-ngx-postgresql.paperless-ngx.svc.cluster.local
- PAPERLESS_DBENGINE: postgresql
- PAPERLESS_DBNAME: "${PAPERLESS_POSTGRES_DATABASE}"
- PAPERLESS_DBUSER: "${PAPERLESS_POSTGRES_USER}"
- PAPERLESS_DBPASS: "${PAPERLESS_POSTGRES_PASSWORD}"
- postgresql:
- enabled: true
- auth:
- postgresPassword: "${PAPERLESS_POSTGRES_PASSWORD}"
- password: "${PAPERLESS_POSTGRES_PASSWORD}"
- primary:
- persistence:
- size: 4Gi
- storageClass: longhorn
- persistence:
- # data:
- # enabled: false
- # retain: true
- # mountPath: /usr/src/paperless/data
- # storageClass: "longhorn"
- # accessMode: ReadWriteOnce
- # size: 1Gi
- media:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/media
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 4Gi
- export:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/export
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 1Gi
- consume:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/consume
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 4Gi
- ingress:
- main:
- enabled: enabled
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: 64m
- external-dns.alpha.kubernetes.io/target: "docs.${SECRET_EXTERNAL_DOMAIN}"
- ingressClassName: external
- hosts:
- - host: "docs.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
diff --git a/kubernetes/main/apps/paperless-ngx/app/repository.yaml b/kubernetes/main/apps/paperless-ngx/app/repository.yaml
deleted file mode 100644
index 88bd532c..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: paperless-ngx
- namespace: paperless-ngx
-spec:
- interval: 1h
- url: https://charts.gabe565.com
diff --git a/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml b/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml
deleted file mode 100644
index 864db984..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: paperless-ngx-secret - namespace: paperless-ngx -stringData: - POSTGRES_DATABASE: ENC[AES256_GCM,data:a1wyb0cFjj99mqWb,iv:huFoVP5xDy70rgccF8oICcBR1NAuU6e8uvpyT1BgBk4=,tag:iODoKwowQDn5HL4YdnOMuw==,type:str] - POSTGRES_PASSWORD: ENC[AES256_GCM,data:wXjD1VHGUcA31A4dd1RENfen,iv:H3u7HRO75kJCndGwk6pd5E2f/b5buTCm25IRYh922lc=,tag:iYeL6t4LgqL3QBoM1wWNMw==,type:str] - POSTGRES_USERNAME: ENC[AES256_GCM,data:73xvsRJqH6sU,iv:v6a5MdwwNzH6E/6sBa1YHhtVy/fpY9k9r5M7Or2BtsY=,tag:UL1o8cdiZ5V//BHqMQlNHA==,type:str] - username: ENC[AES256_GCM,data:ez610nippRTn,iv:sf16DOHHKCC3jYBPYXOarMKob46mul6SqgqzVk4d908=,tag:zAoXfwalnds8yofIfgPHvw==,type:str] - password: ENC[AES256_GCM,data:HYpkWgD2Zv7+Y8XJwwQnPpqB,iv:vm7OJkBr4RFwFFNb35sWPfmKWbIZTa3tJaFehxMASoE=,tag:XEtnryGihrYHAwVPWy+eBQ==,type:str] - PAPERLESS_ADMIN_USER: ENC[AES256_GCM,data:HBohKE9KkrGgGA==,iv:r9uvmk4lErfByZQpZq1qtl6JkmOzVVzR9lFjECFjqmM=,tag:AxI7HWWf1P+WnCviXfe4gg==,type:str] - PAPERLESS_ADMIN_PASSWORD: ENC[AES256_GCM,data:sShinPhbuB9nJA==,iv:qSrB5YltmOVOQL9jR+kxZrFQqTkCpFiUmyJkLBCLwKg=,tag:lD4WfskcnLCYs/5tQX7HQQ==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUDFNL3lrYXVkbFBPZ29h - eGt1WW9Ia0JSSGQ5NXoxcGhpdGVpd3Vld0FRCmVqbC9pclJGK3hCV1V1aXlicnlz - c1hWR1B5YWUzcFdFRnRkSUlLYWUvREEKLS0tIGJ0ai83eTZtejlsdDNkNnp3amlM - cUJ2Y2MvOEZuY29qZnZHcStpYkxoQWsKdmivQRw5D6C3MO+ZHIMh3h0NYO/4tvLB - lZCUkkJcRwgRhbxleQSYLghiPaYld/2suj7l/bbZ6p6s9o5wKkEhEw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-27T22:03:41Z" - mac: ENC[AES256_GCM,data:WxgF4nS3d7mICZPy+vIE3Hwjo0Wp6QuYJ4XpO1HiQkTBpc8WgsrTmqEGpuuSmdMllzl3nvqbaCOCVCpaJsZ8QOK4YBewz26VcZM9ouF8sU5nrqtzaE5Gr7qTzFx6O7aEqNWEWtz2N2LOnMghbz74BxF9SPYi4F9c1hmAwqQA/cs=,iv:Mkr9XAF3801hstbXWnsxNUw2EEZRSQ/WkKLDEfNKWbA=,tag:GA97+c2wq4fMg6n11XbDuA==,type:str] - encrypted_regex: 
^(data|stringData)$ - version: 3.10.2 diff --git a/kubernetes/main/apps/paperless-ngx/ks.yaml b/kubernetes/main/apps/paperless-ngx/ks.yaml deleted file mode 100644 index 44224c62..00000000 --- a/kubernetes/main/apps/paperless-ngx/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app paperless-ngx - namespace: flux-system -spec: - targetNamespace: paperless-ngx - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/paperless-ngx/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/security/authentik/app/kustomization.yaml b/kubernetes/main/apps/security/authentik/app/kustomization.yaml deleted file mode 100644 index 9dca9ce7..00000000 --- a/kubernetes/main/apps/security/authentik/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml - - ./pg-backup.yaml diff --git a/kubernetes/main/apps/security/authentik/app/namespace.yaml b/kubernetes/main/apps/security/authentik/app/namespace.yaml deleted file mode 100644 index a9cd9432..00000000 --- a/kubernetes/main/apps/security/authentik/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: authentik - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/security/authentik/app/pg-backup.yaml b/kubernetes/main/apps/security/authentik/app/pg-backup.yaml deleted file mode 100644 index cbbc58a2..00000000 --- a/kubernetes/main/apps/security/authentik/app/pg-backup.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: authentik-pg-backup - namespace: authentik -spec: - schedule: "0 0 * * *" # this runs on 00:00 every day. see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax - jobTemplate: - spec: - template: - spec: - containers: - - name: postgres-backup - image: th0th/postgres-s3-backup:0.3 - env: - - name: AWS_ACCESS_KEY_ID - value: "${AWS_ACCESS_KEY_ID}" - - name: AWS_REGION - value: "${AWS_REGION}" - - name: AWS_S3_ENDPOINT - value: "${AWS_S3_ENDPOINT}" - - name: AWS_SECRET_ACCESS_KEY - value: "${AWS_SECRET_ACCESS_KEY}" - - name: POSTGRES_DB - value: "${AUTHENTIK_POSTGRES_DATABASE}" - - name: POSTGRES_HOST - value: "authentik-postgresql.authentik.svc.cluster.local" - - name: POSTGRES_PASSWORD - value: "${AUTHENTIK_POSTGRES_PASSWORD}" - - name: POSTGRES_PORT - value: "5432" - - name: POSTGRES_USER - value: "${AUTHENTIK_POSTGRES_USER}" - - name: POSTGRES_VERSION - value: "16" - restartPolicy: OnFailure diff --git a/kubernetes/main/apps/security/authentik/app/release.yaml b/kubernetes/main/apps/security/authentik/app/release.yaml deleted file mode 100644 index 807204a7..00000000 --- a/kubernetes/main/apps/security/authentik/app/release.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: authentik - namespace: authentik -spec: - releaseName: authentik - chart: - spec: - chart: authentik - version: "2025.2.2" - sourceRef: - kind: HelmRepository - name: goauthentik - namespace: authentik - interval: 5m - install: - remediation: - retries: 3 - values: - authentik: - secret_key: "${AUTHENTIK_KEY}" - error_reporting: - enabled: false - postgresql: - password: "${AUTHENTIK_POSTGRES_PASSWORD}" - server: - ingress: - enabled: true - annotations: - external-dns.alpha.kubernetes.io/target: "auth.${SECRET_EXTERNAL_DOMAIN}" - ingressClassName: external - hosts: - - &host "auth.${SECRET_EXTERNAL_DOMAIN}" - postgresql: - enabled: true - auth: - password: "${AUTHENTIK_POSTGRES_PASSWORD}" - primary: - persistence: - size: 4Gi - storageClass: longhorn - redis: - enabled: true - master: - persistence: - size: 1Gi - storageClass: longhorn \ No newline at end of file diff --git a/kubernetes/main/apps/security/authentik/app/repository.yaml b/kubernetes/main/apps/security/authentik/app/repository.yaml deleted file mode 100644 index 5e354060..00000000 --- a/kubernetes/main/apps/security/authentik/app/repository.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: goauthentik - namespace: authentik -spec: - interval: 1h - url: https://charts.goauthentik.io/ diff --git a/kubernetes/main/apps/security/authentik/ks.yaml b/kubernetes/main/apps/security/authentik/ks.yaml deleted file mode 100644 index 220969a0..00000000 --- a/kubernetes/main/apps/security/authentik/ks.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app authentik - namespace: flux-system -spec: - targetNamespace: authentik - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/security/authentik/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/uptime-kuma/app/ingress.yaml b/kubernetes/main/apps/uptime-kuma/app/ingress.yaml deleted file mode 100644 index 0ec219a0..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: uptime-kuma-ingress - namespace: uptime-kuma - annotations: - external-dns.alpha.kubernetes.io/target: "status.${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: "status.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: uptime-kuma - port: - number: 3001 diff --git a/kubernetes/main/apps/uptime-kuma/app/kustomization.yaml b/kubernetes/main/apps/uptime-kuma/app/kustomization.yaml deleted file mode 100644 index 5b4d9345..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/kustomization.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./serviceAccount.yaml - - ./storage.yaml - - ./statefulSet.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/uptime-kuma/app/namespace.yaml b/kubernetes/main/apps/uptime-kuma/app/namespace.yaml deleted file mode 100644 index c9ac5f63..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: uptime-kuma - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/uptime-kuma/app/service.yaml b/kubernetes/main/apps/uptime-kuma/app/service.yaml deleted file mode 100644 index 09b36b58..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/service.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# Source: uptime-kuma/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: &app uptime-kuma - namespace: uptime-kuma - labels: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma -spec: - type: ClusterIP - ports: - - name: web - port: 3001 - targetPort: web - selector: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma diff --git a/kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml b/kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml deleted file mode 100644 index 8305a0e2..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: &app uptime-kuma - namespace: uptime-kuma - labels: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma 
diff --git a/kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml b/kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml deleted file mode 100644 index 8e64ba0c..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml +++ /dev/null @@ -1,62 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: &app uptime-kuma - namespace: uptime-kuma - labels: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma - annotations: - meta.helm.sh/release-name: uptime-kuma -spec: - replicas: 1 - serviceName: uptime-kuma - selector: - matchLabels: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma - template: - metadata: - labels: - app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma - spec: - serviceAccountName: uptime-kuma - securityContext: - {} - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - containers: - - name: uptime-kuma - securityContext: - {} - image: "louislam/uptime-kuma:2.2.1" - imagePullPolicy: IfNotPresent - env: - - name: UPTIME_KUMA_PORT - value: '3001' - - name: PORT - value: '3001' - ports: - - name: web - containerPort: 3001 - livenessProbe: - exec: - command: - - extra/healthcheck - readinessProbe: - httpGet: - path: / - port: 3001 - scheme: HTTP - resources: - {} - volumeMounts: - - mountPath: /app/data - name: uptime-storage - readOnly: false - volumes: - - name: uptime-storage - persistentVolumeClaim: - claimName: uptime-storage-pvc diff --git a/kubernetes/main/apps/uptime-kuma/app/storage.yaml b/kubernetes/main/apps/uptime-kuma/app/storage.yaml deleted file mode 100644 index 6a873fe0..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/storage.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: uptime-storage-pvc - namespace: uptime-kuma -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi \ No newline at end of file 
diff --git a/kubernetes/main/apps/uptime-kuma/ks.yaml b/kubernetes/main/apps/uptime-kuma/ks.yaml deleted file mode 100644 index 547dac4e..00000000 --- a/kubernetes/main/apps/uptime-kuma/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app uptime-kuma - namespace: flux-system -spec: - targetNamespace: uptime-kuma - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/uptime-kuma/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/apps/web/app/deployment.yaml b/kubernetes/main/apps/web/app/deployment.yaml deleted file mode 100644 index 86ff9f54..00000000 --- a/kubernetes/main/apps/web/app/deployment.yaml +++ /dev/null @@ -1,56 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web - namespace: web - labels: - app: web -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - containers: - - name: web - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/cloudwithdan/world-wide-web:latest - imagePullPolicy: Always - ports: - - name: web - containerPort: 8080 - livenessProbe: - httpGet: - path: / - port: 8080 - readinessProbe: - httpGet: - path: / - port: 8080 - volumeMounts: - - name: tmp - mountPath: /tmp/ - securityContext: - runAsUser: 1000 # Non-root user - runAsGroup: 3000 # Non-root group - readOnlyRootFilesystem: true # Read-only filesystem - allowPrivilegeEscalation: false # No privilege escalation - privileged: false - capabilities: - drop: - - ALL # Drop all capabilities - add: - - NET_BIND_SERVICE # Allow only required capabilities - volumes: - - name: tmp - emptyDir: {} 
diff --git a/kubernetes/main/apps/web/app/ingress.yaml b/kubernetes/main/apps/web/app/ingress.yaml deleted file mode 100644 index 19e4611a..00000000 --- a/kubernetes/main/apps/web/app/ingress.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: web-ingress - namespace: web - annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/use-forwarded-headers: "true" - nginx.ingress.kubernetes.io/compute-full-forwarded-for: "true" -spec: - ingressClassName: external - rules: - - host: "${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: web - port: - name: web diff --git a/kubernetes/main/apps/web/app/kustomization.yaml b/kubernetes/main/apps/web/app/kustomization.yaml deleted file mode 100644 index ffa602dc..00000000 --- a/kubernetes/main/apps/web/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/web/app/namespace.yaml b/kubernetes/main/apps/web/app/namespace.yaml deleted file mode 100644 index 940f59b7..00000000 --- a/kubernetes/main/apps/web/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: web - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/web/app/service.yaml b/kubernetes/main/apps/web/app/service.yaml deleted file mode 100644 index d0624126..00000000 --- a/kubernetes/main/apps/web/app/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: web -spec: - ports: - - name: web - port: 8080 - targetPort: web - selector: - app: web - type: ClusterIP diff --git a/kubernetes/main/apps/web/ks.yaml b/kubernetes/main/apps/web/ks.yaml deleted file mode 100644 index 8922fc6a..00000000 --- a/kubernetes/main/apps/web/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app blog - namespace: flux-system -spec: - targetNamespace: blog - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/blog/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/whoami/app/deployment.yaml b/kubernetes/main/apps/whoami/app/deployment.yaml deleted file mode 100644 index 036c9671..00000000 --- a/kubernetes/main/apps/whoami/app/deployment.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: &app whoami - namespace: whoami - labels: - app: whoami -spec: - replicas: 1 - selector: - matchLabels: - app: whoami - template: - metadata: - labels: - app: whoami - spec: - containers: - - name: whoami - resources: {} - image: traefik/whoami - ports: - - name: web - containerPort: 80 diff --git a/kubernetes/main/apps/whoami/app/ingress.yaml b/kubernetes/main/apps/whoami/app/ingress.yaml deleted file mode 100644 index 341c95aa..00000000 --- a/kubernetes/main/apps/whoami/app/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: whoami-ingress - namespace: whoami - annotations: - external-dns.alpha.kubernetes.io/target: "whoami.${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: "whoami.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: whoami - port: - number: 80 diff --git a/kubernetes/main/apps/whoami/app/namespace.yaml b/kubernetes/main/apps/whoami/app/namespace.yaml deleted file mode 100644 index 4070dff3..00000000 --- a/kubernetes/main/apps/whoami/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: whoami - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/whoami/app/service.yaml b/kubernetes/main/apps/whoami/app/service.yaml deleted file mode 100644 index 73410f12..00000000 --- a/kubernetes/main/apps/whoami/app/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: &app whoami - namespace: whoami -spec: - ports: - - name: web - port: 80 - targetPort: web - selector: - app: whoami 
diff --git a/kubernetes/main/apps/whoami/ks.yaml b/kubernetes/main/apps/whoami/ks.yaml deleted file mode 100644 index 18bb32b5..00000000 --- a/kubernetes/main/apps/whoami/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app whoami - namespace: flux-system -spec: - targetNamespace: whoami - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/whoami/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/avto-masini/avto-masini-web/ks.yaml b/kubernetes/main/avto-masini/avto-masini-web/ks.yaml deleted file mode 100644 index 46cec0fd..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/ks.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app avto-masini-web-staging - namespace: flux-system -spec: - targetNamespace: avto-masini - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/avto-masini/avto-masini-web/staging - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app avto-masini-web-production - namespace: flux-system -spec: - targetNamespace: avto-masini - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/avto-masini/avto-masini-web/production - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml b/kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml deleted file mode 100644 index a2fe91a5..00000000 
--- a/kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: avto-masini-web-production - namespace: avto-masini - labels: - app: avto-masini-web-production -spec: - replicas: 1 - selector: - matchLabels: - app: avto-masini-web-production - template: - metadata: - labels: - app: avto-masini-web-production - spec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - containers: - - name: avto-masini-web-production - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/avto-masini/avto-masini-web:v2.0.10 - imagePullPolicy: Always - ports: - - name: prod-svc - containerPort: 80 - livenessProbe: - httpGet: - path: / - port: 80 - readinessProbe: - httpGet: - path: / - port: 80 - volumeMounts: - - name: tmp - mountPath: /tmp/ - - name: nginx-cache - mountPath: /var/cache/nginx - - name: run - mountPath: /run - securityContext: - runAsUser: 1000 # Non-root user - runAsGroup: 3000 # Non-root group - readOnlyRootFilesystem: true # Read-only filesystem - allowPrivilegeEscalation: false # No privilege escalation - privileged: false - capabilities: - drop: - - ALL # Drop all capabilities - add: - - NET_BIND_SERVICE # Allow only required capabilities - imagePullSecrets: - - name: pull-token - volumes: - - name: tmp - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: run - emptyDir: {} diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml b/kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml deleted file mode 100644 index 23a63fd3..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: avto-masini-web-production-ingress - namespace: avto-masini - annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}" - external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}, www.${SECRET_PROD_DOMAIN}" -spec: - ingressClassName: avto-masini - rules: - - host: "${SECRET_PROD_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: avto-masini-web-production - port: - name: prod-svc - - host: "www.${SECRET_PROD_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: avto-masini-web-production - port: - name: prod-svc diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml b/kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml deleted file mode 100644 index 0935db4a..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./secret.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml b/kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml deleted file mode 100644 index 251ab91d..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: pull-token - namespace: avto-masini -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: ${PULL_GITHUB_TOKEN} diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/service.yaml b/kubernetes/main/avto-masini/avto-masini-web/production/service.yaml deleted file mode 100644 index 2e7c4e54..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/production/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: avto-masini-web-production - namespace: avto-masini -spec: - ports: - - name: avto-masini-web-production - port: 80 - targetPort: prod-svc - selector: - app: avto-masini-web-production - type: ClusterIP diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml b/kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml deleted file mode 100644 index 1c49efc9..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: avto-masini-web-staging - namespace: avto-masini - labels: - app: avto-masini-web-staging -spec: - replicas: 1 - selector: - matchLabels: - app: avto-masini-web-staging - template: - metadata: - labels: - app: avto-masini-web-staging - spec: - containers: - - name: avto-masini-web-staging - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/avto-masini/avto-masini-web:9ff0c4c - imagePullPolicy: Always - ports: - - name: staging-svc - containerPort: 80 - livenessProbe: - httpGet: - path: / - port: 80 - readinessProbe: - httpGet: - path: / - port: 80 - volumeMounts: - - name: tmp - mountPath: /tmp/ - - name: nginx-cache - mountPath: /var/cache/nginx - - name: run - mountPath: /run - securityContext: - runAsUser: 1000 # Non-root user - runAsGroup: 3000 # Non-root group - readOnlyRootFilesystem: true # Read-only filesystem - allowPrivilegeEscalation: false # No privilege escalation - privileged: false - capabilities: - drop: - - ALL # Drop all capabilities - add: - - NET_BIND_SERVICE # Allow only required capabilities - imagePullSecrets: - - name: pull-token - volumes: - - name: tmp - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: run - emptyDir: {} \ No newline at end of file 
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml b/kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml deleted file mode 100644 index 4ac9fa52..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: avto-masini-web-staging-ingress - namespace: avto-masini - annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}" - external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}" - # nginx.ingress.kubernetes.io/auth-url: |- - # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - # nginx.ingress.kubernetes.io/auth-signin: |- - # https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - # nginx.ingress.kubernetes.io/auth-response-headers: |- - # Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - # nginx.ingress.kubernetes.io/auth-snippet: | - # proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: avto-masini - rules: - - host: "staging.${SECRET_PROD_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: avto-masini-web-staging - port: - name: staging-svc diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml b/kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml deleted file mode 100644 index 0935db4a..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./secret.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml 
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml b/kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml deleted file mode 100644 index 251ab91d..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: pull-token - namespace: avto-masini -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: ${PULL_GITHUB_TOKEN} diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml b/kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml deleted file mode 100644 index 5014eb64..00000000 --- a/kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: avto-masini-web-staging - namespace: avto-masini -spec: - ports: - - name: avto-masini-web-staging - port: 80 - targetPort: staging-svc - selector: - app: avto-masini-web-staging - type: ClusterIP diff --git a/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml b/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml deleted file mode 100644 index ec972810..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -originRequest: - noTLSVerify: true - -ingress: - - hostname: "${SECRET_PROD_DOMAIN}" - service: https://ingress-nginx-avto-masini-controller.avto-masini.svc.cluster.local:443 - - hostname: "*.${SECRET_PROD_DOMAIN}" - service: https://ingress-nginx-avto-masini-controller.avto-masini.svc.cluster.local:443 - - service: http_status:404 diff --git a/kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml b/kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml deleted file mode 100644 index cb592c20..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: cloudflared - namespace: avto-masini -spec: - endpoints: - - dnsName: "external.${SECRET_PROD_DOMAIN}" - recordType: CNAME - targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml b/kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml deleted file mode 100644 index b00a3f44..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./repository.yaml - - ./secret.sops.yaml - - ./dnsendpoint.yaml - - ./release.yaml -configMapGenerator: - - name: cloudflared-configmap - namespace: cloudflared-avto-masini - files: - - ./configs/config.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/main/avto-masini/cloudflared/app/release.yaml b/kubernetes/main/avto-masini/cloudflared/app/release.yaml deleted file mode 100644 index f9b5f81d..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/release.yaml +++ /dev/null 
@@ -1,118 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: cloudflared-avto-masini
- namespace: avto-masini
-spec:
- interval: 30m
- chart:
- spec:
- chart: app-template
- version: 3.5.1
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: avto-masini
- # DEPENDS ON EXTERNAL-DNS ?, EXTERNAL-DNS DEPENDS ON NGINX-INGRESS
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- values:
- controllers:
- cloudflared:
- strategy: RollingUpdate
- annotations:
- reloader.stakater.com/auto: "true"
- containers:
- app:
- image:
- repository: docker.io/cloudflare/cloudflared
- tag: 2024.4.1
- env:
- NO_AUTOUPDATE: true
- TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
- TUNNEL_METRICS: 0.0.0.0:8080
- TUNNEL_ORIGIN_ENABLE_HTTP2: true
- TUNNEL_TRANSPORT_PROTOCOL: quic
- TUNNEL_POST_QUANTUM: true
- TUNNEL_ID:
- valueFrom:
- secretKeyRef:
- name: cloudflared-secret
- key: TUNNEL_ID
- args:
- - tunnel
- - --config
- - /etc/cloudflared/config/config.yaml
- - run
- - "$(TUNNEL_ID)"
- # probes:
- # liveness: &probes
- # enabled: true
- # custom: true
- # spec:
- # httpGet:
- # path: /ready
- # port: &port 8080
- # initialDelaySeconds: 0
- # periodSeconds: 10
- # timeoutSeconds: 1
- # failureThreshold: 3
- # readiness: *probes
- # securityContext:
- # allowPrivilegeEscalation: false
- # readOnlyRootFilesystem: true
- # capabilities: { drop: ["ALL"] }
- # sysctls:
- # - name: net.ipv4.ping_group_range
- # value: "0 2147483647"
- resources:
- requests:
- cpu: 10m
- limits:
- memory: 256Mi
- # defaultPodOptions:
- # securityContext:
- # runAsNonRoot: true
- # runAsUser: 65534
- # runAsGroup: 65534
- # seccompProfile: { type: RuntimeDefault }
- # sysctls:
- # - name: net.ipv4.ping_group_range
- # value: "0 2147483647"
- service:
- app:
- controller: cloudflared
- ports:
- http:
- port: &port 8080
- serviceMonitor:
- app:
- serviceName: cloudflared
- endpoints:
- - port: http
- scheme: http
- path: /metrics
- interval: 1m
- scrapeTimeout: 10s
- persistence:
- config:
- type: configMap
- name: cloudflared-configmap
- globalMounts:
- - path: /etc/cloudflared/config/config.yaml
- subPath: config.yaml
- readOnly: true
- creds:
- type: secret
- name: cloudflared-secret
- globalMounts:
- - path: /etc/cloudflared/creds/credentials.json
- subPath: credentials.json
- readOnly: true
diff --git a/kubernetes/main/avto-masini/cloudflared/app/repository.yaml b/kubernetes/main/avto-masini/cloudflared/app/repository.yaml
deleted file mode 100644
index cdfaa3a1..00000000
--- a/kubernetes/main/avto-masini/cloudflared/app/repository.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: bjw-s
- namespace: avto-masini
-spec:
- type: oci
- interval: 5m
- url: oci://ghcr.io/bjw-s/helm
diff --git a/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml b/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml
deleted file mode 100644
index e941b00d..00000000
--- a/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: cloudflared-secret
- namespace: avto-masini
-stringData:
- TUNNEL_ID: ENC[AES256_GCM,data:rZaQEBasiK7loTZmgk8OGpvJvqh+TbZkXzUjAtP1xLY7nmfH,iv:t9Rn+rlYDC9RApuLBKqA34DFDMJqe0RCXt+JAtsSjFg=,tag:F2xGG0Iq+XBhQ+u5SjLmkA==,type:str]
- credentials.json: ENC[AES256_GCM,data:FB6MBHmXGqyO9+usE1QmmDKgAvkdUTi5W56AlLf67vdY5ihUT7xh3e0Y+hA1A/M/aEzcZEAc9nj82cuyHZ5yujxcszzqChDkBeDkF+RnOhpQw58auRZ7/W0YD8KtU6YE8MvWoN5th1v7Q3y96AJdlkyLC9dqvhUmWGZppTODYu6DgRyj0LbGyEjs9DsXcJC+cyAQDWQk2c1sE7AM+PcAFl6R8/aNshhWAvFqUNLpIk0=,iv:43aWcwONsjxtkn4BXMUjzwjDi6yS0OIP/QpDcimhYhY=,tag:4Doj44YQIJNhJ2J7zSbt1g==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1V05tdE96S2RBVmZydWhZ
- dzMwdzlzTU5QRWtTWFlROGN2c0J0NTRUSlJrCkJOVXJBaFFPY2RPN2RsQUxTYkcw
- eUZIb1hTL1hpWXdjd1FwWTVvRkN5ZUkKLS0tIExrMDB5MkRCSkZXMDM1bTdXU1VK
- eDJVWWI0SkxaMmJuR2dUbWpEOHFKOE0KoOwrVst6HQ7fRFWOz7/9Ack1Ete9+/EU
- 4dU9veoIBudoezm0D00J6RLNX0kLm2WuDFIvPEHbXeWh9sjtdTB28g==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-09T20:33:48Z"
- mac: ENC[AES256_GCM,data:Dh5SSSrqzkWObMVcpLwFEbGLzWcJqVtIHoraKbj3ALSG/WQzQZNNJy9cZef65xP2YqOGd41hvUzMUlgTGKzzSCwo3k9YYz9PjF8To23Ix1fO4zRs3QJ9L1ogWeQymSOdq6fiacV7Mkj23aI01+4IQrHf+zn/sgvAG+kbgLWGDsw=,iv:nu765SXAgd7zJCfMFOqiBJcCIOlGajnNc7/09DmSTrQ=,tag:/dfSwtF3Pew54k0bQuJpSw==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.10.1
diff --git a/kubernetes/main/avto-masini/cloudflared/ks.yaml b/kubernetes/main/avto-masini/cloudflared/ks.yaml
deleted file mode 100644
index 7cf75af2..00000000
--- a/kubernetes/main/avto-masini/cloudflared/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app cloudflared-avto-masini
- namespace: flux-system
-spec:
- targetNamespace: avto-masini
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/cloudflared/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml b/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml
deleted file mode 100644
index d21557a2..00000000
--- a/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./repository.yaml
- - ./secret.sops.yaml
- - ./release.yaml
-
diff --git a/kubernetes/main/avto-masini/external-dns/app/release.yaml b/kubernetes/main/avto-masini/external-dns/app/release.yaml
deleted file mode 100644
index e3c8f3e9..00000000
--- a/kubernetes/main/avto-masini/external-dns/app/release.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app external-dns-avto-masini
- namespace: avto-masini
-spec:
- interval: 30m
- chart:
- spec:
- chart: external-dns
- version: 1.15.0
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: avto-masini
- # install:
- # crds: CreateReplace
- # remediation:
- # retries: 3
- # upgrade:
- # cleanupOnFail: true
- # crds: CreateReplace
- # remediation:
- # strategy: rollback
- # retries: 3
- values:
- fullnameOverride: *app
- provider: cloudflare
- env:
- - name: CF_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: external-dns-secret
- key: api-token
- extraArgs:
- - --ingress-class=avto-masini
- - --cloudflare-proxied
- - --default-targets=${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com
- policy: sync
- sources: ["crd", "ingress"]
- domainFilters: ["${SECRET_PROD_DOMAIN}"]
- serviceMonitor:
- enabled: true
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
diff --git a/kubernetes/main/avto-masini/external-dns/app/repository.yaml b/kubernetes/main/avto-masini/external-dns/app/repository.yaml
deleted file mode 100644
index a7ff8d16..00000000
--- a/kubernetes/main/avto-masini/external-dns/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: external-dns
- namespace: external-dns
-spec:
- interval: 1h
- url: https://kubernetes-sigs.github.io/external-dns
diff --git a/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml b/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml
deleted file mode 100644
index 13189bc9..00000000
--- a/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: external-dns-secret
- namespace: avto-masini
-stringData:
- api-token: ENC[AES256_GCM,data:ivGrW18/EISMvs2VEFSABuz6fHBpelohSGMiFgegKvHdPPjB3/sw8A==,iv:lAli7rfR2qvJZFcqrKranriKeJ4jygn8FPnFeyxa6NA=,tag:u/SmJCPTk828FXE1ygxcWA==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWjhaWHJRSm1CdWdLRE9T
- TGdsUVphWnNuTkVTcXhUbzZSM2lTc3pMa0YwCitqcUowd3FEcGRCS3NCSmVjSmc4
- eXFjT0V6aTVMZVpqMW9wWGxlVmpoNTgKLS0tIC82ZnI2OHdPMllNNzJzckczVnV0
- REdBd2pZTEttRCtHMS93VmhZWVMvMk0KeRQeFjlriw5jHwFKYDvNpl+BmsIJrWYn
- 3nck23G8Cw96Iu7agtqhZ5Lt9UfIn/2tAcP4YjF25H2y209VMXOA5A==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-10T12:31:17Z"
- mac: ENC[AES256_GCM,data:5ROGDBVyb4U8M//v4gJWWlbn72I0YagNfdjyPLeGzD7EeQZHS5E74ZQsfnt/fnlHzhdq4uRMunZS7yQS0Lc1cdaYnMQRNocbti/HILVCXfT93N6ff78xa/G+C1+2lVWBBNWm+Qa55nfsEbx3FdMs6kpXwnmZb7B1NSw5ORXbkAk=,iv:jqHzul0FgbjXJoquwkGOb6RB3NvgqoXpJP7kzn7IMWQ=,tag:VZd9EEQh3JqU06Mzx3nedA==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.10.1
diff --git a/kubernetes/main/avto-masini/external-dns/ks.yaml b/kubernetes/main/avto-masini/external-dns/ks.yaml
deleted file mode 100644
index 0ee051a9..00000000
--- a/kubernetes/main/avto-masini/external-dns/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app external-dns-avto-masini
- namespace: flux-system
-spec:
- targetNamespace: avto-masini
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/external-dns/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml
deleted file mode 100644
index 700918c8..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml
deleted file mode 100644
index 7b404500..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: ingress-nginx-avto-masini
- namespace: avto-masini
-spec:
- interval: 30m
- chart:
- spec:
- chart: ingress-nginx
- version: 4.11.3
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: avto-masini
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- dependsOn:
- - name: cloudflared-avto-masini
- namespace: avto-masini
- values:
- fullnameOverride: ingress-nginx-avto-masini
- controller:
- allowSnippetAnnotations: true
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_PROD_DOMAIN}"
- metallb.io/allow-shared-ip: ingress-nginx-avto-masini
- metallb.io/ip-allocated-from-pool: pool
- externalTrafficPolicy: Cluster
- ingressClassResource:
- name: avto-masini
- default: false
- controllerValue: k8s.io/avto-masini
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values: ["avto-masini"]
- config:
- annotations-risk-level: "Critical"
- use-forwarded-headers: "true"
- strict-validate-path-type: "false"
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: "true"
- enable-real-ip: "true"
- hsts-max-age: 31449600
- keep-alive-requests: 10000
- keep-alive: 120
- log-format-escape-json: "true"
- log-format-upstream: >
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
- "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
- "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
- "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
- "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- extraArgs:
- default-ssl-certificate: "avto-masini/${SECRET_PROD_DOMAIN/./-}-production-tls"
- resources:
- requests:
- cpu: 100m
- limits:
- memory: 500Mi
diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml
deleted file mode 100644
index fba4dd94..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: ingress-nginx
- namespace: avto-masini
-spec:
- interval: 1h
- url: https://kubernetes.github.io/ingress-nginx
\ No newline at end of file
diff --git a/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml b/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml
deleted file mode 100644
index 6d814017..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: "${SECRET_PROD_DOMAIN/./-}-production"
- namespace: avto-masini
-spec:
- secretName: "${SECRET_PROD_DOMAIN/./-}-production-tls"
- issuerRef:
- name: letsencrypt-production
- kind: ClusterIssuer
- commonName: "${SECRET_PROD_DOMAIN}"
- dnsNames:
- - "${SECRET_PROD_DOMAIN}"
- - "*.${SECRET_PROD_DOMAIN}"
diff --git a/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml b/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml
deleted file mode 100644
index a4dea79f..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./avto-masini-production.yaml
\ No newline at end of file
diff --git a/kubernetes/main/avto-masini/ingress-nginx/ks.yaml b/kubernetes/main/avto-masini/ingress-nginx/ks.yaml
deleted file mode 100644
index 7a14fb8e..00000000
--- a/kubernetes/main/avto-masini/ingress-nginx/ks.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app avto-masini-ingress-nginx-certificates
- namespace: flux-system
-spec:
- targetNamespace: avto-masini
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: cert-manager-issuers
- path: ./kubernetes/main/avto-masini/ingress-nginx/certificates
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 5m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app ingress-nginx-avto-masini
- namespace: flux-system
-spec:
- targetNamespace: avto-masini
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: avto-masini-ingress-nginx-certificates
- path: ./kubernetes/main/avto-masini/ingress-nginx/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/avto-masini/kustomization.yaml b/kubernetes/main/avto-masini/kustomization.yaml
deleted file mode 100644
index 5d6ed6b9..00000000
--- a/kubernetes/main/avto-masini/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./cloudflared/ks.yaml
- - ./external-dns/ks.yaml
- - ./ingress-nginx/ks.yaml
- - ./avto-masini-web/ks.yaml
diff --git a/kubernetes/main/avto-masini/namespace.yaml b/kubernetes/main/avto-masini/namespace.yaml
deleted file mode 100644
index 803b957b..00000000
--- a/kubernetes/main/avto-masini/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: avto-masini
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/flux-system/avto-masini.yaml b/kubernetes/main/flux-system/avto-masini.yaml
deleted file mode 100644
index 262360f9..00000000
--- a/kubernetes/main/flux-system/avto-masini.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: avto-masini
- namespace: flux-system
-spec:
- interval: 10m0s
- retryInterval: 1m
- timeout: 5m
- sourceRef:
- kind: GitRepository
- name: flux-system
- path: ./kubernetes/main/avto-masini
- prune: true
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- postBuild:
- substituteFrom:
- - kind: Secret
- name: cluster-secrets
- patches:
- - patch: |-
- apiVersion: kustomize.toolkit.fluxcd.io/v1
- kind: Kustomization
- metadata:
- name: not-used
- spec:
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- postBuild:
- substituteFrom:
- - kind: Secret
- name: cluster-secrets
- target:
- group: kustomize.toolkit.fluxcd.io
- kind: Kustomization
- labelSelector: substitution.flux.home.arpa/disabled notin (true)
From c9cdfae2627bdc53146a2443f524f364ce59d020 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:24:28 +0100
Subject: [PATCH 002/114] fix
---
kubernetes/apps/kube-system/cilium/app/kustomization.yaml | 3 +--
kubernetes/apps/network/pihole-system/app/helmrelease.yaml | 7 ++-----
.../apps/network/pihole-system/app/kustomization.yaml | 2 +-
.../apps/network/pihole-system/app/pihole-exporter.yaml | 2 +-
.../flux-system/flux-operator/app/kustomization.yaml | 1 +
kubernetes/flux-system/vars/kustomization.yaml | 2 ++
6 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
index f28a58f5..17cbc72b 100644
--- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
@@ -3,5 +3,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- - ./repository.yaml
- - ./release.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml
index 111dffe3..7b2ea699 100644
--- a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml
+++ b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml
@@ -37,10 +37,7 @@ spec:
storageClass: "longhorn"
ingress:
- enabled: true
- ingressClassName: internal
- hosts:
- - "pihole.${SECRET_INTERNAL_DOMAIN}"
+ enabled: false
extraEnvVars:
FTLCONF_webserver_port: "80"
@@ -59,4 +56,4 @@ spec:
replicaCount: 1
nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
\ No newline at end of file
+ kubernetes.io/hostname: talos-worker-eu-01
\ No newline at end of file
diff --git a/kubernetes/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
index c7b3cce7..8b80ad3a 100644
--- a/kubernetes/apps/network/pihole-system/app/kustomization.yaml
+++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
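Review bot: The node pin `kubernetes.io/hostname: talos-worker-eu-01` added in the second pihole-system hunk is written out a second time in pihole-exporter.yaml in the same commit, and two copies of a raw hostname are the kind of setting that drifts silently the next time only one of them is moved. Express the colocation once — a `podAffinity` on the exporter that targets the pihole pods, or a single substituted variable (this repo already uses `postBuild.substituteFrom`) referenced from both files — so a node move is a one-line change. Both replacement lines also still end with `\ No newline at end of file`; add the trailing newline so later diffs stay clean. The enclosing `values:` mapping starts outside the hunk.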
@@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./repository.yaml
- - ./release.yaml
+ - ./helmrelease.yaml
- ./secret.sops.yaml
- ./pihole-exporter.yaml
diff --git a/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml b/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml
index cce55176..4576af03 100644
--- a/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml
+++ b/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml
@@ -14,7 +14,7 @@ spec:
app: pihole-exporter
spec:
nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
+ kubernetes.io/hostname: talos-worker-eu-01
containers:
- name: pihole-exporter
image: ekofr/pihole-exporter:v1.2.0
diff --git a/kubernetes/flux-system/flux-operator/app/kustomization.yaml b/kubernetes/flux-system/flux-operator/app/kustomization.yaml
index 965defa1..c3ed2ce5 100644
--- a/kubernetes/flux-system/flux-operator/app/kustomization.yaml
+++ b/kubernetes/flux-system/flux-operator/app/kustomization.yaml
@@ -1,4 +1,5 @@
---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
diff --git a/kubernetes/flux-system/vars/kustomization.yaml b/kubernetes/flux-system/vars/kustomization.yaml
index ccb20388..81aa03d1 100644
--- a/kubernetes/flux-system/vars/kustomization.yaml
+++ b/kubernetes/flux-system/vars/kustomization.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
From cf500131e9bde5d7d69d9ade42ff7e33fcc8f919 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:25:17 +0100
Subject: [PATCH 003/114] remove repository from pihole-system
---
kubernetes/apps/network/pihole-system/app/kustomization.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/kubernetes/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
index 8b80ad3a..9defcaab 100644
--- a/kubernetes/apps/network/pihole-system/app/kustomization.yaml
+++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
@@ -2,7 +2,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- - ./repository.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./pihole-exporter.yaml
From 7385966f5a96dbe0ca454bf182143472811d65e2 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:26:04 +0100
Subject: [PATCH 004/114] remove avto-masini ks
---
kubernetes/flux-system/kustomization.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/flux-system/kustomization.yaml b/kubernetes/flux-system/kustomization.yaml
index d7c18818..d72910a1 100644
--- a/kubernetes/flux-system/kustomization.yaml
+++ b/kubernetes/flux-system/kustomization.yaml
@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./apps.yaml
- - ./avto-masini.yaml
+# - ./avto-masini.yaml
- ./flux-operator/ks.yaml
- ./vars
From 19df02fd5b707437f064ca14735cb750ef91c27e Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:27:28 +0100
Subject: [PATCH 005/114] fix repositories kustomization
---
kubernetes/flux-system/repositories/git/kustomization.yaml | 5 +++++
kubernetes/flux-system/repositories/oci/kustomization.yaml | 5 +++++
2 files changed, 10 insertions(+)
create mode 100644 kubernetes/flux-system/repositories/git/kustomization.yaml
create mode 100644 kubernetes/flux-system/repositories/oci/kustomization.yaml
diff --git a/kubernetes/flux-system/repositories/git/kustomization.yaml b/kubernetes/flux-system/repositories/git/kustomization.yaml
new file mode 100644
index 00000000..8fb7c142
--- /dev/null
+++ b/kubernetes/flux-system/repositories/git/kustomization.yaml
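Review bot: `# - ./avto-masini.yaml` in the flux-system kustomization hunk (patch 004) leaves a commented-out resource in place instead of removing the line, and the file it names appears to have been deleted in patch 001 (`kubernetes/main/flux-system/avto-masini.yaml`), so the comment cannot simply be uncommented later. Delete the line outright — history already records the old reference — or, if it is meant as a reminder, make it say what it is waiting for: `# TODO: re-add avto-masini under kubernetes/apps once it is migrated`. The same commented line is carried forward unchanged in patch 011.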
@@ -0,0 +1,5 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
diff --git a/kubernetes/flux-system/repositories/oci/kustomization.yaml b/kubernetes/flux-system/repositories/oci/kustomization.yaml
new file mode 100644
index 00000000..8fb7c142
--- /dev/null
+++ b/kubernetes/flux-system/repositories/oci/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
From 559b749a3c3df571c1ee638c0c33be67ee12eeef Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:38:03 +0100
Subject: [PATCH 006/114] fix: fluxinstance
---
kubernetes/flux-system/flux-instance.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kubernetes/flux-system/flux-instance.yaml b/kubernetes/flux-system/flux-instance.yaml
index a42cb753..68813924 100644
--- a/kubernetes/flux-system/flux-instance.yaml
+++ b/kubernetes/flux-system/flux-instance.yaml
@@ -22,10 +22,9 @@ spec:
domain: "cluster.local"
sync:
kind: GitRepository
- url: "https://github.com/dnikoloski/infrastructure-as-code.git"
+ url: "https://github.com/cloudwithdan/infrastructure-as-code.git"
ref: "refs/heads/cluster-v2"
path: "kubernetes/flux-system"
- pullSecret: "flux-system"
interval: 1m
kustomize:
patches:
From 20af075a5c10796dcca9c08291de2686715db3e8 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:45:27 +0100
Subject: [PATCH 007/114] fix path
---
kubernetes/flux-system/apps.yaml | 2 +-
kubernetes/flux-system/flux-operator/ks.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/flux-system/apps.yaml b/kubernetes/flux-system/apps.yaml
index c4374995..064bcf7d 100644
--- a/kubernetes/flux-system/apps.yaml
+++ b/kubernetes/flux-system/apps.yaml
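Review bot: Dropping `pullSecret: "flux-system"` in the flux-instance hunk (patch 006) turns the GitRepository sync into an unauthenticated fetch of `cloudwithdan/infrastructure-as-code`, and the commit message ("fix: fluxinstance") does not say whether that repository is public. If it is private, the operator will no longer be able to clone once the old credential is unreferenced; if it is public, record the decision so the next reader does not re-add a secret, e.g. `# repository is public; no pullSecret needed` on the line above `url:`. The `sync:` block continues outside the hunk.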
@@ -10,7 +10,7 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
- path: ./kubernetes/main/apps
+ path: ./kubernetes/apps
prune: true
decryption:
provider: sops
diff --git a/kubernetes/flux-system/flux-operator/ks.yaml b/kubernetes/flux-system/flux-operator/ks.yaml
index e5b027f2..e7ff507d 100644
--- a/kubernetes/flux-system/flux-operator/ks.yaml
+++ b/kubernetes/flux-system/flux-operator/ks.yaml
@@ -13,6 +13,6 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
- path: ./kubernetes/main/flux-system/flux-operator/app
+ path: ./kubernetes/flux-system/flux-operator/app
prune: true
wait: true
From f14735c793fcfa7585a44bb626d552eba9008525 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:50:49 +0100
Subject: [PATCH 008/114] temp fix for sops
---
kubernetes/flux-system/apps.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/kubernetes/flux-system/apps.yaml b/kubernetes/flux-system/apps.yaml
index 064bcf7d..3046640c 100644
--- a/kubernetes/flux-system/apps.yaml
+++ b/kubernetes/flux-system/apps.yaml
@@ -20,6 +20,7 @@ spec:
substituteFrom:
- kind: Secret
name: cluster-secrets
+ optional: true # temp fix
patches:
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1
From 86b275d924c53ddc3cb06e9ba2f23d89e60abba3 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:58:14 +0100
Subject: [PATCH 009/114] move ks to flux-system namespace
---
kubernetes/apps/infrastructure/longhorn/ks.yaml | 4 ++--
kubernetes/apps/kube-system/cilium/ks.yaml | 8 ++++----
kubernetes/apps/network/pihole-system/ks.yaml | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/kubernetes/apps/infrastructure/longhorn/ks.yaml b/kubernetes/apps/infrastructure/longhorn/ks.yaml
index 14fb6ef3..6ae3a6dd 100644
--- a/kubernetes/apps/infrastructure/longhorn/ks.yaml
+++ b/kubernetes/apps/infrastructure/longhorn/ks.yaml
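Review bot: `optional: true # temp fix` in the apps.yaml hunk (patch 008) makes the `cluster-secrets` substitution source optional, so when that Secret is missing the Kustomization still reconciles with every `${SECRET_*}` reference rendered empty (or left verbatim, depending on the controller's substitution mode) instead of failing loudly — a quieter failure for values such as domains and tunnel ids that this repo feeds in through substitution. A "temp" marker with no exit condition tends to become permanent; make the comment say what unblocks removal, e.g. `optional: true # TODO(temp): drop once the cluster-secrets Secret exists in this Kustomization's namespace`. The `postBuild:` block starts outside the hunk.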
@@ -4,7 +4,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app longhorn
- namespace: &namespace infrastructure
+ namespace: flux-system
spec:
commonMetadata:
labels:
@@ -16,5 +16,5 @@ spec:
kind: GitRepository
name: flux-system
namespace: flux-system
- targetNamespace: *namespace
+ targetNamespace: infrastructure
wait: true
\ No newline at end of file
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
index 1c3bd12f..6d6a7e19 100644
--- a/kubernetes/apps/kube-system/cilium/ks.yaml
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app cilium
- namespace: &namespace kube-system
+ namespace: flux-system
spec:
commonMetadata:
labels:
@@ -16,7 +16,7 @@ spec:
kind: GitRepository
name: flux-system
namespace: flux-system
- targetNamespace: *namespace
+ targetNamespace: kube-system
wait: true
---
# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
@@ -24,7 +24,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app cilium-config
- namespace: &namespace kube-system
+ namespace: flux-system
spec:
commonMetadata:
labels:
@@ -39,5 +39,5 @@ spec:
kind: GitRepository
name: flux-system
namespace: flux-system
- targetNamespace: *namespace
+ targetNamespace: kube-system
wait: true
diff --git a/kubernetes/apps/network/pihole-system/ks.yaml b/kubernetes/apps/network/pihole-system/ks.yaml
index 3908ee34..4eb0bf5f 100644
--- a/kubernetes/apps/network/pihole-system/ks.yaml
+++ b/kubernetes/apps/network/pihole-system/ks.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app pihole-system
- namespace: &namespace network
+ namespace: flux-system
spec:
commonMetadata:
labels:
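Review bot: In the third cilium/ks.yaml hunk (`@@ -24,7 +24,7 @@`), replacing `namespace: &namespace kube-system` with a plain value removes the `&namespace` anchor, but the `cilium-config` document's `dependsOn` entry still reads `namespace: *namespace` (it is visible as the removed line of the next commit's hunk at line 34), so this file no longer parses as YAML at this commit. Patch 010 replaces that alias and patch 013 then sets it to `flux-system`, which is where the `cilium` Kustomization now lives; those lines belong in this commit so the tree is never broken between them. The same anchor removal in the longhorn and pihole-system files is safe because each remaining alias is replaced inside the same hunk set. Both cilium documents continue outside the hunks.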
@@ -16,5 +16,5 @@ spec:
kind: GitRepository
name: flux-system
namespace: flux-system
- targetNamespace: *namespace
+ targetNamespace: network
wait: true
\ No newline at end of file
From db61a79dec419ce8c993abb4b21eec40c3179787 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 00:59:50 +0100
Subject: [PATCH 010/114] fix cilium k
---
kubernetes/apps/kube-system/cilium/ks.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
index 6d6a7e19..cc4e79ab 100644
--- a/kubernetes/apps/kube-system/cilium/ks.yaml
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -31,7 +31,7 @@ spec:
app.kubernetes.io/name: *app
dependsOn:
- name: cilium
- namespace: *namespace
+ namespace: kube-system
interval: 30m
path: ./kubernetes/apps/kube-system/cilium/config
prune: true
From 530f7e5749009d4eda379fc60e40aace61717aaf Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 01:02:11 +0100
Subject: [PATCH 011/114] add helmrepositories
---
kubernetes/flux-system/kustomization.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/kubernetes/flux-system/kustomization.yaml b/kubernetes/flux-system/kustomization.yaml
index d72910a1..bb493df0 100644
--- a/kubernetes/flux-system/kustomization.yaml
+++ b/kubernetes/flux-system/kustomization.yaml
@@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./apps.yaml
+ - ./repositories
# - ./avto-masini.yaml
- ./flux-operator/ks.yaml
- ./vars
From 71ed0d7a1d0d15ee7c711ea719ae23dbb1b5f7d9 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 01:08:33 +0100
Subject: [PATCH 012/114] fix test
---
kubernetes/apps/kube-system/kustomization.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml
index 3344d6f2..4cee79e6 100644
--- a/kubernetes/apps/kube-system/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@@ -2,6 +2,5 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
-namespace: kube-system
resources:
- - ./cilium/ks.yaml
\ No newline at end of file
+ - ./cilium/ks.yaml
From 98f19b05443f4aee713144c66e658c82220f4596 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 01:12:23 +0100
Subject: [PATCH 013/114] fix
---
kubernetes/apps/kube-system/cilium/ks.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
index cc4e79ab..6d115731 100644
--- a/kubernetes/apps/kube-system/cilium/ks.yaml
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -31,7 +31,7 @@ spec:
app.kubernetes.io/name: *app
dependsOn:
- name: cilium
- namespace: kube-system
+ namespace: flux-system
interval: 30m
path: ./kubernetes/apps/kube-system/cilium/config
prune: true
From 6de9df432f695d249b472207aef69b43af226937 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 28 Mar 2026 01:16:15 +0100
Subject: [PATCH 014/114] fixes
---
kubernetes/apps/infrastructure/namespace.yaml | 5 ++++-
kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml | 2 +-
kubernetes/apps/network/namespace.yaml | 5 ++++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/kubernetes/apps/infrastructure/namespace.yaml b/kubernetes/apps/infrastructure/namespace.yaml
index 2a599d3b..e193916a 100644
--- a/kubernetes/apps/infrastructure/namespace.yaml
+++ b/kubernetes/apps/infrastructure/namespace.yaml
@@ -4,4 +4,7 @@ kind: Namespace metadata: name: infrastructure labels: - kustomize.toolkit.fluxcd.io/prune: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml b/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml index 6e593744..88397053 100644 --- a/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml +++ b/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml @@ -4,7 +4,7 @@ kind: CiliumLoadBalancerIPPool metadata: name: cilium-pool spec: - cidrs: + blocks: - cidr: 10.0.10.192/26 disabled: false --- diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml index fd3ce59d..040270be 100644 --- a/kubernetes/apps/network/namespace.yaml +++ b/kubernetes/apps/network/namespace.yaml @@ -4,4 +4,7 @@ kind: Namespace metadata: name: network labels: - kustomize.toolkit.fluxcd.io/prune: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged \ No newline at end of file From ddb71dacb96de5012b9ae8187539ac39ae33d1d4 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 10:38:46 +0100 Subject: [PATCH 015/114] fix longhorn --- .../infrastructure/longhorn/app/helmrelease.yaml | 15 ++++++++++++++- kubernetes/apps/infrastructure/longhorn/ks.yaml | 2 ++ kubernetes/apps/network/namespace.yaml | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml index 62adfa12..30ce1bf9 100644 --- a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml 
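Review bot: Labelling the `infrastructure` namespace with `pod-security.kubernetes.io/enforce: privileged` and setting `audit` and `warn` to `privileged` as well switches Pod Security admission off entirely for that namespace, and the identical hunk in `kubernetes/apps/network/namespace.yaml` does the same for `network`. Longhorn plausibly needs `privileged`, but `network` hosts pihole and, from later patches in this series, MetalLB and Traefik, of which only the MetalLB speaker is likely to require it — worth confirming per workload rather than relaxing the whole namespace. Even where enforcement has to stay at `privileged`, keeping the two non-blocking modes stricter preserves visibility: `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` (or `restricted`) record and surface violations without rejecting any pod.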
+++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml @@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app longhorn - namespace: longhorn-system + namespace: infrastructure spec: interval: 30m chart: @@ -16,3 +16,16 @@ spec: name: longhorn namespace: flux-system interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + persistence: + defaultClass: true + defaultSettings: + defaultDataPath: /var/lib/longhorn + systemManagedPodsNodeSelector: "kubernetes.io/os:linux" diff --git a/kubernetes/apps/infrastructure/longhorn/ks.yaml b/kubernetes/apps/infrastructure/longhorn/ks.yaml index 6ae3a6dd..7b894856 100644 --- a/kubernetes/apps/infrastructure/longhorn/ks.yaml +++ b/kubernetes/apps/infrastructure/longhorn/ks.yaml @@ -10,6 +10,8 @@ spec: labels: app.kubernetes.io/name: *app interval: 30m + retryInterval: 1m + timeout: 15m path: ./kubernetes/apps/infrastructure/longhorn/app prune: true sourceRef: diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml index 040270be..8affa022 100644 --- a/kubernetes/apps/network/namespace.yaml +++ b/kubernetes/apps/network/namespace.yaml @@ -7,4 +7,4 @@ metadata: kustomize.toolkit.fluxcd.io/prune: disabled pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged \ No newline at end of file + pod-security.kubernetes.io/warn: privileged From b7e4d784ecfd61854c83f48299d88c38323faa01 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 10:48:33 +0100 Subject: [PATCH 016/114] fix timeout --- kubernetes/flux-system/apps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/flux-system/apps.yaml b/kubernetes/flux-system/apps.yaml index 3046640c..b63ca439 100644 --- a/kubernetes/flux-system/apps.yaml +++ b/kubernetes/flux-system/apps.yaml 
@@ -6,7 +6,7 @@ metadata: spec: interval: 10m0s retryInterval: 1m - timeout: 5m + timeout: 15m sourceRef: kind: GitRepository name: flux-system From 275c485a056f0165e08df6fb87ae5e929a41d8d4 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 15:16:27 +0100 Subject: [PATCH 017/114] add metallb-system as LB --- .../cilium/config/loadbalancer.yaml | 24 ----------- kubernetes/apps/kube-system/cilium/ks.yaml | 23 ---------- .../metallb-system/app/helmrelease.yaml | 19 ++++++++ .../metallb-system/app/kustomization.yaml | 7 +++ .../metallb-system}/config/kustomization.yaml | 2 +- .../network/metallb-system/config/pool.yaml | 18 ++++++++ .../apps/network/metallb-system/ks.yaml | 43 +++++++++++++++++++ .../repositories/helm/kustomization.yaml | 1 + .../repositories/helm/metallb-system.yaml | 12 ++++++ 9 files changed, 101 insertions(+), 48 deletions(-) delete mode 100644 kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml create mode 100644 kubernetes/apps/network/metallb-system/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/metallb-system/app/kustomization.yaml rename kubernetes/apps/{kube-system/cilium => network/metallb-system}/config/kustomization.yaml (86%) create mode 100644 kubernetes/apps/network/metallb-system/config/pool.yaml create mode 100644 kubernetes/apps/network/metallb-system/ks.yaml create mode 100644 kubernetes/flux-system/repositories/helm/metallb-system.yaml diff --git a/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml b/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml deleted file mode 100644 index 88397053..00000000 --- a/kubernetes/apps/kube-system/cilium/config/loadbalancer.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -apiVersion: cilium.io/v2alpha1 -kind: CiliumLoadBalancerIPPool -metadata: - name: cilium-pool -spec: - blocks: - - cidr: 10.0.10.192/26 - disabled: false ---- -apiVersion: cilium.io/v2alpha1 -kind: CiliumL2AnnouncementPolicy -metadata: - name: cilium-l2-policy -spec: - nodeSelector: - matchLabels: - kubernetes.io/os: linux - externalIPs: false - loadBalancerIPs: true - interfaces: - - eth0 - - en.* - - eth.* diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml index 6d115731..de87ed14 100644 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -18,26 +18,3 @@ spec: namespace: flux-system targetNamespace: kube-system wait: true ---- -# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cilium-config - namespace: flux-system -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cilium - namespace: flux-system - interval: 30m - path: ./kubernetes/apps/kube-system/cilium/config - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: kube-system - wait: true diff --git a/kubernetes/apps/network/metallb-system/app/helmrelease.yaml b/kubernetes/apps/network/metallb-system/app/helmrelease.yaml new file mode 100644 index 00000000..50178cf7 --- /dev/null +++ b/kubernetes/apps/network/metallb-system/app/helmrelease.yaml @@ -0,0 +1,19 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app metallb + namespace: network +spec: + interval: 30m + chart: + spec: + chart: metallb + version: 0.14.9 + sourceRef: + kind: HelmRepository + name: metallb + namespace: flux-system + values: + installCRDs: true 
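Review bot: `installCRDs: true` under `values` in the new metallb HelmRelease does not match the key the MetalLB chart documents for CRD handling, which is `crds.enabled` (already true by default) — worth checking against the 0.14.9 chart values, since an unknown key is silently ignored and the release only works because the default happens to install them. Unlike the longhorn release adjusted earlier in this series, this HelmRelease also has no `install`/`upgrade` remediation block; adding the same `install: {remediation: {retries: 3}}` and `upgrade: {cleanupOnFail: true, remediation: {retries: 3}}` keeps the releases consistent and lets Flux retry a failed first install instead of leaving it stalled.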
diff --git a/kubernetes/apps/network/metallb-system/app/kustomization.yaml b/kubernetes/apps/network/metallb-system/app/kustomization.yaml new file mode 100644 index 00000000..9defcaab --- /dev/null +++ b/kubernetes/apps/network/metallb-system/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml + - ./secret.sops.yaml + - ./pihole-exporter.yaml diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/network/metallb-system/config/kustomization.yaml similarity index 86% rename from kubernetes/apps/kube-system/cilium/config/kustomization.yaml rename to kubernetes/apps/network/metallb-system/config/kustomization.yaml index 4ee575de..87654627 100644 --- a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml +++ b/kubernetes/apps/network/metallb-system/config/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./loadbalancer.yaml + - ./pool.yaml diff --git a/kubernetes/apps/network/metallb-system/config/pool.yaml b/kubernetes/apps/network/metallb-system/config/pool.yaml new file mode 100644 index 00000000..f63fa6cb --- /dev/null +++ b/kubernetes/apps/network/metallb-system/config/pool.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: pool + namespace: metallb-system +spec: + addresses: + - 10.0.10.192/26 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - pool diff --git a/kubernetes/apps/network/metallb-system/ks.yaml b/kubernetes/apps/network/metallb-system/ks.yaml new file mode 100644 index 00000000..2ca6bb4b --- /dev/null +++ b/kubernetes/apps/network/metallb-system/ks.yaml 
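Review bot: The new `L2Advertisement` in `pool.yaml` sets neither `interfaces` nor `nodeSelectors`, so the pool is announced from every interface of every node, whereas the `CiliumL2AnnouncementPolicy` deleted in this same patch restricted announcements to `eth0`, `en.*` and `eth.*`; restoring that scope with an `interfaces:` list under `spec` (MetalLB takes exact interface names, not patterns) stops the migration from widening the L2 exposure. The `IPAddressPool` has no `serviceAllocation`, so any LoadBalancer `Service` in any namespace can claim an address from `10.0.10.192/26`; `spec.serviceAllocation.namespaces` (or `autoAssign: false` with explicit per-service addresses) limits that to the namespaces expected to expose services. The explicit `namespace: metallb-system` on both objects is overridden by the `targetNamespace: network` set in `kubernetes/apps/network/metallb-system/ks.yaml` (kustomize's namespace transformer replaces existing namespaces), so as written it is misleading and should read `namespace: network` or be dropped.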
@@ -0,0 +1,43 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app metallb-system + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + path: ./kubernetes/apps/network/metallb-system/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: network + wait: true +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app metallb-system-config + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: metallb-system + namespace: flux-system + interval: 30m + path: ./kubernetes/apps/network/metallb-system/config + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: network + wait: true diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index 4e68931e..2cb5a691 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./cilium.yaml - ./longhorn.yaml - ./pihole.yaml + - ./metallb.yaml diff --git a/kubernetes/flux-system/repositories/helm/metallb-system.yaml b/kubernetes/flux-system/repositories/helm/metallb-system.yaml new file mode 100644 index 00000000..f9709038 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/metallb-system.yaml 
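Review bot: Neither Kustomization in this new `ks.yaml` sets `retryInterval` or `timeout`, while `kubernetes/apps/infrastructure/longhorn/ks.yaml` gained `retryInterval: 1m` and `timeout: 15m` in PATCH 015 and the external-dns and traefik Kustomizations added later in the series carry the same pair. With `wait: true` on both documents, and the config document depending on the app one, a slow first install of the MetalLB CRDs and controller is the case where the defaults bite; adding `retryInterval: 1m` and `timeout: 15m` under `spec` in both documents keeps the behaviour uniform across the tree.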
@@ -0,0 +1,12 @@ + +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: metallb + namespace: metallb-system +spec: + interval: 5m + url: https://metallb.github.io/metallb + \ No newline at end of file From 11c7fe3fe03263d8b325e035b06e6f40fec1c359 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 15:18:23 +0100 Subject: [PATCH 018/114] fix pihole-svc and metallb-system --- kubernetes/apps/network/kustomization.yaml | 2 +- kubernetes/apps/network/metallb-system/app/kustomization.yaml | 3 +-- kubernetes/apps/network/pihole-system/app/helmrelease.yaml | 4 ++++ kubernetes/apps/network/pihole-system/app/kustomization.yaml | 1 + 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 67d933c5..1df1571b 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization resources: - ./namespace.yaml - ./pihole-system/ks.yaml - + - ./metallb-system/ks.yaml diff --git a/kubernetes/apps/network/metallb-system/app/kustomization.yaml b/kubernetes/apps/network/metallb-system/app/kustomization.yaml index 9defcaab..17cbc72b 100644 --- a/kubernetes/apps/network/metallb-system/app/kustomization.yaml +++ b/kubernetes/apps/network/metallb-system/app/kustomization.yaml @@ -1,7 +1,6 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - - ./secret.sops.yaml - - ./pihole-exporter.yaml diff --git a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml index 7b2ea699..06909afd 100644 --- a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml 
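Review bot: The new `metallb-system.yaml` HelmRepository opens with an empty line before `---` and ends with a whitespace-only line and no trailing newline, which is the only repository definition in this series written that way. Dropping the leading blank line, removing the trailing `  ` line and ending the file with a single newline keeps it consistent with the other entries referenced from `repositories/helm/kustomization.yaml` and avoids yamllint's `empty-lines`/`trailing-spaces`/`new-line-at-end-of-file` findings on every later touch of the file.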
+++ b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml @@ -47,10 +47,14 @@ spec: serviceWeb: loadBalancerIP: 10.0.10.200 + annotations: + metallb.io/allow-shared-ip: pihole-svc type: LoadBalancer serviceDns: loadBalancerIP: 10.0.10.200 + annotations: + metallb.io/allow-shared-ip: pihole-svc type: LoadBalancer replicaCount: 1 diff --git a/kubernetes/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml index 9defcaab..24303a7a 100644 --- a/kubernetes/apps/network/pihole-system/app/kustomization.yaml +++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: From 801580a6cc20abac42b0bb330480e94c0357ea5f Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 15:19:22 +0100 Subject: [PATCH 019/114] add metallb-system helmrepo --- kubernetes/flux-system/repositories/helm/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index 2cb5a691..ed8872e1 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -6,4 +6,4 @@ resources: - ./cilium.yaml - ./longhorn.yaml - ./pihole.yaml - - ./metallb.yaml + - ./metallb-system.yaml From 8c85ea90d9890af51bfe4791d3a341753e936fc9 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 15:20:48 +0100 Subject: [PATCH 020/114] fix metallb-system helmrepo ns --- kubernetes/flux-system/repositories/helm/metallb-system.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
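Review bot: The shared-IP annotations are added next to `loadBalancerIP: 10.0.10.200`, but `spec.loadBalancerIP` is deprecated in Kubernetes and MetalLB documents the `metallb.io/loadBalancerIPs` annotation as its replacement; putting `metallb.io/loadBalancerIPs: 10.0.10.200` alongside `metallb.io/allow-shared-ip: pihole-svc` in both `annotations` blocks removes the dependence on the deprecated field. MetalLB also only lets two services share an address when they use the same sharing key, request different ports, and either select the same backend pods or both use `externalTrafficPolicy: Cluster` — presumably true for the chart's web and DNS services, but worth confirming rather than discovering at allocation time. The enclosing `values` block begins and ends outside the hunk.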
diff --git a/kubernetes/flux-system/repositories/helm/metallb-system.yaml b/kubernetes/flux-system/repositories/helm/metallb-system.yaml index f9709038..d3a9e1fb 100644 --- a/kubernetes/flux-system/repositories/helm/metallb-system.yaml +++ b/kubernetes/flux-system/repositories/helm/metallb-system.yaml @@ -5,7 +5,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: metallb - namespace: metallb-system + namespace: flux-system spec: interval: 5m url: https://metallb.github.io/metallb From 2503959750ac324ad96582483b75a360a96fcf0d Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 28 Mar 2026 18:15:20 +0100 Subject: [PATCH 021/114] add external-dns, traefik, prometheus --- .../external-dns/app/helmrelease.yaml | 75 ++ .../external-dns/app/kustomization.yaml | 7 + .../external-dns/app/secret.sops.yaml | 22 + .../apps/infrastructure/external-dns/ks.yaml | 22 + .../apps/infrastructure/kustomization.yaml | 1 + .../apps/network/traefik/app/helmrelease.yaml | 25 + .../network/traefik/app/kustomization.yaml | 6 + kubernetes/apps/network/traefik/ks.yaml | 22 + .../app/helmrelease.yaml | 779 ++++++++++++++++++ .../app/kustomization.yaml | 6 + .../kube-prometheus-stack/ks.yaml | 22 + .../apps/observability/kustomization.yaml | 7 + kubernetes/apps/observability/namespace.yaml | 10 + .../repositories/helm/external-dns.yaml | 10 + .../repositories/helm/kustomization.yaml | 3 + .../helm/prometheus-community.yaml | 10 + .../repositories/helm/traefik.yaml | 10 + 17 files changed, 1037 insertions(+) create mode 100644 kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml create mode 100644 kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml create mode 100644 kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml create mode 100644 kubernetes/apps/infrastructure/external-dns/ks.yaml create mode 100644 kubernetes/apps/network/traefik/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/traefik/app/kustomization.yaml create mode 100644 kubernetes/apps/network/traefik/ks.yaml create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/ks.yaml create mode 100644 kubernetes/apps/observability/kustomization.yaml create mode 100644 kubernetes/apps/observability/namespace.yaml create mode 100644 kubernetes/flux-system/repositories/helm/external-dns.yaml create mode 100644 
kubernetes/flux-system/repositories/helm/prometheus-community.yaml create mode 100644 kubernetes/flux-system/repositories/helm/traefik.yaml diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml new file mode 100644 index 00000000..a69c1666 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml 
@@ -0,0 +1,75 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns + namespace: infrastructure +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.20.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + values: + fullnameOverride: *app + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: external-dns-secret + key: api-token + extraArgs: + - --ingress-class=external + - --cloudflare-proxied + - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com + policy: sync + sources: ["crd", "ingress"] + domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: external-dns-secret +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns-pihole + namespace: infrastructure +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.20.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + values: + fullnameOverride: *app + provider: pihole + policy: upsert-only + registry: noop + env: + - name: EXTERNAL_DNS_PIHOLE_PASSWORD + value: ${PIHOLE_PASSWORD} + - name: EXTERNAL_DNS_PIHOLE_SERVER + value: http://pihole-web.network.svc.cluster.local + extraArgs: + - --pihole-api-version=6 + - --ingress-class=internal + serviceAccount: + create: true + name: "external-dns-pihole" + sources: ["service", "ingress"] + serviceMonitor: + enabled: true + securityContext: + fsGroup: 65534 \ No newline at end of file 
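Review bot: `EXTERNAL_DNS_PIHOLE_PASSWORD` is populated from a plain `value: ${PIHOLE_PASSWORD}`, so after Flux substitution the Pi-hole admin password sits in clear text in the HelmRelease object and in the rendered Deployment, readable by anyone with get access to those resources rather than only to Secrets; the first release in this same file already shows the safer shape for `CF_API_TOKEN`, and the same `valueFrom: {secretKeyRef: {name: <secret-name, placeholder>, key: <key, placeholder>}}` form should be used here. The `${SECRET_CLOUDFLARE_TUNNEL_ID}`, `${SECRET_EXTERNAL_DOMAIN}` and `${PIHOLE_PASSWORD}` placeholders further depend on `postBuild.substituteFrom` being present on the reconciling Kustomization, which `kubernetes/apps/infrastructure/external-dns/ks.yaml` in this patch does not set — if the parent `apps.yaml` does not patch it into child Kustomizations, the literal `${…}` strings reach the pods unchanged. `policy: sync` on the Cloudflare release lets external-dns delete records it believes it owns, which is fine with the default TXT registry but makes `domainFilters` the only guard against touching other zones, so it is worth a one-line comment stating that intent.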
diff --git a/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml b/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml new file mode 100644 index 00000000..16a6ce30 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml b/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml new file mode 100644 index 00000000..5156fb70 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-secret + namespace: external-dns +stringData: + api-token: ENC[AES256_GCM,data:O623ud/31zbI+fqmyuDhjerfJo68A3Ga0UII+DGVE/BalZdrwI2TAA==,iv:UYIRQryd2mk8t/W+ydWoLBkQMQ0WeWU+9BkjMR49PoM=,tag:pz6vmyOLaPGoGwvFJhRtFQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cU9YNTJvS1RIdFFCQzIx + TnZINHNsaVY5SkJLVDNianorU0M4Wm9Wb0FFCllmaVpPTHFjRTlkaGRidXZkRmsy + amV4QzVwYk1IUzRyZUYvQ1p2d2drOHMKLS0tIHhFWjlXSDN5eXVhWDcydEFvZUZV + N1JuT1p5TFpUOUVEc0NBcEdNMkplZG8KhgfASu2LOHwgyVyEgTkIdGFeOoeJG5+w + UonRkCxYPgfEGA6XqQ9wYd/R7CDhWplOOoMOyu/gkI6EmkW6LrPqCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:11:12Z" + mac: ENC[AES256_GCM,data:QoyTJpfRUFVcPbydv8D67oJosPjQ2+z9et3mA7maBg1wFCnLKQE3hKw55VOAnQmRWJVe9BDUkj00TWW3ZUC1/JacoUg/AjKWcPWd7zL0yodMOmhyiM/r05xe/uqZ7HmYUSKelc3R4S03I1E+GYXi2JHKDsjendP6w2lJmMQyjfc=,iv:d3OKtsUhwJgUjNu/UHy0oJe4BLR07lzn4gW16K6d0wk=,tag:qgyGSQG1RtQrOkez5KrDeQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 
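Review bot: `secret.sops.yaml` declares `namespace: external-dns`, while the HelmRelease that reads `external-dns-secret` lives in `infrastructure` and the Flux Kustomization for this directory sets `targetNamespace: infrastructure`; the namespace transformer will rewrite it so the reference resolves, but the stated value is misleading and should read `namespace: infrastructure` (or be omitted, as the transformer fills it in). The file is also the only one in this patch without a leading `---` and schema comment; aligning it with the sibling manifests keeps the directory uniform. `encrypted_regex: ^(data|stringData)$` correctly leaves only the token encrypted, so nothing sensitive is exposed in the clear-text metadata.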
diff --git a/kubernetes/apps/infrastructure/external-dns/ks.yaml b/kubernetes/apps/infrastructure/external-dns/ks.yaml new file mode 100644 index 00000000..558c91f9 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app external-dns + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/infrastructure/external-dns/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: infrastructure + wait: true diff --git a/kubernetes/apps/infrastructure/kustomization.yaml b/kubernetes/apps/infrastructure/kustomization.yaml index 3f0374f5..5eeb3ece 100644 --- a/kubernetes/apps/infrastructure/kustomization.yaml +++ b/kubernetes/apps/infrastructure/kustomization.yaml @@ -5,3 +5,4 @@ kind: Kustomization resources: - ./namespace.yaml - ./longhorn/ks.yaml + - ./external-dns/ks.yaml diff --git a/kubernetes/apps/network/traefik/app/helmrelease.yaml b/kubernetes/apps/network/traefik/app/helmrelease.yaml new file mode 100644 index 00000000..77092a6b --- /dev/null +++ b/kubernetes/apps/network/traefik/app/helmrelease.yaml @@ -0,0 +1,25 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app traefik + namespace: network +spec: + interval: 30m + chart: + spec: + chart: traefik + version: "39.0.5" + sourceRef: + kind: HelmRepository + name: traefik + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 
diff --git a/kubernetes/apps/network/traefik/app/kustomization.yaml b/kubernetes/apps/network/traefik/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/network/traefik/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/traefik/ks.yaml b/kubernetes/apps/network/traefik/ks.yaml new file mode 100644 index 00000000..d457e84d --- /dev/null +++ b/kubernetes/apps/network/traefik/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app traefik + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/network/traefik/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: network + wait: true diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml new file mode 100644 index 00000000..fad7253d --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml 
@@ -0,0 +1,779 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kube-prometheus-stack + namespace: observability +spec: + interval: 30m + chart: + spec: + chart: kube-prometheus-stack + version: "69.3.0" + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + interval: 12h + upgrade: + cleanupOnFail: true + crds: Skip + remediation: + strategy: rollback + retries: 3 + values: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + + kubeControllerManager: + service: + selector: + k8s-app: kube-controller-manager + kubeScheduler: + service: + selector: + k8s-app: kube-scheduler + kubeStateMetrics: + service: + selector: + k8s-app: kube-state-metrics + + prometheus: + prometheusSpec: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + podMonitorNamespaceSelector: + matchLabels: + app.kubernetes.io/component: observability + + # Discover all PodMonitors, Probes, PrometheusRules and ServiceMonitors + podMonitorSelectorNilUsesHelmValues: false + probeSelectorNilUsesHelmValues: false + ruleSelectorNilUsesHelmValues: false + serviceMonitorSelectorNilUsesHelmValues: false + additionalScrapeConfigs: + - job_name: "pihole" + static_configs: + - targets: ["pihole-exporter.pihole-system.svc.cluster.local:9617"] + + prometheusOperator: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + verticalPodAutoscaler: + enabled: true + + alertmanager: + alertmanagerSpec: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + + grafana: + enabled: false + forceDeployDashboards: true + + persistence: + enabled: true + type: pvc + accessModes: + - ReadWriteOnce + size: 4Gi + + defaultRules: + create: true + rules: + configReloaders: true + general: true + k8sContainerCpuUsageSecondsTotal: true + k8sContainerMemoryCache: true + k8sContainerMemoryRss: true + k8sContainerMemorySwap: 
true + k8sContainerResource: true + k8sContainerMemoryWorkingSetBytes: true + k8sPodOwner: true + kubeApiserverAvailability: true + kubeApiserverBurnrate: true + kubeApiserverHistogram: true + kubeApiserverSlos: true + kubeControllerManager: true + kubelet: true + kubeProxy: true + kubePrometheusGeneral: true + kubePrometheusNodeRecording: true + kubernetesApps: true + kubernetesResources: true + kubernetesStorage: true + kubernetesSystem: true + kubeSchedulerAlerting: true + kubeSchedulerRecording: true + kubeStateMetrics: true + network: true + node: true + nodeExporterAlerting: true + nodeExporterRecording: true + prometheus: true + prometheusOperator: true + + + kube-state-metrics: + rbac: + extraRules: + - apiGroups: + - source.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - notification.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - autoscaling.k8s.io + resources: + - gitrepositories + - buckets + - helmrepositories + - helmcharts + - ocirepositories + - kustomizations + - helmreleases + - alerts + - providers + - receivers + - imagerepositories + - imagepolicies + - imageupdateautomations + - verticalpodautoscalers + verbs: ["list", "watch"] + customResourceState: + enabled: true + config: + kind: CustomResourceStateMetrics + spec: + resources: + - groupVersionKind: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Kustomization resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, lastAppliedRevision ] + source_name: [ spec, sourceRef, name ] + - groupVersionKind: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmRelease resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, history, "0", chartVersion ] + chart_name: [ status, history, "0", chartName ] + chart_app_version: [ status, history, "0", appVersion ] + chart_ref_name: [ spec, chartRef, name ] + chart_source_name: [ spec, chart, spec, sourceRef, name ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: GitRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux GitRepository resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: Bucket + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Bucket resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + endpoint: [ spec, endpoint ] + bucket_name: [ spec, bucketName ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: HelmRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmRepository resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: HelmChart + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmChart resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + chart_name: [ spec, chart ] + chart_version: [ spec, version ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: OCIRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux OCIRepository resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1beta3 + kind: Alert + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Alert resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + suspended: [ spec, suspend ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1beta3 + kind: Provider + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Provider resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + suspended: [ spec, suspend ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1 + kind: Receiver + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Receiver resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + webhook_path: [ status, webhookPath ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1 + kind: ImageRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImageRepository resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + image: [ spec, image ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1 + kind: ImagePolicy + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImagePolicy resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + source_name: [ spec, imageRepositoryRef, name ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1 + kind: ImageUpdateAutomation + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImageUpdateAutomation resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + source_name: [ spec, sourceRef, name ] + - groupVersionKind: + group: autoscaling.k8s.io + kind: "VerticalPodAutoscaler" + version: "v1" + labelsFromPath: + verticalpodautoscaler: [metadata, name] + namespace: [metadata, namespace] + target_api_version: [spec, targetRef, apiVersion] + target_kind: [spec, targetRef, kind] + target_name: [spec, targetRef, name] + + metrics: + - name: "vpa_containerrecommendations_target" + help: "VPA container recommendations for memory." + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [target, memory] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "memory" + unit: "byte" + - name: "vpa_containerrecommendations_target" + help: "VPA container recommendations for cpu." 
+ each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [target, cpu] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "cpu" + unit: "core" + # Labels + - name: "verticalpodautoscaler_labels" + help: "VPA container recommendations. Kubernetes labels converted to Prometheus labels" + each: + type: Info + info: + labelsFromPath: + name: [metadata, name] + # Memory Information + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_target" + help: "VPA container recommendations for memory. Target resources the VerticalPodAutoscaler recommends for the container." + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [target, memory] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "memory" + unit: "byte" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound" + help: "VPA container recommendations for memory. Minimum resources the container can use before the VerticalPodAutoscaler updater evicts it" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [lowerBound, memory] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "memory" + unit: "byte" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound" + help: "VPA container recommendations for memory. Maximum resources the container can use before the VerticalPodAutoscaler updater evicts it" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [upperBound, memory] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "memory" + unit: "byte" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget" + help: "VPA container recommendations for memory. 
Target resources the VerticalPodAutoscaler recommends for the container ignoring bounds" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [uncappedTarget, memory] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "memory" + unit: "byte" + # CPU Information + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_target" + help: "VPA container recommendations for cpu. Target resources the VerticalPodAutoscaler recommends for the container." + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [target, cpu] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "cpu" + unit: "core" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound" + help: "VPA container recommendations for cpu. Minimum resources the container can use before the VerticalPodAutoscaler updater evicts it" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [lowerBound, cpu] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "cpu" + unit: "core" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound" + help: "VPA container recommendations for cpu. Maximum resources the container can use before the VerticalPodAutoscaler updater evicts it" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [upperBound, cpu] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "cpu" + unit: "core" + - name: "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget" + help: "VPA container recommendations for cpu. 
Target resources the VerticalPodAutoscaler recommends for the container ignoring bounds" + each: + type: Gauge + gauge: + path: [status, recommendation, containerRecommendations] + valueFrom: [uncappedTarget, cpu] + labelsFromPath: + container: [containerName] + commonLabels: + resource: "cpu" + unit: "core" + + - groupVersionKind: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Kustomization resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, lastAppliedRevision ] + source_name: [ spec, sourceRef, name ] + - groupVersionKind: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmRelease resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, history, "0", chartVersion ] + chart_name: [ status, history, "0", chartName ] + chart_app_version: [ status, history, "0", appVersion ] + chart_ref_name: [ spec, chartRef, name ] + chart_source_name: [ spec, chart, spec, sourceRef, name ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: GitRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux GitRepository resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: Bucket + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Bucket resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + endpoint: [ spec, endpoint ] + bucket_name: [ spec, bucketName ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: HelmRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmRepository resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1 + kind: HelmChart + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux HelmChart resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + chart_name: [ spec, chart ] + chart_version: [ spec, version ] + - groupVersionKind: + group: source.toolkit.fluxcd.io + version: v1beta2 + kind: OCIRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux OCIRepository resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + revision: [ status, artifact, revision ] + url: [ spec, url ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1beta3 + kind: Alert + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Alert resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + suspended: [ spec, suspend ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1beta3 + kind: Provider + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Provider resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + suspended: [ spec, suspend ] + - groupVersionKind: + group: notification.toolkit.fluxcd.io + version: v1 + kind: Receiver + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux Receiver resource." 
+ each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + webhook_path: [ status, webhookPath ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1beta2 + kind: ImageRepository + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImageRepository resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + image: [ spec, image ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1beta2 + kind: ImagePolicy + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImagePolicy resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + source_name: [ spec, imageRepositoryRef, name ] + - groupVersionKind: + group: image.toolkit.fluxcd.io + version: v1beta2 + kind: ImageUpdateAutomation + metricNamePrefix: gotk + metrics: + - name: "resource_info" + help: "The current state of a Flux ImageUpdateAutomation resource." + each: + type: Info + info: + labelsFromPath: + name: [ metadata, name ] + labelsFromPath: + exported_namespace: [ metadata, namespace ] + ready: [ status, conditions, "[type=Ready]", status ] + suspended: [ spec, suspend ] + source_name: [ spec, sourceRef, name ] + + selfMonitor: + enabled: true diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null 
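Review bot: The kube-state-metrics `customResourceState.config.spec.resources` list in this hunk declares every Flux kind twice: Kustomization, HelmRelease, GitRepository, Bucket, HelmRepository, HelmChart, Alert, Provider and Receiver are repeated verbatim after the VPA block, and OCIRepository, ImageRepository, ImagePolicy and ImageUpdateAutomation appear once at `version: v1` and again at `version: v1beta2`. kube-state-metrics builds one store per entry, so the duplicates emit the same `gotk_resource_info` series twice — depending on the KSM version that is a registration error at startup or duplicate samples Prometheus rejects at scrape time — and the `v1beta2` entries will also fail to list if the installed Flux no longer serves those versions. Keep a single entry per kind at the API version your Flux actually serves. Separately, `upgrade.crds: Skip` freezes the kube-prometheus-stack CRDs at whatever first installed them; either state in a comment where CRD upgrades happen or set `install.crds: CreateReplace` and `upgrade.crds: CreateReplace` so operator and CRDs move together. Finally, `podMonitorNamespaceSelector` is restricted to labelled namespaces while the ServiceMonitor, Probe and PrometheusRule namespace selectors are left at the chart default (all namespaces), so any namespace can inject scrape targets and alerting rules into this Prometheus — make the four selectors consistent.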
+++ b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml new file mode 100644 index 00000000..9a6f92f7 --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kube-prometheus-stack + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/observability/kube-prometheus-stack/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml new file mode 100644 index 00000000..b5b8f80b --- /dev/null +++ b/kubernetes/apps/observability/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./kube-prometheus-stack/ks.yaml \ No newline at end of file diff --git a/kubernetes/apps/observability/namespace.yaml b/kubernetes/apps/observability/namespace.yaml new file mode 100644 index 00000000..85aaab89 --- /dev/null +++ b/kubernetes/apps/observability/namespace.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: observability + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged \ No newline at end of file diff --git a/kubernetes/flux-system/repositories/helm/external-dns.yaml b/kubernetes/flux-system/repositories/helm/external-dns.yaml new file mode 100644 index 00000000..f38c48ad --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/external-dns.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: external-dns + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes-sigs.github.io/external-dns diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index ed8872e1..3979e1ce 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -7,3 +7,6 @@ resources: - ./longhorn.yaml - ./pihole.yaml - ./metallb-system.yaml + - ./traefik.yaml + - ./external-dns.yaml + - ./prometheus-community.yaml diff --git a/kubernetes/flux-system/repositories/helm/prometheus-community.yaml b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml new file mode 100644 index 00000000..5b8ac69c --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: prometheus-community + namespace: observability +spec: + interval: 12h + url: https://prometheus-community.github.io/helm-charts 
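Review bot: `pod-security.kubernetes.io/enforce: privileged` on the `observability` namespace switches Pod Security Admission off for every workload there, not just node-exporter, and setting `audit` and `warn` to `privileged` as well removes even the log trail. node-exporter's hostPID/hostNetwork/hostPath requirements do force `privileged` at the `enforce` level, but the other two labels can stay strict: `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` cost nothing and make prometheus, alertmanager, kube-state-metrics or the operator show up in the audit log the moment they drift from the restricted profile. Longer term, move node-exporter into its own namespace so this one can be enforced at `baseline` or `restricted`. The two HelmRepository hunks sharing this line are wiring only.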
diff --git a/kubernetes/flux-system/repositories/helm/traefik.yaml b/kubernetes/flux-system/repositories/helm/traefik.yaml new file mode 100644 index 00000000..4d5ef3b4 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/traefik.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: traefik + namespace: flux-system +spec: + interval: 5m + url: https://traefik.github.io/charts From 899a0c735d97f0979ec5e9080b7747b32af3e14f Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:16:39 +0100 Subject: [PATCH 022/114] add traefik ks --- kubernetes/apps/network/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 1df1571b..379de3e8 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./namespace.yaml - ./pihole-system/ks.yaml - ./metallb-system/ks.yaml + - ./traefik/ks.yaml From a2da0b1cb840c0bea55aaa2858454d1a6061813e Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 28 Mar 2026 18:27:08 +0100 Subject: [PATCH 023/114] cloudflared --- .../cloudflared/app/config/config.yaml | 10 +++ .../network/cloudflared/app/helmrelease.yaml | 88 +++++++++++++++++++ .../cloudflared/app/kustomization.yaml | 15 ++++ .../network/cloudflared/app/secret.sops.yaml | 23 +++++ .../flux-system/repositories/helm/bjw-s.yaml | 11 +++ .../repositories/helm/kustomization.yaml | 1 + 6 files changed, 148 insertions(+) create mode 100644 kubernetes/apps/network/cloudflared/app/config/config.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/kustomization.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/secret.sops.yaml create mode 100644 kubernetes/flux-system/repositories/helm/bjw-s.yaml diff --git a/kubernetes/apps/network/cloudflared/app/config/config.yaml b/kubernetes/apps/network/cloudflared/app/config/config.yaml new file mode 100644 index 00000000..c1094db5 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/config/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + noTLSVerify: true + +ingress: + - hostname: "${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.network.svc.cluster.local:443 + - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.network.svc.cluster.local:443 + - service: http_status:404 diff --git a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml new file mode 100644 index 00000000..bc35d54b --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml 
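Review bot: `originRequest.noTLSVerify: true` in `cloudflared/app/config/config.yaml` makes cloudflared accept any certificate from `traefik.network.svc.cluster.local:443`, so the tunnel-to-ingress hop is encrypted but unauthenticated: anything that can answer on that Service address (a compromised pod, a rewritten Service or EndpointSlice) can impersonate Traefik to every external request. If you only want transport encryption on this hop and accept that risk, say so in a comment above the key; otherwise keep verification on by adding `originServerName: traefik.network.svc.cluster.local` and a `caPool` pointing at the CA that issues Traefik's certificate (mounted into the pod) and dropping `noTLSVerify`. The `"*.${SECRET_EXTERNAL_DOMAIN}"` catch-all also forwards every hostname under the zone to Traefik, so any IngressRoute in that domain becomes internet-reachable the moment it exists; confirm Traefik's default behaviour for unknown hosts is a 404 and consider listing only the hostnames you intend to publish, or fronting them with Cloudflare Access.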
@@ -0,0 +1,88 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cloudflared + namespace: network +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + cloudflared: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: docker.io/cloudflare/cloudflared + tag: 2024.4.1 + env: + NO_AUTOUPDATE: true + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_ORIGIN_ENABLE_HTTP2: true + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + TUNNEL_ID: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_ID + args: + - tunnel + - --config + - /etc/cloudflared/config/config.yaml + - run + - "$(TUNNEL_ID)" + resources: + requests: + cpu: 10m + limits: + memory: 256Mi + service: + app: + controller: cloudflared + ports: + http: + port: &port 8080 + serviceMonitor: + app: + serviceName: cloudflared + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + persistence: + config: + type: configMap + name: cloudflared-configmap + globalMounts: + - path: /etc/cloudflared/config/config.yaml + subPath: config.yaml + readOnly: true + creds: + type: secret + name: cloudflared-secret + globalMounts: + - path: /etc/cloudflared/creds/credentials.json + subPath: credentials.json + readOnly: true diff --git a/kubernetes/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml new file mode 100644 index 00000000..9178427a --- /dev/null 
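Review bot: The cloudflared container in this HelmRelease runs with the chart's default security context — no `runAsNonRoot`, no `readOnlyRootFilesystem`, no capability drop — even though cloudflared needs none of that (it makes outbound QUIC connections and reads two read-only mounted files). This is the component that terminates internet-facing traffic, so it should be the most locked down; app-template exposes `defaultPodOptions.securityContext` for the pod level and `containers.app.securityContext` for the container, as in the excerpt below. The image is pinned to `tag: 2024.4.1`, which is roughly two years behind the commit date (2026-03); cloudflared ships security fixes frequently, so bump to a current release and pin by digest (`tag: <version>@sha256:…`) so the tag cannot be retargeted. Whether app-template 3.5.1 stringifies the bare YAML booleans in `env` (`NO_AUTOUPDATE: true` etc.) I cannot confirm from here; quoting them as `"true"` removes the dependency on that behaviour.
```yaml
  values:
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
    controllers:
      cloudflared:
        # … unchanged: strategy / annotations …
        containers:
          app:
            # … unchanged: image / env / args / resources …
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop: ["ALL"]
```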
+++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml @@ -0,0 +1,15 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./dnsendpoint.yaml + - ./release.yaml +configMapGenerator: + - name: cloudflared-configmap + namespace: cloudflared + files: + - ./config/config.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml new file mode 100644 index 00000000..fa966821 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml 
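Review bot: The `configMapGenerator` puts `cloudflared-configmap` in `namespace: cloudflared`, but the HelmRelease and Secret in this commit live in `network`, so the `config` volume mount will never resolve and the pod stays in ContainerCreating unless a Flux `targetNamespace` rewrites it — and no Flux Kustomization for cloudflared is part of this commit. The `resources` list also names `./release.yaml` while the file added is `helmrelease.yaml`, and `./dnsendpoint.yaml` is still matched by `.gitignore` at this point in the series, so a kustomize build of this directory fails on its own; a later commit titled "fix" touches this file, but its hunk is cut off at the end of this page so I cannot confirm it covers the namespace. Change to `namespace: network` and `- ./helmrelease.yaml`. Note that `${SECRET_EXTERNAL_DOMAIN}` in `config/config.yaml` is only substituted if the owning Flux Kustomization sets `postBuild.substituteFrom` to the cluster-secrets Secret; that wiring is not visible here.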
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflared-secret + namespace: network +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:kql5Y/KgY8GeE7DkTmf9wL6t3moeBxF4TQ4kCeDBc75Oofdk,iv:133Cy63DPgN70OsBz6vQ3TjkrKmQf8HrUehyyPVmHWo=,tag:ahOQ7/i+u8/K+sPGVwWNzA==,type:str] + credentials.json: ENC[AES256_GCM,data:0375KzF1bWHcNq6zESihvMoRPZsxCC064CC6s/RdtoP4bZrjNVpqgQrjZvyHdGwBGgyLx7lStvcLoCGiV5UNqRaNq9zYLA9LHzgEmNab1HvkqIIpVoSPjIr9fGH6PySn2vd90eKtZzVP7kLFuRCjZ5ADKHxTITxAAaURRqjeux/kvFpcHopjURGopbKNt43YIBbHmdRAI60pJYQ4KXLh7ELqAsGABVWVyUXaf7qxMhk=,iv:EMSuEqxT6XWVk0Kf0Q7vnJ9hed0NsHtsXBFkI17B3Oo=,tag:dPh1xXBRwu65YBuFDG8Uzw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3dPanhEYkliUjVZVDJP + MFU2b3ZFZXBKOEJsVmpSMFl3VjZQc3FnUVRzCk9ic2V5c05OMi8veVFMNGVBRGpF + UnY2RWNlRUdmTW5xRU41VWZ3MmxWSHcKLS0tIFRkaHNqeDZ5Y2hramxaRGpQTVRF + TGdnWGo0aTVGN3RTcVFGOXlNNmlKZ28KwBHGBJGjDaPPTYcjN0NOd2M+B57YBdy8 + ZA5WR+DYrhsiGu1RVJX+y+vFiNxaAhD10mDEK4JHYTwxzX653GgXYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:24:33Z" + mac: ENC[AES256_GCM,data:3iJJ3Oyp1/QMFehjmi4LO10klg2v3yRIJxTeOJfBxBozVN+I60yyo96XmWXGAWZ2x/y9v4xjojJz34ZcB8TFaDcCD/GPvIxrrrh+voLi9jzwNlRK4bMwvmu/xmNPffwRVK7c5tZgqclFG3KXqGDK+l0BET+CKa+uBXoEZOqbb7k=,iv:pTkxe7KNPkBSZ8wsUyCvDQjviS2IbCaw9fuWOll5ORc=,tag:YnzaYgi1wtIVBiLz2tk1wQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/flux-system/repositories/helm/bjw-s.yaml b/kubernetes/flux-system/repositories/helm/bjw-s.yaml new file mode 100644 index 00000000..84fbbe07 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/bjw-s.yaml 
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjw-s + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/bjw-s/helm diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index 3979e1ce..31b16b55 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -10,3 +10,4 @@ resources: - ./traefik.yaml - ./external-dns.yaml - ./prometheus-community.yaml + - ./bjw-s.yaml From 895a908f9cef7fc4d8962629ce27a47334561c27 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:28:02 +0100 Subject: [PATCH 024/114] prometheus-community ns fix --- .../flux-system/repositories/helm/prometheus-community.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/flux-system/repositories/helm/prometheus-community.yaml b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml index 5b8ac69c..55d163e6 100644 --- a/kubernetes/flux-system/repositories/helm/prometheus-community.yaml +++ b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml @@ -4,7 +4,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: prometheus-community - namespace: observability + namespace: flux-system spec: interval: 12h url: https://prometheus-community.github.io/helm-charts From 5c8eee9b39d4a5a73b91e4eb3239c04c6551a3d9 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:30:08 +0100 Subject: [PATCH 025/114] fix --- .gitignore | 1 - .../apps/network/cloudflared/app/dnsendpoint.yaml | 11 +++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml 
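Review bot: The new `bjw-s` HelmRepository is an OCI source with `interval: 5m`, far more frequent than the 12h/24h the other repositories here use, and nothing on the HelmRelease side verifies chart provenance. For OCI sources Flux can enforce signature verification on the chart spec (`verify: {provider: cosign}`), which is worth enabling for releases pulled from this source if the publisher signs its charts — confirm that before relying on it. `interval: 12h` is ample for a dependency that each HelmRelease pins by version anyway.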
diff --git a/.gitignore b/.gitignore index f927764f..e69de29b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +0,0 @@ -dnsendpoint.yaml diff --git a/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 00000000..437fdb3d --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: cloudflared + namespace: network +spec: + endpoints: + - dnsName: "external.${SECRET_EXTERNAL_DOMAIN}" + recordType: CNAME + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] From 76d4dc0513fb89b49003d25d04b8324329ce63a8 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:30:54 +0100 Subject: [PATCH 026/114] add gitignore --- .gitignore | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.gitignore b/.gitignore index e69de29b..6fe688a3 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,24 @@ +# Trash +.DS_Store +Thumbs.db +tmp +# k8s +kubeconfig +talosconfig +# vscode-sops +.decrypted~*.yaml +*.agekey +*.pub +*.key +# Taskfile +.task +Brewfile.lock.json +# Output +megalinter-reports +# scripts +node_modules +*.log +*.pem +# Python +.venv* +_out From d0296705c9128aee91982991256c49b7d8fb886c Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:31:37 +0100 Subject: [PATCH 027/114] fix --- kubernetes/apps/network/cloudflared/app/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml index 9178427a..2532525a 100644 --- a/kubernetes/apps/network/cloudflared/app/kustomization.yaml +++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml 
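Review bot: `dnsendpoint.yaml` moves from git-ignored to committed with the tunnel id read from `${SECRET_CLOUDFLARE_TUNNEL_ID}`, while the cloudflared Secret in the preceding commit carries a sops-encrypted `TUNNEL_ID` as well, leaving two sources of truth for the same identifier that can drift on rotation. A comment above `targets:` such as `# must match TUNNEL_ID in ./secret.sops.yaml` makes the coupling visible until one of them is derived from the other. Dropping the `.gitignore` entry is consistent with the file no longer embedding the raw id, and the replacement `.gitignore` in the following commit keeps `*.agekey`, `*.key`, `kubeconfig` and `talosconfig` excluded, which is the part that matters.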
@@ -5,7 +5,7 @@ kind: Kustomization resources: - ./secret.sops.yaml - ./dnsendpoint.yaml - - ./release.yaml + - ./helmrelease.yaml configMapGenerator: - name: cloudflared-configmap namespace: cloudflared From 180df5b070585e9719d9ef585894e8df65e4645b Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:33:31 +0100 Subject: [PATCH 028/114] add cloudflared ks --- kubernetes/apps/network/cloudflared/ks.yaml | 20 ++++++++++++++++++++ kubernetes/apps/network/kustomization.yaml | 1 + 2 files changed, 21 insertions(+) create mode 100644 kubernetes/apps/network/cloudflared/ks.yaml diff --git a/kubernetes/apps/network/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml new file mode 100644 index 00000000..1af56269 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/ks.yaml @@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cloudflared + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + path: ./kubernetes/apps/network/cloudflared/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: network + wait: true diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 379de3e8..37803c8f 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -7,3 +7,4 @@ resources: - ./pihole-system/ks.yaml - ./metallb-system/ks.yaml - ./traefik/ks.yaml + - ./cloudflared/ks.yaml From af4f16a752a6f803e98ccdf6932d0cda23aa86f5 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:37:54 +0100 Subject: [PATCH 029/114] fix external-dns-pihole --- .../apps/infrastructure/external-dns/app/helmrelease.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
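Review bot: The new cloudflared Kustomization has no `dependsOn`, yet its path applies a `DNSEndpoint` whose CRD is installed by external-dns and reads `${SECRET_...}` variables; unless the parent apps.yaml patches `postBuild.substituteFrom` and ordering in, the first reconcile fails on the unknown kind or an unset variable until the retry loop catches up. Adding `dependsOn:` with `- name: external-dns` (using whatever name the external-dns Flux Kustomization actually carries — it is not visible in this chunk) makes the order explicit. It also omits the `retryInterval: 1m` and `timeout: 5m` that the cloudnative-pg ks.yaml later in this series sets; matching them keeps failure behaviour predictable across apps.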
diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml index a69c1666..73d6fe7d 100644 --- a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: serviceMonitor: enabled: true podAnnotations: - secret.reloader.stakater.com/reload: external-dns-secret + secret.reloader.stakater.com/reload: external-dns-secret --- # yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 @@ -71,5 +71,5 @@ spec: sources: ["service", "ingress"] serviceMonitor: enabled: true - securityContext: + podSecurityContext: fsGroup: 65534 \ No newline at end of file From 27414f76937782c6b43fd1bbbd818373383cbb1a Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:38:02 +0100 Subject: [PATCH 030/114] fix external-dns-pihole --- .../apps/infrastructure/external-dns/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml index 73d6fe7d..c943bf13 100644 --- a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml @@ -72,4 +72,4 @@ spec: serviceMonitor: enabled: true podSecurityContext: - fsGroup: 65534 \ No newline at end of file + fsGroup: 65534 From 6df6ad5969ce9f0fdccd6be59e37fc3cb01cb1c7 Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 28 Mar 2026 18:51:05 +0100 Subject: [PATCH 031/114] add cnpg-system --- .../cloudnative-pg/cluster/cluster18.yaml | 52 +++++++++++++++++++ .../cloudnative-pg/cluster/kustomization.yaml | 8 +++ .../cloudnative-pg/cluster/s3-creds.sops.yaml | 23 ++++++++ .../cluster/scheduledbackup.yaml | 12 +++++ .../apps/database/cloudnative-pg/ks.yaml | 44 ++++++++++++++++ .../cloudnative-pg/operator/helmrelease.yaml | 33 ++++++++++++ .../operator/kustomization.yaml | 8 +++ .../cloudnative-pg/operator/secret.sops.yaml | 25 +++++++++ kubernetes/apps/database/kustomization.yaml | 7 +++ kubernetes/apps/database/namespace.yaml | 10 ++++ .../flux-system/repositories/helm/cnpg.yaml | 10 ++++ .../repositories/helm/kustomization.yaml | 1 + 12 files changed, 233 insertions(+) create mode 100644 kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/ks.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml create mode 100644 kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml create mode 100644 kubernetes/apps/database/kustomization.yaml create mode 100644 kubernetes/apps/database/namespace.yaml create mode 100644 kubernetes/flux-system/repositories/helm/cnpg.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml new file mode 100644 index 00000000..80f8bb7a --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml 
@@ -0,0 +1,52 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: postgres18 +spec: + imageName: ghcr.io/cloudnative-pg/postgresql:18.3 + instances: 2 + primaryUpdateStrategy: unsupervised + primaryUpdateMethod: switchover + + storage: + storageClass: longhorn + size: 20Gi + + superuserSecret: + name: cloudnative-pg-secret + + enableSuperuserAccess: true + + postgresql: + parameters: + max_connections: "400" + shared_buffers: 256MB + nodeMaintenanceWindow: + inProgress: false + reusePVC: true + + resources: + requests: + cpu: 250m + memory: 500Mi + limits: + memory: 4Gi + monitoring: + enablePodMonitor: true + + backup: + retentionPolicy: 7d + barmanObjectStore: + destinationPath: 's3://talos-lj-backup/' + s3Credentials: + accessKeyId: + name: s3-creds + key: ACCESS_KEY_ID + secretAccessKey: + name: s3-creds + key: SECRET_ACCESS_KEY + wal: + compression: gzip + maxParallel: 4 + encryption: AES256 diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml new file mode 100644 index 00000000..caf11478 --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./s3-creds.sops.yaml + - ./helmrelease.yaml + - ./scheduledbackup.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml new file mode 100644 index 00000000..ab3dadd4 --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml 
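Review bot: `enableSuperuserAccess: true` together with a committed `superuserSecret` keeps the `postgres` superuser reachable over the network for the life of the cluster; CNPG defaults this to false and application roles are normally created via `managed.roles` or `bootstrap.initdb`, so it should be on only while it is actually needed and then switched off. In `barmanObjectStore` only `wal` carries `encryption: AES256`; there is no `data:` block, so unless the bucket enforces default SSE the base backups are written without it — a matching `data: {compression: gzip, encryption: AES256}` closes that gap. As I understand it the in-tree `barmanObjectStore` API is being deprecated in recent CNPG releases in favour of the Barman Cloud plugin; worth checking against the operator version pinned by chart 0.27.0 before building new clusters on it.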
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-creds + namespace: database +stringData: + ACCESS_KEY_ID: ENC[AES256_GCM,data:6deABkqAccFGHMk6t8GOX2z1/a8=,iv:J6lhlaXbVtM+kW3klLaJx0QYU1HVZ0ffo3mjqpr5eVo=,tag:3UVLAFZ/YwqJuOJREhR2WQ==,type:str] + SECRET_ACCESS_KEY: ENC[AES256_GCM,data:rd4cRP461Sh5I7GR5+RmL7GWvq7jPVsKIjoNOH8QwnmRMJluPJArtQ==,iv:0zGoTblmM8UctaxnI9H2cTDeh8bIkhBizMRO9AmQTVQ=,tag:JOX/Fh74LB2yFU9UDEdrbQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkazIxWlNHc0toMFhuQmtj + d2FUakdiVmJnZ1E4dVBiUkc2dVV3bjlPQUFzCnc2T1RySUVQamlCci9naGJzMnQ1 + cjRVWDNlbVA5NFo0VGh3Ly9wUENUa00KLS0tIEJ1RndnNG5CY0ZrbDZ6STdJNVVC + bXUzOHNXQUt0MEEvYUFkbkJMY2xFeVEKTHX6Hp510uDZYZ/JbIt7ugTjZSm4Uykx + svj1q4j/9STmNQCEIIVSB/NtWrgckUzftjOaiJQ0W6Ib1LixxXqgbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:47:28Z" + mac: ENC[AES256_GCM,data:wOTR6t16UbtfXV25QXL9f7fQc8kk40vqNZ/c9guODR5c1NJBep+8mU/GNCaG8TsE6fnD9Dd0R8/tXJ5HAN4Le8u3UJayvcJ8xHcmsoBuvHXDFRfSemQlVpDsPCUbMJvUtjqLbG4zjI22L16ulFBgnkrPobTlq+lT+zwyf9P1nFA=,iv:W/m6l0w9slR8qF9X1qms82AXN4bfykLlZT+F1H5Qds8=,tag:HvQkhQ44YKy06/802b4Ulw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml new file mode 100644 index 00000000..93597f43 --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml @@ -0,0 +1,12 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: postgres18-backup + namespace: database +spec: + schedule: "0 0 0 * * *" + suspend: false + immediate: true + backupOwnerReference: self + cluster: + name: postgres18 
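Review bot: `schedule: "0 0 0 * * *"` is a six-field expression because CNPG's ScheduledBackup cron has a leading seconds field, which differs from Kubernetes CronJob syntax and is easy to misread; a comment above it such as `# six fields, seconds first: daily at 00:00 (operator timezone)` saves the next reader a lookup. With `immediate: true` the first backup starts as soon as the object is applied, so the `s3-creds` Secret in this same directory must already be valid at that moment; `backupOwnerReference: self` tying that Backup's lifetime to this ScheduledBackup is fine. The file also lacks the `---` document start the sibling manifests use.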
diff --git a/kubernetes/apps/database/cloudnative-pg/ks.yaml b/kubernetes/apps/database/cloudnative-pg/ks.yaml new file mode 100644 index 00000000..c9e3867e --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/ks.yaml @@ -0,0 +1,44 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cloudnative-pg + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/database/cloudnative-pg/operator + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cloudnative-pg-cluster + namespace: flux-system +spec: + dependsOn: + - name: cloudnative-pg + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/database/cloudnative-pg/cluster + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m \ No newline at end of file diff --git a/kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml b/kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml new file mode 100644 index 00000000..c4ad6d6d --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml 
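Review bot: The `cloudnative-pg-cluster` Kustomization depends only on the operator, but the Cluster it applies requests `storageClass: longhorn`, and `wait: true` with `timeout: 5m` will time out if that StorageClass is not there yet; add a `dependsOn` entry for the Longhorn Flux Kustomization (its name is not visible in this chunk). First initialisation of two 20Gi instances plus the immediate backup can plausibly exceed five minutes, so a larger `timeout` on this object avoids spurious failures. Both documents omit the `# yaml-language-server: $schema=...` header the other ks.yaml files carry, and the file has no trailing newline.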
@@ -0,0 +1,33 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app cnpg + namespace: database +spec: + interval: 30m + chart: + spec: + chart: cloudnative-pg + version: "0.27.0" + sourceRef: + kind: HelmRepository + name: cnpg + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + crds: + create: true + monitoring: + podMonitorEnabled: false + grafanaDashboard: + create: true diff --git a/kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml b/kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml new file mode 100644 index 00000000..ab439e40 --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml + diff --git a/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml b/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml new file mode 100644 index 00000000..2ecbb6ea --- /dev/null +++ b/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml 
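Review bot: `name: &app cnpg` defines an anchor that is never referenced in this file; either drop `&app` or use it, for example as an `app.kubernetes.io/name: *app` label, as the ks.yaml files do. `monitoring.podMonitorEnabled: false` leaves the operator's own metrics unscraped even though the Cluster enables its PodMonitor — fine if deliberate, but a one-line comment saying so would help. The operator `kustomization.yaml` hunk ends with an empty added line; trim it so the file ends with a single newline.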
@@ -0,0 +1,25 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: cloudnative-pg-secret + namespace: database +stringData: + username: ENC[AES256_GCM,data:8Rg3WEWmcR8=,iv:qR//wo4/rTXMkLzq+U1Iug16QKPAFoINEgFPSteLRwY=,tag:ouYiFKaf/Itk2zEBXnhRuw==,type:str] + password: ENC[AES256_GCM,data:sxdm9K65ruo+5btDdSw=,iv:QhLeBQN8+OtcCeNWZ6wc+UPGPl8T2ncTLBlj3ZOii6U=,tag:B9vlfEOREKj6axGIhaTHvA==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y3pwL3ZEMWg5dVFuU0hl + REFHQ3dDeHdUdWlHcXRjRFNtVWpqeE5uNVU4CngzV3phMzMvM25BMzFSbWorUXlM + QUM1SmxLQlRuNyttZ3ZISjllYTl4QjQKLS0tIG5oQk9nM0tnNXFldFk3RUlnenQ5 + cWxJcVZBSG8vNEN1MHhIOTR2eXB4Q1kK2lmTkf5wkG1/K8xJVLihrwzSrSk3rmIz + 8IZ0E8W7bxNnPLixJAmuJchpgY/yNVgwew3W2Lot1hf6hecLkhHlPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:45:14Z" + mac: ENC[AES256_GCM,data:9W7TVMLhg1p7Gv1dJ8ccXQz1pf1KpajEuvUM40ECxinJOxaP8u7YPXfOjIc31TqAVNHuggzHUAkfzBmJwsrikXkAoWvKg8/qMWnTpZtRg+jTkCau757FxAinr33y386x4CmbTsxDBy3nY59H3rKp7N+6Qcg6PLtJXCgp2GFLQtU=,iv:lCaiL0txUeudel3QH0vXl5OAGU4YCT1BOiDDOSai7jE=,tag:WBBROUtk+/t3tr5u7s5dUQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/database/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml new file mode 100644 index 00000000..0f442ddc --- /dev/null +++ b/kubernetes/apps/database/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./cloudnative-pg/ks.yaml diff --git a/kubernetes/apps/database/namespace.yaml b/kubernetes/apps/database/namespace.yaml new file mode 100644 index 00000000..417aa86b --- /dev/null +++ b/kubernetes/apps/database/namespace.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: database + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/kubernetes/flux-system/repositories/helm/cnpg.yaml b/kubernetes/flux-system/repositories/helm/cnpg.yaml new file mode 100644 index 00000000..a2983039 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/cnpg.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cnpg + namespace: flux-system +spec: + interval: 24h + url: https://cloudnative-pg.github.io/charts diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index 31b16b55..6dba6df3 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -11,3 +11,4 @@ resources: - ./external-dns.yaml - ./prometheus-community.yaml - ./bjw-s.yaml + - ./cnpg.yaml From e7cb3ba16c309efbc0a822c3baf57f156b8a29ff Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:53:03 +0100 Subject: [PATCH 032/114] fix cnpg --- .../apps/database/cloudnative-pg/cluster/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml index caf11478..3541a0dc 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml 
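Review bot: The `database` namespace is labelled `pod-security.kubernetes.io/enforce: privileged`, which switches Pod Security admission off for every workload in it; CNPG documents its operator and instance pods as running under the `restricted` profile, so `enforce: baseline` with `audit`/`warn: restricted` (or `restricted` outright) is the least-privilege setting here. The same three labels are copied onto the `security` namespace for authentik later in this series; if one workload genuinely needs more, raising that namespace alone is easier to audit than privileged everywhere. `kustomize.toolkit.fluxcd.io/prune: disabled` on the Namespace is a sensible guard against accidental deletion.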
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./s3-creds.sops.yaml - - ./helmrelease.yaml + - ./cluster18.yaml - ./scheduledbackup.yaml From d01f9fe4e665fb0e5e9cace80d36991b5016eee1 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 18:59:45 +0100 Subject: [PATCH 033/114] bump longhorn to v1.11.1 --- .../apps/infrastructure/longhorn/app/helmrelease.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml index 30ce1bf9..5d8fbda4 100644 --- a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: longhorn - version: "1.8.0" + version: "1.11.1" sourceRef: kind: HelmRepository name: longhorn @@ -23,9 +23,3 @@ spec: cleanupOnFail: true remediation: retries: 3 - values: - persistence: - defaultClass: true - defaultSettings: - defaultDataPath: /var/lib/longhorn - systemManagedPodsNodeSelector: "kubernetes.io/os:linux" From 87b19048e59a9297cfd70e7d0daa366ff6643c45 Mon Sep 17 00:00:00 2001 
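Review bot: `version: "1.8.0"` → `"1.11.1"` jumps three Longhorn minor releases in one HelmRelease change; Longhorn's upgrade notes, as I understand them, support moving one minor version at a time from a running system, so on an existing installation this should be staged (1.8 → 1.9 → 1.10 → 1.11) or confirmed to be a fresh install. The hunk also drops the whole `values:` block, including `persistence.defaultClass: true`; it reappears in a later commit, but a version bump and a values removal are easier to roll back as separate commits. A verified Longhorn backup before the upgrade is the standard precaution either way.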
From: cloudwithdan Date: Sat, 28 Mar 2026 21:36:45 +0100 Subject: [PATCH 034/114] add cert-manager and fix for longhorn --- .../cert-manager/app/helmrelease.yaml | 34 +++++++++++++++ .../cert-manager/app/kustomization.yaml | 6 +++ .../cert-manager/issuers/issuers.yaml | 22 ++++++++++ .../cert-manager/issuers/kustomization.yaml | 7 +++ .../cert-manager/issuers/secret.sops.yaml | 22 ++++++++++ .../apps/infrastructure/cert-manager/ks.yaml | 43 +++++++++++++++++++ .../apps/infrastructure/kustomization.yaml | 1 + .../longhorn/app/helmrelease.yaml | 10 +++++ .../longhorn/app/kustomization.yaml | 1 + .../longhorn/app/secret.sops.yaml | 23 ++++++++++ .../repositories/helm/goauthentik.yaml | 10 +++++ .../repositories/helm/jetstack.yaml | 10 +++++ .../repositories/helm/kustomization.yaml | 2 + 13 files changed, 191 insertions(+) create mode 100644 kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml create mode 100644 kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml create mode 100644 kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml create mode 100644 kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml create mode 100644 kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml create mode 100644 kubernetes/apps/infrastructure/cert-manager/ks.yaml create mode 100644 kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml create mode 100644 kubernetes/flux-system/repositories/helm/goauthentik.yaml create mode 100644 kubernetes/flux-system/repositories/helm/jetstack.yaml diff --git a/kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml b/kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml new file mode 100644 index 00000000..38544325 --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: infrastructure +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: v1.16.1 + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + podDnsPolicy: "None" + podDnsConfig: + nameservers: + - "1.1.1.1" + - "8.8.8.8" + installCRDs: true + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query + dns01RecursiveNameserversOnly: true diff --git a/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml b/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml new file mode 100644 index 00000000..f691d37d --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production + namespace: cert-manager +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "${SECRET_ACME_EMAIL}" + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cert-manager-secret + key: api-token + selector: + dnsZones: + - "${SECRET_EXTERNAL_DOMAIN}" + - "${SECRET_PROD_DOMAIN}" 
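Review bot: `ClusterIssuer` is cluster-scoped, so `metadata.namespace: cert-manager` on it is ignored, and `apiTokenSecretRef` is resolved from cert-manager's cluster-resource namespace, which defaults to the namespace cert-manager is installed in — `infrastructure` here, not `cert-manager`. The Secret added in the same commit does live in `infrastructure`, so this works today, but a comment such as `# resolved in cert-manager's own namespace (infrastructure), not in this object's` next to `apiTokenSecretRef` stops a future move from breaking issuance silently. In the HelmRelease, `installCRDs: true` is the deprecated spelling for cert-manager ≥ 1.15 (`crds.enabled: true`, plus `crds.keep: true` to protect existing Certificates on uninstall), and `nodeSelector` pinning the controller to one hostname makes every renewal depend on that single node.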
diff --git a/kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml new file mode 100644 index 00000000..1f556e2c --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./issuers.yaml + - ./secret.sops.yaml \ No newline at end of file diff --git a/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml new file mode 100644 index 00000000..b3a78175 --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-secret + namespace: infrastructure +stringData: + api-token: ENC[AES256_GCM,data:Wi0Mv1x6c99DUxmaJ/cEVp4nkBX3bxPz9abT6Gyi8QKs00ZMy0RmLw==,iv:eepyXwJtmn7bK5vzyzGzgZNnhxzvoaJwPLAltBNe8iM=,tag:8SIwwxJngPr4kfCSToiqNA==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZTZSeG8zSUdySWxuazRG + WGZJdTE0TFA0Umo3SnA4bG0yUGMya2FOeUVJCnVUdHZKOWs4cE8rbWRmSVUvSkQ2 + UGRjTDh3UXl3b2FxeFcvbC9Zeklja00KLS0tIHhWR0ZadWMweWRvTGlVdWN4RDlw + VTk5Z0NVNFVEczNNdWJlaUJiZzk0YVkKEgrljM9QR4dWIdHRVdSF1ldWvmMctA2N + WriKJLs7yQDgsKC10dRB64Jzwbakl8OU8G3KpnIX8HWR/+cdupoYCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T20:33:09Z" + mac: ENC[AES256_GCM,data:bBNTS1LW9zkeonbYRxpam64dI/auSD381XU44qZulxnAwTCZ0gZQDIskxV6eOXem9cAaOe6kC0ldEx0a4OaU7xUZ7wT4VWFOxWpPr9B1nTl0gONr3cgy/m+2SKUE17sxHeEdLfFGE9y4CxjWnQQjgNSFW6r50RMbOOGKvjla+gA=,iv:jnpGmd70d1wd51zh0tVP+ZP2kkK9yMhBsd/l9LJfr4s=,tag:kgIqZ33t/5ve5s/V7IA/2g==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/infrastructure/cert-manager/ks.yaml b/kubernetes/apps/infrastructure/cert-manager/ks.yaml new file mode 100644 index 00000000..223c642b --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/ks.yaml 
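Review bot: The `api-token` value feeds a ClusterIssuer DNS-01 solver, so it should be a Cloudflare token limited to DNS edit on only the two zones listed in the issuer's `dnsZones`, not an account-wide key; that cannot be checked from the encrypted value, but a comment recording the intended scope, e.g. `# Cloudflare API token: Zone/DNS/Edit, limited to the solver's dnsZones`, documents it for the next rotation. The file omits the `---` document start and `# yaml-language-server` header used by the sibling manifests.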
@@ -0,0 +1,43 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cert-manager + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + path: ./kubernetes/apps/infrastructure/cert-manager/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: infrastructure + wait: true +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cert-manager-issuer + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: metallb-system + namespace: flux-system + interval: 30m + path: ./kubernetes/apps/infrastructure/cert-manager/issuers + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: infrastructure + wait: true diff --git a/kubernetes/apps/infrastructure/kustomization.yaml b/kubernetes/apps/infrastructure/kustomization.yaml index 5eeb3ece..03e80903 100644 --- a/kubernetes/apps/infrastructure/kustomization.yaml +++ b/kubernetes/apps/infrastructure/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./namespace.yaml - ./longhorn/ks.yaml - ./external-dns/ks.yaml + - ./cert-manager/ks.yaml diff --git a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml index 5d8fbda4..b26f5697 100644 --- a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml 
@@ -23,3 +23,13 @@ spec: cleanupOnFail: true remediation: retries: 3 + values: + persistence: + defaultClass: true + defaultSettings: + defaultDataPath: /var/lib/longhorn + systemManagedPodsNodeSelector: "kubernetes.io/os:linux" + defaultBackupStore: + backupTarget: "s3://talos-lj-backup@eu-central-1/" + backupTargetCredentialSecret: "s3-creds" + pollInterval: 300 diff --git a/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml index 945c8121..60f74fc5 100644 --- a/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml @@ -3,5 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./secret.sops.yaml - ./helmrelease.yaml - ./storageClass-retain.yaml diff --git a/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml b/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml new file mode 100644 index 00000000..6a00449b --- /dev/null +++ b/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml 
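Review bot: `backupTarget: "s3://talos-lj-backup@eu-central-1/"` points Longhorn at the same bucket root the CNPG cluster uses (`destinationPath: 's3://talos-lj-backup/'` earlier in this series), each with its own `s3-creds` Secret; if those hold the same IAM key, compromise of either namespace exposes both volume and database backups, and a cleanup by one system could reach the other's objects. Separate prefixes (e.g. `s3://talos-lj-backup@eu-central-1/longhorn/`) with per-consumer credentials restricted to that prefix keep the blast radius to one system. `backupTargetCredentialSecret: "s3-creds"` refers to the Secret added in this same commit and listed first in the kustomization, so ordering is fine.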
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-creds + namespace: infrastructure +stringData: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:neGUx8fjiswVwBcuenjLQVfDvEg=,iv:LFEKss1y7ywnACIpjqHSPp/H0PJHgVYgf52NN3UOCBo=,tag:VtOGpQ27sVrwr6xfOKNACA==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:zl8uN0R1GgOQ5kPFoTRIwPQGS1KK47JFjMiRBNLaJNcyyLbTcCaskQ==,iv:/hkiouxA9t4wdvJRz7HvLOaxtwT8VNaxYwRw8dxFGvY=,tag:U7gI00FNR9DPSiHi5SPSOQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSDZ5MXd6djB1SjFaWEt0 + a3lDaXRFV0R0UlBCaElMMHpvajRxZFBJcDA0CmZBcWFrUlRWQmdmVUtYclI5U3VB + MHNYNWpRM3JLd0Z6aG5MejNidW50YVUKLS0tIGhQeStSaGVvckE2M0xsUjJTZUY3 + NC8yRzdXZlJhSjY2OEFIOCtqNkFCZFUKZ81FehyC8v3bhIIECmK0o6lZwpl6HRxJ + OSTAJ8AvVLoUmGi23CNVqekyxcyrLpxuFs7/Z+VJoOWCvQlNtSWsuw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T19:56:50Z" + mac: ENC[AES256_GCM,data:+QhbrJoXk9S6wxheuFKBX2SKcgDIK/uVCb501AHbfM6PCXVNHdR8HtHubohf9sqc1a3kSuPFRa520HckFLYY91sVcTNvpesZHw/JdR2a+wI5eDKEJQDmh3thSQsWH+YN16eAv1Xy8QkEtaz9DDvQFjHhnwqXYByBbr5LnMz43zw=,iv:TVLFUP017CvMaxTOCpScTrv/nIMqhNbxOLmOsRCj5xE=,tag:/LK8VlpHXdcJElA850U5NA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/flux-system/repositories/helm/goauthentik.yaml b/kubernetes/flux-system/repositories/helm/goauthentik.yaml new file mode 100644 index 00000000..9b3daa29 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/goauthentik.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: goauthentik + namespace: flux-system +spec: + interval: 1h + url: https://charts.goauthentik.io/ 
diff --git a/kubernetes/flux-system/repositories/helm/jetstack.yaml b/kubernetes/flux-system/repositories/helm/jetstack.yaml new file mode 100644 index 00000000..b0b92c1a --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/jetstack.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: jetstack + namespace: cert-manager +spec: + interval: 1h + url: https://charts.jetstack.io \ No newline at end of file diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml index 6dba6df3..b2a064be 100644 --- a/kubernetes/flux-system/repositories/helm/kustomization.yaml +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -12,3 +12,5 @@ resources: - ./prometheus-community.yaml - ./bjw-s.yaml - ./cnpg.yaml + - ./goauthentik.yaml + - ./jetstack.yaml From c1da7edfed0f40e46cea41c84800ea0712e77006 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 21:39:27 +0100 Subject: [PATCH 035/114] fix jetstack helmrepo ns --- .../security/authentik/app/helmrelease.yaml | 32 +++++++++++++++++++ .../security/authentik/app/kustomization.yaml | 6 ++++ kubernetes/apps/security/authentik/ks.yaml | 22 +++++++++++++ kubernetes/apps/security/kustomization.yaml | 7 ++++ kubernetes/apps/security/namespace.yaml | 10 ++++++ 5 files changed, 77 insertions(+) create mode 100644 kubernetes/apps/security/authentik/app/helmrelease.yaml create mode 100644 kubernetes/apps/security/authentik/app/kustomization.yaml create mode 100644 kubernetes/apps/security/authentik/ks.yaml create mode 100644 kubernetes/apps/security/kustomization.yaml create mode 100644 kubernetes/apps/security/namespace.yaml 
diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml new file mode 100644 index 00000000..1a6ad890 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -0,0 +1,32 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: authentik + namespace: security +spec: + releaseName: authentik + chart: + spec: + chart: authentik + version: "2025.2.2" + sourceRef: + kind: HelmRepository + name: goauthentik + namespace: flux-system + interval: 5m + install: + remediation: + retries: 3 + values: + authentik: + secret_key: "${AUTHENTIK_KEY}" + error_reporting: + enabled: false + postgresql: + password: "${AUTHENTIK_POSTGRES_PASSWORD}" + redis: + enabled: true + master: + persistence: + size: 1Gi + storageClass: longhorn diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml new file mode 100644 index 00000000..df497829 --- /dev/null +++ b/kubernetes/apps/security/authentik/ks.yaml 
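Review bot: `secret_key: "${AUTHENTIK_KEY}"` and `postgresql.password: "${AUTHENTIK_POSTGRES_PASSWORD}"` are substituted by Flux at build time, so the resolved secrets sit in clear text in the HelmRelease object and in the Helm release storage Secret, readable by anyone with `get` on those in `security`. Flux's `valuesFrom` with `targetPath` injects them from a Kubernetes Secret instead and keeps the HelmRelease spec free of secret material; the following commit adds a `secret.sops.yaml` to this app, so if that already moves to this pattern the point is addressed. The release also has no `upgrade.remediation`, unlike the other HelmReleases in this series, and `interval: 5m` on the chart spec is unusually frequent for a version-pinned chart.
```yaml
  values:
    authentik:
      error_reporting:
        enabled: false
    # … unchanged: redis values …
  valuesFrom:
    # constructed Secret name; it must exist in the security namespace (e.g. sops-managed)
    - kind: Secret
      name: authentik-secret
      valuesKey: AUTHENTIK_KEY
      targetPath: authentik.secret_key
    - kind: Secret
      name: authentik-secret
      valuesKey: AUTHENTIK_POSTGRES_PASSWORD
      targetPath: authentik.postgresql.password
```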
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app authentik + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/security/authentik/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: security + wait: true diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml new file mode 100644 index 00000000..2b19a1eb --- /dev/null +++ b/kubernetes/apps/security/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./authentik/ks.yaml \ No newline at end of file diff --git a/kubernetes/apps/security/namespace.yaml b/kubernetes/apps/security/namespace.yaml new file mode 100644 index 00000000..d7f327d1 --- /dev/null +++ b/kubernetes/apps/security/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: security + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged From b125076d08fd966a0dd74b57b6ce123659aedac6 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 21:40:17 +0100 Subject: [PATCH 036/114] fix dependOn for cert-manager --- kubernetes/apps/infrastructure/cert-manager/ks.yaml | 4 ++-- kubernetes/flux-system/repositories/helm/jetstack.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
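Review bot: The new `security` namespace sets all three Pod Security Admission labels to `privileged` (`pod-security.kubernetes.io/enforce: privileged` plus the matching `audit` and `warn` labels), which switches the admission check off for the namespace that will host the identity provider. Nothing in the authentik HelmRelease on this page asks for host namespaces, privileged containers or host paths, so `baseline` should admit it; a safe first step is `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted`, so remaining violations are logged before tightening further. If `privileged` is deliberate, a comment above the labels naming the workload that needs it would record why.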
diff --git a/kubernetes/apps/infrastructure/cert-manager/ks.yaml b/kubernetes/apps/infrastructure/cert-manager/ks.yaml index 223c642b..d679b9fb 100644 --- a/kubernetes/apps/infrastructure/cert-manager/ks.yaml +++ b/kubernetes/apps/infrastructure/cert-manager/ks.yaml @@ -23,14 +23,14 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app cert-manager-issuer + name: &app cert-manager-issuers namespace: flux-system spec: commonMetadata: labels: app.kubernetes.io/name: *app dependsOn: - - name: metallb-system + - name: cert-manager namespace: flux-system interval: 30m path: ./kubernetes/apps/infrastructure/cert-manager/issuers diff --git a/kubernetes/flux-system/repositories/helm/jetstack.yaml b/kubernetes/flux-system/repositories/helm/jetstack.yaml index b0b92c1a..b513441b 100644 --- a/kubernetes/flux-system/repositories/helm/jetstack.yaml +++ b/kubernetes/flux-system/repositories/helm/jetstack.yaml @@ -4,7 +4,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: jetstack - namespace: cert-manager + namespace: flux-system spec: interval: 1h - url: https://charts.jetstack.io \ No newline at end of file + url: https://charts.jetstack.io From f6894e7f3802e98e1a086b6aae14984b6f1b3bc5 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 21:46:45 +0100 Subject: [PATCH 037/114] Deploy authentik with restored database from s3 --- .../security/authentik/app/helmrelease.yaml | 115 +++++++++++++++++- .../security/authentik/app/kustomization.yaml | 2 + .../apps/security/authentik/app/pvc.yaml | 13 ++ .../security/authentik/app/secret.sops.yaml | 39 ++++++ 4 files changed, 164 insertions(+), 5 deletions(-) create mode 100644 kubernetes/apps/security/authentik/app/pvc.yaml create mode 100644 kubernetes/apps/security/authentik/app/secret.sops.yaml 
diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 1a6ad890..fb4980eb 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -1,7 +1,9 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: authentik + name: &app authentik namespace: security spec: releaseName: authentik 
@@ -13,20 +15,123 @@ spec: kind: HelmRepository name: goauthentik namespace: flux-system - interval: 5m + interval: 30m install: remediation: retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + global: + deploymentAnnotations: + reloader.stakater.com/auto: "true" + + envFrom: + - secretRef: + name: authentik-secret + + volumes: + - name: media + persistentVolumeClaim: + claimName: authentik-media + + volumeMounts: + - name: media + mountPath: /media + + # Authentik configuration authentik: - secret_key: "${AUTHENTIK_KEY}" + # Use existing secret instead of creating one + enabled: false + existingSecret: + secretName: authentik-secret + + log_level: info error_reporting: enabled: false + + # Database config (actual values come from secret via env vars) postgresql: - password: "${AUTHENTIK_POSTGRES_PASSWORD}" + host: "postgres18-rw.database.svc.cluster.local" + port: 5432 + name: "authentik" + user: "authentik" + + # Server configuration + server: + replicas: 1 + + # Init container to ensure database exists + initContainers: + - name: init-db + image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf + envFrom: + - secretRef: + name: authentik-secret + + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1536Mi + + # Enable metrics for monitoring + metrics: + enabled: true + serviceMonitor: + enabled: false + + # Use standard Kubernetes Ingress (Traefik will handle it) + ingress: + enabled: true + ingressClassName: traefik + hosts: + - "auth.${SECRET_EXTERNAL_DOMAIN}" + paths: + - / + pathType: Prefix + tls: + - secretName: authentik-tls + hosts: + - "auth.${SECRET_EXTERNAL_DOMAIN}" + + service: + type: ClusterIP + + # Worker configuration + worker: + replicas: 1 + + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1536Mi + + metrics: + enabled: true + serviceMonitor: + enabled: false + + # Redis configuration (bundled) redis: 
enabled: true master: persistence: - size: 1Gi + enabled: true + size: 2Gi storageClass: longhorn + + # Disable bundled PostgreSQL (using external postgres18) + postgresql: + enabled: false + + # Prometheus rules + prometheus: + rules: + enabled: false diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 17cbc72b..401de914 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -3,4 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./authentik-secret.sops.yaml + - ./pvc.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/security/authentik/app/pvc.yaml b/kubernetes/apps/security/authentik/app/pvc.yaml new file mode 100644 index 00000000..0ff49a1b --- /dev/null +++ b/kubernetes/apps/security/authentik/app/pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authentik-media + namespace: security +spec: + accessModes: + - ReadWriteOnce + storageClassName: longhorn + resources: + requests: + storage: 1Gi diff --git a/kubernetes/apps/security/authentik/app/secret.sops.yaml b/kubernetes/apps/security/authentik/app/secret.sops.yaml new file mode 100644 index 00000000..c4a75cd8 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/secret.sops.yaml 
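Review bot: `global.envFrom` injects the whole `authentik-secret` Secret into every authentik container, and per the `secret.sops.yaml` hunk of this commit that Secret also carries `INIT_POSTGRES_SUPER_USER` and `INIT_POSTGRES_SUPER_PASS`, so the server and worker processes receive the PostgreSQL superuser credential although only the `init-db` init container needs it. Splitting the Secret in two — the `AUTHENTIK_*` keys for `global.envFrom`, the `INIT_POSTGRES_*` keys referenced solely from `server.initContainers[].envFrom` — limits a compromised authentik pod to its own database role. The `authentik.postgresql.host`/`name`/`user` values duplicate keys that the Secret already provides; keeping one source avoids the two drifting apart. The enclosing `spec:` mapping starts before this hunk.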
@@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Secret +metadata: + name: authentik-secret + namespace: security +type: Opaque +stringData: + #ENC[AES256_GCM,data:dyh+A4itWODSXNU2IKsViaPSTWEwkhwjvn2JFvU=,iv:mrn4ez1SMl2FMd3oD2hl1Gg60YGNKZ4kG3cmRLOg624=,tag:S7MOWAmIiNZq5HGckHY8dQ==,type:comment] + AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:oS4RegSuHhuMKeJlReO2K/vf445DA+0k5eeGsQdJupEkAoXlc2xp3DEewrr0y7PYW0t/NH7h34C2ygfQTCoFUGcxiW8I31ZSjpFN8fVhv2s=,iv:2yVy+vWNmjL5pfBq0/irquoKMFmOaRXS8XG7qRMVTJ8=,tag:/lnI/WwSKX5eFgH2pjXAFw==,type:str] + AUTHENTIK_ERROR_REPORTING__ENABLED: ENC[AES256_GCM,data:Tfzv/Rc=,iv:0T5W8fZLqzZFr3dm062jxYcanaSCyyXcbVSag4Eyzm0=,tag:2amR9X97SQXU6ey9wnN9ew==,type:str] + #ENC[AES256_GCM,data:+doMcYJB7hSi5phJidNOvYmMEoRJnQ==,iv:GqR929SwpJMQRWh7Ax3ijjX66nuM6q/8VsH30Y2eIbA=,tag:efGLZQRbVyhFZ/BE2qvnoA==,type:comment] + AUTHENTIK_POSTGRESQL__HOST: ENC[AES256_GCM,data:c47FS7/e1NqwVpYLFvIh6xJwj8/vibCVLY/TQhdMWxwak4bHlOsCOw==,iv:Wxat6SHJwq9k0XQ30hld8lZvaCJbhot7PyamxzEhoSM=,tag:YIIq+irz8fsSzPYL8xcXfA==,type:str] + AUTHENTIK_POSTGRESQL__PORT: ENC[AES256_GCM,data:U/dLYQ==,iv:51fmk425B92+pbxHrgcst+0TKshQZc44K067KO4Sf8g=,tag:hPqkRYeiA8hXdlLLURcgXQ==,type:str] + AUTHENTIK_POSTGRESQL__NAME: ENC[AES256_GCM,data:D95mbI33DEnt,iv:gk3yol5khd83+WfhNVOvae+TMzex4lHr+r30JHFYaSs=,tag:1gQSFXLCp0XO7X3/aHfW/A==,type:str] + AUTHENTIK_POSTGRESQL__USER: ENC[AES256_GCM,data:f4xUcDDLnBxd,iv:MHn4R5sKIjqkHf6BVzueKGTkEKYzG/XvtNDMZPunGu4=,tag:sfaFoFa0K3rA0/4WVtXh5A==,type:str] + AUTHENTIK_POSTGRESQL__PASSWORD: ENC[AES256_GCM,data:Zg4We4jErOQt9YB3jjs5W0gApSEtag0YBIbZgscUQm0=,iv:/1pJpG9eALKy9van3mpn7ycJXslGMgW6RJoovcqN4EA=,tag:e9HtlbP5oiY80L8VGhgB2Q==,type:str] + #ENC[AES256_GCM,data:+zMW3gJxJW5YFOwxOslB0i3TzoQfwl7gv9Sif5qzpQ1n2g==,iv:9+TQ0hhF450BytUH9QbOk7CT0vKfXigEp+hey3n9HEc=,tag:8SQ77qd+BkNGhKaVLz5OGQ==,type:comment] + INIT_POSTGRES_HOST: 
ENC[AES256_GCM,data:t4uzs9N4oOphT0nDEShZ07AkmRWTTnRtcLjU1jU0TrI0MN8UlkBmFQ==,iv:mtLEG8fOtifryyBIQ6UwY+3Wb2ACDSpcv0fZq6oKxt8=,tag:wgJNkLx+AjWDPkj5i5Kbyg==,type:str] + INIT_POSTGRES_PORT: ENC[AES256_GCM,data:Isvimg==,iv:ytpzlnC0pPq1Pt/tQQk8f0I71q+gjGV1+4L7QdZJpaA=,tag:o0jw7ZkuedyqM2o89O8SSw==,type:str] + INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:CqVBGieWyDSS,iv:wptRGEUeEkE5xUSl4c94F8jcyiU2WQjaB7v9UZ8E+qE=,tag:GikwPsu0JMRGgeIJS0HwZA==,type:str] + INIT_POSTGRES_USER: ENC[AES256_GCM,data:h99OVscZTc4+,iv:EqWm0U7VBXai+tzk6/GIdktEg58YFhRXgnLOxQlW658=,tag:vtHv+um1nlIWOgLvW6KG/Q==,type:str] + INIT_POSTGRES_PASS: ENC[AES256_GCM,data:iTQr19mm8zwychykRvcgP9Z377M5wVA13Gh+Tqm7Iuw=,iv:/KN+wE9xJINjrrBxW9+tCeEBEFcYjOaTwliWbgccnlE=,tag:STPrb4MhF2mBN/lvq1QMQA==,type:str] + INIT_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:GCo+Cq62ODY=,iv:tYkbqI6vj5vhx+KQ54wGtPcd2Wh6XZWKOjddznKd/nc=,tag:1GxhF2F9gBr54nVCjQHY6A==,type:str] + INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:Qg1+pZPOM0OSOKOiK78=,iv:IYy6Ky9gXCmKxEv/QxBbUX7Ya/coo/qw7DDJsu9UNkA=,tag:7dgLwajov9el1eEaqJFISw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcitjZUhuT0s5ek53RWxo + M3U0aFlHN1Z6ZU90bUhHN2hmN0xOWWFCWmxBCm12SmxSR2pZbVdJY2VISjBDRm5y + T2tjWHhkSks5VnhIRFl0NGY0VkZ0blUKLS0tICs2VEoyWE1kbUk5MzZ3RnErRG5D + bEdYV2dwZUcyZnJuN1lpMDVVVVk4dTQK/eRkn4jd7CQPO4hGe8QjVlfxF/yTvx/h + BLilN3oAkFyU1DiQCV6kaqecN2DIoTCwAjyCQgCOX7RzBWdczvKdSQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T20:42:23Z" + mac: ENC[AES256_GCM,data:mGCdtoPFz5S+wrBS4fflboP9BdLssJEh35v4wb02E0aHSQZh7w0zKwA3WPDgSK/GVyUBYuNfsvh/giPCT5kMUejIin+1D2YdICj4cmpxNXcCzJz8i5EjcmqOrn1lfjdpVKQNJLwv9bvwCIcstLySux1h+5Wn8iAq4WVLFR7Fy4g=,iv:A4rJST84DQT5nYcnl2qMTlOBSaP7Dk4jRyYM/syucrQ=,tag:dACNiqGqO6CUpnXujCqMFQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 
From 783d0705dcba03173206f147320f41a06eb2f64a Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 21:50:33 +0100 Subject: [PATCH 038/114] fix authentik --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 7 +------ kubernetes/apps/security/authentik/app/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index fb4980eb..38d46af9 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -120,12 +120,7 @@ spec: # Redis configuration (bundled) redis: - enabled: true - master: - persistence: - enabled: true - size: 2Gi - storageClass: longhorn + enabled: false # Disable bundled PostgreSQL (using external postgres18) postgresql: diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 401de914..037c3742 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./authentik-secret.sops.yaml + - ./secret.sops.yaml - ./pvc.yaml - ./helmrelease.yaml From 68f2e8d3c892542fad7630ae58e7c302e9cb9cb2 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 21:55:14 +0100 Subject: [PATCH 039/114] authentik bump to 2025.8.6 version --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 38d46af9..e8f08749 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -10,7 +10,7 @@ spec: chart: spec: chart: authentik - version: "2025.2.2" + version: "2025.8.6" sourceRef: kind: HelmRepository name: goauthentik From 2c2d1029b5191cbd65dd6c4967e2fc20dc44fcb3 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:05:04 +0100 Subject: [PATCH 040/114] fix authentik version --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index e8f08749..6fa515ae 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: authentik - version: "2025.8.6" + version: "2025.8.4" sourceRef: kind: HelmRepository name: goauthentik From 669589c7175f93f75378010b984cbf2d03918188 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:17:26 +0100 Subject: [PATCH 041/114] fix authentik secret configuration --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 6fa515ae..466a9a70 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -44,10 +44,8 @@ spec: # Authentik configuration authentik: - # Use existing secret instead of creating one - enabled: false - existingSecret: - secretName: authentik-secret + secret_key: "" # Will be overridden by env var from secret + existingSecret: authentik-secret log_level: info error_reporting: From 2aa4c6519f78c8529702f72455cfffcdebd52d57 Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 28 Mar 2026 22:19:11 +0100 Subject: [PATCH 042/114] fix authentik chart configuration - disable built-in secret --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 466a9a70..005cdf8a 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -44,9 +44,8 @@ spec: # Authentik configuration authentik: - secret_key: "" # Will be overridden by env var from secret - existingSecret: authentik-secret - + # Don't create a secret - we provide credentials via global.envFrom + enabled: false log_level: info error_reporting: enabled: false From a594d099b09cb25812b51f7e2484603f9115cf42 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:22:00 +0100 Subject: [PATCH 043/114] dont wait to ready up --- kubernetes/apps/security/authentik/ks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml index df497829..5890c46c 100644 --- a/kubernetes/apps/security/authentik/ks.yaml +++ b/kubernetes/apps/security/authentik/ks.yaml @@ -19,4 +19,4 @@ spec: name: flux-system namespace: flux-system targetNamespace: security - wait: true + wait: false From 948975989f8ceedc80ce4c926bd1756a78c6d563 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:26:45 +0100 Subject: [PATCH 044/114] fix secret name --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 4 ++-- kubernetes/apps/security/authentik/app/secret.sops.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 005cdf8a..af62e0dc 100644 
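Review bot: Setting `wait: false` on the authentik Kustomization makes Flux report it Ready as soon as the manifests are applied, so a HelmRelease that never becomes healthy no longer fails the Kustomization, and anything that `dependsOn` it proceeds without the identity provider being up. If the goal is to stop a slow install from timing out, raising `timeout` (currently 15m in `ks.yaml`) or listing the HelmRelease under `spec.healthChecks` keeps the gate while loosening the deadline. If disabling the wait is intentional, a comment such as `# wait disabled: <reason>` next to the line would record why.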
--- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -31,7 +31,7 @@ spec: envFrom: - secretRef: - name: authentik-secret + name: authentik volumes: - name: media @@ -67,7 +67,7 @@ spec: image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf envFrom: - secretRef: - name: authentik-secret + name: authentik resources: requests: diff --git a/kubernetes/apps/security/authentik/app/secret.sops.yaml b/kubernetes/apps/security/authentik/app/secret.sops.yaml index c4a75cd8..946cce70 100644 --- a/kubernetes/apps/security/authentik/app/secret.sops.yaml +++ b/kubernetes/apps/security/authentik/app/secret.sops.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Secret metadata: - name: authentik-secret + name: authentik namespace: security type: Opaque stringData: From a304302179a6e67a3a2ccaac02dce90e5ef238d2 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:42:41 +0100 Subject: [PATCH 045/114] add minimal redis instance for authentik 2025.8.x compatibility Authentik 2025.8.x no longer uses Redis for background tasks (replaced with PostgreSQL-based Dramatiq), but still requires Redis connection during startup for migration from the old Celery/Redis task system. Changes: - Add minimal Redis deployment (64Mi-128Mi memory) - Configure authentik.redis.host to point to local Redis service - Update kustomization to include redis.yaml Once migration is complete, Redis won't be actively used by Authentik. --- .../security/authentik/app/helmrelease.yaml | 5 +++ .../security/authentik/app/kustomization.yaml | 1 + .../apps/security/authentik/app/redis.yaml | 41 +++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 kubernetes/apps/security/authentik/app/redis.yaml diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index af62e0dc..4d838ece 100644 
--- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -57,6 +57,11 @@ spec: name: "authentik" user: "authentik" + # Redis config (minimal instance for 2025.8.x migration compatibility) + redis: + host: "authentik-redis.security.svc.cluster.local" + password: "" + # Server configuration server: replicas: 1 diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 037c3742..324fab08 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -5,4 +5,5 @@ kind: Kustomization resources: - ./secret.sops.yaml - ./pvc.yaml + - ./redis.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/security/authentik/app/redis.yaml b/kubernetes/apps/security/authentik/app/redis.yaml new file mode 100644 index 00000000..b4c48d9c --- /dev/null +++ b/kubernetes/apps/security/authentik/app/redis.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authentik-redis + namespace: security +spec: + replicas: 1 + selector: + matchLabels: + app: authentik-redis + template: + metadata: + labels: + app: authentik-redis + spec: + containers: + - name: redis + image: docker.io/library/redis:8.2-alpine + ports: + - containerPort: 6379 + name: redis + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: authentik-redis + namespace: security +spec: + selector: + app: authentik-redis + ports: + - port: 6379 + targetPort: 6379 + name: redis From 3b6daaaab72b4dfe89f6bb9072856b1d74d2340d Mon Sep 17 00:00:00 2001 
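Review bot: The `authentik-redis` Deployment runs Redis with no authentication, no NetworkPolicy and no securityContext, and the image is pinned only to the mutable tag `docker.io/library/redis:8.2-alpine`, unlike the digest-pinned `postgres-init` image in the same HelmRelease. Because the Service is a plain ClusterIP with no policy, any pod in the cluster can reach the instance, and the commit message itself says it exists only for the migration step, so it is worth locking down rather than leaving a reachable, unauthenticated cache beside the identity provider. A NetworkPolicy admitting ingress on 6379 only from the authentik server and worker pods (by whatever labels the chart sets — verify against the rendered manifests) closes that gap, and the securityContext below runs Redis as non-root with a read-only filesystem and snapshotting disabled via `--save ""`, which suits a throwaway instance. Pinning by `@sha256:` digest would match the rest of the file.

```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999  # redis user in the official image - confirm for this tag
        runAsGroup: 999
      containers:
        - name: redis
          image: docker.io/library/redis:8.2-alpine  # pin as redis:8.2-alpine@sha256:<digest>
          args: ["--save", ""]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, resources …
```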
From: cloudwithdan Date: Sat, 28 Mar 2026 22:43:50 +0100 Subject: [PATCH 046/114] fix redis configuration - set AUTHENTIK_REDIS__HOST env var The authentik.redis.host setting in Helm values doesn't automatically create environment variables. Need to explicitly set AUTHENTIK_REDIS__HOST via global.env to point to the Redis service. --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 4d838ece..4a50f7f7 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -29,6 +29,10 @@ spec: deploymentAnnotations: reloader.stakater.com/auto: "true" + env: + - name: AUTHENTIK_REDIS__HOST + value: "authentik-redis.security.svc.cluster.local" + envFrom: - secretRef: name: authentik @@ -57,11 +61,6 @@ spec: name: "authentik" user: "authentik" - # Redis config (minimal instance for 2025.8.x migration compatibility) - redis: - host: "authentik-redis.security.svc.cluster.local" - password: "" - # Server configuration server: replicas: 1 From 8b6b8c1b5c8a76f83a46dde74f86cb2857dc04bd Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:49:42 +0100 Subject: [PATCH 047/114] add init container to fix media volume permissions Fix permission denied error on /media/public by adding an init container that sets proper ownership (1000:1000) and permissions (755) on the media volume before authentik starts. --- .../apps/security/authentik/app/helmrelease.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 4a50f7f7..8c2fa812 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -65,8 +65,21 @@ spec: server: replicas: 1 - # Init container to ensure database exists + # Init containers initContainers: + # Fix permissions on media volume + - name: init-permissions + image: busybox:latest + command: + - sh + - -c + - | + chown -R 1000:1000 /media + chmod -R 755 /media + volumeMounts: + - name: media + mountPath: /media + # Ensure database exists - name: init-db image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf envFrom: From a680ed40e5dca0a7968646a7b8f6e7a99771139e Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 22:52:51 +0100 Subject: [PATCH 048/114] remove authentik media PVC --- .../security/authentik/app/helmrelease.yaml | 21 ------------------- .../security/authentik/app/kustomization.yaml | 1 - .../apps/security/authentik/app/pvc.yaml | 13 ------------ 3 files changed, 35 deletions(-) delete mode 100644 kubernetes/apps/security/authentik/app/pvc.yaml diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 8c2fa812..add80122 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -37,15 +37,6 @@ spec: - secretRef: name: authentik - volumes: - - name: media - persistentVolumeClaim: - claimName: authentik-media - - volumeMounts: - - name: media - mountPath: /media - # Authentik configuration authentik: # Don't create a secret - we provide credentials via global.envFrom 
@@ -67,18 +58,6 @@ spec: # Init containers initContainers: - # Fix permissions on media volume - - name: init-permissions - image: busybox:latest - command: - - sh - - -c - - | - chown -R 1000:1000 /media - chmod -R 755 /media - volumeMounts: - - name: media - mountPath: /media # Ensure database exists - name: init-db image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 324fab08..0d4f035a 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -4,6 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./secret.sops.yaml - - ./pvc.yaml - ./redis.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/security/authentik/app/pvc.yaml b/kubernetes/apps/security/authentik/app/pvc.yaml deleted file mode 100644 index 0ff49a1b..00000000 --- a/kubernetes/apps/security/authentik/app/pvc.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: authentik-media - namespace: security -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 1Gi From 39ed8131cc85194fb7afde0ed6b80c0907c7c73c Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:11:43 +0100 Subject: [PATCH 049/114] fix auth ingress --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index add80122..00ee84ee 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -81,6 +81,9 @@ spec: # Use standard Kubernetes Ingress (Traefik will handle it) ingress: enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "auth.${SECRET_EXTERNAL_DOMAIN}" ingressClassName: traefik hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" From 6944ee812f2ef41b412088383b02a050b144e656 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:13:38 +0100 Subject: [PATCH 050/114] fix: change ingress class to external for external-dns compatibility --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 00ee84ee..4a319bde 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -84,7 +84,7 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-production external-dns.alpha.kubernetes.io/target: "auth.${SECRET_EXTERNAL_DOMAIN}" - ingressClassName: traefik + ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" paths: From 422410dc66f6ec040187ab537ee4a96d19d81ff5 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:14:24 +0100 Subject: [PATCH 051/114] fix: remove self-referencing external-dns target annotation --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 4a319bde..a90661a9 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -83,7 +83,6 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - external-dns.alpha.kubernetes.io/target: "auth.${SECRET_EXTERNAL_DOMAIN}" ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" From 934a460a464046aa61cdc1b083ffea160fd29401 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:15:05 +0100 Subject: [PATCH 052/114] fix: disable cloudflare proxying for authentik ingress --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index a90661a9..687d927f 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -83,6 +83,7 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" From 7f59fa2ef8a894984c5e6a746f612b597cf1464b Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:16:02 +0100 Subject: [PATCH 053/114] fix: set external-dns target to cloudflare tunnel endpoint --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 687d927f..ee410542 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -83,7 +83,7 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" From 15f0c022c899276695816e3fff8bae414112ef10 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:20:11 +0100 Subject: [PATCH 054/114] fix: remove target annotation, use external-dns default-targets --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index ee410542..a90661a9 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -83,7 +83,6 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" From f8ea3e4c1c53ed9839ff8674f17e113eaf274a60 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:21:52 +0100 Subject: [PATCH 055/114] fix: add --force-default-targets to external-dns for cloudflare tunnel --- kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml index c943bf13..f985abe9 100644 --- a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml 
@@ -28,6 +28,7 @@ spec: - --ingress-class=external - --cloudflare-proxied - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com + - --force-default-targets policy: sync sources: ["crd", "ingress"] domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"] From 68d1b8ba1f19e4add011ced655041e7a8cd85937 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:30:04 +0100 Subject: [PATCH 056/114] fix: change ingress class from external to traefik --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index a90661a9..84d4cac9 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -83,7 +83,7 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - ingressClassName: external + ingressClassName: traefik hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" paths: From 45638c284da76d0b5146f9ccb4545488dd8e3a48 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:36:08 +0100 Subject: [PATCH 057/114] fix: restore external-dns target annotation and external ingress class --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 84d4cac9..742ab679 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -78,12 +78,13 @@ spec: serviceMonitor: enabled: false - # Use standard Kubernetes Ingress (Traefik will handle it) + # Use standard Kubernetes Ingress ingress: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - ingressClassName: traefik + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" + ingressClassName: external hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" paths: From b9fdef3a6838a79675167b9f26f35b1461bfe34d Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:38:09 +0100 Subject: [PATCH 058/114] fix: use traefik ingress class for routing (external-dns uses target annotation) --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 742ab679..5173020c 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -84,7 +84,7 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-production external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" - ingressClassName: external + ingressClassName: traefik hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" paths: From 41f7c1b7131e834f7009fd74060c8d4f05c8c615 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 28 Mar 2026 23:45:13 +0100 Subject: [PATCH 059/114] fix: manage authentik dns via external-dns endpoint --- .../apps/security/authentik/app/dnsendpoint.yaml | 11 +++++++++++ .../apps/security/authentik/app/helmrelease.yaml | 1 - .../apps/security/authentik/app/kustomization.yaml | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/security/authentik/app/dnsendpoint.yaml 
diff --git a/kubernetes/apps/security/authentik/app/dnsendpoint.yaml b/kubernetes/apps/security/authentik/app/dnsendpoint.yaml new file mode 100644 index 00000000..1e1397cd --- /dev/null +++ b/kubernetes/apps/security/authentik/app/dnsendpoint.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: authentik + namespace: security +spec: + endpoints: + - dnsName: "auth.${SECRET_EXTERNAL_DOMAIN}" + recordType: CNAME + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 5173020c..71a30aed 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -83,7 +83,6 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production - external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" ingressClassName: traefik hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 0d4f035a..f4192d57 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -5,4 +5,5 @@ kind: Kustomization resources: - ./secret.sops.yaml - ./redis.yaml + - ./dnsendpoint.yaml - ./helmrelease.yaml From c614895697265d76b3429d3acbd2927863fb9396 Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 28 Mar 2026 23:46:00 +0100 Subject: [PATCH 060/114] fix: restore external-dns ingress-based auth record management --- .../infrastructure/external-dns/app/helmrelease.yaml | 2 +- .../apps/security/authentik/app/dnsendpoint.yaml | 11 ----------- .../apps/security/authentik/app/helmrelease.yaml | 1 + .../apps/security/authentik/app/kustomization.yaml | 1 - 4 files changed, 2 insertions(+), 13 deletions(-) delete mode 100644 kubernetes/apps/security/authentik/app/dnsendpoint.yaml diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml index f985abe9..70af3abf 100644 --- a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml @@ -25,7 +25,7 @@ spec: name: external-dns-secret key: api-token extraArgs: - - --ingress-class=external + - --ingress-class=traefik - --cloudflare-proxied - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com - --force-default-targets diff --git a/kubernetes/apps/security/authentik/app/dnsendpoint.yaml b/kubernetes/apps/security/authentik/app/dnsendpoint.yaml deleted file mode 100644 index 1e1397cd..00000000 --- a/kubernetes/apps/security/authentik/app/dnsendpoint.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: authentik - namespace: security -spec: - endpoints: - - dnsName: "auth.${SECRET_EXTERNAL_DOMAIN}" - recordType: CNAME - targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 71a30aed..5173020c 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
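Review bot: Changing `--ingress-class=external` to `--ingress-class=traefik` makes external-dns publish a record for every traefik-class Ingress under `${SECRET_EXTERNAL_DOMAIN}`, and the `--default-targets` and `--force-default-targets` flags kept in the same list point all of them at the Cloudflare tunnel regardless of their own annotations. Any internal-only Ingress that shares the traefik class and matches the domain filter would then get a public, proxied CNAME; whether such ingresses exist cannot be seen from this hunk, so please check. If opt-in publishing was the intent, keep a dedicated class for public services or narrow selection with `--annotation-filter`, and record the decision with a comment such as `# every traefik-class ingress in the domain filter is published via the tunnel`. The extraArgs list continues past the end of the hunk.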
@@ -83,6 +83,7 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" ingressClassName: traefik hosts: - "auth.${SECRET_EXTERNAL_DOMAIN}" diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index f4192d57..0d4f035a 100644 --- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -5,5 +5,4 @@ kind: Kustomization resources: - ./secret.sops.yaml - ./redis.yaml - - ./dnsendpoint.yaml - ./helmrelease.yaml From eb926f8decb1a9be4c0410f1bc2e068891b2490f Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 00:06:02 +0100 Subject: [PATCH 061/114] bump authentik to 2025.12.0 --- kubernetes/apps/security/authentik/app/helmrelease.yaml | 8 ++++---- kubernetes/apps/security/authentik/app/kustomization.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml index 5173020c..2c3ac306 100644 --- a/kubernetes/apps/security/authentik/app/helmrelease.yaml +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: authentik - version: "2025.8.4" + version: "2025.12.0" sourceRef: kind: HelmRepository name: goauthentik @@ -29,9 +29,9 @@ spec: deploymentAnnotations: reloader.stakater.com/auto: "true" - env: - - name: AUTHENTIK_REDIS__HOST - value: "authentik-redis.security.svc.cluster.local" + # env: + # - name: AUTHENTIK_REDIS__HOST + # value: "authentik-redis.security.svc.cluster.local" envFrom: - secretRef: diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml index 0d4f035a..77256996 100644 
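Review bot: The Redis wiring is commented out rather than removed — the `AUTHENTIK_REDIS__HOST` env entry in this hunk and `./redis.yaml` in the `kustomization.yaml` hunk of the same commit — which leaves dead configuration that will drift from the chart. If 2025.12.0 no longer needs Redis (inferred from the bump, not shown here), delete the three env lines and the `redis.yaml` manifest outright; if it still does, the commented `./redis.yaml` entry drops the Redis workload from Flux reconciliation and should be restored. Either way a one-line comment at the env block, e.g. `# Redis dependency removed with the 2025.12.0 upgrade`, records the reason for the next reader.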
--- a/kubernetes/apps/security/authentik/app/kustomization.yaml +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./secret.sops.yaml - - ./redis.yaml +# - ./redis.yaml - ./helmrelease.yaml From 142418040cefb7b57e85cabbc6132a443f13746e Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sun, 29 Mar 2026 13:18:50 +0200 Subject: [PATCH 062/114] feat(selfhosted): add Linkwarden bookmark manager deployment - Add Linkwarden v2.13.5 deployment to selfhosted namespace - Configure PostgreSQL database on postgres18 cluster - Add postgres-init container to ensure database exists - Configure Authentik SSO integration - Set up ingress at bookmarks.cloudwithdan.com with TLS - Add 5Gi PVC for data storage (screenshots/PDFs) - Include database restore script for PostgreSQL setup - Configure Cloudflare Tunnel and external-dns integration --- kubernetes/apps/selfhosted/kustomization.yaml | 7 + .../selfhosted/linkwarden/app/deployment.yaml | 133 ++++++++++++++++++ .../selfhosted/linkwarden/app/ingress.yaml | 26 ++++ .../linkwarden/app/kustomization.yaml | 11 ++ .../selfhosted/linkwarden/app/namespace.yaml | 10 ++ .../apps/selfhosted/linkwarden/app/pvc.yaml | 13 ++ .../linkwarden/app/secret.sops.yaml | 34 +++++ .../selfhosted/linkwarden/app/service.yaml | 17 +++ kubernetes/apps/selfhosted/linkwarden/ks.yaml | 22 +++ kubernetes/apps/selfhosted/namespace.yaml | 10 ++ scripts/restore-linkwarden-db.sh | 108 ++++++++++++++ 11 files changed, 391 insertions(+) create mode 100644 kubernetes/apps/selfhosted/kustomization.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/app/service.yaml create mode 100644 kubernetes/apps/selfhosted/linkwarden/ks.yaml create mode 100644 kubernetes/apps/selfhosted/namespace.yaml create mode 100755 scripts/restore-linkwarden-db.sh 
diff --git a/kubernetes/apps/selfhosted/kustomization.yaml b/kubernetes/apps/selfhosted/kustomization.yaml new file mode 100644 index 00000000..51bc2792 --- /dev/null +++ b/kubernetes/apps/selfhosted/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./linkwarden/ks.yaml \ No newline at end of file diff --git a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml new file mode 100644 index 00000000..8af41168 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml 
@@ -0,0 +1,133 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: linkwarden + namespace: selfhosted + labels: + app: linkwarden +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: linkwarden + template: + metadata: + labels: + app: linkwarden + spec: + initContainers: + # Ensure database exists before app starts + - name: init-db + image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf + envFrom: + - secretRef: + name: linkwarden-secret + + # Fix data directory permissions + - name: init-permissions + image: busybox:latest + command: ['sh', '-c', 'chown -R 1000:1000 /data'] + volumeMounts: + - name: data + mountPath: /data + + containers: + - name: linkwarden + image: ghcr.io/linkwarden/linkwarden:v2.13.5 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + name: http + env: + # Database connection + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: DATABASE_URL + + # NextAuth configuration + - name: NEXTAUTH_URL + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: NEXTAUTH_URL + - name: NEXTAUTH_SECRET + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: NEXTAUTH_SECRET + + # Authentik SSO configuration + - name: NEXT_PUBLIC_AUTHENTIK_ENABLED + value: "true" + - name: AUTHENTIK_ISSUER + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: AUTHENTIK_ISSUER + - name: AUTHENTIK_CLIENT_ID + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: AUTHENTIK_CLIENT_ID + - name: AUTHENTIK_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: AUTHENTIK_CLIENT_SECRET + + # S3 storage for screenshots/PDFs (optional) + - name: SPACES_KEY + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: ACCESS_KEY_ID + optional: true + - name: SPACES_SECRET + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: SECRET_ACCESS_KEY + optional: true + + # Storage 
folder + - name: STORAGE_FOLDER + value: /data + + volumeMounts: + - name: data + mountPath: /data + + resources: + requests: + cpu: 250m + memory: 256Mi + limits: + memory: 4Gi + + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 3 + failureThreshold: 3 + + volumes: + - name: data + persistentVolumeClaim: + claimName: linkwarden-data diff --git a/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml b/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml new file mode 100644 index 00000000..0da707ad --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: linkwarden + namespace: selfhosted + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" +spec: + ingressClassName: traefik + tls: + - hosts: + - bookmarks.${SECRET_EXTERNAL_DOMAIN} + secretName: linkwarden-tls + rules: + - host: bookmarks.${SECRET_EXTERNAL_DOMAIN} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: linkwarden + port: + number: 3000 diff --git a/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml new file mode 100644 index 00000000..da144ff6 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./secret.sops.yaml + - ./pvc.yaml + - ./deployment.yaml + - ./service.yaml + - ./ingress.yaml 
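Review bot: The pod carries no `securityContext` at any level: `init-permissions` runs `chown -R` as root from the unpinned `busybox:latest` image (while `init-db` is digest-pinned), and the `linkwarden` container sets neither `runAsNonRoot`, `allowPrivilegeEscalation: false` nor a capability drop. The chown to `1000:1000` suggests the app runs as uid 1000 — confirm against the image — in which case a pod-level `fsGroup` makes the root init container unnecessary and the Deployment can meet the `baseline` Pod Security level. If `init-db` needs a different uid, set `runAsUser` on that container instead of at pod level. The rewritten parts are below; everything not shown stays as in the hunk.
```yaml
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
        # … unchanged: init-db …
        # init-permissions removed: fsGroup now sets ownership of the volume
      containers:
        - name: linkwarden
          image: ghcr.io/linkwarden/linkwarden:v2.13.5
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: imagePullPolicy, ports, env, volumeMounts, resources, probes …
```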
diff --git a/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml b/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml new file mode 100644 index 00000000..92070613 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: selfhosted + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml b/kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml new file mode 100644 index 00000000..63e13eac --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: linkwarden-data + namespace: selfhosted +spec: + accessModes: + - ReadWriteOnce + storageClassName: longhorn + resources: + requests: + storage: 5Gi diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml new file mode 100644 index 00000000..b47d54b6 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Secret +metadata: + name: linkwarden-secret + namespace: selfhosted +stringData: + POSTGRES_USERNAME: ENC[AES256_GCM,data:RWzm,iv:cPig4+d09VR2xqo+0O3oJ7YH5mM1RqDYvi+Fw1b7HjU=,tag:cK0EyZZcwFWE28yUou3VTA==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:0gNsa1050CB+bA==,iv:inKV6P8maOPSjdWpZOta930mBn1AcgpR5MaAG8xQ33I=,tag:mJqLpaWV5/HFgYQLYy4Ynw==,type:str] + POSTGRES_HOST: ENC[AES256_GCM,data:ngD4vKk2yvDbqQoypK5VMwXQXzoyYovdg5sAvPoPSVokehbNFt+Oo1RyZy6K,iv:ibSu9shChON1ZsILOKlYNgU1gGbi1Q2jmw/VRmL8ImQ=,tag:jToU5PWDEg2U+cTVpmHXRw==,type:str] + POSTGRES_PORT: ENC[AES256_GCM,data:AHrkwpb3c9U=,iv:AjT8vTIzsDTPAwYZqyUjU2Ge2U8mlaMeLCPQQSUlzQs=,tag:DXGfA37M8P4vpkF0mBMpMg==,type:str] + POSTGRES_DATABASE: ENC[AES256_GCM,data:nUis,iv:aadEax3bIX/tBumb7WKex3+gYc2ErUow0zAGqaoNUBg=,tag:M0QdvPS+6FDZmJOdbxiN5Q==,type:str] + DATABASE_URL: ENC[AES256_GCM,data:lpZqv/Q07dj9sR+npatoQwyWgKUZo4ln+a68nOo0KFgDdEYSsikWXJgO6aYjOzktGkGj/BOLIcbxQ4np4+bWo1C17sT1vce2H8RYWbFWmMec3A==,iv:TVHH6qdjAulIObHz/MzTa2korDr01ZVSHgCvE+dQGwI=,tag:LPsJ2APMpOYgDnW4XbYUQg==,type:str] + NEXTAUTH_SECRET: ENC[AES256_GCM,data:tg0wq+M1BefA2Dm0pd5E,iv:bwCrHwhfVPcY1ruf/yDqm+w7fwzK3zZ4POUh4+o5Kmc=,tag:3GU/Nttw3jFtGvLNEKWtrw==,type:str] + ACCESS_KEY_ID: ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] + SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] + NEXTAUTH_URL: ENC[AES256_GCM,data:JOwj3rRw1b7rbIk93aZMRpwCZN60DAiWnQKTwkmqIX/3NtwiKnVDwaOdW1xA,iv:OGElrs4mPAkD7XLlwGRP03ZS81tc6lKAyCYHtSiy/SA=,tag:VGttguZVSmGJ2FtTgw1KNg==,type:str] + AUTHENTIK_ISSUER: ENC[AES256_GCM,data:LGdXrZsYv46FxBzv+06E52E18ErnXKuFfCZ40gQwVZxMVjBAIVeVqEQsbsst8ZsLtgRdKJoE,iv:4JqcJme2gMYXyd5S39WvfzNwGlwmy+/h9B5uKI8IC28=,tag:CCR5bk5gE4kIhMWI7N+mdw==,type:str] + AUTHENTIK_CLIENT_ID: 
ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:wTiU3o+6mxby7xAhpiCLqGcb2mz3Ovh1fnbkOvb4AK7vH6/Zg1MizOdaCjWAd0tBh4MJ6TT6TuYiEQnLeM4ZhRtx81hCypt/aHhwygcGXHG7N5fLgr8ejfNh+P2tf8ih7KTdZZcFnoBDS8arjwEwO9JrIEOWcWENQiKtp1MTqqY=,iv:nLWWkwTRaL8cN9VKGqLjVq/Xinc24cdDT5YiUo7/gDE=,tag:pZQNJalE8/yVLvRpEeDOUw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdVhqT2xEYU5razdWbmha + UWVGQit5SHliTjdibkJPYkIwSTNBNUt6bkZZCk4xK2pLcUFNRVltUkQxOHc5MHRx + cGJqanVQNXFDZTNHUzlOeFNrRWY5UG8KLS0tIFVzdGk4Tlh3M2pvMFZkUUVldFo3 + Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT + U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-29T10:56:20Z" + mac: ENC[AES256_GCM,data:rAj4Z398Z4hpcnHMCr5yjwYaO/PTKZV6VVOCqprdaCNvF/paZefdlbsL4oqr/yi4DE/dbrKKj/aB8Pf77ESqUsA4kw5f9AotaHd1xHwWCPAjCJx5mEj4eGYPEfaTYlTknutOzXQV0gE4zyUjTiZHMgdAFtzzo0a8uFMR5SA4xus=,iv:BqveuEnEBCvgokhONYdTuK4UPGbgZ9lwqclF6gPwlYY=,tag:5SFBL+/1Yq/h+GqRT5U1lA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/selfhosted/linkwarden/app/service.yaml b/kubernetes/apps/selfhosted/linkwarden/app/service.yaml new file mode 100644 index 00000000..d82b0788 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/service.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: linkwarden + namespace: selfhosted + labels: + app: linkwarden +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: http + protocol: TCP + name: http + selector: + app: linkwarden 
diff --git a/kubernetes/apps/selfhosted/linkwarden/ks.yaml b/kubernetes/apps/selfhosted/linkwarden/ks.yaml new file mode 100644 index 00000000..610eb130 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app linkwarden + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/selfhosted/linkwarden/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: selfhosted + wait: false diff --git a/kubernetes/apps/selfhosted/namespace.yaml b/kubernetes/apps/selfhosted/namespace.yaml new file mode 100644 index 00000000..6c5a9834 --- /dev/null +++ b/kubernetes/apps/selfhosted/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: selfhosted + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/scripts/restore-linkwarden-db.sh b/scripts/restore-linkwarden-db.sh new file mode 100755 index 00000000..0f942307 --- /dev/null +++ b/scripts/restore-linkwarden-db.sh 
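Review bot: Both `kubernetes/apps/selfhosted/namespace.yaml` here and the `linkwarden/app/namespace.yaml` copy added earlier in this commit label the namespace `privileged` for enforce, audit and warn, which switches Pod Security admission off for a namespace that so far hosts one stateless web Deployment. `privileged` permits host namespaces, hostPath and privileged containers for anything deployed here later, and nothing in the Linkwarden manifests needs that. Unless the root `init-permissions` container is kept, `restricted` would pass; at minimum use `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted`.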
@@ -0,0 +1,108 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Linkwarden Database Restore Script - Version 2 +# This script uses pg_dump/pg_restore via psql since the backup is a barman base backup + +# Color output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +log_info() { + echo -e "${GREEN}[INFO]${NC} $1" +} + +log_warn() { + echo -e "${YELLOW}[WARN]${NC} $1" +} + +log_error() { + echo -e "${RED}[ERROR]${NC} $1" +} + +# Configuration +NAMESPACE="database" +POSTGRES_HOST="postgres18-rw.database.svc.cluster.local" +POSTGRES_PORT="5432" +DB_NAME="linkwarden" +DB_USER="linkwarden" +DB_PASSWORD="linkwarden" # This should match the secret +POSTGRES_SUPER_USER="postgres" +POSTGRES_SUPER_PASS="x088Fi7OU1LOVr" # From cloudnative-pg-secret + +log_warn "The S3 backup is a physical PGDATA backup (barman format)." +log_warn "Since we're migrating to postgres18 cluster, we'll create an empty database." +log_warn "Linkwarden will run its own migrations on first startup." +log_info "" + +# Create a temporary pod to access postgres +SETUP_POD_NAME="linkwarden-dbsetup-$(date +%s)" + +log_info "Creating database setup pod: ${SETUP_POD_NAME}" + +cat < /dev/null + +log_info "Application user can connect successfully" + +# Cleanup +log_info "Cleaning up setup pod..." +kubectl delete pod ${SETUP_POD_NAME} -n ${NAMESPACE} + +log_info "✅ Database setup completed successfully!" +log_info "" +log_info "Database Details:" +log_info " Host: ${POSTGRES_HOST}" +log_info " Port: ${POSTGRES_PORT}" +log_info " Database: ${DB_NAME}" +log_info " User: ${DB_USER}" +log_info "" +log_info "Note: Database is empty. Linkwarden will run Prisma migrations on first startup." +log_info "If you need to import old data, you'll need to use pg_dump from the old cluster" +log_info "and pg_restore it into this new database." From a2e834d68b6b0ba0c11fd75dcf265bd19d714ceb Mon Sep 17 00:00:00 2001 
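Review bot: `POSTGRES_SUPER_PASS` and `DB_PASSWORD` are hard-coded plaintext credentials in a committed script, and the comment on the superuser line says the value comes from `cloudnative-pg-secret`, so a database superuser password is now in git history and needs rotation, not just removal. Read both at runtime instead, e.g. `POSTGRES_SUPER_PASS="$(kubectl -n "${NAMESPACE}" get secret cloudnative-pg-secret -o jsonpath='{.data.<SECRET-KEY>}' | base64 -d)"` with the real key substituted, and likewise for the app user from `linkwarden-secret` in `selfhosted`. The pod-creation block between `cat <` and `/dev/null` is garbled in this rendering, so the manifest it applies could not be reviewed; the later `kubectl delete pod ${SETUP_POD_NAME} -n ${NAMESPACE}` should quote both expansions.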
From: cloudwithdan Date: Sun, 29 Mar 2026 13:22:23 +0200 Subject: [PATCH 063/114] fix secrets --- .../linkwarden/app/secret.sops.yaml | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index b47d54b6..887a64d2 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -4,19 +4,26 @@ metadata: name: linkwarden-secret namespace: selfhosted stringData: - POSTGRES_USERNAME: ENC[AES256_GCM,data:RWzm,iv:cPig4+d09VR2xqo+0O3oJ7YH5mM1RqDYvi+Fw1b7HjU=,tag:cK0EyZZcwFWE28yUou3VTA==,type:str] + POSTGRES_USERNAME: ENC[AES256_GCM,data:ZCCQmryeHj0lzA==,iv:oXU0BuEKI6ABV5unMWqaV9Rga6eYhjJC+yix98du844=,tag:i/JPR2yGg25+AC96RJep6g==,type:str] POSTGRES_PASSWORD: ENC[AES256_GCM,data:0gNsa1050CB+bA==,iv:inKV6P8maOPSjdWpZOta930mBn1AcgpR5MaAG8xQ33I=,tag:mJqLpaWV5/HFgYQLYy4Ynw==,type:str] - POSTGRES_HOST: ENC[AES256_GCM,data:ngD4vKk2yvDbqQoypK5VMwXQXzoyYovdg5sAvPoPSVokehbNFt+Oo1RyZy6K,iv:ibSu9shChON1ZsILOKlYNgU1gGbi1Q2jmw/VRmL8ImQ=,tag:jToU5PWDEg2U+cTVpmHXRw==,type:str] + POSTGRES_HOST: ENC[AES256_GCM,data:ayOUoi12jcmU+6KPjxKC6epXIkcjvgbcls/O5L0+Mh3OW3PRP8p7zg==,iv:EdgbU0ZEOUjIKVgjwjtZc9ShPdGCW/ZhWrPFUI5VimU=,tag:hEo9HN9LlQgjGi1S7ru0zQ==,type:str] POSTGRES_PORT: ENC[AES256_GCM,data:AHrkwpb3c9U=,iv:AjT8vTIzsDTPAwYZqyUjU2Ge2U8mlaMeLCPQQSUlzQs=,tag:DXGfA37M8P4vpkF0mBMpMg==,type:str] - POSTGRES_DATABASE: ENC[AES256_GCM,data:nUis,iv:aadEax3bIX/tBumb7WKex3+gYc2ErUow0zAGqaoNUBg=,tag:M0QdvPS+6FDZmJOdbxiN5Q==,type:str] - DATABASE_URL: ENC[AES256_GCM,data:lpZqv/Q07dj9sR+npatoQwyWgKUZo4ln+a68nOo0KFgDdEYSsikWXJgO6aYjOzktGkGj/BOLIcbxQ4np4+bWo1C17sT1vce2H8RYWbFWmMec3A==,iv:TVHH6qdjAulIObHz/MzTa2korDr01ZVSHgCvE+dQGwI=,tag:LPsJ2APMpOYgDnW4XbYUQg==,type:str] + POSTGRES_DATABASE: ENC[AES256_GCM,data:w4v9dJpw4ow00A==,iv:zLVBXUCPw/1eArdo5tFEXqDRs4NVqpRSYOAwPx0fNDM=,tag:37Q94xEDu7DTQG71g/Y2Ig==,type:str] + DATABASE_URL: ENC[AES256_GCM,data:XuVVACh9IBctfinWVJQIvUB7Vd7d/6MqHR99juXJ3nfz8PMcDUc7gBzD5BhBNTk55ICXWNGXlG/QQ9P0na0eVLXEf5rxgoRhcX9mvXKW5pwEz6fsKcD1LdDvbQ==,iv:jAqtX+5agqbSay4mC7xxBpqLbd7JZ1o+vC1SI5ReU5U=,tag:HtvcRqDTWfYBY4JTnzBVqg==,type:str] NEXTAUTH_SECRET: ENC[AES256_GCM,data:tg0wq+M1BefA2Dm0pd5E,iv:bwCrHwhfVPcY1ruf/yDqm+w7fwzK3zZ4POUh4+o5Kmc=,tag:3GU/Nttw3jFtGvLNEKWtrw==,type:str] ACCESS_KEY_ID: 
ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] - NEXTAUTH_URL: ENC[AES256_GCM,data:JOwj3rRw1b7rbIk93aZMRpwCZN60DAiWnQKTwkmqIX/3NtwiKnVDwaOdW1xA,iv:OGElrs4mPAkD7XLlwGRP03ZS81tc6lKAyCYHtSiy/SA=,tag:VGttguZVSmGJ2FtTgw1KNg==,type:str] + NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] AUTHENTIK_ISSUER: ENC[AES256_GCM,data:LGdXrZsYv46FxBzv+06E52E18ErnXKuFfCZ40gQwVZxMVjBAIVeVqEQsbsst8ZsLtgRdKJoE,iv:4JqcJme2gMYXyd5S39WvfzNwGlwmy+/h9B5uKI8IC28=,tag:CCR5bk5gE4kIhMWI7N+mdw==,type:str] AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:wTiU3o+6mxby7xAhpiCLqGcb2mz3Ovh1fnbkOvb4AK7vH6/Zg1MizOdaCjWAd0tBh4MJ6TT6TuYiEQnLeM4ZhRtx81hCypt/aHhwygcGXHG7N5fLgr8ejfNh+P2tf8ih7KTdZZcFnoBDS8arjwEwO9JrIEOWcWENQiKtp1MTqqY=,iv:nLWWkwTRaL8cN9VKGqLjVq/Xinc24cdDT5YiUo7/gDE=,tag:pZQNJalE8/yVLvRpEeDOUw==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:qOOtNqzCJrtP/QHEn/ZW5Tn/W96g7axGuUli671VvD+WaN0cCbGi2gSEJ88oJKSXofxa4MnHU2RMxmXVJwIo2Qtq0DXMAxug48ClQIGyJsDHhqURjxdEOgYt1mia9gxqhkJ1h7viPcAh7Eg35xvajrKSPCQFpY+tL/D6LnBUBt4=,iv:FO+OXCHnZYBKCdoV0B5oO3GvUw5xKh/c/vv58tkXzzI=,tag:JdU/QIrqWLDQkXZsC483Og==,type:str] + INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] + INIT_POSTGRES_PORT: 
ENC[AES256_GCM,data:ula8XA==,iv:M7CabhhOPTr/ny52pXHGsdno9y/o1mU31jOPVAO4WOs=,tag:12N2jhRvbAyv84+FFujFXw==,type:int] + INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] + INIT_POSTGRES_USER: ENC[AES256_GCM,data:5N8/J1n6Ba9Vdw==,iv:aiSDp1g/fik+OqG1YyCTOU1AL6vi0SatYnjQ1mRYaw4=,tag:rqYSDWJMHs9kas3aMyD7Rg==,type:str] + INIT_POSTGRES_PASS: ENC[AES256_GCM,data:GHH/te6byeogBA==,iv:uuvttfms5Xv7T8QgW/a5zco0iU/yK4BNeCZ7z2nWb58=,tag:mhSNY93mY0H+Y9xItc6fDQ==,type:str] + INIT_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:UUojx4FeMSU=,iv:dNiCNOf1LqFRpBx75p/DzoHCH4oU0hjqVpgBM390ymg=,tag:ylbA3ERKKox8sOzepsavaA==,type:str] + INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:guyk8BwGsZ63ouQSGDM=,iv:bC3dXZPm1JHXsVTclQjl/R/0WSoVDO3fCz/3yL2AR6g=,tag:WxfzgbYREAOua+vU/mjl+g==,type:str] sops: age: - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv @@ -28,7 +35,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T10:56:20Z" - mac: ENC[AES256_GCM,data:rAj4Z398Z4hpcnHMCr5yjwYaO/PTKZV6VVOCqprdaCNvF/paZefdlbsL4oqr/yi4DE/dbrKKj/aB8Pf77ESqUsA4kw5f9AotaHd1xHwWCPAjCJx5mEj4eGYPEfaTYlTknutOzXQV0gE4zyUjTiZHMgdAFtzzo0a8uFMR5SA4xus=,iv:BqveuEnEBCvgokhONYdTuK4UPGbgZ9lwqclF6gPwlYY=,tag:5SFBL+/1Yq/h+GqRT5U1lA==,type:str] + lastmodified: "2026-03-29T11:21:33Z" + mac: ENC[AES256_GCM,data:yODHkS7tqgWjwbvpvdVUvY5i18cCakO3OG7lDVL+REWLvo8GW9fBU4oJmN9whsfsKWZX00Q1Mw3mOq6E0/dpX7jJHKbZzfE9uXNAva5Iq/R9gFtiUhhlnVwO4WA5FuEuTv6Bh9zt+JwFZlNfCm8hlRnJw6XwachuXNsrbdoeveM=,iv:U7vRHqXsY6YutzoHdLqnq1fbPEcucOeKQF+fUGuh2vs=,tag:6heNYcBjgnlEf6WuHLI10A==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From 654a9aaf8a22ceccf9bf10b0d99ecae6e15308eb Mon Sep 17 00:00:00 2001 
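Review bot: The new `INIT_POSTGRES_SUPER_USER` and `INIT_POSTGRES_SUPER_PASS` keys put a database superuser credential into the same `linkwarden-secret` the application pod consumes, so read access to that Secret in `selfhosted` now yields superuser on the postgres cluster; SOPS encryption protects the values in git, not in-cluster. The `init-db` container from the Deployment added in PATCH 062 uses `envFrom` on this Secret, so it also receives `NEXTAUTH_SECRET` and `AUTHENTIK_CLIENT_SECRET` it has no use for. Splitting the `INIT_POSTGRES_*` keys into a separate Secret (say `linkwarden-init-secret`) referenced only by `init-db` keeps each container to the credentials it needs.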
From: cloudwithdan Date: Sun, 29 Mar 2026 13:23:11 +0200 Subject: [PATCH 064/114] remove ns from dir --- .../apps/selfhosted/linkwarden/app/kustomization.yaml | 1 - .../apps/selfhosted/linkwarden/app/namespace.yaml | 10 ---------- 2 files changed, 11 deletions(-) delete mode 100644 kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml diff --git a/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml index da144ff6..68d19710 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml @@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - ./secret.sops.yaml - ./pvc.yaml - ./deployment.yaml diff --git a/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml b/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml deleted file mode 100644 index 92070613..00000000 --- a/kubernetes/apps/selfhosted/linkwarden/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: selfhosted - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" From 1d0a5d0b7b18799536363de8d0bae0deba10ca61 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 13:24:15 +0200 Subject: [PATCH 065/114] fix port int secret --- kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index 887a64d2..2abf0f6f 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -18,7 +18,7 @@ stringData: AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:qOOtNqzCJrtP/QHEn/ZW5Tn/W96g7axGuUli671VvD+WaN0cCbGi2gSEJ88oJKSXofxa4MnHU2RMxmXVJwIo2Qtq0DXMAxug48ClQIGyJsDHhqURjxdEOgYt1mia9gxqhkJ1h7viPcAh7Eg35xvajrKSPCQFpY+tL/D6LnBUBt4=,iv:FO+OXCHnZYBKCdoV0B5oO3GvUw5xKh/c/vv58tkXzzI=,tag:JdU/QIrqWLDQkXZsC483Og==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] - INIT_POSTGRES_PORT: ENC[AES256_GCM,data:ula8XA==,iv:M7CabhhOPTr/ny52pXHGsdno9y/o1mU31jOPVAO4WOs=,tag:12N2jhRvbAyv84+FFujFXw==,type:int] + INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] INIT_POSTGRES_USER: ENC[AES256_GCM,data:5N8/J1n6Ba9Vdw==,iv:aiSDp1g/fik+OqG1YyCTOU1AL6vi0SatYnjQ1mRYaw4=,tag:rqYSDWJMHs9kas3aMyD7Rg==,type:str] INIT_POSTGRES_PASS: ENC[AES256_GCM,data:GHH/te6byeogBA==,iv:uuvttfms5Xv7T8QgW/a5zco0iU/yK4BNeCZ7z2nWb58=,tag:mhSNY93mY0H+Y9xItc6fDQ==,type:str] 
@@ -35,7 +35,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T11:21:33Z" - mac: ENC[AES256_GCM,data:yODHkS7tqgWjwbvpvdVUvY5i18cCakO3OG7lDVL+REWLvo8GW9fBU4oJmN9whsfsKWZX00Q1Mw3mOq6E0/dpX7jJHKbZzfE9uXNAva5Iq/R9gFtiUhhlnVwO4WA5FuEuTv6Bh9zt+JwFZlNfCm8hlRnJw6XwachuXNsrbdoeveM=,iv:U7vRHqXsY6YutzoHdLqnq1fbPEcucOeKQF+fUGuh2vs=,tag:6heNYcBjgnlEf6WuHLI10A==,type:str] + lastmodified: "2026-03-29T11:24:09Z" + mac: ENC[AES256_GCM,data:T3dwX1mu4juJc69WlwgGlO8sRyQRkpBtgVqvv4fY9StPKWcIeEqO3ZIz2deROCgqan1WvkJSTGXCn1t0y2UdHH8o82Ft5KU+BU8gvmtPD5i4mzJEFr+eOEV/K7UFRN1CgycXOujqsnz+74P0WRa13+lG70qlfnad2K04L3yH6XQ=,iv:HhaAg+840Hn7GAFFSwQm6QWPiYZ1QKYQuYH5WdoqUF0=,tag:kSogOtUUvizocERC/qdu6A==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From cc2074818e2ea2df31975d32f121f86901ff9b48 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 13:38:02 +0200 Subject: [PATCH 066/114] bump linkwarden to v2.14.0 --- kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml index 8af41168..21f19c9f 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml @@ -36,7 +36,7 @@ spec: containers: - name: linkwarden - image: ghcr.io/linkwarden/linkwarden:v2.13.5 + image: ghcr.io/linkwarden/linkwarden:v2.14.0 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 From 4d60c07086ce80d9a02c80b3136bbd7bd7655750 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 13:43:09 +0200 Subject: [PATCH 067/114] fix data storage folder --- .../apps/selfhosted/linkwarden/app/deployment.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml index 21f19c9f..76bda100 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml @@ -29,14 +29,14 @@ spec: # Fix data directory permissions - name: init-permissions image: busybox:latest - command: ['sh', '-c', 'chown -R 1000:1000 /data'] + command: ['sh', '-c', 'chown -R 1000:1000 /data/data'] volumeMounts: - name: data - mountPath: /data + mountPath: /data/data containers: - name: linkwarden - image: ghcr.io/linkwarden/linkwarden:v2.14.0 + image: ghcr.io/linkwarden/linkwarden:v2.13.5 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 @@ -96,11 +96,11 @@ spec: # Storage folder - name: STORAGE_FOLDER - value: /data + value: /data/data volumeMounts: - name: data - mountPath: /data + mountPath: /data/data resources: requests: From c3119e85f5898c613114be2bce4483fc8fd976fc Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 13:46:39 +0200 Subject: [PATCH 068/114] fix linkwarden img v --- kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml index 76bda100..cb0a5e87 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml @@ -36,7 +36,7 @@ spec: containers: - name: linkwarden - image: ghcr.io/linkwarden/linkwarden:v2.13.5 + image: ghcr.io/linkwarden/linkwarden:v2.14.0 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 From ebfd8610086fb8e09d49f5d21dc625a2055faaa7 Mon Sep 17 00:00:00 2001 
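Review bot: The `containers` part of the first hunk reverts `image: ghcr.io/linkwarden/linkwarden:v2.14.0` to `v2.13.5`, which has nothing to do with the storage-folder fix, undoes PATCH 066 and is then re-bumped in PATCH 068; this hunk should touch only the `/data/data` paths. While here, the init container that runs `chown -R 1000:1000` as root uses `busybox:latest`, an unpinned mutable tag, so the image doing privileged work on the data volume can change underneath the cluster without any commit — pin it to a fixed tag plus `@sha256:` digest. If the CSI driver backing the `data` PVC honours `fsGroup`, a pod-level `securityContext` with `fsGroup: 1000` and `fsGroupChangePolicy: "OnRootMismatch"` would make the root init container unnecessary altogether. The Deployment's `spec` continues outside both hunks.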
From: cloudwithdan Date: Sun, 29 Mar 2026 13:54:32 +0200 Subject: [PATCH 069/114] fix authentik issuer url --- kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index 2abf0f6f..09802a30 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -14,7 +14,7 @@ stringData: ACCESS_KEY_ID: ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] - AUTHENTIK_ISSUER: ENC[AES256_GCM,data:LGdXrZsYv46FxBzv+06E52E18ErnXKuFfCZ40gQwVZxMVjBAIVeVqEQsbsst8ZsLtgRdKJoE,iv:4JqcJme2gMYXyd5S39WvfzNwGlwmy+/h9B5uKI8IC28=,tag:CCR5bk5gE4kIhMWI7N+mdw==,type:str] + AUTHENTIK_ISSUER: ENC[AES256_GCM,data:F1ePx2HQmwuVQwqwd3WY5b5uMdbpOZGx17KgxTOJxh6zdH0lc4MxT+ULQxZGczu/6YjzTPoErQ==,iv:hrhMC57p3uzhb54OT+2Yj/fanwGrS1Pbr1i2nKGztLM=,tag:dlqirQnlgKy56XHYB5rgBg==,type:str] AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:qOOtNqzCJrtP/QHEn/ZW5Tn/W96g7axGuUli671VvD+WaN0cCbGi2gSEJ88oJKSXofxa4MnHU2RMxmXVJwIo2Qtq0DXMAxug48ClQIGyJsDHhqURjxdEOgYt1mia9gxqhkJ1h7viPcAh7Eg35xvajrKSPCQFpY+tL/D6LnBUBt4=,iv:FO+OXCHnZYBKCdoV0B5oO3GvUw5xKh/c/vv58tkXzzI=,tag:JdU/QIrqWLDQkXZsC483Og==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] 
@@ -35,7 +35,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T11:24:09Z" - mac: ENC[AES256_GCM,data:T3dwX1mu4juJc69WlwgGlO8sRyQRkpBtgVqvv4fY9StPKWcIeEqO3ZIz2deROCgqan1WvkJSTGXCn1t0y2UdHH8o82Ft5KU+BU8gvmtPD5i4mzJEFr+eOEV/K7UFRN1CgycXOujqsnz+74P0WRa13+lG70qlfnad2K04L3yH6XQ=,iv:HhaAg+840Hn7GAFFSwQm6QWPiYZ1QKYQuYH5WdoqUF0=,tag:kSogOtUUvizocERC/qdu6A==,type:str] + lastmodified: "2026-03-29T11:54:25Z" + mac: ENC[AES256_GCM,data:COmkv6WYwdHz3ZhtJMlNazZAyNBkW2FRV4v73Y12sz6ZJvwW3gZNKtY6ufzTx8AI47HIHBhJMYLo1doovR7ar5S+spq8DiTteFNAjGm1lqOOaPsaOIAOvGPoanXQr7o/pgUneczMkBaxvtyICF3TmS63U0+ZEtbK7lY8ce8im98=,iv:mAmz6v2oNuz6ScDLcPHEuDWGKfLJ1jzQqMA3AR4WGJo=,tag:uh7GUxyPuUaeHy+9xSC8iA==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From 69a806eb00b24fc9e4413b987c7812241d823b86 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 13:59:47 +0200 Subject: [PATCH 070/114] test authentik --- kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index 09802a30..a6c2fed4 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -13,8 +13,9 @@ stringData: NEXTAUTH_SECRET: ENC[AES256_GCM,data:tg0wq+M1BefA2Dm0pd5E,iv:bwCrHwhfVPcY1ruf/yDqm+w7fwzK3zZ4POUh4+o5Kmc=,tag:3GU/Nttw3jFtGvLNEKWtrw==,type:str] ACCESS_KEY_ID: ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] + NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:MqhidQ==,iv:zdH9FHdV6df8Vhnc7Z7qm1W9ks6pVKZ8ITYPM3IsYgY=,tag:6fFd88Cc/470Oum8ylvu0Q==,type:bool] NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] - AUTHENTIK_ISSUER: ENC[AES256_GCM,data:F1ePx2HQmwuVQwqwd3WY5b5uMdbpOZGx17KgxTOJxh6zdH0lc4MxT+ULQxZGczu/6YjzTPoErQ==,iv:hrhMC57p3uzhb54OT+2Yj/fanwGrS1Pbr1i2nKGztLM=,tag:dlqirQnlgKy56XHYB5rgBg==,type:str] + AUTHENTIK_ISSUER: ENC[AES256_GCM,data:FzcHWB0aQCNZgzwzdPEzFxh2Nzm2y4Lzhw3R6nzHuX41SprA9/gkWF5aB0d1lf4q4LfIXf3x,iv:TvLsOtlri2CK99MB1k5vooNfpgiUCKYand+HFXl37L8=,tag:IjExXsM5z/id0SOVZwUNJQ==,type:str] AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:qOOtNqzCJrtP/QHEn/ZW5Tn/W96g7axGuUli671VvD+WaN0cCbGi2gSEJ88oJKSXofxa4MnHU2RMxmXVJwIo2Qtq0DXMAxug48ClQIGyJsDHhqURjxdEOgYt1mia9gxqhkJ1h7viPcAh7Eg35xvajrKSPCQFpY+tL/D6LnBUBt4=,iv:FO+OXCHnZYBKCdoV0B5oO3GvUw5xKh/c/vv58tkXzzI=,tag:JdU/QIrqWLDQkXZsC483Og==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] 
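Review bot: `NEXT_PUBLIC_AUTHENTIK_ENABLED` is added with `type:bool`, but a Secret's `stringData` is a map of strings, so the decrypted boolean will be rejected by the API server's schema — the same failure PATCH 065 just fixed for `INIT_POSTGRES_PORT` by switching it to `type:str` (PATCH 073 later does the same for this key). Independently of the type, a `NEXT_PUBLIC_*` feature toggle is not sensitive; keeping it inside the sops-encrypted Secret hides a plain configuration choice from review and widens what the secret has to protect for no benefit, so it belongs as an ordinary `env` entry on the Deployment. The `stringData` block extends beyond this hunk.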
@@ -35,7 +36,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T11:54:25Z" - mac: ENC[AES256_GCM,data:COmkv6WYwdHz3ZhtJMlNazZAyNBkW2FRV4v73Y12sz6ZJvwW3gZNKtY6ufzTx8AI47HIHBhJMYLo1doovR7ar5S+spq8DiTteFNAjGm1lqOOaPsaOIAOvGPoanXQr7o/pgUneczMkBaxvtyICF3TmS63U0+ZEtbK7lY8ce8im98=,iv:mAmz6v2oNuz6ScDLcPHEuDWGKfLJ1jzQqMA3AR4WGJo=,tag:uh7GUxyPuUaeHy+9xSC8iA==,type:str] + lastmodified: "2026-03-29T11:59:36Z" + mac: ENC[AES256_GCM,data:t/S/xpy7UlZk1WoPqU3WdboYCBfl99WzUgtQKjJrfW+ut+WHr2L0f0WxFt6Iv11SD0mlmza7gYmhh2KSjq9/0/MeogNurSY9IaiyYpbxvQHK4Ik4+oXjNyQz7RpZVjQJRV3TNs/ffEd9Y9+KwRljLzWxXmCPK27emF/JMarL3Js=,iv:TdoFb5sdZVrzCghLIkAtAso7eiPqLTZDRG4BMoirvYc=,tag:hCg5VXbRw77R9SwpEM8CgQ==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From 91b248c68a2af3ca729dd26d7de4bca5cd4ef1f8 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 14:01:13 +0200 Subject: [PATCH 071/114] fix authentik client secret for linkwarden --- kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index a6c2fed4..5beda223 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -17,7 +17,7 @@ stringData: NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] AUTHENTIK_ISSUER: ENC[AES256_GCM,data:FzcHWB0aQCNZgzwzdPEzFxh2Nzm2y4Lzhw3R6nzHuX41SprA9/gkWF5aB0d1lf4q4LfIXf3x,iv:TvLsOtlri2CK99MB1k5vooNfpgiUCKYand+HFXl37L8=,tag:IjExXsM5z/id0SOVZwUNJQ==,type:str] AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:qOOtNqzCJrtP/QHEn/ZW5Tn/W96g7axGuUli671VvD+WaN0cCbGi2gSEJ88oJKSXofxa4MnHU2RMxmXVJwIo2Qtq0DXMAxug48ClQIGyJsDHhqURjxdEOgYt1mia9gxqhkJ1h7viPcAh7Eg35xvajrKSPCQFpY+tL/D6LnBUBt4=,iv:FO+OXCHnZYBKCdoV0B5oO3GvUw5xKh/c/vv58tkXzzI=,tag:JdU/QIrqWLDQkXZsC483Og==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:bkf4oTR24xkhRFpKoZHD+hZytsbPCW8V3jAmEpkS2wQQds2u7VJNyNw3EwEAXWTRvlHPCGXo4+rq3ILkGqXSoBkrI06jsuB9n9YTKqR4URDAOBv6Kdqc6nh1k9VbFO/2CFf8j4MsxPeR1Fhcv50lSGI2cnpzQXx7cEsDjuP1Zuw=,iv:QK0zXGMW4h0T2BiqOUFo8ZTygt9nROQN4AhN7rcR6Zs=,tag:jGVTa9QxjcPHasNY4bCq9w==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] 
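Review bot: This hunk replaces `AUTHENTIK_CLIENT_SECRET`, and PATCH 072 and PATCH 073 replace the issuer, client id and secret again minutes later; every superseded value stays in git history under the same age recipients, so the retired OAuth clients should be revoked in Authentik rather than merely overwritten here, otherwise a compromised age key still yields working credentials. A commit message that names which provider was retired and which replaced it would make that auditable — `fix` (PATCH 073) says nothing, and "test authentik" (PATCH 070) suggests throwaway credentials that were presumably never cleaned up.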
@@ -36,7 +36,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T11:59:36Z" - mac: ENC[AES256_GCM,data:t/S/xpy7UlZk1WoPqU3WdboYCBfl99WzUgtQKjJrfW+ut+WHr2L0f0WxFt6Iv11SD0mlmza7gYmhh2KSjq9/0/MeogNurSY9IaiyYpbxvQHK4Ik4+oXjNyQz7RpZVjQJRV3TNs/ffEd9Y9+KwRljLzWxXmCPK27emF/JMarL3Js=,iv:TdoFb5sdZVrzCghLIkAtAso7eiPqLTZDRG4BMoirvYc=,tag:hCg5VXbRw77R9SwpEM8CgQ==,type:str] + lastmodified: "2026-03-29T12:00:59Z" + mac: ENC[AES256_GCM,data:sXSTUM9TPuWSaxtTwviJrFPjbgzbFXgIjnWWvZ8ytYqbdSsHF6Wo7VkyugQN6nMIV6BSAjEkVomp93hGFUmqpz4heuP5f4HwjW+PDu2PwK47PZ7dT5yTGsjXeihOkPSKPLyQu+Vd4t4uelqcblnbKGr37GXTiQAqX9b/tdn6G3k=,iv:qEvRRHge4a7YBCUM9jkCnXiIMpNKeYmw/SyTZkyk3hs=,tag:1tlkNVXYU6tI+8fDKcs4Xg==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From e05b070f5afb860cb2ac6cee681f80136bddf50c Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 14:11:40 +0200 Subject: [PATCH 072/114] created new authentik provider for linkwarden --- .../apps/selfhosted/linkwarden/app/secret.sops.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index 5beda223..f2bab4bb 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -15,9 +15,9 @@ stringData: SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:MqhidQ==,iv:zdH9FHdV6df8Vhnc7Z7qm1W9ks6pVKZ8ITYPM3IsYgY=,tag:6fFd88Cc/470Oum8ylvu0Q==,type:bool] NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] - AUTHENTIK_ISSUER: ENC[AES256_GCM,data:FzcHWB0aQCNZgzwzdPEzFxh2Nzm2y4Lzhw3R6nzHuX41SprA9/gkWF5aB0d1lf4q4LfIXf3x,iv:TvLsOtlri2CK99MB1k5vooNfpgiUCKYand+HFXl37L8=,tag:IjExXsM5z/id0SOVZwUNJQ==,type:str] - AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:lc1MpWjQgCT1drkOdy6BHtJxBzzZPHF8Ik4mn2xvsB/DkGQFLfdV7Q==,iv:6ho33Acd974bmK5T6gbUiUJwx/QZjocwLBYSQzNPzZ0=,tag:C0ASTgeC7NBpLN8DBoL2zQ==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:bkf4oTR24xkhRFpKoZHD+hZytsbPCW8V3jAmEpkS2wQQds2u7VJNyNw3EwEAXWTRvlHPCGXo4+rq3ILkGqXSoBkrI06jsuB9n9YTKqR4URDAOBv6Kdqc6nh1k9VbFO/2CFf8j4MsxPeR1Fhcv50lSGI2cnpzQXx7cEsDjuP1Zuw=,iv:QK0zXGMW4h0T2BiqOUFo8ZTygt9nROQN4AhN7rcR6Zs=,tag:jGVTa9QxjcPHasNY4bCq9w==,type:str] + AUTHENTIK_ISSUER: ENC[AES256_GCM,data:ypg3bAoMQ6R1PbIqEvCtT05rnnlaUMFVUdSBveq7Og6XTpRawbAEet5uPFNQFaL10Lf3nR2Y,iv:rqbi1p10LIOb5QZQQMpIRVjW1FkayFCkRAlvWeA9DkA=,tag:FbWoWvZDuKaGV/NFMEE2oQ==,type:str] + AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:9OuKW+ucbBe1MRj7rdP4xfSWjYJewpcUQvmhnwbh/HpfbHqB1G7PWA==,iv:LuHPEsW2qpICULrTbqBpjG6sgtCFjf4kzM4H7qLFrJY=,tag:YRmfTJ1+iRkOI1D6K2cK+A==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:G/nZinIBQa35Fk2tfXbjDUclFNNmh1VLefl/6z5zcXHXPvW/qsCiRF5890XJcikIFLGqOFpj+RwsaibQpSYqxSol7Uaoi/JhD/fGkDZXkH4j2yIbkF4Fv5Mktf/iBg8xgR6eoIyWVd/7TfAHZMrpmqSGmrMllx+Z0bkX3mLybOI=,iv:M2Wa2QwqDL0nfOWw0eeOIoUcqSRenkK7GxknTHlHjx8=,tag:xIJwQ2hZYNJN2oitPgyABQ==,type:str] INIT_POSTGRES_HOST: 
ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] @@ -36,7 +36,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T12:00:59Z" - mac: ENC[AES256_GCM,data:sXSTUM9TPuWSaxtTwviJrFPjbgzbFXgIjnWWvZ8ytYqbdSsHF6Wo7VkyugQN6nMIV6BSAjEkVomp93hGFUmqpz4heuP5f4HwjW+PDu2PwK47PZ7dT5yTGsjXeihOkPSKPLyQu+Vd4t4uelqcblnbKGr37GXTiQAqX9b/tdn6G3k=,iv:qEvRRHge4a7YBCUM9jkCnXiIMpNKeYmw/SyTZkyk3hs=,tag:1tlkNVXYU6tI+8fDKcs4Xg==,type:str] + lastmodified: "2026-03-29T12:11:30Z" + mac: ENC[AES256_GCM,data:z4PHdWXvWSoLeyTrzTMiUXHSCvwP5GircC66ms9gRPdCVZwU3h/WXElV3njlyFmzPw4D0PPshV5qKyjh2ZIemk36G+aOQslZNcpO2aOfIfC/DCwONhWF6ZE6kUjZr7iywQX5ccH4+vAuFdgshV2EApv5tcS17I59Itd2sk/Iy+8=,iv:YkZGuNikJ5SVbL6pQvV5TnFda13q6eY0G/PF6papUKM=,tag:QK7Wkmcle5kr2RZkRveDnQ==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From ab84441f7171f785e516174a41659cc81d2af2de Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sun, 29 Mar 2026 14:14:18 +0200 Subject: [PATCH 073/114] fix --- .../apps/selfhosted/linkwarden/app/secret.sops.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index f2bab4bb..afcc560f 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -13,11 +13,11 @@ stringData: NEXTAUTH_SECRET: ENC[AES256_GCM,data:tg0wq+M1BefA2Dm0pd5E,iv:bwCrHwhfVPcY1ruf/yDqm+w7fwzK3zZ4POUh4+o5Kmc=,tag:3GU/Nttw3jFtGvLNEKWtrw==,type:str] ACCESS_KEY_ID: ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] - NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:MqhidQ==,iv:zdH9FHdV6df8Vhnc7Z7qm1W9ks6pVKZ8ITYPM3IsYgY=,tag:6fFd88Cc/470Oum8ylvu0Q==,type:bool] + NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:qS2UTA==,iv:t1ltfjEEPVWilI7RvOxSkbctVdwybs14qTZD0hwUwzM=,tag:4r8jdAqvdfagczlA6F3wFA==,type:str] NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] - AUTHENTIK_ISSUER: ENC[AES256_GCM,data:ypg3bAoMQ6R1PbIqEvCtT05rnnlaUMFVUdSBveq7Og6XTpRawbAEet5uPFNQFaL10Lf3nR2Y,iv:rqbi1p10LIOb5QZQQMpIRVjW1FkayFCkRAlvWeA9DkA=,tag:FbWoWvZDuKaGV/NFMEE2oQ==,type:str] - AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:9OuKW+ucbBe1MRj7rdP4xfSWjYJewpcUQvmhnwbh/HpfbHqB1G7PWA==,iv:LuHPEsW2qpICULrTbqBpjG6sgtCFjf4kzM4H7qLFrJY=,tag:YRmfTJ1+iRkOI1D6K2cK+A==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:G/nZinIBQa35Fk2tfXbjDUclFNNmh1VLefl/6z5zcXHXPvW/qsCiRF5890XJcikIFLGqOFpj+RwsaibQpSYqxSol7Uaoi/JhD/fGkDZXkH4j2yIbkF4Fv5Mktf/iBg8xgR6eoIyWVd/7TfAHZMrpmqSGmrMllx+Z0bkX3mLybOI=,iv:M2Wa2QwqDL0nfOWw0eeOIoUcqSRenkK7GxknTHlHjx8=,tag:xIJwQ2hZYNJN2oitPgyABQ==,type:str] + AUTHENTIK_ISSUER: ENC[AES256_GCM,data:qfiGTgm7XJtjfZL+cQfyGgkJVAf94B0ROizpuXr3lU0gAkF7Ykv+wlys8nHyms26zSeTCQ2b,iv:0EuzVgvP7bwyJfYOnJIIDeNviEy+5u900xydlrpRBm0=,tag:lLcvuqAn5WkPtwhdSy2riw==,type:str] + AUTHENTIK_CLIENT_ID: 
ENC[AES256_GCM,data:ArVQuMw+K24zluD5KDT9s2KANd+Cx2OU0QeLwi6zIKvNSGjBmA0Yfw==,iv:fIBAZdKMkWwHZQU453Xw7NGbH8NYBk085ScoPhMoYcM=,tag:CTkxYI8/o6qqA1xmQjbmRw==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:hFEouWUsmo+j/yZj/gNCfXAfASWmTA2eUjLDEXTLro1IE1PSFY3zkasllF2IEyz/MGRVtelRRhgFLBuibtCgU7F2PRmsTCQMjf00HYSDDUyLJc16pUUDcBxU5FxYDcmpfRQ5txFwir5+tuB503hlzbBgqFyUwK7A/xpKd8NPtfw=,iv:UIFD29pzzwTLzzO3IRX8weQdi+rBiVpRW6efZ3dJ0F8=,tag:P5uEG5lIpsaXmwMUxH4WpA==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] @@ -36,7 +36,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T12:11:30Z" - mac: ENC[AES256_GCM,data:z4PHdWXvWSoLeyTrzTMiUXHSCvwP5GircC66ms9gRPdCVZwU3h/WXElV3njlyFmzPw4D0PPshV5qKyjh2ZIemk36G+aOQslZNcpO2aOfIfC/DCwONhWF6ZE6kUjZr7iywQX5ccH4+vAuFdgshV2EApv5tcS17I59Itd2sk/Iy+8=,iv:YkZGuNikJ5SVbL6pQvV5TnFda13q6eY0G/PF6papUKM=,tag:QK7Wkmcle5kr2RZkRveDnQ==,type:str] + lastmodified: "2026-03-29T12:14:14Z" + mac: ENC[AES256_GCM,data:GY1dmDEgsPUm6bVqeed+vDq0/JUTwEGf0p5F/hAtwavLrkg427pjc9T/I60xgVFkgz2rTy2zJgHZDMNcLRoKCgOXhbjho+1Gr3skWLkDgzFqFbrrqTfbPwHItx9PehrLNNkDfTgScl55bITRANA8aNTWMP357/uTOAbZdzmMgxo=,iv:e7PJRXg9/fXRU9ZuLXwiPWtfo8HxYMuvK4fejbQFNFc=,tag:ETzXXPFs/UP3E3cA/Za5mg==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From 11f0c14345ff8484d85fcda73f6094f0b464ddd1 Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Tue, 31 Mar 2026 10:00:54 +0200 Subject: [PATCH 074/114] feat: deploy grafana --- .../grafana/app/helmrelease.yaml | 225 ++++++++++++++++++ .../grafana/app/kustomization.yaml | 6 + kubernetes/apps/observability/grafana/ks.yaml | 22 ++ .../repositories/helm/grafana.yaml | 10 + .../repositories/helm/kustomization.yaml | 1 + 5 files changed, 264 insertions(+) create mode 100644 kubernetes/apps/observability/grafana/app/helmrelease.yaml create mode 100644 kubernetes/apps/observability/grafana/app/kustomization.yaml create mode 100644 kubernetes/apps/observability/grafana/ks.yaml create mode 100644 kubernetes/flux-system/repositories/helm/grafana.yaml diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml new file mode 100644 index 00000000..22d20932 --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
@@ -0,0 +1,225 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: grafana + namespace: observability +spec: + interval: 30m + chart: + spec: + chart: grafana + version: "11.3.6" + sourceRef: + kind: HelmRepository + name: grafana-community + namespace: flux-system + interval: 12h + values: + # alerting: + # contactpoints.yaml: + # secret: + # apiVersion: 1 + # contactPoints: + # - orgId: 1 + # name: discord-alerting + # receivers: + # - uid: discord + # type: discord + # disableResolveMessage: false + # settings: + # use_discord_username: false + # url: ${SECRET_DISCORD_WEBHOOK_URL} + # message: '{{ template "discord.default.message" . }}' + # title: '{{ template "default.title" . }}' + + # policies.yaml: + # apiVersion: 1 + # policies: + # - orgId: 1 + # receiver: discord-alerting + # group_wait: 0s + # group_interval: 30s + # repeat_interval: 3m + + # templates.yaml: + # apiVersion: 1 + # templates: + # - orgId: 1 + # name: basic-discord-template + # template: | + # {{ ` + # {{ define "alert_severity_prefix_emoji" }} + # {{- if ne .Status "firing" -}} + # :white_check_mark: + # {{- else if eq .Status "firing" -}} + # :warning: + # {{- end -}} + # {{- end -}} + + # {{ define "basic-discord-template" -}} + # {{- template "alert_severity_prefix_emoji" . -}} + # [{{- .Status | toUpper -}}]: {{ .CommonLabels.alertname -}} + # {{- end -}} + + # {{ define "discord.default.message" -}} + # Alert triggered for {{ .CommonLabels.alertname }} with severity {{ .Status }}. 
+ # Details: {{ .Annotations.description }} + # {{ end -}} + # ` }} + + + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: default + orgId: 1 + folder: "" + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default + + dashboards: + default: + cloudflared: + # renovate: depName="Cloudflare Tunnels (cloudflared)" + gnetId: 17457 + revision: 6 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + external-dns: + # renovate: depName="External-dns" + gnetId: 15038 + revision: 3 + datasource: Prometheus + cert-manager: + url: https://raw.githubusercontent.com/nlamirault/monitoring-mixins/refs/heads/master/monitoring-mixins/cert-manager-mixin/dashboards/cert-manager.json + datasource: Prometheus + flux-cluster: + url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json + datasource: Prometheus + flux-control-plane: + url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json + datasource: Prometheus + kubernetes-api-server: + # renovate: depName="Kubernetes / System / API Server" + gnetId: 15761 + revision: 19 + datasource: Prometheus + kubernetes-coredns: + # renovate: depName="Kubernetes / System / CoreDNS" + gnetId: 15762 + revision: 20 + datasource: Prometheus + kubernetes-global: + # renovate: depName="Kubernetes / Views / Global" + gnetId: 15757 + revision: 43 + datasource: Prometheus + kubernetes-namespaces: + # renovate: depName="Kubernetes / Views / Namespaces" + gnetId: 15758 + revision: 42 + datasource: Prometheus + kubernetes-nodes: + # renovate: depName="Kubernetes / Views / Nodes" + gnetId: 15759 + revision: 34 + datasource: Prometheus + kubernetes-pods: + # renovate: depName="Kubernetes / Views / Pods" + gnetId: 15760 + revision: 36 + datasource: Prometheus + kubernetes-volumes: + # renovate: depName="K8s / Storage / Volumes / Cluster" 
+ gnetId: 11454 + revision: 14 + datasource: Prometheus + nginx: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json + datasource: Prometheus + nginx-request-handling-performance: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json + datasource: Prometheus + node-feature-discovery: + url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json + datasource: Prometheus + node-exporter-full: + # renovate: depName="Node Exporter Full" + gnetId: 1860 + revision: 37 + datasource: Prometheus + prometheus: + # renovate: depName="Prometheus" + gnetId: 19105 + revision: 7 + datasource: Prometheus + pihole-exporter: + # renovate: depName="Prometheus" + gnetId: 10176 + revision: 3 + datasource: Prometheus + sidecar: + dashboards: + enabled: true + searchNamespace: ALL + label: grafana_dashboard + labelValue: "1" + folderAnnotation: grafana_folder + provider: + disableDelete: false + foldersFromFilesStructure: true + allowUiUpdates: true + datasources: + enabled: true + searchNamespace: ALL + labelValue: "1" + plugins: + - grafana-clock-panel + - grafana-piechart-panel + - grafana-worldmap-panel + - grafana-polystat-panel + - natel-discrete-panel + - pr0ps-trackmap-panel + - vonage-status-panel + - volkovlabs-rss-datasource + - marcusolsson-dynamictext-panel + # configuration to make dashboard configmaps discoverable + # sidecar: + # datasources: + # enabled: true + # label: grafana_datasource + # labelValue: "1" + # dashboards: + # enabled: true + # label: grafana_dashboard + # labelValue: "1" + # # Allow discovery in all namespaces for dashboards + # searchNamespace: ALL + # provider: + # allowUiUpdates: true + + persistence: + enabled: true + type: pvc + accessModes: + - ReadWriteOnce + size: 4Gi + + ingress: + enabled: true + ingressClassName: traefik + annotations: + 
cert-manager.io/cluster-issuer: letsencrypt-production
+ external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
+ path: /
+ pathType: Prefix
+ hosts:
+ - metrics.${SECRET_EXTERNAL_DOMAIN}
+ tls:
+ - hosts:
+ - metrics.${SECRET_EXTERNAL_DOMAIN}
+ secretName: grafana-tls
\ No newline at end of file
diff --git a/kubernetes/apps/observability/grafana/app/kustomization.yaml b/kubernetes/apps/observability/grafana/app/kustomization.yaml
new file mode 100644
index 00000000..17cbc72b
--- /dev/null
+++ b/kubernetes/apps/observability/grafana/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/observability/grafana/ks.yaml b/kubernetes/apps/observability/grafana/ks.yaml
new file mode 100644
index 00000000..9f7af25b
--- /dev/null
+++ b/kubernetes/apps/observability/grafana/ks.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app grafana
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/observability/grafana/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/flux-system/repositories/helm/grafana.yaml b/kubernetes/flux-system/repositories/helm/grafana.yaml
new file mode 100644
index 00000000..43a28fd2
--- /dev/null
+++ b/kubernetes/flux-system/repositories/helm/grafana.yaml
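Review bot: The `url:` dashboards (cert-manager, flux-cluster, flux-control-plane, nginx, nginx-request-handling-performance, node-feature-discovery) are fetched at runtime from `master`/`main` branch URLs, so their content can change with no commit in this repo, unlike the `gnetId` entries that are pinned by `revision`; pin each URL to a commit SHA so the fetched JSON is immutable and bumpable. `sidecar.dashboards.searchNamespace: ALL` together with `sidecar.datasources.searchNamespace: ALL` means any identity able to create a labelled ConfigMap or Secret in any namespace can inject dashboards and, more seriously, datasources into Grafana; unless cross-namespace discovery is really wanted, narrow `searchNamespace` to `observability` or an explicit list. The `pihole-exporter` entry carries `# renovate: depName="Prometheus"`, copied from the `prometheus` entry above, and should name the Pi-hole dashboard instead. Grafana is published through the Cloudflare tunnel at `metrics.${SECRET_EXTERNAL_DOMAIN}` with no `grafana.ini` auth settings visible in this file (admin credentials, sign-up, anonymous access), so those presumably come from chart defaults — worth confirming before the host is internet-reachable.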
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: grafana-community
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://grafana-community.github.io/helm-charts
\ No newline at end of file
diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml
index b2a064be..8a531c4e 100644
--- a/kubernetes/flux-system/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
 - ./cnpg.yaml
 - ./goauthentik.yaml
 - ./jetstack.yaml
+ - ./grafana.yaml
From db089d66c8715f74a8c413b034ee7da3e63a5d60 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 10:02:27 +0200 Subject: [PATCH 075/114] add grafana to observability ks
--- kubernetes/apps/observability/kustomization.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml
index b5b8f80b..08da1fce 100644
--- a/kubernetes/apps/observability/kustomization.yaml
+++ b/kubernetes/apps/observability/kustomization.yaml
@@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
- - ./kube-prometheus-stack/ks.yaml
\ No newline at end of file
+ - ./kube-prometheus-stack/ks.yaml
+ - ./grafana/ks.yaml
From 95d4f550b3dcf963e91f114ff549a74b76b6eb81 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 10:14:02 +0200 Subject: [PATCH 076/114] fix pihole-exporter
--- .../apps/network/pihole-system/app/secret.sops.yaml | 8 ++++---- .../kube-prometheus-stack/app/helmrelease.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kubernetes/apps/network/pihole-system/app/secret.sops.yaml b/kubernetes/apps/network/pihole-system/app/secret.sops.yaml index b7976ad5..8893aa95 100644 --- a/kubernetes/apps/network/pihole-system/app/secret.sops.yaml +++ b/kubernetes/apps/network/pihole-system/app/secret.sops.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: pihole-api-token - namespace: pihole-system + namespace: network stringData: api_token: ENC[AES256_GCM,data:caQ0bbY=,iv:5L1LnoECJA7yPNoLy/rSDEOpwn9DzoJYsfH8uCWjAZc=,tag:PVH6Uw6VjZmner5X/89czw==,type:str] sops: @@ -16,7 +16,7 @@ sops: MURwNmxXaVJZV0ZVb2RqaUpTZEpIRUEKH6Iq6+azhNsHp7dhTw7uJC1KQZx7H+t7 lQ1sIhJsZnqR6jwXVrta0KUT5juFvLNB80hGkQqQOSQufjcLsQK4gw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-20T09:12:28Z" - mac: ENC[AES256_GCM,data:WmE3WLh3lIjs4YIoPCbAuF57YmQBXaKSn11pgIEezjIBZaqX/5AqpeF2P9mFy6soKxakcdvu4cPbna+2HTOphkdIAsKCYzfFWTMaO3c+Q4rEhze0ZOIMW2agClsWTWINak6m+Wrw45Ig30m0Zk7F7TlQIJSXPNBTNvjAW4eMTpQ=,iv:RjoAxAsz40dqgeWCUz1w1cBM/TXuoL9xju0rEXAlA4o=,tag:XaAaACHs6c78M5KcAALshw==,type:str] + lastmodified: "2026-03-31T08:10:48Z" + mac: ENC[AES256_GCM,data:tqIsvmzdQSbnIV1mbKqN9EFFlOpnelmUAKA+KKYL2g3CoHuFUmY6VLOpWkVshEdNAyhFLa4/W6MOGDsSzLbfzoheBQwtrwmj5BavY0gROQe6MqkqW+OwssHD5kkKiR/8Iq1ifOG5tyB9xI1usp6uW46VulKrq78oGwNL/85YTGw=,iv:Tbh/Rl9oerUYfcKJCUG6KdocRR9hYUNiHQhOd+NHiRE=,tag:JgnOPYtNqZOzne0ksJWGoA==,type:str] encrypted_regex: ^(data|stringData)$ - version: 3.10.2 + version: 3.12.2 diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index fad7253d..801818c9 100644 --- a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml 
@@ -55,7 +55,7 @@ spec: additionalScrapeConfigs: - job_name: "pihole" static_configs: - - targets: ["pihole-exporter.pihole-system.svc.cluster.local:9617"] + - targets: ["pihole-exporter.network.svc.cluster.local:9617"] prometheusOperator: nodeSelector: From e36df605f7d6dfad18af72a044a7e6a3360404ae Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Tue, 31 Mar 2026 10:41:45 +0200 Subject: [PATCH 077/114] deploy avto-masini web --- .../apps/avto-masini/avto-masini-web/ks.yaml | 40 +++++++++ .../production/deployment.yaml | 68 ++++++++++++++ .../avto-masini-web/production/ingress.yaml | 32 +++++++ .../production/kustomization.yaml | 8 ++ .../avto-masini-web/production/secret.yaml | 8 ++ .../avto-masini-web/production/service.yaml | 13 +++ .../avto-masini-web/staging/deployment.yaml | 66 ++++++++++++++ .../avto-masini-web/staging/ingress.yaml | 30 +++++++ .../staging/kustomization.yaml | 8 ++ .../avto-masini-web/staging/secret.yaml | 8 ++ .../avto-masini-web/staging/service.yaml | 13 +++ .../cloudflared/app/config/config.yaml | 10 +++ .../cloudflared/app/dnsendpoint.yaml | 11 +++ .../cloudflared/app/helmrelease.yaml | 88 +++++++++++++++++++ .../cloudflared/app/kustomization.yaml | 15 ++++ .../cloudflared/app/secret.sops.yaml | 23 +++++ .../apps/avto-masini/cloudflared/ks.yaml | 20 +++++ .../external-dns/app/helmrelease.yaml | 38 ++++++++ .../external-dns/app/kustomization.yaml | 7 ++ .../external-dns/app/secret.sops.yaml | 22 +++++ .../apps/avto-masini/external-dns/ks.yaml | 22 +++++ .../apps/avto-masini/kustomization.yaml | 10 +++ kubernetes/apps/avto-masini/namespace.yaml | 10 +++ .../avto-masini/traefik/app/helmrelease.yaml | 29 ++++++ .../traefik/app/kustomization.yaml | 6 ++ kubernetes/apps/avto-masini/traefik/ks.yaml | 22 +++++ 26 files changed, 627 insertions(+) create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/ks.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml create mode 
100644 kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml create mode 100644 kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml create mode 100644 kubernetes/apps/avto-masini/cloudflared/ks.yaml create mode 100644 kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml create mode 100644 kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml create mode 100644 kubernetes/apps/avto-masini/external-dns/ks.yaml create mode 100644 kubernetes/apps/avto-masini/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/namespace.yaml create mode 100644 kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml create mode 100644 kubernetes/apps/avto-masini/traefik/app/kustomization.yaml create mode 100644 kubernetes/apps/avto-masini/traefik/ks.yaml diff --git a/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml new file mode 100644 index 00000000..e8a080f5 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml 
@@ -0,0 +1,40 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app avto-masini-web-staging + namespace: flux-system +spec: + targetNamespace: avto-masini + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/avto-masini/avto-masini-web/staging + prune: true + sourceRef: + kind: GitRepository + name: flux-system + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app avto-masini-web-production + namespace: flux-system +spec: + targetNamespace: avto-masini + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/avto-masini/avto-masini-web/production + prune: true + sourceRef: + kind: GitRepository + name: flux-system + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m \ No newline at end of file diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml new file mode 100644 index 00000000..a2fe91a5 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml 
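Review bot: Neither Kustomization here declares `postBuild.substituteFrom`, yet the manifests under both paths depend on `${SECRET_PROD_DOMAIN}` and `${PULL_GITHUB_TOKEN}` (the ingress and secret files later in this patch). `postBuild` is not inherited from a parent Kustomization, so unless kubernetes/flux-system/apps.yaml patches that block into every child, the placeholders are either rejected as unset variables or applied verbatim — and a verbatim `${PULL_GITHUB_TOKEN}` under `data:` is not valid base64 and is refused by the API. Add a `postBuild` block to both objects listing the cluster-secrets Secret under `substituteFrom` (or confirm the parent patch covers these) and note it in a comment. Both objects also apply into the same namespace with `prune: true`, so anything rendered identically by the staging and production overlays ends up claimed by two owners.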
@@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: avto-masini-web-production + namespace: avto-masini + labels: + app: avto-masini-web-production +spec: + replicas: 1 + selector: + matchLabels: + app: avto-masini-web-production + template: + metadata: + labels: + app: avto-masini-web-production + spec: + nodeSelector: + kubernetes.io/hostname: talos-worker-eu-02 + containers: + - name: avto-masini-web-production + resources: + limits: + memory: "128Mi" + cpu: "500m" + requests: + memory: "64Mi" + cpu: "250m" + image: ghcr.io/avto-masini/avto-masini-web:v2.0.10 + imagePullPolicy: Always + ports: + - name: prod-svc + containerPort: 80 + livenessProbe: + httpGet: + path: / + port: 80 + readinessProbe: + httpGet: + path: / + port: 80 + volumeMounts: + - name: tmp + mountPath: /tmp/ + - name: nginx-cache + mountPath: /var/cache/nginx + - name: run + mountPath: /run + securityContext: + runAsUser: 1000 # Non-root user + runAsGroup: 3000 # Non-root group + readOnlyRootFilesystem: true # Read-only filesystem + allowPrivilegeEscalation: false # No privilege escalation + privileged: false + capabilities: + drop: + - ALL # Drop all capabilities + add: + - NET_BIND_SERVICE # Allow only required capabilities + imagePullSecrets: + - name: pull-token + volumes: + - name: tmp + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: run + emptyDir: {} diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml new file mode 100644 index 00000000..23a63fd3 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml 
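Review bot: The container securityContext drops all capabilities and sets a non-root UID, but it does not set `runAsNonRoot: true` or a `seccompProfile`, which is what still separates this pod from the `restricted` Pod Security Standard; adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` to the same `securityContext` costs nothing here. `capabilities.add: [NET_BIND_SERVICE]` only reaches a process running as UID 1000 if the image (presumably nginx, given the `/var/cache/nginx` mount) sets file capabilities on the binary or the runtime grants ambient capabilities; if the server actually listens above 1024 the add is dead weight and should be removed rather than kept with a comment claiming it is required. The same securityContext block is duplicated in the staging/deployment.yaml hunk of this patch and should get the same treatment. `nodeSelector: kubernetes.io/hostname: talos-worker-eu-02` together with `replicas: 1` pins production to one node, so a drain of that node takes the site down — if that is deliberate (local storage, egress), a comment on the selector would save the next reader a question.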
@@ -0,0 +1,32 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: avto-masini-web-production-ingress + namespace: avto-masini + annotations: + external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}" + external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}, www.${SECRET_PROD_DOMAIN}" +spec: + ingressClassName: avto-masini + rules: + - host: "${SECRET_PROD_DOMAIN}" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: avto-masini-web-production + port: + name: prod-svc + - host: "www.${SECRET_PROD_DOMAIN}" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: avto-masini-web-production + port: + name: prod-svc diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml new file mode 100644 index 00000000..0935db4a --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.yaml + - ./deployment.yaml + - ./service.yaml + - ./ingress.yaml diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml new file mode 100644 index 00000000..251ab91d --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pull-token + namespace: avto-masini +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: ${PULL_GITHUB_TOKEN} diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml new file mode 100644 index 00000000..2e7c4e54 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml 
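Review bot: `pull-token` is rendered byte-identically by the staging and production overlays into the same namespace, so two Flux Kustomizations with `prune: true` each try to own one Secret object; as far as I know Flux labels applied objects with the owning Kustomization's name, so the two reconcilers overwrite each other's ownership on every run and one of them reports the object as managed elsewhere. Keep the pull secret in one place — a shared base both overlays reference, or the namespace-level kustomization — and drop the copy in the staging/secret.yaml hunk of this patch. Separately, the value is placed under `data:` rather than `stringData:`, so `${PULL_GITHUB_TOKEN}` must already be the base64 encoding of the docker config JSON; if the cluster secret holds the raw JSON, switch to `stringData:` and let the API encode it.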
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: avto-masini-web-production + namespace: avto-masini +spec: + ports: + - name: avto-masini-web-production + port: 80 + targetPort: prod-svc + selector: + app: avto-masini-web-production + type: ClusterIP diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml new file mode 100644 index 00000000..1c49efc9 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: avto-masini-web-staging + namespace: avto-masini + labels: + app: avto-masini-web-staging +spec: + replicas: 1 + selector: + matchLabels: + app: avto-masini-web-staging + template: + metadata: + labels: + app: avto-masini-web-staging + spec: + containers: + - name: avto-masini-web-staging + resources: + limits: + memory: "128Mi" + cpu: "500m" + requests: + memory: "64Mi" + cpu: "250m" + image: ghcr.io/avto-masini/avto-masini-web:9ff0c4c + imagePullPolicy: Always + ports: + - name: staging-svc + containerPort: 80 + livenessProbe: + httpGet: + path: / + port: 80 + readinessProbe: + httpGet: + path: / + port: 80 + volumeMounts: + - name: tmp + mountPath: /tmp/ + - name: nginx-cache + mountPath: /var/cache/nginx + - name: run + mountPath: /run + securityContext: + runAsUser: 1000 # Non-root user + runAsGroup: 3000 # Non-root group + readOnlyRootFilesystem: true # Read-only filesystem + allowPrivilegeEscalation: false # No privilege escalation + privileged: false + capabilities: + drop: + - ALL # Drop all capabilities + add: + - NET_BIND_SERVICE # Allow only required capabilities + imagePullSecrets: + - name: pull-token + volumes: + - name: tmp + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: run + emptyDir: {} \ No newline at end of file 
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml new file mode 100644 index 00000000..4ac9fa52 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: avto-masini-web-staging-ingress + namespace: avto-masini + annotations: + external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}" + external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}" + # nginx.ingress.kubernetes.io/auth-url: |- + # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + # nginx.ingress.kubernetes.io/auth-signin: |- + # https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri + # nginx.ingress.kubernetes.io/auth-response-headers: |- + # Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + # nginx.ingress.kubernetes.io/auth-snippet: | + # proxy_set_header X-Forwarded-Host $http_host; +spec: + ingressClassName: avto-masini + rules: + - host: "staging.${SECRET_PROD_DOMAIN}" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: avto-masini-web-staging + port: + name: staging-svc diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml new file mode 100644 index 00000000..0935db4a --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.yaml + - ./deployment.yaml + - ./service.yaml + - ./ingress.yaml 
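Review bot: The commented-out `nginx.ingress.kubernetes.io/auth-*` annotations in the staging Ingress are ingress-nginx directives and would do nothing under an IngressClass served by Traefik even if uncommented; as written, staging is published through the tunnel with no authentication in front of it. If staging is meant to be gated, the Traefik equivalent is a `ForwardAuth` Middleware attached via the `traefik.ingress.kubernetes.io/router.middlewares` annotation; otherwise delete the dead block so nobody assumes auth is one uncomment away. The `external-dns.alpha.kubernetes.io/hostname` annotation also names `${SECRET_PROD_DOMAIN}` while the rule host is `staging.${SECRET_PROD_DOMAIN}`, which would point the apex record at staging.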
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml new file mode 100644 index 00000000..251ab91d --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pull-token + namespace: avto-masini +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: ${PULL_GITHUB_TOKEN} diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml new file mode 100644 index 00000000..5014eb64 --- /dev/null +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: avto-masini-web-staging + namespace: avto-masini +spec: + ports: + - name: avto-masini-web-staging + port: 80 + targetPort: staging-svc + selector: + app: avto-masini-web-staging + type: ClusterIP diff --git a/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml new file mode 100644 index 00000000..69590f2b --- /dev/null +++ b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + noTLSVerify: true + +ingress: + - hostname: "${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.avto-masini.svc.cluster.local:443 + - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.avto-masini.svc.cluster.local:443 + - service: http_status:404 diff --git a/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 00000000..cb592c20 --- /dev/null +++ b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml 
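Review bot: The cloudflared ingress rules in config.yaml match `${SECRET_EXTERNAL_DOMAIN}` while every other file in this patch (the Ingress hosts, the DNSEndpoint, external-dns `domainFilters`) uses `${SECRET_PROD_DOMAIN}`; unless those two variables resolve to the same zone, requests for the production hostname fall through to the `http_status:404` catch-all. Check which variable is intended and use it consistently across the directory. `originRequest.noTLSVerify: true` also disables certificate validation on the tunnel-to-Traefik hop; that is the usual shortcut for Traefik's self-signed default certificate, but the safer options are to point the rule at Traefik's plain-HTTP entrypoint inside the cluster or to supply the issuing CA via `originRequest.caPool` and drop `noTLSVerify`.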
@@ -0,0 +1,11 @@ +--- +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: cloudflared + namespace: avto-masini +spec: + endpoints: + - dnsName: "external.${SECRET_PROD_DOMAIN}" + recordType: CNAME + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml b/kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml new file mode 100644 index 00000000..d9f0166e --- /dev/null +++ b/kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml 
@@ -0,0 +1,88 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cloudflared + namespace: avto-masini +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + cloudflared: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: docker.io/cloudflare/cloudflared + tag: 2024.4.1 + env: + NO_AUTOUPDATE: true + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_ORIGIN_ENABLE_HTTP2: true + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + TUNNEL_ID: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_ID + args: + - tunnel + - --config + - /etc/cloudflared/config/config.yaml + - run + - "$(TUNNEL_ID)" + resources: + requests: + cpu: 10m + limits: + memory: 256Mi + service: + app: + controller: cloudflared + ports: + http: + port: &port 8080 + serviceMonitor: + app: + serviceName: cloudflared + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + persistence: + config: + type: configMap + name: cloudflared-configmap + globalMounts: + - path: /etc/cloudflared/config/config.yaml + subPath: config.yaml + readOnly: true + creds: + type: secret + name: cloudflared-secret + globalMounts: + - path: /etc/cloudflared/creds/credentials.json + subPath: credentials.json + readOnly: true diff --git a/kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml b/kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml new file mode 100644 index 00000000..2532525a --- /dev/null 
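Review bot: `NO_AUTOUPDATE`, `TUNNEL_ORIGIN_ENABLE_HTTP2` and `TUNNEL_POST_QUANTUM` are written as unquoted YAML booleans under `env`; container environment values must be strings, so unless app-template stringifies scalars before rendering the pod spec these are rejected as non-string `value` fields — quoting them (`NO_AUTOUPDATE: "true"`) is correct either way. The image tag `2024.4.1` is roughly two years behind the commit date for the one component here that terminates an internet-facing connection; whatever update bot the repo uses should be pointed at it, or the tag bumped. The rest of the layout — read-only secret and config mounts, metrics on a named port with a ServiceMonitor — reads fine.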
+++ b/kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml @@ -0,0 +1,15 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./dnsendpoint.yaml + - ./helmrelease.yaml +configMapGenerator: + - name: cloudflared-configmap + namespace: cloudflared + files: + - ./config/config.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml b/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml new file mode 100644 index 00000000..4a379d43 --- /dev/null +++ b/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml 
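Review bot: The `configMapGenerator` entry sets `namespace: cloudflared`, but the HelmRelease in this directory and the Flux Kustomization that applies it both use `avto-masini`. Flux's `targetNamespace` presumably rewrites it at apply time, which is why it may still work, but the generated ConfigMap's declared namespace is then silently wrong and breaks as soon as the directory is built with plain `kustomize build` or the targetNamespace is removed; change it to `namespace: avto-masini`. `disableNameSuffixHash: true` is acceptable here only because the HelmRelease carries `reloader.stakater.com/auto`, which is worth a one-line comment next to it.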
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflared-secret + namespace: avto-masini +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:gk3nDGz2p9ARbp7HmF8uECKWs+3eDv3Er2dFYlwLZtT2PyCx,iv:/KA0QlNWFYrnAMMUWpN+dGW3dd9t+35XS2bg+QH4cU8=,tag:I3dLa4jHeXTA29lmNxMDcg==,type:str] + credentials.json: ENC[AES256_GCM,data:RmOGx7g5HvdO7qicfp7P6XuNzGFtGm4tyt8AyBWzuJes+9b5kKj6AfvbntFl7Xqxp4JgINbWo5zx36O1D382bSdA/BoGVYpkqhzVDgNH4foCcliNdLny1LDTTSZf921bvH9T0leREcszZBPGRafQfAABSUHaSAWOGkzXydYFUFl8QWe4icABsCaKvF21Z1kBmO1eNbz/AW017qsfXvrvDN03x96aU5CBgMfHJb87/r0=,iv:yZsLTXC+SKisdcPeXhDs5EgjMWuzzx7Si2q6RocVacQ=,tag:xKpGc1zz4AsN6ZB1ec0XDw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3dPanhEYkliUjVZVDJP + MFU2b3ZFZXBKOEJsVmpSMFl3VjZQc3FnUVRzCk9ic2V5c05OMi8veVFMNGVBRGpF + UnY2RWNlRUdmTW5xRU41VWZ3MmxWSHcKLS0tIFRkaHNqeDZ5Y2hramxaRGpQTVRF + TGdnWGo0aTVGN3RTcVFGOXlNNmlKZ28KwBHGBJGjDaPPTYcjN0NOd2M+B57YBdy8 + ZA5WR+DYrhsiGu1RVJX+y+vFiNxaAhD10mDEK4JHYTwxzX653GgXYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T08:32:42Z" + mac: ENC[AES256_GCM,data:1khBCLC0R0Kh2VtSBMbm6oeQurpd+ck97TTXEoJsDF5s2X5HxTZ7t4p4CeDSQJp1hqb1l8yL7iOL/wFyUWm2zGw/VCTLy3Qley+JZxW6FpHbsPg7iomtDn+AIqMIdA8UOxUfvepajNu3YDutjr20jxzXzLrojZdknM4Dx8HhZ9I=,iv:3uY1cfu8FwvStXbn4zADLEggqz8xsCAsFoR5pC86KZY=,tag:vHRYpfdlKhIQ6kp4dOgULw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/avto-masini/cloudflared/ks.yaml b/kubernetes/apps/avto-masini/cloudflared/ks.yaml new file mode 100644 index 00000000..cbfc19d5 --- /dev/null +++ b/kubernetes/apps/avto-masini/cloudflared/ks.yaml 
@@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cloudflared + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + path: ./kubernetes/apps/avto-masini/cloudflared/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: avto-masini + wait: true diff --git a/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml new file mode 100644 index 00000000..7fc49e2f --- /dev/null +++ b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml @@ -0,0 +1,38 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns + namespace: avto-masini +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.20.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + values: + fullnameOverride: *app + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: external-dns-secret + key: api-token + extraArgs: + - --ingress-class=traefik-avto-masini + - --cloudflare-proxied + - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com + - --force-default-targets + policy: sync + sources: ["crd", "ingress"] + domainFilters: ["${SECRET_PROD_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: external-dns-secret diff --git a/kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml b/kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml new file mode 100644 index 00000000..16a6ce30 --- /dev/null 
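Review bot: This Kustomization applies a `DNSEndpoint` (dnsendpoint.yaml) whose `externaldns.k8s.io/v1alpha1` CRD is not created by the external-dns HelmRelease in this patch (its values do not set `crd.create`), so it presumably comes from the existing infrastructure external-dns; either way there is no `dependsOn`, and the first reconcile can fail on an unknown kind until a retry. `retryInterval` and `timeout` are also missing here while the sibling external-dns and traefik Kustomizations set `retryInterval: 1m` and `timeout: 15m`. Add a `dependsOn` entry naming the Kustomization that provides the CRD (use whatever name the external-dns object ends up with) and the two timing fields to match the siblings.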
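Review bot: `fullnameOverride: external-dns` names this release's cluster-scoped objects (ClusterRole, ClusterRoleBinding) identically to the infrastructure external-dns this directory was copied from (the ks.yaml in this patch still points at `./kubernetes/apps/infrastructure/external-dns/app`); if that release also uses the name `external-dns`, Helm refuses the install because those objects already belong to another release. Operationally worse, two external-dns instances running `policy: sync` against the same Cloudflare zone with the default TXT owner id will each delete the records the other creates. Give this instance a distinct name, e.g. `fullnameOverride: external-dns-avto-masini`, and a distinct `txtOwnerId` in values so the two registries do not overlap.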
+++ b/kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml b/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml new file mode 100644 index 00000000..79cf4530 --- /dev/null +++ b/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-secret + namespace: avto-masini +stringData: + api-token: ENC[AES256_GCM,data:O623ud/31zbI+fqmyuDhjerfJo68A3Ga0UII+DGVE/BalZdrwI2TAA==,iv:UYIRQryd2mk8t/W+ydWoLBkQMQ0WeWU+9BkjMR49PoM=,tag:pz6vmyOLaPGoGwvFJhRtFQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cU9YNTJvS1RIdFFCQzIx + TnZINHNsaVY5SkJLVDNianorU0M4Wm9Wb0FFCllmaVpPTHFjRTlkaGRidXZkRmsy + amV4QzVwYk1IUzRyZUYvQ1p2d2drOHMKLS0tIHhFWjlXSDN5eXVhWDcydEFvZUZV + N1JuT1p5TFpUOUVEc0NBcEdNMkplZG8KhgfASu2LOHwgyVyEgTkIdGFeOoeJG5+w + UonRkCxYPgfEGA6XqQ9wYd/R7CDhWplOOoMOyu/gkI6EmkW6LrPqCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T08:35:54Z" + mac: ENC[AES256_GCM,data:wYKGg++YRjaTqwDOie1/foY3vDQUpMg+IJZk7UQjqJkIiZdcqxIeRWuTgVymexPGV6hfq2nTk6vRPAqPL08XpGW+0tTHPLR8BXINgtUtd5Dy2iTphpo+9BDq8LnMUCRGUaiEVdrpZhwsOr4nkFXmiRe06wuCPIvy3E+P1daKn7c=,iv:eiuuwab+OIyaZsIhr3utpcIX58src9vIj5vESOjNpJA=,tag:4SIUk+5eSTp/FAotQAw3Tg==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/avto-masini/external-dns/ks.yaml b/kubernetes/apps/avto-masini/external-dns/ks.yaml new file mode 100644 index 00000000..558c91f9 --- /dev/null +++ b/kubernetes/apps/avto-masini/external-dns/ks.yaml 
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app external-dns + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/infrastructure/external-dns/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: infrastructure + wait: true diff --git a/kubernetes/apps/avto-masini/kustomization.yaml b/kubernetes/apps/avto-masini/kustomization.yaml new file mode 100644 index 00000000..b1c95a4e --- /dev/null +++ b/kubernetes/apps/avto-masini/kustomization.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./traefik/ks.yaml + - ./cloudflared/ks.yaml + - ./external-dns/ks.yaml + - ./avto-masini-web/ks.yaml diff --git a/kubernetes/apps/avto-masini/namespace.yaml b/kubernetes/apps/avto-masini/namespace.yaml new file mode 100644 index 00000000..36a67646 --- /dev/null +++ b/kubernetes/apps/avto-masini/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: avto-masini + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml b/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml new file mode 100644 index 00000000..46cccded --- /dev/null +++ b/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml 
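Review bot: The Namespace in namespace.yaml carries `pod-security.kubernetes.io/enforce: privileged` (and the same for audit and warn), which switches Pod Security Admission off for everything in `avto-masini`, while the only workloads added here are a hardened web deployment (non-root, read-only root, all capabilities dropped), Traefik, cloudflared and external-dns — none of which should need privileged. Start at `baseline` for all three modes and consider `restricted` once the web deployment sets `runAsNonRoot` and a seccomp profile; if one component genuinely needs more, note which one next to the label rather than opting the whole namespace out.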
@@ -0,0 +1,29 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app traefik + namespace: avto-masini +spec: + interval: 30m + chart: + spec: + chart: traefik + version: "39.0.5" + sourceRef: + kind: HelmRepository + name: traefik + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + ingressClass: + enabled: true + name: traefik-avto-masini diff --git a/kubernetes/apps/avto-masini/traefik/app/kustomization.yaml b/kubernetes/apps/avto-masini/traefik/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/avto-masini/traefik/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/avto-masini/traefik/ks.yaml b/kubernetes/apps/avto-masini/traefik/ks.yaml new file mode 100644 index 00000000..c8c2a118 --- /dev/null +++ b/kubernetes/apps/avto-masini/traefik/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app traefik + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/avto-masini/traefik/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: avto-masini + wait: true From 1c639bc762dd392a6720b7ff86d785f0d48b5187 Mon Sep 17 00:00:00 2001 
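Review bot: The values create an IngressClass named `traefik-avto-masini` but do not set `providers.kubernetesIngress.ingressClass`, so this Traefik instance still processes every Ingress it can see by default — and any other Traefik in the cluster will equally pick up Ingresses of this class, since all Traefik instances share the same IngressClass controller string. Set `providers.kubernetesIngress.ingressClass: traefik-avto-masini` (and the matching filter on any other Traefik release) so routing stays deterministic. Unless something other than the cloudflared tunnel needs to reach this proxy, `service.type: ClusterIP` avoids allocating a LoadBalancer address for an entrypoint that is only reached via `traefik.avto-masini.svc.cluster.local` from the tunnel.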
From: cloudwithdan Date: Tue, 31 Mar 2026 10:42:54 +0200 Subject: [PATCH 078/114] fix(avto-masini): external-dns --- kubernetes/apps/avto-masini/external-dns/ks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/avto-masini/external-dns/ks.yaml b/kubernetes/apps/avto-masini/external-dns/ks.yaml index 558c91f9..55c38fa7 100644 --- a/kubernetes/apps/avto-masini/external-dns/ks.yaml +++ b/kubernetes/apps/avto-masini/external-dns/ks.yaml @@ -12,11 +12,11 @@ spec: interval: 30m retryInterval: 1m timeout: 15m - path: ./kubernetes/apps/infrastructure/external-dns/app + path: ./kubernetes/apps/avto-masini/external-dns/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - targetNamespace: infrastructure + targetNamespace: avto-masini wait: true From 16c746d53527fe078054c8784b5d4bc0de1393cc Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 10:47:40 +0200 Subject: [PATCH 079/114] fix avto-masini ks --- kubernetes/apps/avto-masini/avto-masini-web/ks.yaml | 5 ++++- .../avto-masini-web/production/kustomization.yaml | 1 + .../avto-masini/avto-masini-web/staging/kustomization.yaml | 1 + kubernetes/apps/database/cloudnative-pg/ks.yaml | 1 + 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml index e8a080f5..74b25ad7 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -14,6 +15,7 @@ spec: sourceRef: kind: GitRepository name: flux-system + namespace: flux-system wait: false interval: 30m retryInterval: 1m 
@@ -34,7 +36,8 @@ spec: sourceRef: kind: GitRepository name: flux-system + namespace: flux-system wait: false interval: 30m retryInterval: 1m - timeout: 5m \ No newline at end of file + timeout: 5m diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml index 0935db4a..46fd9653 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml index 0935db4a..46fd9653 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/apps/database/cloudnative-pg/ks.yaml b/kubernetes/apps/database/cloudnative-pg/ks.yaml index c9e3867e..e2b14fbd 100644 --- a/kubernetes/apps/database/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/database/cloudnative-pg/ks.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: From 3a21a03d8464df8aa0cdd2153888bdaa76f270b6 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 10:49:17 +0200 Subject: [PATCH 080/114] fix path indent --- kubernetes/apps/avto-masini/avto-masini-web/ks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml index 74b25ad7..5e17ed87 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml @@ -31,7 +31,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/avto-masini/avto-masini-web/production + path: ./kubernetes/apps/avto-masini/avto-masini-web/production prune: true sourceRef: kind: GitRepository From 50e2b1abd02d65638cf701d33085a2935fa95a90 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 10:52:57 +0200 Subject: [PATCH 081/114] fix ks for avto-masini services --- kubernetes/apps/avto-masini/cloudflared/ks.yaml | 2 +- kubernetes/apps/avto-masini/external-dns/ks.yaml | 2 +- kubernetes/apps/avto-masini/traefik/ks.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/avto-masini/cloudflared/ks.yaml b/kubernetes/apps/avto-masini/cloudflared/ks.yaml index cbfc19d5..64106956 100644 --- a/kubernetes/apps/avto-masini/cloudflared/ks.yaml +++ b/kubernetes/apps/avto-masini/cloudflared/ks.yaml @@ -3,7 +3,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app cloudflared + name: &app cloudflared-avto-masini namespace: flux-system spec: commonMetadata: diff --git a/kubernetes/apps/avto-masini/external-dns/ks.yaml b/kubernetes/apps/avto-masini/external-dns/ks.yaml index 55c38fa7..caca9ee1 100644 --- a/kubernetes/apps/avto-masini/external-dns/ks.yaml +++ b/kubernetes/apps/avto-masini/external-dns/ks.yaml @@ -3,7 +3,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app external-dns + name: &app external-dns-avto-masini namespace: flux-system spec: commonMetadata: diff --git a/kubernetes/apps/avto-masini/traefik/ks.yaml b/kubernetes/apps/avto-masini/traefik/ks.yaml index c8c2a118..775d2b41 100644 
--- a/kubernetes/apps/avto-masini/traefik/ks.yaml +++ b/kubernetes/apps/avto-masini/traefik/ks.yaml @@ -3,7 +3,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app traefik + name: &app traefik-avto-masini namespace: flux-system spec: commonMetadata: From 274e45b4a00d369ac8b42c7156b857640ac9b0b5 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Tue, 31 Mar 2026 11:05:30 +0200 Subject: [PATCH 082/114] fix avto-masini ingress --- .../avto-masini/avto-masini-web/production/ingress.yaml | 4 ++-- .../apps/avto-masini/avto-masini-web/staging/ingress.yaml | 6 +++--- .../apps/avto-masini/cloudflared/app/dnsendpoint.yaml | 2 +- .../apps/avto-masini/external-dns/app/helmrelease.yaml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml index 23a63fd3..faab485e 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml @@ -5,10 +5,10 @@ metadata: name: avto-masini-web-production-ingress namespace: avto-masini annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}" + external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com" external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}, www.${SECRET_PROD_DOMAIN}" spec: - ingressClassName: avto-masini + ingressClassName: traefik-avto-masini rules: - host: "${SECRET_PROD_DOMAIN}" http: diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml index 4ac9fa52..57f51aea 100644 --- a/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml +++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml 
@@ -5,8 +5,8 @@ metadata:
 name: avto-masini-web-staging-ingress
 namespace: avto-masini
 annotations:
- external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}"
- external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}"
+ external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"
+ external-dns.alpha.kubernetes.io/hostname: "staging.${SECRET_PROD_DOMAIN}"
 # nginx.ingress.kubernetes.io/auth-url: |-
 # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
 # nginx.ingress.kubernetes.io/auth-signin: |-
@@ -16,7 +16,7 @@ metadata:
 # nginx.ingress.kubernetes.io/auth-snippet: |
 # proxy_set_header X-Forwarded-Host $http_host;
 spec:
- ingressClassName: avto-masini
+ ingressClassName: traefik-avto-masini
 rules:
 - host: "staging.${SECRET_PROD_DOMAIN}"
 http:
diff --git a/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
index cb592c20..c40a4a94 100644
--- a/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
@@ -8,4 +8,4 @@ spec:
 endpoints:
 - dnsName: "external.${SECRET_PROD_DOMAIN}"
 recordType: CNAME
- targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
+ targets: ["${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"]
diff --git a/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
index 7fc49e2f..bf9f70fe 100644
--- a/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
@@ -27,7 +27,7 @@ spec:
 extraArgs:
 - --ingress-class=traefik-avto-masini
 - --cloudflare-proxied
- - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
+ - --default-targets=${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com
 - --force-default-targets
 policy: sync
 sources: ["crd", "ingress"]
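Review bot: The staging ingress is now published through the Cloudflare tunnel (`external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"`) with nothing authenticating requests in front of it, and the commented-out `nginx.ingress.kubernetes.io/auth-*` annotations that were evidently the plan can never take effect now that `ingressClassName` is `traefik-avto-masini`. If the staging site is not meant to be public, gate it with a Traefik forwardAuth Middleware the way the glance and uptime-kuma ingresses later in this series do, `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd` (placeholder names), and delete the dead nginx annotations so they do not suggest a protection that is not there. The ingress `rules` continue outside the hunk.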
From 8e113729b00df43c8ac9cdb0b9bd6ac18a30754c Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Tue, 31 Mar 2026 11:13:02 +0200
Subject: [PATCH 083/114] fix port naming for avto-masini web
---
 .../avto-masini/avto-masini-web/production/deployment.yaml | 2 +-
 .../apps/avto-masini/avto-masini-web/production/ingress.yaml | 4 ++--
 .../apps/avto-masini/avto-masini-web/production/service.yaml | 4 ++--
 .../apps/avto-masini/avto-masini-web/staging/deployment.yaml | 2 +-
 .../apps/avto-masini/avto-masini-web/staging/ingress.yaml | 2 +-
 .../apps/avto-masini/avto-masini-web/staging/service.yaml | 4 ++--
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
index a2fe91a5..4a09adf7 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
@@ -29,7 +29,7 @@ spec:
 image: ghcr.io/avto-masini/avto-masini-web:v2.0.10
 imagePullPolicy: Always
 ports:
- - name: prod-svc
+ - name: http
 containerPort: 80
 livenessProbe:
 httpGet:
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
index faab485e..9fb419ca 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
@@ -19,7 +19,7 @@ spec:
 service:
 name: avto-masini-web-production
 port:
- name: prod-svc
+ number: 80
 - host: "www.${SECRET_PROD_DOMAIN}"
 http:
 paths:
@@ -29,4 +29,4 @@ spec:
 service:
 name: avto-masini-web-production
 port:
- name: prod-svc
+ number: 80
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
index 2e7c4e54..d396e1e4 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
@@ -5,9 +5,9 @@ metadata:
 namespace: avto-masini
 spec:
 ports:
- - name: avto-masini-web-production
+ - name: http
 port: 80
- targetPort: prod-svc
+ targetPort: 80
 selector:
 app: avto-masini-web-production
 type: ClusterIP
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
index 1c49efc9..7558a5ab 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
@@ -27,7 +27,7 @@ spec:
 image: ghcr.io/avto-masini/avto-masini-web:9ff0c4c
 imagePullPolicy: Always
 ports:
- - name: staging-svc
+ - name: http
 containerPort: 80
 livenessProbe:
 httpGet:
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
index 57f51aea..b0893523 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
@@ -27,4 +27,4 @@ spec:
 service:
 name: avto-masini-web-staging
 port:
- name: staging-svc
+ number: 80
diff --git a/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
index 5014eb64..ff56f640 100644
--- a/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
@@ -5,9 +5,9 @@ metadata:
 namespace: avto-masini
 spec:
 ports:
- - name: avto-masini-web-staging
+ - name: http
 port: 80
- targetPort: staging-svc
+ targetPort: 80
 selector:
 app: avto-masini-web-staging
 type: ClusterIP
From 47afebd57c8841f6ab6a2e5899e543930b55ade9 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Tue, 31 Mar 2026 11:21:30 +0200
Subject: [PATCH 084/114] fix cloudflared for avtomasini
---
 .../apps/avto-masini/cloudflared/app/config/config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml
index 69590f2b..99e067ab 100644
--- a/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml
@@ -3,8 +3,8 @@
 originRequest:
 noTLSVerify: true
 ingress:
- - hostname: "${SECRET_EXTERNAL_DOMAIN}"
+ - hostname: "${SECRET_PROD_DOMAIN}"
 service: https://traefik.avto-masini.svc.cluster.local:443
- - hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
+ - hostname: "*.${SECRET_PROD_DOMAIN}"
 service: https://traefik.avto-masini.svc.cluster.local:443
 - service: http_status:404
From 53d85ae36a0a39556d14642cee74779582ad66b9 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Tue, 31 Mar 2026 12:01:22 +0200
Subject: [PATCH 085/114] fix external-dns RBAC issue
---
 .../apps/avto-masini/external-dns/app/helmrelease.yaml | 2 +-
 .../apps/infrastructure/external-dns/app/helmrelease.yaml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
index bf9f70fe..12c66594 100644
--- a/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: &app external-dns
+ name: &app external-dns-avto-masini
 namespace: avto-masini
 spec:
 interval: 30m
diff --git a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml
index 70af3abf..8b076eca 100644
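Review bot: Both rewritten ingress rules forward `${SECRET_PROD_DOMAIN}` and the `*.${SECRET_PROD_DOMAIN}` wildcard to traefik over https while the `noTLSVerify: true` in the `originRequest` context above switches certificate verification off for that hop, so the tunnel will accept whatever certificate answers on the traefik Service. Now that the hostnames are settled, the check can be turned back on by making traefik serve a certificate that matches its Service name, or by pinning the issuing CA with `originServerName`/`caPool` under `originRequest`, and dropping `noTLSVerify`. The wildcard rule also sends every subdomain, staging included, to the same backend, so any host-level access control has to live in traefik rather than in the tunnel.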
--- a/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml
@@ -17,6 +17,11 @@ spec:
 namespace: flux-system
 values:
 fullnameOverride: *app
+ rbac:
+ create: true
+ serviceAccount:
+ create: true
+ name: "external-dns"
 provider: cloudflare
 env:
 - name: CF_API_TOKEN
From d890a9826e04c14e6602a51afeb27df5679d4bf2 Mon Sep 17 00:00:00 2001
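Review bot: The new `serviceAccount.name: "external-dns"` hard-codes a value while the release otherwise derives its names from the `*app` alias (`fullnameOverride: *app` is the context line just above), so a later rename of the release would leave the ServiceAccount and the binding that references it under a stale name; `name: *app` keeps the two in step. It is also worth confirming that the chart's `rbac.create`/`serviceAccount.create` defaults were actually off before this change, because if they already defaulted to true these five lines are a no-op and the RBAC fault is elsewhere. The first hunk of this commit renames a second external-dns instance in `avto-masini`; if the two ever manage the same zone they need distinct `--txt-owner-id` values or they will contend for each other's ownership records. The enclosing `values:` block continues outside the hunk.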
From: cloudwithdan
Date: Fri, 3 Apr 2026 12:42:13 +0200
Subject: [PATCH 086/114] feat: add glance, uptime-kuma and reloader
---
 kubernetes/apps/default/kustomization.yaml | 6 +
 .../apps/default/reloader/app/reloader.yaml | 144 ++++++++
 kubernetes/apps/default/reloader/ks.yaml | 22 ++
 .../glance/app/config/glance.yaml | 322 ++++++++++++++++++
 .../observability/glance/app/deployment.yaml | 46 +++
 .../observability/glance/app/ingress.yaml | 26 ++
 .../glance/app/kustomization.yaml | 9 +
 .../observability/glance/app/middleware.yaml | 17 +
 .../observability/glance/app/service.yaml | 15 +
 kubernetes/apps/observability/glance/ks.yaml | 21 ++
 .../apps/observability/kustomization.yaml | 1 +
 kubernetes/apps/selfhosted/kustomization.yaml | 3 +-
 .../selfhosted/uptime-kuma/app/ingress.yaml | 26 ++
 .../uptime-kuma/app/kustomization.yaml | 10 +
 .../uptime-kuma/app/middleware.yaml | 17 +
 .../uptime-kuma/app/serviceaccount.yaml | 9 +
 .../uptime-kuma/app/statefulSet.yaml | 62 ++++
 .../selfhosted/uptime-kuma/app/storage.yaml | 13 +
 .../apps/selfhosted/uptime-kuma/ks.yaml | 22 ++
 19 files changed, 790 insertions(+), 1 deletion(-)
 create mode 100644 kubernetes/apps/default/kustomization.yaml
 create mode 100644 kubernetes/apps/default/reloader/app/reloader.yaml
 create mode 100644 kubernetes/apps/default/reloader/ks.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/config/glance.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/deployment.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/ingress.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/kustomization.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/middleware.yaml
 create mode 100644 kubernetes/apps/observability/glance/app/service.yaml
 create mode 100644 kubernetes/apps/observability/glance/ks.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml
 create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/ks.yaml
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
new file mode 100644
index 00000000..3f4f0da9
--- /dev/null
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./reloader/ks.yaml
diff --git a/kubernetes/apps/default/reloader/app/reloader.yaml b/kubernetes/apps/default/reloader/app/reloader.yaml
new file mode 100644
index 00000000..254420b1
--- /dev/null
+++ b/kubernetes/apps/default/reloader/app/reloader.yaml
@@ -0,0 +1,144 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: reloader-reloader
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: reloader-reloader-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - list
+ - get
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - statefulsets
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+- apiGroups:
+ - extensions
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - list
+ - get
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - list
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: reloader-reloader-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: reloader-reloader-role
+subjects:
+- kind: ServiceAccount
+ name: reloader-reloader
+ namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reloader-reloader
+ namespace: default
+spec:
+ replicas: 1
+ revisionHistoryLimit: 2
+ selector:
+ matchLabels:
+ app: reloader-reloader
+ template:
+ metadata:
+ labels:
+ app: reloader-reloader
+ spec:
+ containers:
+ - env:
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ divisor: "1"
+ resource: limits.cpu
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ divisor: "1"
+ resource: limits.memory
+ image: "ghcr.io/stakater/reloader:latest"
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /live
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: reloader-reloader
+ ports:
+ - containerPort: 9090
+ name: http
+ readinessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /metrics
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: "1"
+ memory: 512Mi
+ requests:
+ cpu: 10m
+ memory: 512Mi
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: reloader-reloader
diff --git a/kubernetes/apps/default/reloader/ks.yaml b/kubernetes/apps/default/reloader/ks.yaml
new file mode 100644
index 00000000..db49d867
--- /dev/null
+++ b/kubernetes/apps/default/reloader/ks.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app reloader
+ namespace: flux-system
+spec:
+ targetNamespace: default
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/default/reloader/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 15m
diff --git a/kubernetes/apps/observability/glance/app/config/glance.yaml b/kubernetes/apps/observability/glance/app/config/glance.yaml
new file mode 100644
index 00000000..52cd6bf6
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/config/glance.yaml
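Review bot: `image: "ghcr.io/stakater/reloader:latest"` together with `imagePullPolicy: IfNotPresent` leaves a controller that can `list`/`watch` every Secret in the cluster and `update`/`patch` every Deployment, DaemonSet and StatefulSet running whichever build happened to be cached on each node, with no record of which version is in use and no way to roll back; pin it to a release tag or digest, `image: "ghcr.io/stakater/reloader:<version>"` (placeholder), as the other workloads in this series do. The `extensions` API group rule for deployments/daemonsets is dead on any supported Kubernetes and can be removed, which also narrows the ClusterRole. The per-container `securityContext: {}` could carry `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}` to complement the pod-level `runAsNonRoot`/`seccompProfile` that is already set.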
@@ -0,0 +1,322 @@ +theme: + background-color: 240 27 11 + contrast-multiplier: 1.5 + primary-color: 321 100 71 + positive-color: 165 78 51 + negative-color: 360 100 71 +pages: + - name: Home + # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look + # hide-desktop-navigation: true + columns: + - size: small + widgets: + - type: calendar + first-day-of-week: monday + - type: rss + limit: 10 + collapse-after: 3 + cache: 12h + feeds: + - url: https://archlinux.org/feeds/news/ + title: Arch Linux News + limit: 4 + - url: http://sreweekly.com/feed/ + title: SRE Weekly + limit: 4 + - size: full + widgets: + - type: monitor + title: Services + sites: + - title: Authentik + url: https://auth.${SECRET_EXTERNAL_DOMAIN} + check-url: http://authentik-server.security.svc.cluster.local:80 + icon: di:authentik + - title: Pihole + url: http://10.0.10.200/admin/ + check-url: http://pihole-web.network.svc.cluster.local:80/admin/ + icon: di:pi-hole + - title: Glance + url: https://home.${SECRET_EXTERNAL_DOMAIN} + check-url: http://glance.glance.svc.cluster.local:8080 + icon: di:glance + - title: Linkwarden + url: https://bookmarks.${SECRET_EXTERNAL_DOMAIN} + check-url: http://linkwarden.selfhosted.svc.cluster.local:80 + icon: auto-invert https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/linkwarden.png + - title: Uptime Kuma + url: https://status.${SECRET_EXTERNAL_DOMAIN} + check-url: http://uptime-kuma.selfhosted.svc.cluster.local:3001 + icon: di:uptime-kuma + - title: Grafana + url: https://metrics.${SECRET_EXTERNAL_DOMAIN} + check-url: http://grafana.observability.svc.cluster.local:80 + icon: di:grafana + - title: Mealie + url: https://recept.${SECRET_EXTERNAL_DOMAIN} + check-url: http://mealie.selfhosted.svc.cluster.local:80 + icon: di:mealie + - type: videos + channels: + # Mental Outlaw + - UC7YOGHUfC1Tb6E4pudI9STA + # SomeOrdinaryGamers + - UCtMVHI3AJD4Qk4hcbZnI9ZQ + # Fireship + - UCsBjURrPoezykLs9EqgamOA + # Low Level + - 
UC6biysICWOJ-C3P4Tyeggzg + # ThePrimeTime + - UCUyeluBRhGPCW4rPe_UvBZQ + # Linus Tech Tips + - UCXuqSBlHAE6Xw-yeJA0Tunw + # Veritasium + - UCHnyfMqiRRG1u-2MsSQLbXA + - type: group + widgets: + - type: reddit + subreddit: devops + show-thumbnails: true + - type: reddit + subreddit: technology + show-thumbnails: true + - type: reddit + subreddit: selfhosted + show-thumbnails: true + - type: hacker-news + - size: small + widgets: + - type: weather + location: ${WEATHER_LOCATION} + # alternatively "imperial" + units: metric + # alternatively "24h" + hour-format: 12h + # Optionally hide the location from being displayed in the widget + # hide-location: true + - type: dns-stats + service: pihole-v6 + url: http://10.0.10.200 + username: admin + password: ${PIHOLE_PASSWORD} + - type: markets + # The link to go to when clicking on the symbol in the UI, + # {SYMBOL} will be substituded with the symbol for each market + markets: + - symbol: VUAA.DE + name: Vanguard S&P 500 UCITS ETF + chart-link: https://www.tradingview.com/chart/?symbol=VUAA + - symbol: VWCG.DE + name: Vanguard FTSE Developed Europe + chart-link: https://www.tradingview.com/chart/?symbol=VWCG + - type: repository + repository: ublue-os/bluefin + pull-requests-limit: 5 + issues-limit: 3 + commits-limit: 3 + - type: repository + repository: dnikoloski/infrastructure-as-code + pull-requests-limit: 5 + issues-limit: 3 + commits-limit: 3 + - type: releases + cache: 1d + # Without authentication the Github API allows for up to 60 requests per hour. You can create a + # read-only token from your Github account settings and use it here to increase the limit. + # token: ... 
+ repositories: + - ublue-os/bluefin + - glanceapp/glance + - siderolabs/talos + - name: Homelab + # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look + # hide-desktop-navigation: true + columns: + - size: small + widgets: + - type: custom-api + title: Uptime Kumas + title-url: ${UPTIME_KUMA_URL} + url: ${UPTIME_KUMA_URL}/api/status-page/${UPTIME_KUMA_STATUS_SLUG} + subrequests: + heartbeats: + url: ${UPTIME_KUMA_URL}/api/status-page/heartbeat/${UPTIME_KUMA_STATUS_SLUG} + cache: 10m + template: | + {{ $hb := .Subrequest "heartbeats" }} + + {{ if not (.JSON.Exists "publicGroupList") }} +

Error reading response

+ {{ else if eq (len (.JSON.Array "publicGroupList")) 0 }} +

No monitors found

+ {{ else }} + +
    + {{ range .JSON.Array "publicGroupList" }} + {{ range .Array "monitorList" }} + {{ $id := .String "id" }} + {{ $hbArray := $hb.JSON.Array (print "heartbeatList." $id) }} +
    + + {{ .String "name" }} + + {{ if gt (len $hbArray) 0 }} + {{ $latest := index $hbArray (sub (len $hbArray) 1) }} + {{ if eq ($latest.Int "status") 1 }} +
    {{ $latest.Int "ping" }}ms
    +
    + + + +
    + {{ else }} +
    DOWN
    +
    + + + +
    + {{ end }} + {{ else }} +
    No data
    +
    + + + +
    + {{ end }} +
    + {{ end }} + {{ end }} +
+ {{ end }} + # - size: small + # widgets: + # - type: custom-api + # cache: 30m + # headers: + # Authorization: Bearer ${LINKWARDEN_API_KEY} + # method: GET + # template: | + #
    + # {{ range .JSON.Array "response" }} + #
  • + # {{ $title := .String "name" }} + # {{ if gt (len $title) 50 }} + # {{ $title = (slice $title 0 50) | printf "%s..." }} + # {{ end }} + # + # {{ $title }} + # + #
      + #
    • + # {{ .String "collection.name" }} + #
    • + # {{ $tags := .Array "tags" }} + # {{ range $index, $tag := $tags }} + #
    • {{ .String "name" }}
    • + # {{ end }} + #
    + #
  • + # {{ end }} + #
+ # title: Bookmarks + # url: http://linkwarden.linkwarden.svc.cluster.local:80/api/v1/links + # - size: full + # widgets: + # - type: custom-api + # title: Beszel Metrics + # url: http://beszel-hub.beszel.svc.cluster.local:8090/api/collections/systems/records + # method: GET + # options: + # redirect-url: "" # You must use "" and http:// or https:// + # headers: + # Authorization: Bearer ${BESZEL_TOKEN} + # Accept: application/json + # template: | + # {{ $redirect := .Options.StringOr "redirect-url" "" }} + # {{ $newTab := .Options.BoolOr "in-new-tab" false }} + # {{ $hideKernel := .Options.BoolOr "hide-kernel" false }} + # {{ $hideUptime := .Options.BoolOr "hide-uptime" false }} + # {{ $hideCPUInfo := .Options.BoolOr "hide-cpu-info" false }} + # {{ $hideIP := .Options.BoolOr "hide-ip" false }} + # {{ $collapsible := .Options.BoolOr "collapsible" false }} + # {{ $items := .JSON.Array "items" }} + # {{ range $items }} + # {{ $info := .Get "info" }} + # {{ $name := .String "name" }} + # {{ $link := "" }} + # {{ if ne $redirect "" }} + # {{ $link = printf "%s/system/%s" $redirect $name }} + # {{ end }} + #
+ # {{ if eq (.String "status") "up" }} + # + # {{ else }} + # + # {{ end }} + # {{ if ne $redirect "" }} + # + # {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} + # + # {{ else }} + # + # {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} + # + # {{ end }} + #
+ # {{ if $collapsible }} + #
+ # Metrics + #
+ # {{ if not $hideKernel }} + #

Kernel: {{ $info.String "k" }}

+ # {{ end }} + # {{ if not $hideUptime }} + # {{ $uptimeSec := $info.Float "u" }} + # {{ if ge $uptimeSec 86400.0 }} + #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

+ # {{ else }} + #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

+ # {{ end }} + # {{ end }} + # {{ if not $hideCPUInfo }} + #

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

+ # {{ end }} + #

📊 Cpu: {{ $info.Float "cpu" }}%

+ #

🧠 Memory: {{ $info.Float "mp" }}%

+ #

💾 Disk: {{ $info.Float "dp" }}%

+ #
+ #
+ # {{ else }} + #
+ # {{ if not $hideKernel }} + #

Kernel: {{ $info.String "k" }}

+ # {{ end }} + # {{ if not $hideUptime }} + # {{ $uptimeSec := $info.Float "u" }} + # {{ if ge $uptimeSec 86400.0 }} + #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

+ # {{ else }} + #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

+ # {{ end }} + # {{ end }} + # {{ if not $hideCPUInfo }} + #

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

+ # {{ end }} + #

📊 Cpu: {{ $info.Float "cpu" }}%

+ #

🧠 Memory: {{ $info.Float "mp" }}%

+ #

💾 Disk: {{ $info.Float "dp" }}%

+ #
+ # {{ end }}
+ # {{ end }}
\ No newline at end of file
diff --git a/kubernetes/apps/observability/glance/app/deployment.yaml b/kubernetes/apps/observability/glance/app/deployment.yaml
new file mode 100644
index 00000000..31b39bab
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/deployment.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: &app glance
+ namespace: observability
+ labels:
+ app: glance
+ annotations:
+ configmap.reloader.stakater.com/reload: "glance-configmap"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: glance
+ template:
+ metadata:
+ labels:
+ app: glance
+ spec:
+ containers:
+ - name: glance
+ image: docker.io/glanceapp/glance:latest
+ ports:
+ - name: web
+ containerPort: 8080
+ imagePullPolicy: Always
+ resources:
+ limits:
+ memory: 256Mi
+ cpu: 100m
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ volumeMounts:
+ - mountPath: /app/config/glance.yml
+ name: config
+ readOnly: true
+ subPath: glance.yml
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 60
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: glance-configmap
+ name: config
diff --git a/kubernetes/apps/observability/glance/app/ingress.yaml b/kubernetes/apps/observability/glance/app/ingress.yaml
new file mode 100644
index 00000000..6063352c
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/ingress.yaml
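Review bot: `password: ${PIHOLE_PASSWORD}` under the `dns-stats` widget puts the Pi-hole admin password into the rendered dashboard config, which the deployment in the next hunk mounts from the `glance-configmap` ConfigMap, so the credential becomes readable by anything allowed to read ConfigMaps in that namespace instead of being handled as a Secret. Glance expands `${VAR}` references from the container environment (worth confirming for the version deployed), so the placeholder can stay in the file and the value be supplied through `env`/`valueFrom.secretKeyRef` from a Secret rather than substituted into the ConfigMap. Separately, the self-monitor entry `check-url: http://glance.glance.svc.cluster.local:8080` does not match the Service this series creates in `observability`, so the dashboard will always show itself as down; `check-url: http://glance.observability.svc.cluster.local:8080` matches the Service. The file is one hunk; the custom-api template sections in the middle were mangled by extraction and could not be reviewed.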
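Review bot: `image: docker.io/glanceapp/glance:latest` with `imagePullPolicy: Always` means every restart, including the restarts reloader triggers on config changes, can pull a different, unreviewed build of a process that holds the Pi-hole credential from its config; pin the image to a release tag or digest. The pod sets no `securityContext`; `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}` would bring it in line with the reloader manifest in this same commit. The `subPath` mount will not see in-place ConfigMap updates, which is why the `configmap.reloader.stakater.com/reload` annotation is needed; a one-line comment above that annotation saying so would stop the next maintainer from removing either half.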
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: &app glance-ingress
+ namespace: observability
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.middlewares: observability-authentik-forwardauth@kubernetescrd
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: home.${SECRET_EXTERNAL_DOMAIN}
+ http:
+ paths:
+ - backend:
+ service:
+ name: glance
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - home.${SECRET_EXTERNAL_DOMAIN}
+ secretName: glance-tls
diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml
new file mode 100644
index 00000000..81661fb8
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./deployment.yaml
+ - ./service.yaml
+ - ./middleware.yaml
+ - ./ingress.yaml
diff --git a/kubernetes/apps/observability/glance/app/middleware.yaml b/kubernetes/apps/observability/glance/app/middleware.yaml
new file mode 100644
index 00000000..bfd2209d
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/middleware.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik-forwardauth
+ namespace: observability
+spec:
+ forwardAuth:
+ address: http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Set-Cookie
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
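Review bot: This `authentik-forwardauth` Middleware is repeated byte-for-byte for the `selfhosted` namespace later in the same commit, so the outpost address and the response-header allow-list now live in two places that can drift apart; a single Middleware referenced from both ingresses as `<namespace>-authentik-forwardauth@kubernetescrd` (placeholder namespace; Traefik's CRD provider needs `allowCrossNamespace` enabled for that) or a shared base both kustomizations include would keep them aligned. `trustForwardHeader: true` makes the outpost believe the `X-Forwarded-*` values traefik passes on, which is only sound if traefik's entrypoint is not itself configured to accept those headers from arbitrary clients; that setting is outside this commit and worth checking.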
diff --git a/kubernetes/apps/observability/glance/app/service.yaml b/kubernetes/apps/observability/glance/app/service.yaml
new file mode 100644
index 00000000..3109dea0
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/service.yaml
@@ -0,0 +1,15 @@
+---
+# Source: glance/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: &app glance
+ namespace: observability
+spec:
+ type: ClusterIP
+ ports:
+ - name: web
+ port: 8080
+ targetPort: web
+ selector:
+ app: glance
diff --git a/kubernetes/apps/observability/glance/ks.yaml b/kubernetes/apps/observability/glance/ks.yaml
new file mode 100644
index 00000000..74a52db6
--- /dev/null
+++ b/kubernetes/apps/observability/glance/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app glance
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/observability/glance/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml
index 08da1fce..a1a54ae8 100644
--- a/kubernetes/apps/observability/kustomization.yaml
+++ b/kubernetes/apps/observability/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - ./namespace.yaml
 - ./kube-prometheus-stack/ks.yaml
 - ./grafana/ks.yaml
+ - ./glance/ks.yaml
diff --git a/kubernetes/apps/selfhosted/kustomization.yaml b/kubernetes/apps/selfhosted/kustomization.yaml
index 51bc2792..08f48cb6 100644
--- a/kubernetes/apps/selfhosted/kustomization.yaml
+++ b/kubernetes/apps/selfhosted/kustomization.yaml
@@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
- - ./linkwarden/ks.yaml
\ No newline at end of file
+ - ./linkwarden/ks.yaml
+ - ./uptime-kuma/ks.yaml
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml
new file mode 100644
index 00000000..e129c190
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: &app uptime-kuma-ingress
+ namespace: selfhosted
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: status.${SECRET_EXTERNAL_DOMAIN}
+ http:
+ paths:
+ - backend:
+ service:
+ name: uptime-kuma
+ port:
+ number: 3001
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - status.${SECRET_EXTERNAL_DOMAIN}
+ secretName: uptime-kuma-tls
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml
new file mode 100644
index 00000000..edc4cce3
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./storage.yaml
+ - ./serviceaccount.yaml
+ - ./statefulSet.yaml
+ - ./middleware.yaml
+ - ./ingress.yaml
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
new file mode 100644
index 00000000..8d9f3614
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik-forwardauth
+ namespace: selfhosted
+spec:
+ forwardAuth:
+ address: http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Set-Cookie
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml
new file mode 100644
index 00000000..87df38a5
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: &app uptime-kuma
+ namespace: selfhosted
+ labels:
+ app.kubernetes.io/name: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
\ No newline at end of file
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml
new file mode 100644
index 00000000..8d76146b
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: &app uptime-kuma
+ namespace: selfhosted
+ labels:
+ app.kubernetes.io/name: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ annotations:
+ meta.helm.sh/release-name: uptime-kuma
+spec:
+ replicas: 1
+ serviceName: uptime-kuma
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ spec:
+ serviceAccountName: uptime-kuma
+ securityContext:
+ {}
+ nodeSelector:
+ kubernetes.io/hostname: talos-worker-eu-02
+ containers:
+ - name: uptime-kuma
+ securityContext:
+ {}
+ image: "louislam/uptime-kuma:2.2.1"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: UPTIME_KUMA_PORT
+ value: '3001'
+ - name: PORT
+ value: '3001'
+ ports:
+ - name: web
+ containerPort: 3001
+ livenessProbe:
+ exec:
+ command:
+ - extra/healthcheck
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 3001
+ scheme: HTTP
+ resources:
+ {}
+ volumeMounts:
+ - mountPath: /app/data
+ name: uptime-storage
+ readOnly: false
+ volumes:
+ - name: uptime-storage
+ persistentVolumeClaim:
+ claimName: uptime-storage-pvc
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml
new file mode 100644
index 00000000..43873b86
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: uptime-storage-pvc
+ namespace: selfhosted
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml b/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml
new file mode 100644
index 00000000..30fb110c
--- /dev/null
+++ b/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml
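Review bot: The pod uses the dedicated `uptime-kuma` ServiceAccount created in the previous hunk, but nothing in this StatefulSet talks to the Kubernetes API, so the token is mounted into the container for no purpose; add `automountServiceAccountToken: false` next to `serviceAccountName: uptime-kuma`. Both `securityContext:` blocks and `resources:` are left as `{}`, so the container runs with the image's default user and without any CPU/memory bounds, unlike the glance and reloader manifests in the same commit; a pod-level `runAsNonRoot`/`seccompProfile` and explicit requests and limits would bring it in line. `nodeSelector: kubernetes.io/hostname: talos-worker-eu-02` pins the workload to a single node even though the PVC is on Longhorn, which is presumably deliberate but deserves a comment stating why.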
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app uptime-kuma + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/selfhosted/uptime-kuma/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: selfhosted + wait: false From 9258e656c15377c26f10f6219f00d73e4f266050 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 12:43:26 +0200 Subject: [PATCH 087/114] fix: ks path for glance and reloader --- kubernetes/apps/default/reloader/ks.yaml | 2 +- kubernetes/apps/observability/glance/ks.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/default/reloader/ks.yaml b/kubernetes/apps/default/reloader/ks.yaml index db49d867..e3297c60 100644 --- a/kubernetes/apps/default/reloader/ks.yaml +++ b/kubernetes/apps/default/reloader/ks.yaml @@ -10,7 +10,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/default/reloader/app + path: ./kubernetes/apps/default/reloader/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/observability/glance/ks.yaml b/kubernetes/apps/observability/glance/ks.yaml index 74a52db6..2f24f339 100644 --- a/kubernetes/apps/observability/glance/ks.yaml +++ b/kubernetes/apps/observability/glance/ks.yaml @@ -10,7 +10,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/observability/glance/app + path: ./kubernetes/apps/observability/glance/app prune: true sourceRef: kind: GitRepository From 6a52529eb76e4236c04f8591d5fb3e0b3ffaaa48 Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Fri, 3 Apr 2026 12:47:22 +0200 Subject: [PATCH 088/114] fix: add service for uptime-kuma and configMap for glance --- .../glance/app/kustomization.yaml | 7 +++++++ .../uptime-kuma/app/kustomization.yaml | 1 + .../selfhosted/uptime-kuma/app/service.yaml | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml index 81661fb8..e343eb9e 100644 --- a/kubernetes/apps/observability/glance/app/kustomization.yaml +++ b/kubernetes/apps/observability/glance/app/kustomization.yaml @@ -7,3 +7,10 @@ resources: - ./service.yaml - ./middleware.yaml - ./ingress.yaml +configMapGenerator: + - name: glance-configmap + namespace: glance + files: + - ./configs/glance.yml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml index edc4cce3..a67c5dd6 100644 --- a/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml @@ -6,5 +6,6 @@ resources: - ./storage.yaml - ./serviceaccount.yaml - ./statefulSet.yaml + - ./service.yaml - ./middleware.yaml - ./ingress.yaml diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml new file mode 100644 index 00000000..0c9fe9b8 --- /dev/null +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml 
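Review bot: The generated ConfigMap is pinned to `namespace: glance`, while the glance Middleware touched in patch 097 lives in `observability`; if the Deployment is in `observability` too, the pod cannot mount a ConfigMap from another namespace, so either drop the `namespace:` line and let the Flux Kustomization's target namespace apply or set it to the namespace the rest of the app uses. With `disableNameSuffixHash: true` a config change no longer changes the ConfigMap name, so pods are not rolled on edits unless the Deployment carries a reloader annotation; a comment such as `# name is stable on purpose: rollout on change is handled by reloader` (or the annotation itself) would document which is intended.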
@@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: uptime-kuma + namespace: selfhosted + labels: + app.kubernetes.io/name: uptime-kuma + app.kubernetes.io/instance: uptime-kuma +spec: + type: ClusterIP + ports: + - port: 3001 + targetPort: web + protocol: TCP + name: web + selector: + app.kubernetes.io/name: uptime-kuma + app.kubernetes.io/instance: uptime-kuma From 30f987b5b796d9b9270aa3ade6ef1187da0ea05b Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 12:48:49 +0200 Subject: [PATCH 089/114] fix: glance configmap file dir --- kubernetes/apps/observability/glance/app/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml index e343eb9e..a5046a44 100644 --- a/kubernetes/apps/observability/glance/app/kustomization.yaml +++ b/kubernetes/apps/observability/glance/app/kustomization.yaml @@ -11,6 +11,6 @@ configMapGenerator: - name: glance-configmap namespace: glance files: - - ./configs/glance.yml + - ./config/glance.yml generatorOptions: disableNameSuffixHash: true From 75854b1aeed7818864a91d9cd1ca930c4316a88d Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 12:49:35 +0200 Subject: [PATCH 090/114] fix: glance filetype --- .../observability/glance/app/config/{glance.yaml => glance.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename kubernetes/apps/observability/glance/app/config/{glance.yaml => glance.yml} (100%) diff --git a/kubernetes/apps/observability/glance/app/config/glance.yaml b/kubernetes/apps/observability/glance/app/config/glance.yml similarity index 100% rename from kubernetes/apps/observability/glance/app/config/glance.yaml rename to kubernetes/apps/observability/glance/app/config/glance.yml From f4cc099e6eab9df80d65c99d7ce7c6d1b20f683d Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Fri, 3 Apr 2026 12:58:26 +0200 Subject: [PATCH 091/114] increase psql storage to 60Gi --- kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml index 80f8bb7a..1b8c7f6c 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml @@ -11,7 +11,7 @@ spec: storage: storageClass: longhorn - size: 20Gi + size: 60Gi superuserSecret: name: cloudnative-pg-secret From ba7d7128e8daba083a3908f67b01c66b2a58085f Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 13:20:53 +0200 Subject: [PATCH 092/114] increase cluster18 db to 100Gi --- kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml index 1b8c7f6c..98f7b9dd 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml @@ -11,7 +11,7 @@ spec: storage: storageClass: longhorn - size: 60Gi + size: 100Gi superuserSecret: name: cloudnative-pg-secret From fcfb52671c550a3bf42de259b7e8aee96ac74732 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 13:43:12 +0200 Subject: [PATCH 093/114] Restore postgres18 from S3 backup (all databases, 100Gi storage) --- .../cloudnative-pg/cluster/cluster18.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml index 98f7b9dd..ace5d531 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml 
+++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml @@ -9,6 +9,13 @@ spec: primaryUpdateStrategy: unsupervised primaryUpdateMethod: switchover + # Bootstrap from latest backup - restore to latest available point in time + bootstrap: + recovery: + source: postgres18-restore + recoveryTarget: + targetTime: "" # Empty = restore to latest available + storage: storageClass: longhorn size: 100Gi @@ -22,6 +29,23 @@ spec: parameters: max_connections: "400" shared_buffers: 256MB + + externalClusters: + - name: postgres18-restore + barmanObjectStore: + destinationPath: 's3://talos-lj-backup/' + serverName: postgres18 # Specify the source cluster name + s3Credentials: + accessKeyId: + name: s3-creds + key: ACCESS_KEY_ID + secretAccessKey: + name: s3-creds + key: SECRET_ACCESS_KEY + wal: + compression: gzip + maxParallel: 4 + encryption: AES256 nodeMaintenanceWindow: inProgress: false reusePVC: true From db674427e0076f363e614aa2e036a0dc0d5e8276 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 13:45:01 +0200 Subject: [PATCH 094/114] Fix WAL archive conflict: use postgres18-restored for new backups --- kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml index ace5d531..297b4f38 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml @@ -63,6 +63,7 @@ spec: retentionPolicy: 7d barmanObjectStore: destinationPath: 's3://talos-lj-backup/' + serverName: postgres18-restored # Use different name to avoid WAL archive conflict s3Credentials: accessKeyId: name: s3-creds From da4ebd1cdb5df8d25fb306d147d583fb74600414 Mon Sep 17 00:00:00 2001 
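Review bot: `recoveryTarget.targetTime: ""` in the new bootstrap block is an unusual way to express "latest": CloudNativePG recovers to the end of the archived WAL when `recoveryTarget` is simply omitted, and an empty string may be rejected by CRD validation rather than treated as unset, so confirm against the operator version in use or drop those two lines. Because `bootstrap` is only honoured when the Cluster object is first created, the block does nothing on later reconciles; a comment like `# bootstrap is consumed only at Cluster creation; kept to document the 2026-04-03 restore from S3` would stop a future reader from expecting it to re-run. In the externalClusters hunk the source `serverName: postgres18` is deliberately different from the `postgres18-restored` that patch 094 introduces for new archives, which is the right separation, and a cross-reference comment between the two would make that intent explicit.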
From: cloudwithdan Date: Fri, 3 Apr 2026 14:08:59 +0200 Subject: [PATCH 095/114] create linkwarden with new authentik --- .../apps/selfhosted/linkwarden/app/secret.sops.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml index afcc560f..06f1cec3 100644 --- a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -16,8 +16,8 @@ stringData: NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:qS2UTA==,iv:t1ltfjEEPVWilI7RvOxSkbctVdwybs14qTZD0hwUwzM=,tag:4r8jdAqvdfagczlA6F3wFA==,type:str] NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] AUTHENTIK_ISSUER: ENC[AES256_GCM,data:qfiGTgm7XJtjfZL+cQfyGgkJVAf94B0ROizpuXr3lU0gAkF7Ykv+wlys8nHyms26zSeTCQ2b,iv:0EuzVgvP7bwyJfYOnJIIDeNviEy+5u900xydlrpRBm0=,tag:lLcvuqAn5WkPtwhdSy2riw==,type:str] - AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:ArVQuMw+K24zluD5KDT9s2KANd+Cx2OU0QeLwi6zIKvNSGjBmA0Yfw==,iv:fIBAZdKMkWwHZQU453Xw7NGbH8NYBk085ScoPhMoYcM=,tag:CTkxYI8/o6qqA1xmQjbmRw==,type:str] - AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:hFEouWUsmo+j/yZj/gNCfXAfASWmTA2eUjLDEXTLro1IE1PSFY3zkasllF2IEyz/MGRVtelRRhgFLBuibtCgU7F2PRmsTCQMjf00HYSDDUyLJc16pUUDcBxU5FxYDcmpfRQ5txFwir5+tuB503hlzbBgqFyUwK7A/xpKd8NPtfw=,iv:UIFD29pzzwTLzzO3IRX8weQdi+rBiVpRW6efZ3dJ0F8=,tag:P5uEG5lIpsaXmwMUxH4WpA==,type:str] + AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:VXfUahvwuTx/QvggGIeASXTY3etF83CqgTj5e+92Wb750F2tad64Aw==,iv:PoRc4pfA76Z/IeuWQfiCwT7fto5t+8gwqffAX+gtdL4=,tag:S8M9U5b3knrxOxQDMgem1g==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:TjFHj9KZyy9FTntzVE3kmPhzrjc8ll1rEcd2AFab5oeWbbA7A2UH63c4nrXa6wvn4mmJFBQdbU5P49RmNoX5U/VIDoexFrX1cXJDHan82RRyMdRA3tuLXgQMA0JwaCz4m2moxp54jF4b7Cc9O4UOhjtR5N+ptuts1W61ZB161y0=,iv:8sP+RT/32rn7l4gY5/Jz4IqdKKZh65Rr5Dxw2OUphbE=,tag:0F02W3SIF10lmBALmSQk+Q==,type:str] INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] INIT_POSTGRES_DBNAME: 
ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] @@ -36,7 +36,7 @@ sops: Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T12:14:14Z" - mac: ENC[AES256_GCM,data:GY1dmDEgsPUm6bVqeed+vDq0/JUTwEGf0p5F/hAtwavLrkg427pjc9T/I60xgVFkgz2rTy2zJgHZDMNcLRoKCgOXhbjho+1Gr3skWLkDgzFqFbrrqTfbPwHItx9PehrLNNkDfTgScl55bITRANA8aNTWMP357/uTOAbZdzmMgxo=,iv:e7PJRXg9/fXRU9ZuLXwiPWtfo8HxYMuvK4fejbQFNFc=,tag:ETzXXPFs/UP3E3cA/Za5mg==,type:str] + lastmodified: "2026-04-03T12:07:11Z" + mac: ENC[AES256_GCM,data:nWOHM3n+cLhVaOkGrOmasEGv+1Y+q5oRK/sFU5BismO3jZ6nkgPgSlJPX2AMyJgWeFgRdM6aSL+qJWVZRPympWkQ09qWFDhMoFx5kHYxtnFgEWZzLXjvj2KgaiGDE8R7LqGxK3tr1yJ/Z2iJUx3jkrGx0cH4P76bgI7kELl2TUI=,iv:EGlLLGR89BFq4flxe1fW+Jqfc/Aa8t72/LSMk8kOohU=,tag:d868lGfLpYKSZ5DdGWbawg==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From f2c6a18681424ae7a855697db049641a4cd1432b Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 14:19:27 +0200 Subject: [PATCH 096/114] fix --- .../glance/app/config/glance.yml | 246 +++++++++--------- .../selfhosted/uptime-kuma/app/ingress.yaml | 2 +- 2 files changed, 124 insertions(+), 124 deletions(-) diff --git a/kubernetes/apps/observability/glance/app/config/glance.yml b/kubernetes/apps/observability/glance/app/config/glance.yml index 52cd6bf6..c5d3edcd 100644 --- a/kubernetes/apps/observability/glance/app/config/glance.yml +++ b/kubernetes/apps/observability/glance/app/config/glance.yml @@ -197,126 +197,126 @@ pages: {{ end }} {{ end }} - # - size: small - # widgets: - # - type: custom-api - # cache: 30m - # headers: - # Authorization: Bearer ${LINKWARDEN_API_KEY} - # method: GET - # template: | - #
    - # {{ range .JSON.Array "response" }} - #
  • - # {{ $title := .String "name" }} - # {{ if gt (len $title) 50 }} - # {{ $title = (slice $title 0 50) | printf "%s..." }} - # {{ end }} - # - # {{ $title }} - # - #
      - #
    • - # {{ .String "collection.name" }} - #
    • - # {{ $tags := .Array "tags" }} - # {{ range $index, $tag := $tags }} - #
    • {{ .String "name" }}
    • - # {{ end }} - #
    - #
  • - # {{ end }} - #
- # title: Bookmarks - # url: http://linkwarden.linkwarden.svc.cluster.local:80/api/v1/links - # - size: full - # widgets: - # - type: custom-api - # title: Beszel Metrics - # url: http://beszel-hub.beszel.svc.cluster.local:8090/api/collections/systems/records - # method: GET - # options: - # redirect-url: "" # You must use "" and http:// or https:// - # headers: - # Authorization: Bearer ${BESZEL_TOKEN} - # Accept: application/json - # template: | - # {{ $redirect := .Options.StringOr "redirect-url" "" }} - # {{ $newTab := .Options.BoolOr "in-new-tab" false }} - # {{ $hideKernel := .Options.BoolOr "hide-kernel" false }} - # {{ $hideUptime := .Options.BoolOr "hide-uptime" false }} - # {{ $hideCPUInfo := .Options.BoolOr "hide-cpu-info" false }} - # {{ $hideIP := .Options.BoolOr "hide-ip" false }} - # {{ $collapsible := .Options.BoolOr "collapsible" false }} - # {{ $items := .JSON.Array "items" }} - # {{ range $items }} - # {{ $info := .Get "info" }} - # {{ $name := .String "name" }} - # {{ $link := "" }} - # {{ if ne $redirect "" }} - # {{ $link = printf "%s/system/%s" $redirect $name }} - # {{ end }} - #
- # {{ if eq (.String "status") "up" }} - # - # {{ else }} - # - # {{ end }} - # {{ if ne $redirect "" }} - # - # {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} - # - # {{ else }} - # - # {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} - # - # {{ end }} - #
- # {{ if $collapsible }} - #
- # Metrics - #
- # {{ if not $hideKernel }} - #

Kernel: {{ $info.String "k" }}

- # {{ end }} - # {{ if not $hideUptime }} - # {{ $uptimeSec := $info.Float "u" }} - # {{ if ge $uptimeSec 86400.0 }} - #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

- # {{ else }} - #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

- # {{ end }} - # {{ end }} - # {{ if not $hideCPUInfo }} - #

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

- # {{ end }} - #

📊 Cpu: {{ $info.Float "cpu" }}%

- #

🧠 Memory: {{ $info.Float "mp" }}%

- #

💾 Disk: {{ $info.Float "dp" }}%

- #
- #
- # {{ else }} - #
- # {{ if not $hideKernel }} - #

Kernel: {{ $info.String "k" }}

- # {{ end }} - # {{ if not $hideUptime }} - # {{ $uptimeSec := $info.Float "u" }} - # {{ if ge $uptimeSec 86400.0 }} - #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

- # {{ else }} - #

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

- # {{ end }} - # {{ end }} - # {{ if not $hideCPUInfo }} - #

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

- # {{ end }} - #

📊 Cpu: {{ $info.Float "cpu" }}%

- #

🧠 Memory: {{ $info.Float "mp" }}%

- #

💾 Disk: {{ $info.Float "dp" }}%

- #
- # {{ end }} - # {{ end }} \ No newline at end of file + - size: small + widgets: + - type: custom-api + cache: 30m + headers: + Authorization: Bearer ${LINKWARDEN_API_KEY} + method: GET + template: | +
    + {{ range .JSON.Array "response" }} +
  • + {{ $title := .String "name" }} + {{ if gt (len $title) 50 }} + {{ $title = (slice $title 0 50) | printf "%s..." }} + {{ end }} + + {{ $title }} + +
      +
    • + {{ .String "collection.name" }} +
    • + {{ $tags := .Array "tags" }} + {{ range $index, $tag := $tags }} +
    • {{ .String "name" }}
    • + {{ end }} +
    +
  • + {{ end }} +
+ title: Bookmarks + url: http://linkwarden.linkwarden.svc.cluster.local:80/api/v1/links + - size: full + widgets: + - type: custom-api + title: Beszel Metrics + url: http://beszel-hub.beszel.svc.cluster.local:8090/api/collections/systems/records + method: GET + options: + redirect-url: "" # You must use "" and http:// or https:// + headers: + Authorization: Bearer ${BESZEL_TOKEN} + Accept: application/json + template: | + {{ $redirect := .Options.StringOr "redirect-url" "" }} + {{ $newTab := .Options.BoolOr "in-new-tab" false }} + {{ $hideKernel := .Options.BoolOr "hide-kernel" false }} + {{ $hideUptime := .Options.BoolOr "hide-uptime" false }} + {{ $hideCPUInfo := .Options.BoolOr "hide-cpu-info" false }} + {{ $hideIP := .Options.BoolOr "hide-ip" false }} + {{ $collapsible := .Options.BoolOr "collapsible" false }} + {{ $items := .JSON.Array "items" }} + {{ range $items }} + {{ $info := .Get "info" }} + {{ $name := .String "name" }} + {{ $link := "" }} + {{ if ne $redirect "" }} + {{ $link = printf "%s/system/%s" $redirect $name }} + {{ end }} +
+ {{ if eq (.String "status") "up" }} + + {{ else }} + + {{ end }} + {{ if ne $redirect "" }} + + {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} + + {{ else }} + + {{ $name }}{{ if not $hideIP }} ({{ .String "host" }}){{ end }} + + {{ end }} +
+ {{ if $collapsible }} +
+ Metrics +
+ {{ if not $hideKernel }} +

Kernel: {{ $info.String "k" }}

+ {{ end }} + {{ if not $hideUptime }} + {{ $uptimeSec := $info.Float "u" }} + {{ if ge $uptimeSec 86400.0 }} +

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

+ {{ else }} +

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

+ {{ end }} + {{ end }} + {{ if not $hideCPUInfo }} +

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

+ {{ end }} +

📊 Cpu: {{ $info.Float "cpu" }}%

+

🧠 Memory: {{ $info.Float "mp" }}%

+

💾 Disk: {{ $info.Float "dp" }}%

+
+
+ {{ else }} +
+ {{ if not $hideKernel }} +

Kernel: {{ $info.String "k" }}

+ {{ end }} + {{ if not $hideUptime }} + {{ $uptimeSec := $info.Float "u" }} + {{ if ge $uptimeSec 86400.0 }} +

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000011574) }}d

+ {{ else }} +

Uptime: {{ printf "%.2f" (mul $uptimeSec 0.000277778) }}h

+ {{ end }} + {{ end }} + {{ if not $hideCPUInfo }} +

CPU: {{ replaceAll "CPU " "" ($info.String "m") }}

+ {{ end }} +

📊 Cpu: {{ $info.Float "cpu" }}%

+

🧠 Memory: {{ $info.Float "mp" }}%

+

💾 Disk: {{ $info.Float "dp" }}%

+
+ {{ end }} + {{ end }} \ No newline at end of file diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml index e129c190..d0ee4942 100644 --- a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml @@ -6,7 +6,7 @@ metadata: annotations: external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" cert-manager.io/cluster-issuer: letsencrypt-production - traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd +# traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd spec: ingressClassName: traefik rules: From 6544b0f91777568fac54bdbe0025b3f84fc3e0f2 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 14:24:07 +0200 Subject: [PATCH 097/114] fix Authentik Auth Proxy URL --- kubernetes/apps/observability/glance/app/middleware.yaml | 2 +- kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml | 2 +- kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/observability/glance/app/middleware.yaml b/kubernetes/apps/observability/glance/app/middleware.yaml index bfd2209d..bdd298d4 100644 --- a/kubernetes/apps/observability/glance/app/middleware.yaml +++ b/kubernetes/apps/observability/glance/app/middleware.yaml @@ -6,7 +6,7 @@ metadata: namespace: observability spec: forwardAuth: - address: http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - Set-Cookie 
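Review bot: The two uncommented custom-api widgets carry `Authorization: Bearer ${LINKWARDEN_API_KEY}` and `Bearer ${BESZEL_TOKEN}` in a file that patch 088 turns into a ConfigMap via configMapGenerator. If Flux variable substitution runs on this Kustomization (the uptime-kuma Ingress relies on `${SECRET_CLOUDFLARE_TUNNEL_ID}` being substituted somewhere), both tokens are expanded at apply time and stored in plaintext in the ConfigMap; if instead glance expands them from its process environment, the pod must receive them from a Secret-backed env var and Flux must not substitute them. A comment above `headers:` stating which mechanism is intended, e.g. `# ${...} is resolved by glance from the pod environment, not by Flux postBuild`, would settle this for the next reader. The file also still ends without a trailing newline.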
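Review bot: Commenting out the `traefik.ingress.kubernetes.io/router.middlewares` annotation removes Authentik forward-auth from an Ingress that is published through the Cloudflare tunnel (`external-dns.alpha.kubernetes.io/target` two lines above), so between this patch and patch 097, which restores the line, uptime-kuma was reachable without authentication. When the middleware is broken (patch 097 shows the outpost address was wrong) the safer interim is to leave the annotation in place so the router fails closed, or to remove the Ingress entirely until the middleware works. If this was intentional debugging, a commit message beyond `fix` and a comment on the line stating why and for how long it is disabled would make the exposure visible in review.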
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml index d0ee4942..e129c190 100644 --- a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml @@ -6,7 +6,7 @@ metadata: annotations: external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" cert-manager.io/cluster-issuer: letsencrypt-production -# traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd spec: ingressClassName: traefik rules: diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml index 8d9f3614..e8987879 100644 --- a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml @@ -6,7 +6,7 @@ metadata: namespace: selfhosted spec: forwardAuth: - address: http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - Set-Cookie From a3564eee8b90bc75772fe13e69c71e62277c1f96 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 15:50:47 +0200 Subject: [PATCH 098/114] feat: grafana with oauth --- .../grafana/app/helmrelease.yaml | 14 +++++++++++ .../grafana/app/kustomization.yaml | 1 + .../grafana/app/secret.sops.yaml | 23 +++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 kubernetes/apps/observability/grafana/app/secret.sops.yaml diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 22d20932..8cb3800f 100644 
--- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml @@ -67,6 +67,20 @@ spec: # {{ end -}} # ` }} + grafana.ini: + auth: + signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + client_id: "${AUTH_CLIENT_ID}" + client_secret: "${AUTH_CLIENT_SECRET}" + scopes: "openid profile email" + auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" + token_url: "https://auth.cloudwithdan.com/application/o/token/" + api_url: "https://auth.cloudwithdan.com/application/o/userinfo/" + role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' dashboardProviders: dashboardproviders.yaml: diff --git a/kubernetes/apps/observability/grafana/app/kustomization.yaml b/kubernetes/apps/observability/grafana/app/kustomization.yaml index 17cbc72b..16a6ce30 100644 --- a/kubernetes/apps/observability/grafana/app/kustomization.yaml +++ b/kubernetes/apps/observability/grafana/app/kustomization.yaml @@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./secret.sops.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/grafana/app/secret.sops.yaml b/kubernetes/apps/observability/grafana/app/secret.sops.yaml new file mode 100644 index 00000000..207435e0 --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/secret.sops.yaml 
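Review bot: The new `auth.generic_oauth` block turns on `oauth_auto_login` but keeps Grafana's defaults for sign-up and PKCE, so every Authentik user allowed on the application is auto-provisioned and the `role_attribute_path` expression falls through to `'Viewer'` for anyone outside the two mapped groups. Consider `use_pkce: true`, an explicit `allow_sign_up` decision, and, if users outside the groups should be rejected rather than made Viewers, dropping the trailing `|| 'Viewer'` and setting `role_attribute_strict: true`. A short comment that access control is expected to be enforced by the Authentik application policy would document where the gate really is. The `${AUTH_CLIENT_ID}`/`${AUTH_CLIENT_SECRET}` placeholders only expand if Flux substitution covers this HelmRelease; patches 099 through 101 rework that, so nothing further here.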
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: grafana-secret + namespace: observability +stringData: + AUTH_CLIENT_ID: ENC[AES256_GCM,data:7kRc9k5EdO8Hf+llYbHafbsbdUPjGqiZRqCPD+DrmvQT2VmL3B7Qsw==,iv:i051BtRMFOaclBFJhNpyx9svtfT3oA/vKKqL6Eek7vs=,tag:G7Xar5kWiUCnamP0cmOFHQ==,type:str] + AUTH_CLIENT_SECRET: ENC[AES256_GCM,data:HcQwVa+LImQym9g9w9Vv4e20I7SXWOX+ZnrONsKgO4i3S/Zz0r2WzgR3LdktumLv1MxCcKDIoy8vduvfJoG7HN9SnOQ8/a8zit6JQISdRCdEAmgc4hLZGvMD/iyOYGskUgcegXXJo9hfwHglb/GQ2Rw65T5JNA2xzrtyJKUp4rI=,iv:Wj01EA83VTaNUNHJy+N2c9kC7NrZ6YsnYAWUq/83Uj8=,tag:SqaPwlYaG3Iz1CuTeZWTjw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZGlVWElFQnZOYVlXckww + ZHVVNExNN2xZUkNsaklNVjlGQ3dMU0ptam1vCk5OQnFPZmhoNjd3ODJvZ202Q29Z + a2tYc1MyamFKeWpZbkF1ZmNsWkh2OE0KLS0tIGpKKzdmN1BJQ3NsM2lHMHFXSjlB + NDZxaGM1WGhuc1R2c0liNE1KV0o3eGsKEKL1KgZydxm6iz/46zUeoZq9488YRFta + mPjBjLGxQjJfIemJa4N/kZaZHuxhqpwHWcUp7Xfzp63NfNF3uaeBHA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-03T13:12:52Z" + mac: ENC[AES256_GCM,data:lQxLEMx4pZK3gn7QSCvi+xd2jSLoLVBQBiJvPPY+VZ5Uf0H44hUyS/WwW3gBHLukJC0lxSnu+D0E3NMqPWRzEla5c8xmkgck5Ct5e+0hg1qQyXiFGln5WKBRSnaVtRy8BGAmAm6QEPPSymBbF6asScZ+2Y5wK5M1DmVsc/lQTlQ=,iv:zsIeMCQO23OtBhqtQVtyWcebuVAM/vzVXGkD7T9bUDc=,tag:TVcphLTTRnN1Sa1Cq9xz0g==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 From 8d83c09b1828c02d98a2179ba9665ed184bf8725 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 15:55:15 +0200 Subject: [PATCH 099/114] Fix Grafana Helm release: use envFrom for OAuth secrets --- .../apps/observability/grafana/app/helmrelease.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 8cb3800f..2c02e122 100644 
--- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml @@ -67,6 +67,10 @@ spec: # {{ end -}} # ` }} + envFrom: + - secretRef: + name: grafana-secret + grafana.ini: auth: signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" @@ -74,8 +78,8 @@ spec: auth.generic_oauth: name: authentik enabled: true - client_id: "${AUTH_CLIENT_ID}" - client_secret: "${AUTH_CLIENT_SECRET}" + client_id: $__env{AUTH_CLIENT_ID} + client_secret: $__env{AUTH_CLIENT_SECRET} scopes: "openid profile email" auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" token_url: "https://auth.cloudwithdan.com/application/o/token/" From d61f19e3dc20b03eed05e02ae2fa24d09efef6f7 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 15:58:33 +0200 Subject: [PATCH 100/114] Fix Grafana OAuth: use valuesFrom to inject secrets from grafana-secret --- .../observability/grafana/app/helmrelease.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 2c02e122..7a07e628 100644 --- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml @@ -14,6 +14,15 @@ spec: name: grafana-community namespace: flux-system interval: 12h + valuesFrom: + - kind: Secret + name: grafana-secret + valuesKey: AUTH_CLIENT_ID + targetPath: grafana\.ini.auth\.generic_oauth.client_id + - kind: Secret + name: grafana-secret + valuesKey: AUTH_CLIENT_SECRET + targetPath: grafana\.ini.auth\.generic_oauth.client_secret values: # alerting: # contactpoints.yaml: @@ -67,10 +76,6 @@ spec: # {{ end -}} # ` }} - envFrom: - - secretRef: - name: grafana-secret - grafana.ini: auth: signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" 
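Review bot: Injecting the client secret through `valuesFrom` with `targetPath: grafana\.ini.auth\.generic_oauth.client_secret` places the plaintext value into the chart's `grafana.ini` value, which the Grafana chart renders into a ConfigMap rather than a Secret; the chart's leaked-secret assertion exists for exactly this case, and patch 101 silences it with `assertNoLeakedSecrets: false` instead of avoiding the leak. Grafana expands `$__env{NAME}` from its own environment, so the chart's `envFromSecret: grafana-secret` together with `client_id: $__env{AUTH_CLIENT_ID}` and `client_secret: $__env{AUTH_CLIENT_SECRET}` in grafana.ini keeps the secret in the Secret and makes both `valuesFrom` entries and the assertion override unnecessary. Whether helm-controller honours the `\.` escapes in `targetPath` is also worth confirming against the Flux docs, since a silently wrong path would leave the keys unset.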
@@ -78,8 +83,6 @@ spec: auth.generic_oauth: name: authentik enabled: true - client_id: $__env{AUTH_CLIENT_ID} - client_secret: $__env{AUTH_CLIENT_SECRET} scopes: "openid profile email" auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" token_url: "https://auth.cloudwithdan.com/application/o/token/" From 71ea38418af23e19942ddf37e23a3d90ffcbcbb9 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 16:01:26 +0200 Subject: [PATCH 101/114] fix Grafana: disable secret client-side validation --- kubernetes/apps/observability/grafana/app/helmrelease.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 7a07e628..602eb682 100644 --- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml @@ -76,6 +76,8 @@ spec: # {{ end -}} # ` }} + assertNoLeakedSecrets: false + grafana.ini: auth: signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" From b57714ac578c31599ff80620dea90a934ef6f7d3 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 16:09:34 +0200 Subject: [PATCH 102/114] add grafana root url variable --- .../grafana/app/helmrelease.yaml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 602eb682..ef9b4d63 100644 --- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
@@ -79,17 +79,19 @@ spec: assertNoLeakedSecrets: false grafana.ini: - auth: - signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" - oauth_auto_login: true - auth.generic_oauth: - name: authentik - enabled: true - scopes: "openid profile email" - auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" - token_url: "https://auth.cloudwithdan.com/application/o/token/" - api_url: "https://auth.cloudwithdan.com/application/o/userinfo/" - role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' + server: + root_url: "https://grafana.apps.timvw.be" + auth: + signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + scopes: "openid profile email" + auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" + token_url: "https://auth.cloudwithdan.com/application/o/token/" + api_url: "https://auth.cloudwithdan.com/application/o/userinfo/" + role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' dashboardProviders: dashboardproviders.yaml: From 8ddf096ee5087798e0f5b1de9694f79198a44344 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 16:18:07 +0200 Subject: [PATCH 103/114] recreate secrets --- .../apps/observability/grafana/app/secret.sops.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/apps/observability/grafana/app/secret.sops.yaml b/kubernetes/apps/observability/grafana/app/secret.sops.yaml index 207435e0..e7f6b7c7 100644 --- a/kubernetes/apps/observability/grafana/app/secret.sops.yaml +++ b/kubernetes/apps/observability/grafana/app/secret.sops.yaml 
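Review bot: `root_url: "https://grafana.apps.timvw.be"` is on a different domain from every other URL in this block (`auth.cloudwithdan.com`); Grafana derives the OAuth redirect URI from `root_url`, so if this was copied from another cluster the callback will not match the redirect URI registered in Authentik, and the post-login redirect would send browsers to a host outside this deployment. Confirm the value and consider sourcing it from the cluster variables the way the Ingress does, with a comment `# must match the redirect URI registered on the Authentik grafana provider`. The hunk also re-indents `auth` and `auth.generic_oauth`; from the collapsed diff it is hard to verify they remain nested under `grafana.ini` alongside `server`, so a `helm template` check of the rendered grafana.ini is worthwhile.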
@@ -4,8 +4,8 @@ metadata: name: grafana-secret namespace: observability stringData: - AUTH_CLIENT_ID: ENC[AES256_GCM,data:7kRc9k5EdO8Hf+llYbHafbsbdUPjGqiZRqCPD+DrmvQT2VmL3B7Qsw==,iv:i051BtRMFOaclBFJhNpyx9svtfT3oA/vKKqL6Eek7vs=,tag:G7Xar5kWiUCnamP0cmOFHQ==,type:str] - AUTH_CLIENT_SECRET: ENC[AES256_GCM,data:HcQwVa+LImQym9g9w9Vv4e20I7SXWOX+ZnrONsKgO4i3S/Zz0r2WzgR3LdktumLv1MxCcKDIoy8vduvfJoG7HN9SnOQ8/a8zit6JQISdRCdEAmgc4hLZGvMD/iyOYGskUgcegXXJo9hfwHglb/GQ2Rw65T5JNA2xzrtyJKUp4rI=,iv:Wj01EA83VTaNUNHJy+N2c9kC7NrZ6YsnYAWUq/83Uj8=,tag:SqaPwlYaG3Iz1CuTeZWTjw==,type:str] + AUTH_CLIENT_ID: ENC[AES256_GCM,data:odyXdpMKdHonvAG8CIkvPIP90l31q2JXE9J8hyhE3rP+D7TrmBF4sA==,iv:SUdsqIlEc+I1z+SZDYhKQMrFcIYZ8N9zxlAm8XoeP7w=,tag:beOSH5NSladuXX1KovMxng==,type:str] + AUTH_CLIENT_SECRET: ENC[AES256_GCM,data:QhRPm4gsvSUQq3JDw1hjK0b9UqHyOoyjm3Hqo/CLWToGUFNUpQH+GOQPac05VMYbEszbZ8t93rAFc6c3Ut+tOyHuhKg7kU1jOlu+iuFEM9PLmmOt/CkuiU4Al/1a/0YSO0PNoN3JWnIjB17NKW5Abn/bxrz/MtxgLRC0rqGXLMg=,iv:hVr22mewynSdAkTFpD9Z5ujtA/VCcCSM4wq0WPBlhYw=,tag:fUQ1Lf2oAXNSQ01yf8fWrg==,type:str] sops: age: - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv 
@@ -17,7 +17,7 @@ sops: NDZxaGM1WGhuc1R2c0liNE1KV0o3eGsKEKL1KgZydxm6iz/46zUeoZq9488YRFta mPjBjLGxQjJfIemJa4N/kZaZHuxhqpwHWcUp7Xfzp63NfNF3uaeBHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-03T13:12:52Z" - mac: ENC[AES256_GCM,data:lQxLEMx4pZK3gn7QSCvi+xd2jSLoLVBQBiJvPPY+VZ5Uf0H44hUyS/WwW3gBHLukJC0lxSnu+D0E3NMqPWRzEla5c8xmkgck5Ct5e+0hg1qQyXiFGln5WKBRSnaVtRy8BGAmAm6QEPPSymBbF6asScZ+2Y5wK5M1DmVsc/lQTlQ=,iv:zsIeMCQO23OtBhqtQVtyWcebuVAM/vzVXGkD7T9bUDc=,tag:TVcphLTTRnN1Sa1Cq9xz0g==,type:str] + lastmodified: "2026-04-03T14:18:03Z" + mac: ENC[AES256_GCM,data:wNTCzr8jog9zJheQkhPb4v8POkWJYq9sBKzxT5agZzEa7/FMSlaLZioCTPyMhWuc5MQSOLG5P2wJHRwAMD6pqw/sdID4rGY6UVYcTncrbCi690c1mJJ3dHKH2tKj+AWL2n84dYnnSBCdxrwvKn3qRbE6oYWAwgJo4hgBL/qEXTQ=,iv:siNoS4xh5fpfCZP5zJg/wSxK9/1jrPvdNtR3MQVngmM=,tag:15yWSqm2OsPRTNJz7PcwDA==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 From eacf271e09322b330181e23da5668f5cf668279c Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 3 Apr 2026 16:19:49 +0200 Subject: [PATCH 104/114] fix grafana --- .../apps/observability/grafana/app/helmrelease.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index ef9b4d63..8f766f3b 100644 --- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
@@ -80,17 +80,17 @@ spec: grafana.ini: server: - root_url: "https://grafana.apps.timvw.be" + root_url: "https://metrics.${SECRET_EXTERNAL_DOMAIN}" auth: - signout_redirect_url: "https://auth.cloudwithdan.com/application/o/grafana/end-session/" + signout_redirect_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/grafana/end-session/" oauth_auto_login: true auth.generic_oauth: name: authentik enabled: true scopes: "openid profile email" - auth_url: "https://auth.cloudwithdan.com/application/o/authorize/" - token_url: "https://auth.cloudwithdan.com/application/o/token/" - api_url: "https://auth.cloudwithdan.com/application/o/userinfo/" + auth_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/authorize/" + token_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/token/" + api_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/userinfo/" role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' dashboardProviders: From a176920c4c647cc1337efa770644615f5771870c Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 4 Apr 2026 14:31:17 +0200 Subject: [PATCH 105/114] disable immediate psql backups --- .../apps/database/cloudnative-pg/cluster/scheduledbackup.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml index 93597f43..094ca301 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml @@ -6,7 +6,7 @@ metadata: spec: schedule: "0 0 0 * * *" suspend: false - immediate: true + immediate: false backupOwnerReference: self cluster: name: postgres18 From c6b27d369b06d8a2e1841c749ed66f515b17802e Mon Sep 17 00:00:00 2001 
From: cloudwithdan Date: Sat, 4 Apr 2026 14:32:17 +0200 Subject: [PATCH 106/114] disable s3 backup config in longhorn --- .../apps/infrastructure/longhorn/app/helmrelease.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml index b26f5697..c9efa1c6 100644 --- a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml @@ -29,7 +29,7 @@ spec: defaultSettings: defaultDataPath: /var/lib/longhorn systemManagedPodsNodeSelector: "kubernetes.io/os:linux" - defaultBackupStore: - backupTarget: "s3://talos-lj-backup@eu-central-1/" - backupTargetCredentialSecret: "s3-creds" - pollInterval: 300 + # defaultBackupStore: + # backupTarget: "s3://talos-lj-backup@eu-central-1/" + # backupTargetCredentialSecret: "s3-creds" + # pollInterval: 300 From 5e46058d63f2fca3ac9fb24e4be156b6bcd3570b Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 4 Apr 2026 14:56:43 +0200 Subject: [PATCH 107/114] add internal traefik --- kubernetes/apps/network/kustomization.yaml | 1 + .../pihole-system/app/helmrelease.yaml | 11 +- .../pihole-system/app/kustomization.yaml | 1 + .../app/dashboard-ingress.yaml | 25 +++++ .../traefik-internal/app/helmrelease.yaml | 100 ++++++++++++++++++ .../traefik-internal/app/kustomization.yaml | 7 ++ .../apps/network/traefik-internal/ks.yaml | 22 ++++ 7 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml create mode 100644 kubernetes/apps/network/traefik-internal/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/traefik-internal/app/kustomization.yaml create mode 100644 kubernetes/apps/network/traefik-internal/ks.yaml diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 37803c8f..c576f915 100644 
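Review bot: Commenting out `defaultBackupStore` leaves Longhorn with no backup target, so any recurring backup jobs or manual volume backups that depended on it will fail or be silently skipped, and the hunk records no reason or follow-up. Keep the disabled block but say why and what re-enables it, e.g. `# backup target disabled while the S3 bucket/credentials are rebuilt (see <TRACKING-ISSUE>); snapshots are not off-site backups until this is restored`, and confirm whether the `s3-creds` secret is still needed or should go with it. The `defaultSettings` map continues outside the hunk.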
--- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -7,4 +7,5 @@ resources: - ./pihole-system/ks.yaml - ./metallb-system/ks.yaml - ./traefik/ks.yaml + - ./traefik-internal/ks.yaml - ./cloudflared/ks.yaml diff --git a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml index 06909afd..c1240042 100644 --- a/kubernetes/apps/network/pihole-system/app/helmrelease.yaml +++ b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml @@ -37,7 +37,16 @@ spec: storageClass: "longhorn" ingress: - enabled: false + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + ingressClassName: internal + hosts: + - pihole.${SECRET_INTERNAL_DOMAIN} + tls: + - secretName: pihole-tls + hosts: + - pihole.${SECRET_INTERNAL_DOMAIN} extraEnvVars: FTLCONF_webserver_port: "80" diff --git a/kubernetes/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml index 24303a7a..a01d9b54 100644 --- a/kubernetes/apps/network/pihole-system/app/kustomization.yaml +++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./helmrelease.yaml - ./secret.sops.yaml - ./pihole-exporter.yaml + - ./ingress-internal.yaml diff --git a/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml b/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml new file mode 100644 index 00000000..0ff82531 --- /dev/null +++ b/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml 
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: traefik-dashboard
+ namespace: network
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+ ingressClassName: internal
+ rules:
+ - host: traefik.${SECRET_INTERNAL_DOMAIN}
+ http:
+ paths:
+ - backend:
+ service:
+ name: traefik-internal
+ port:
+ number: 9000
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - traefik.${SECRET_INTERNAL_DOMAIN}
+ secretName: traefik-dashboard-tls
diff --git a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml
new file mode 100644
index 00000000..8745d59c
--- /dev/null
+++ b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml
@@ -0,0 +1,100 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app traefik-internal
+ namespace: network
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: traefik
+ version: "39.0.5"
+ sourceRef:
+ kind: HelmRepository
+ name: traefik
+ namespace: flux-system
+ interval: 12h
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ deployment:
+ replicas: 1
+
+ ingressClass:
+ enabled: true
+ isDefaultClass: false
+ name: internal
+
+ ingressRoute:
+ dashboard:
+ enabled: false
+
+ service:
+ enabled: true
+ type: LoadBalancer
+ spec:
+ externalTrafficPolicy: Cluster
+ annotations:
+ metallb.universe.tf/loadBalancerIPs: ""
+
+ ports:
+ web:
+ port: 80
+ expose:
+ default: true
+ exposedPort: 80
+ websecure:
+ port: 443
+ expose:
+ default: true
+ exposedPort: 443
+ tls:
+ enabled: true
+ traefik:
+ port: 9000
+ expose:
+ default: true
+ exposedPort: 9000
+ metrics:
+ port: 9100
+ expose:
+ default: false
+ exposedPort: 9100
+
+ metrics:
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+
+ logs:
+ general:
+ level: INFO
+ access:
+ enabled: true
+
+ providers:
+ kubernetesCRD:
+ enabled: true
+ allowCrossNamespace: true
+ kubernetesIngress:
+ enabled: true
+ allowExternalNameServices: true
+ publishedService:
+ enabled: true
+
+ globalArguments:
+ - "--global.checknewversion=false"
+ - "--global.sendanonymoususage=false"
+
+ additionalArguments:
+ - "--api.dashboard=true"
+ - "--api.insecure=false"
+ - "--serverstransport.insecureskipverify=true"
diff --git a/kubernetes/apps/network/traefik-internal/app/kustomization.yaml b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml
new file mode 100644
index 00000000..01a2008b
--- /dev/null
+++ b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml
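Review bot: `--serverstransport.insecureskipverify=true` in `additionalArguments` disables certificate verification for every HTTPS backend this controller proxies to, cluster-wide, so TLS to those services no longer authenticates the peer; scope it to the backends that really present untrusted certificates with a per-service `ServersTransport`, or drop the flag and give those backends cluster-issued certificates. The same flag is re-added in the patch 109 hunk that restores `additionalArguments`, so the point applies there too. `metallb.universe.tf/loadBalancerIPs: ""` is an empty annotation, which MetalLB will ignore or reject rather than pin this instance to a stable address; set the intended IP or remove the annotation. Exposing the `traefik` port 9000 on the LoadBalancer (`expose.default: true`) puts the API port on the LAN, but patch 109 already flips it to false, so that part is addressed.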
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: network
+resources:
+ - ./helmrelease.yaml
+ - ./dashboard-ingress.yaml
diff --git a/kubernetes/apps/network/traefik-internal/ks.yaml b/kubernetes/apps/network/traefik-internal/ks.yaml
new file mode 100644
index 00000000..6d9bf3d7
--- /dev/null
+++ b/kubernetes/apps/network/traefik-internal/ks.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app traefik-internal
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ interval: 30m
+ retryInterval: 1m
+ timeout: 15m
+ path: ./kubernetes/apps/network/traefik-internal/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: network
+ wait: true
From 9e3606a908d7f8236e05ff2c5fbb5b73c5105d09 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 4 Apr 2026 14:59:07 +0200
Subject: [PATCH 108/114] fix
---
 .../pihole-system/app/kustomization.yaml | 1 -
 .../traefik-internal/app/helmrelease.yaml | 33 -------------------
 2 files changed, 34 deletions(-)
diff --git a/kubernetes/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
index a01d9b54..24303a7a 100644
--- a/kubernetes/apps/network/pihole-system/app/kustomization.yaml
+++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml
@@ -6,4 +6,3 @@ resources:
 - ./helmrelease.yaml
 - ./secret.sops.yaml
 - ./pihole-exporter.yaml
- - ./ingress-internal.yaml
diff --git a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml
index 8745d59c..83b00885 100644
--- a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml
+++ b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml @@ -44,30 +44,6 @@ spec: annotations: metallb.universe.tf/loadBalancerIPs: "" - ports: - web: - port: 80 - expose: - default: true - exposedPort: 80 - websecure: - port: 443 - expose: - default: true - exposedPort: 443 - tls: - enabled: true - traefik: - port: 9000 - expose: - default: true - exposedPort: 9000 - metrics: - port: 9100 - expose: - default: false - exposedPort: 9100 - metrics: prometheus: enabled: true @@ -89,12 +65,3 @@ spec: allowExternalNameServices: true publishedService: enabled: true - - globalArguments: - - "--global.checknewversion=false" - - "--global.sendanonymoususage=false" - - additionalArguments: - - "--api.dashboard=true" - - "--api.insecure=false" - - "--serverstransport.insecureskipverify=true" From 88af4ec979a54a75778111decc5c5045bc051f79 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Sat, 4 Apr 2026 15:12:20 +0200 Subject: [PATCH 109/114] fix internal traefik --- .../traefik-internal/app/helmrelease.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml index 83b00885..e3548a65 100644 --- a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml +++ b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml @@ -44,6 +44,31 @@ spec: annotations: metallb.universe.tf/loadBalancerIPs: "" + ports: + web: + port: 80 + expose: + default: true + exposedPort: 80 + websecure: + port: 443 + expose: + default: true + exposedPort: 443 + http: + tls: + enabled: true + traefik: + port: 9000 + expose: + default: false + exposedPort: 9000 + metrics: + port: 9100 + expose: + default: false + exposedPort: 9100 + metrics: prometheus: enabled: true 
@@ -60,8 +85,15 @@ spec:
 kubernetesCRD:
 enabled: true
 allowCrossNamespace: true
+ ingressClass: internal
 kubernetesIngress:
 enabled: true
 allowExternalNameServices: true
+ ingressClass: internal
 publishedService:
 enabled: true
+
+ additionalArguments:
+ - "--api.dashboard=true"
+ - "--api.insecure=false"
+ - "--serverstransport.insecureskipverify=true"
From 41c7144dd1ac13740403d5e98f2152a4ff0daa9d Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Sat, 4 Apr 2026 15:19:57 +0200
Subject: [PATCH 110/114] fix: configure Traefik instances to only watch their specific ingress classes
- Main Traefik: only watch 'traefik' ingressClass
- Internal Traefik: only watch 'internal' ingressClass
- Remove traefik-dashboard ingress (not needed)
This prevents both Traefik instances from fighting over ingress status updates.
---
 .../app/dashboard-ingress.yaml | 25 -------------------
 .../traefik-internal/app/kustomization.yaml | 1 -
 .../apps/network/traefik/app/helmrelease.yaml | 12 +++++++++
 3 files changed, 12 insertions(+), 26 deletions(-)
 delete mode 100644 kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml
diff --git a/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml b/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml
deleted file mode 100644
index 0ff82531..00000000
--- a/kubernetes/apps/network/traefik-internal/app/dashboard-ingress.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: traefik-dashboard
- namespace: network
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
- ingressClassName: internal
- rules:
- - host: traefik.${SECRET_INTERNAL_DOMAIN}
- http:
- paths:
- - backend:
- service:
- name: traefik-internal
- port:
- number: 9000
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - traefik.${SECRET_INTERNAL_DOMAIN}
- secretName: traefik-dashboard-tls
diff --git a/kubernetes/apps/network/traefik-internal/app/kustomization.yaml b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml
index 01a2008b..a9c713e0 100644
--- a/kubernetes/apps/network/traefik-internal/app/kustomization.yaml
+++ b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml
@@ -4,4 +4,3 @@ kind: Kustomization
 namespace: network
 resources:
 - ./helmrelease.yaml
- - ./dashboard-ingress.yaml
diff --git a/kubernetes/apps/network/traefik/app/helmrelease.yaml b/kubernetes/apps/network/traefik/app/helmrelease.yaml
index 77092a6b..e4392071 100644
--- a/kubernetes/apps/network/traefik/app/helmrelease.yaml
+++ b/kubernetes/apps/network/traefik/app/helmrelease.yaml
@@ -23,3 +23,15 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
+ values:
+ providers:
+ kubernetesCRD:
+ enabled: true
+ allowCrossNamespace: true
+ ingressClass: traefik
+ kubernetesIngress:
+ enabled: true
+ allowExternalNameServices: true
+ ingressClass: traefik
+ publishedService:
+ enabled: true
From 5db731378b5befa70d0498a59a5e72d489aeb647 Mon Sep 17 00:00:00 2001
From: cloudwithdan
Date: Fri, 17 Apr 2026 13:04:43 +0200
Subject: [PATCH 111/114] fix authentik middleware
---
 .../observability/glance/app/middleware.yaml | 18 ++++++++++++------
 .../selfhosted/uptime-kuma/app/middleware.yaml | 18 ++++++++++++------
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/kubernetes/apps/observability/glance/app/middleware.yaml b/kubernetes/apps/observability/glance/app/middleware.yaml
index bdd298d4..f663dbd3 100644
--- a/kubernetes/apps/observability/glance/app/middleware.yaml
+++ b/kubernetes/apps/observability/glance/app/middleware.yaml
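Review bot: `allowCrossNamespace: true` and `allowExternalNameServices: true` in the new `values.providers` block widen what any Ingress or IngressRoute in the cluster may reference: middlewares and services in other namespaces, and ExternalName Services that point the proxy at arbitrary external hosts. Both settings already exist on the internal instance, so this keeps the two consistent, but neither is required for the `ingressClass` split the commit is about. If the cluster is single-operator, say so next to them, e.g. `# cross-namespace refs and ExternalName routing are intentional: single-operator cluster`; otherwise leave them at the chart defaults and enable per need. The HelmRelease's `spec` starts outside the hunk.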
@@ -9,9 +9,15 @@ spec:
 address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
 trustForwardHeader: true
 authResponseHeaders:
- - Set-Cookie
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
index e8987879..7bad49ad 100644
--- a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml
@@ -9,9 +9,15 @@ spec:
 address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
 trustForwardHeader: true
 authResponseHeaders:
- - Set-Cookie
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
From 51769f987e8a92a5fd57db8a41707b9d4e674f4a Mon Sep 17 00:00:00 2001
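Review bot: The twelve-entry `authResponseHeaders` list is now duplicated byte-for-byte between the glance middleware and the uptime-kuma middleware in the second hunk of this commit, so the next header change has to be made in two places and the two copies will drift. Consider keeping a single `authentik-forwardauth` Middleware in the `security` namespace next to the outpost and referencing it from both routers, which both Traefik instances permit via `allowCrossNamespace: true`. The `forwardAuth` block starts outside the hunk.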
From: cloudwithdan Date: Fri, 17 Apr 2026 13:11:39 +0200 Subject: [PATCH 112/114] add IngressRoute for glance --- .../glance/app/ingress-route.yaml | 22 ++++++++++++++++ .../observability/glance/app/ingress.yaml | 26 ------------------- .../glance/app/kustomization.yaml | 2 +- 3 files changed, 23 insertions(+), 27 deletions(-) create mode 100644 kubernetes/apps/observability/glance/app/ingress-route.yaml delete mode 100644 kubernetes/apps/observability/glance/app/ingress.yaml diff --git a/kubernetes/apps/observability/glance/app/ingress-route.yaml b/kubernetes/apps/observability/glance/app/ingress-route.yaml new file mode 100644 index 00000000..2ba5c541 --- /dev/null +++ b/kubernetes/apps/observability/glance/app/ingress-route.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: glance + namespace: observability + annotations: + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" +spec: + entryPoints: + - websecure + routes: + - match: Host(`home.${SECRET_EXTERNAL_DOMAIN}`) + kind: Rule + middlewares: + - name: authentik-forwardauth + namespace: observability + services: + - name: glance + port: 8080 + tls: + secretName: glance-tls diff --git a/kubernetes/apps/observability/glance/app/ingress.yaml b/kubernetes/apps/observability/glance/app/ingress.yaml deleted file mode 100644 index 6063352c..00000000 --- a/kubernetes/apps/observability/glance/app/ingress.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: &app glance-ingress - namespace: observability - annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" - cert-manager.io/cluster-issuer: letsencrypt-production - traefik.ingress.kubernetes.io/router.middlewares: observability-authentik-forwardauth@kubernetescrd -spec: - ingressClassName: traefik - rules: - - host: home.${SECRET_EXTERNAL_DOMAIN} - http: - paths: - - backend: - service: - name: glance - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - home.${SECRET_EXTERNAL_DOMAIN} - secretName: glance-tls diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml index a5046a44..eab760ef 100644 --- a/kubernetes/apps/observability/glance/app/kustomization.yaml +++ b/kubernetes/apps/observability/glance/app/kustomization.yaml @@ -6,7 +6,7 @@ resources: - ./deployment.yaml - ./service.yaml - ./middleware.yaml - - ./ingress.yaml + - ./ingress-route.yaml configMapGenerator: - name: glance-configmap namespace: glance From d1280486aab1211d791ed64237ecc92535e6e009 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 17 Apr 2026 13:57:52 +0200 Subject: [PATCH 113/114] fix glance URLs --- kubernetes/apps/observability/glance/app/config/glance.yml | 2 +- kubernetes/apps/observability/glance/app/ingress-route.yaml | 3 --- kubernetes/apps/observability/glance/app/kustomization.yaml | 2 +- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/observability/glance/app/config/glance.yml b/kubernetes/apps/observability/glance/app/config/glance.yml index c5d3edcd..497128a5 100644 --- a/kubernetes/apps/observability/glance/app/config/glance.yml +++ b/kubernetes/apps/observability/glance/app/config/glance.yml 
@@ -39,7 +39,7 @@ pages: icon: di:pi-hole - title: Glance url: https://home.${SECRET_EXTERNAL_DOMAIN} - check-url: http://glance.glance.svc.cluster.local:8080 + check-url: http://glance.observability.svc.cluster.local:8080 icon: di:glance - title: Linkwarden url: https://bookmarks.${SECRET_EXTERNAL_DOMAIN} diff --git a/kubernetes/apps/observability/glance/app/ingress-route.yaml b/kubernetes/apps/observability/glance/app/ingress-route.yaml index 2ba5c541..36e350c2 100644 --- a/kubernetes/apps/observability/glance/app/ingress-route.yaml +++ b/kubernetes/apps/observability/glance/app/ingress-route.yaml @@ -12,9 +12,6 @@ spec: routes: - match: Host(`home.${SECRET_EXTERNAL_DOMAIN}`) kind: Rule - middlewares: - - name: authentik-forwardauth - namespace: observability services: - name: glance port: 8080 diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml index eab760ef..310bccd1 100644 --- a/kubernetes/apps/observability/glance/app/kustomization.yaml +++ b/kubernetes/apps/observability/glance/app/kustomization.yaml @@ -9,7 +9,7 @@ resources: - ./ingress-route.yaml configMapGenerator: - name: glance-configmap - namespace: glance + namespace: observability files: - ./config/glance.yml generatorOptions: From 3a522bbf3d1fa81b8272307ca8f06ef6d8d23db8 Mon Sep 17 00:00:00 2001 From: cloudwithdan Date: Fri, 17 Apr 2026 14:00:03 +0200 Subject: [PATCH 114/114] fix ingress for glance --- .../glance/app/ingress-route.yaml | 19 -------------- .../observability/glance/app/ingress.yaml | 26 +++++++++++++++++++ .../glance/app/kustomization.yaml | 2 +- 3 files changed, 27 insertions(+), 20 deletions(-) delete mode 100644 kubernetes/apps/observability/glance/app/ingress-route.yaml create mode 100644 kubernetes/apps/observability/glance/app/ingress.yaml 
diff --git a/kubernetes/apps/observability/glance/app/ingress-route.yaml b/kubernetes/apps/observability/glance/app/ingress-route.yaml
deleted file mode 100644
index 36e350c2..00000000
--- a/kubernetes/apps/observability/glance/app/ingress-route.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: glance
- namespace: observability
- annotations:
- external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
-spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`home.${SECRET_EXTERNAL_DOMAIN}`)
- kind: Rule
- services:
- - name: glance
- port: 8080
- tls:
- secretName: glance-tls
diff --git a/kubernetes/apps/observability/glance/app/ingress.yaml b/kubernetes/apps/observability/glance/app/ingress.yaml
new file mode 100644
index 00000000..963e7ee0
--- /dev/null
+++ b/kubernetes/apps/observability/glance/app/ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: glance
+ namespace: observability
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
+ cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: home.${SECRET_EXTERNAL_DOMAIN}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: glance
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - home.${SECRET_EXTERNAL_DOMAIN}
+ secretName: glance-tls
diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml
index 310bccd1..a159e725 100644
--- a/kubernetes/apps/observability/glance/app/kustomization.yaml
+++ b/kubernetes/apps/observability/glance/app/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - ./deployment.yaml
 - ./service.yaml
 - ./middleware.yaml
- - ./ingress-route.yaml
+ - ./ingress.yaml
 configMapGenerator:
 - name: glance-configmap
 namespace: observability
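Review bot: The new Ingress for `home.${SECRET_EXTERNAL_DOMAIN}` carries no `traefik.ingress.kubernetes.io/router.middlewares` annotation, whereas the ingress.yaml deleted in patch 112 had `traefik.ingress.kubernetes.io/router.middlewares: observability-authentik-forwardauth@kubernetescrd`; the forward-auth was first dropped from the IngressRoute in patch 113 and is not restored here, so the end state of the series serves glance through the Cloudflare tunnel to anyone who can reach the hostname. Unless the dashboard is meant to be public, add that annotation back under `metadata.annotations`. `middleware.yaml` is still listed in the kustomization hunk that follows, so the Middleware object exists but nothing references it; if removing the auth is deliberate, delete the Middleware as well rather than leaving a dangling object and record the decision in the commit message.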