jahanson/theshire
Archived
1
0
Fork 0
Code Issues 1 Pull requests 19 Projects Releases Packages Wiki Activity Actions

Compare commits

base: jahanson:main
Branches Tags
jahanson:main
jahanson:renovate/ghcr.io-onedr0p-sonarr-develop-4.x
jahanson:renovate/ghcr.io-unpoller-unpoller-2.x
jahanson:renovate/ghcr.io-kashalls-external-dns-unifi-webhook-0.x
jahanson:renovate/openebs-4.x
jahanson:renovate/ghcr.io-cross-seed-cross-seed-6.x
jahanson:renovate/emqx-operator-2.x
jahanson:renovate/ghcr.io-kiwigrid-k8s-sidecar-1.x
jahanson:renovate/vector
jahanson:renovate/kubelet-csr-approver-1.x
jahanson:renovate/public.ecr.aws-emqx-emqx-5.x
jahanson:renovate/node-feature-discovery-0.x
jahanson:renovate/rook-ceph
jahanson:renovate/docker.io-excalidraw-excalidraw-latest
jahanson:renovate/fallenbagel-jellyseerr-2.x
jahanson:renovate/ingress-nginx-4.x
jahanson:renovate/docker.io-cloudflare-cloudflared-2025.x
jahanson:renovate/ghcr.io-dragonflydb-dragonfly-1.x
jahanson:renovate/descheduler-0.x
jahanson:renovate/ghcr.io-siderolabs-kubelet-1.x
jahanson:shokoserver
jahanson:kasm-wip
jahanson:multus-app-template-style
jahanson:renovate/configure
jahanson:bgp->l2
jahanson:swap-to-zfs
..
compare: jahanson:bgp->l2
Branches Tags
jahanson:main
jahanson:renovate/ghcr.io-onedr0p-sonarr-develop-4.x
jahanson:renovate/ghcr.io-unpoller-unpoller-2.x
jahanson:renovate/ghcr.io-kashalls-external-dns-unifi-webhook-0.x
jahanson:renovate/openebs-4.x
jahanson:renovate/ghcr.io-cross-seed-cross-seed-6.x
jahanson:renovate/emqx-operator-2.x
jahanson:renovate/ghcr.io-kiwigrid-k8s-sidecar-1.x
jahanson:renovate/vector
jahanson:renovate/kubelet-csr-approver-1.x
jahanson:renovate/public.ecr.aws-emqx-emqx-5.x
jahanson:renovate/node-feature-discovery-0.x
jahanson:renovate/rook-ceph
jahanson:renovate/docker.io-excalidraw-excalidraw-latest
jahanson:renovate/fallenbagel-jellyseerr-2.x
jahanson:renovate/ingress-nginx-4.x
jahanson:renovate/docker.io-cloudflare-cloudflared-2025.x
jahanson:renovate/ghcr.io-dragonflydb-dragonfly-1.x
jahanson:renovate/descheduler-0.x
jahanson:renovate/ghcr.io-siderolabs-kubelet-1.x
jahanson:shokoserver
jahanson:kasm-wip
jahanson:multus-app-template-style
jahanson:renovate/configure
jahanson:bgp->l2
jahanson:swap-to-zfs

1 commit
main ... bgp->l2

Author SHA1 Message Date
Joseph Hanson
6424c51a86
switch from ceph buckets to minio bucket 2024-05-08 18:37:29 -05:00
582 changed files with 25989 additions and 20879 deletions
Show stats Expand all files Collapse all files

9
.ansible-lint Normal file
View file

@ -0,0 +1,9 @@
---
skip_list:
- yaml[line-length]
- var-naming
warn_list:
- command-instead-of-shell
- deprecated-command-syntax
- experimental
- no-changed-when

52
.archive/.taskfiles/Ansible/Taskfile.yaml Normal file
View file

@ -0,0 +1,52 @@
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"
vars:
PYTHON_BIN: python3
env:
PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
tasks:
deps:
desc: Set up Ansible dependencies for the environment
cmds:
- task: .venv
run:
desc: Run an Ansible playbook for configuring a cluster
summary: |
Args:
cluster: Cluster to run command against (required)
playbook: Playbook to run (required)
prompt: Run Ansible playbook '{{.playbook}}' against the '{{.cluster}}' cluster... continue?
deps: ["deps"]
cmd: |
.venv/bin/ansible-playbook \
--inventory {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml \
{{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml {{.CLI_ARGS}}
preconditions:
- { msg: "Argument (cluster) is required", sh: "test -n {{.cluster}}" }
- { msg: "Argument (playbook) is required", sh: "test -n {{.playbook}}" }
- { msg: "Venv not found", sh: "test -d {{.ROOT_DIR}}/.venv" }
- { msg: "Inventory not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml" }
- { msg: "Playbook not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml" }
.venv:
internal: true
cmds:
- true && {{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv
- .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
- .venv/bin/python3 -m pip install --upgrade --requirement {{.ANSIBLE_DIR}}/requirements.txt
- .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force
sources:
- "{{.ANSIBLE_DIR}}/requirements.txt"
- "{{.ANSIBLE_DIR}}/requirements.yaml"
generates:
- "{{.ROOT_DIR}}/.venv/pyvenv.cfg"

87
.archive/ai/ollama/app/helmrelease.yaml
View file

@ -1,87 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app ollama
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
controllers:
ollama:
annotations:
reloader.stakater.com/auto: "true"
pod:
nodeSelector:
nvidia.com/gpu.present: "true"
runtimeClassName: nvidia
containers:
app:
image:
repository: docker.io/ollama/ollama
tag: 0.4.2
env:
- name: OLLAMA_HOST
value: 0.0.0.0
- name: OLLAMA_ORIGINS
value: "*"
- name: OLLAMA_MODELS
value: &modelPath "/models"
- name: OLLAMA_KEEP_ALIVE
value: "24h"
resources:
requests:
cpu: 500m
memory: 2Gi
limits:
memory: 16Gi
nvidia.com/gpu: 1 # requesting 1 GPU
service:
app:
controller: ollama
ports:
http:
port: 11434
ingress:
app:
enabled: true
className: internal-nginx
hosts:
- host: &host "{{ .Release.Name }}.jahanson.tech"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
models:
enabled: true
existingClaim: ollama-models
advancedMounts:
ollama:
app:
- path: *modelPath
config:
enabled: true
existingClaim: ollama
globalMounts:
- path: /root/.ollama

8
.archive/ai/ollama/app/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ./pvc.yaml
- ../../../../templates/volsync

12
.archive/ai/ollama/app/pvc.yaml
View file

@ -1,12 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ollama-models
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: openebs-hostpath

29
.archive/ai/ollama/ks.yaml
View file

@ -1,29 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app ollama
namespace: flux-system
spec:
targetNamespace: ai
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: nvidia-device-plugin
- name: node-feature-discovery
- name: volsync
- name: rook-ceph-cluster
path: ./kubernetes/apps/ai/ollama/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 1Gi

81
.archive/ai/stable-diffusion/comfyui/helmrelease.yaml
View file

@ -1,81 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app comfyui
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
controllers:
comfyui:
annotations:
reloader.stakater.com/auto: "true"
pod:
nodeSelector:
nvidia.com/gpu.present: "true"
runtimeClassName: nvidia
containers:
app:
image:
repository: docker.io/jahanson/comfyui
tag: v0.0.1
resources:
requests:
cpu: 500m
memory: 2Gi
limits:
memory: 60Gi
nvidia.com/gpu: 1 # requesting 1 GPU
service:
app:
controller: comfyui
ports:
http:
port: 7860
ingress:
app:
enabled: true
className: internal-nginx
hosts:
- host: &host "{{ .Release.Name }}.jahanson.tech"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
models:
enabled: true
existingClaim: stablediffusion-checkpoints
globalMounts:
- path: /data/models
config:
enabled: true
existingClaim: comfyui
globalMounts:
- path: /data/config
output:
enabled: true
type: emptyDir
globalMounts:
- path: /output

9
.archive/ai/stable-diffusion/comfyui/kustomization.yaml
View file

@ -1,9 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ./pvc.yaml
- ../../../../templates/volsync
- ../../../../templates/gatus/internal

12
.archive/ai/stable-diffusion/comfyui/pvc.yaml
View file

@ -1,12 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: stablediffusion-checkpoints
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 300Gi
storageClassName: openebs-hostpath

31
.archive/ai/stable-diffusion/ks.yaml
View file

@ -1,31 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app comfyui
namespace: flux-system
spec:
targetNamespace: ai
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: nvidia-device-plugin
- name: node-feature-discovery
- name: volsync
- name: rook-ceph-cluster
path: ./kubernetes/apps/ai/stable-diffusion/comfyui
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 5Gi
GATUS_SUBDOMAIN: comfyui

22
.archive/ci-runners/forgejo/app/externalsecret.yaml
View file

@ -1,22 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: forgejo-runner-secret
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: forgejo-runner-secret
template:
engineVersion: v2
data:
FORGEJO_INSTANCE_URL: "{{ .forgejo_instance_url }}"
RUNNER_NAME: "{{ .runner_name }}"
RUNNER_TOKEN: "{{ .runner_token }}"
dataFrom:
- extract:
key: forgejo-runner

103
.archive/ci-runners/forgejo/app/helmrelease.yaml
View file

@ -1,103 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app forgejo-runner
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
controllers:
forgejo-runner:
replicas: 2
initContainers:
runner-register:
image:
repository: code.forgejo.org/forgejo/runner
tag: 5.0.4
command:
- "forgejo-runner"
- "register"
- "--no-interactive"
- "--token"
- $(RUNNER_TOKEN)
- "--name"
- $(RUNNER_NAME)
- "--instance"
- $(FORGEJO_INSTANCE_URL)
- "--labels"
- "docker:docker://node:20-bullseye,x86_64:docker://node:20-bullseye,linux:docker://node:20-bullseye,pc:docker://node:20-bullseye,ubuntu-x86_64:docker://node:20-bullseye"
env:
- name: RUNNER_NAME
valueFrom:
secretKeyRef:
name: forgejo-runner-secret
key: RUNNER_NAME
- name: RUNNER_TOKEN
valueFrom:
secretKeyRef:
name: forgejo-runner-secret
key: RUNNER_TOKEN
- name: FORGEJO_INSTANCE_URL
valueFrom:
secretKeyRef:
name: forgejo-runner-secret
key: FORGEJO_INSTANCE_URL
containers:
daemon:
image:
repository: docker
tag: 27.4.1-dind
securityContext:
privileged: true
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
app:
image:
repository: code.forgejo.org/forgejo/runner
tag: 5.0.4
command:
- "sh"
- "-c"
- "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon"
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
annotations:
reloader.stakater.com/auto: "true"
service:
app:
controller: forgejo-runner
ports:
http:
port: 45315
persistence:
docker-certs:
type: emptyDir
globalMounts:
- path: /certs
runner-data:
type: emptyDir
globalMounts:
- path: /data

8
.archive/ci-runners/forgejo/app/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ci-runners
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml

5
.archive/ci-runners/namespace.yaml
View file

@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ci-runners

123
.archive/default/home-assistant/app/helmrelease.yaml
View file

@ -1,123 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: home-assistant
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
dependsOn:
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
values:
controllers:
home-assistant:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: ghcr.io/onedr0p/home-assistant
tag: 2024.11.3@sha256:f45f502b1738e46eb435fbc8947cdcc2574f3713b156c6738129ea2ea9b49018
env:
TZ: America/Chicago
envFrom:
- secretRef:
name: home-assistant-secret
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 10m
limits:
memory: 2Gi
code-server:
image:
repository: ghcr.io/coder/code-server
tag: 4.95.3@sha256:6d74583d68179cbb6ddadc2518b450d2ac3eaec2d342474fe1941e03371cd2cf
args: [
"--auth", "none",
"--user-data-dir", "/config/.vscode",
"--extensions-dir", "/config/.vscode",
"--port", "12321",
"/config"
]
resources:
requests:
cpu: 10m
limits:
memory: 512Mi
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }
service:
app:
controller: home-assistant
ports:
http:
port: 8123
code-server:
port: 12321
ingress:
app:
annotations:
className: internal-nginx
hosts:
- host: hass.jahanson.tech
paths:
- path: /
service:
identifier: app
port: http
code-server:
annotations:
className: internal-nginx
hosts:
- host: hass-code.jahanson.tech
paths:
- path: /
service:
identifier: app
port: code-server
persistence:
config:
existingClaim: home-assistant
globalMounts:
- path: /config
logs:
type: emptyDir
globalMounts:
- path: /config/logs
tts:
type: emptyDir
globalMounts:
- path: /config/tts
tmp:
type: emptyDir
globalMounts:
- path: /tmp

9
.archive/default/home-assistant/app/kustomization.yaml
View file

@ -1,9 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ../../../../templates/gatus/internal
- ../../../../templates/volsync

8
.archive/default/jellyfin/app/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ../../../../templates/gatus/external
- ../../../../templates/volsync

29
.archive/default/jellyfin/ks.yaml
View file

@ -1,29 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app jellyfin
namespace: flux-system
spec:
targetNamespace: anime
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: node-feature-discovery
- name: nvidia-device-plugin
- name: volsync
path: ./kubernetes/apps/anime/jellyfin/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
GATUS_PATH: /web/index.html
VOLSYNC_CAPACITY: 20Gi

21
.archive/default/matter-server/app/gatus.yaml
View file

@ -1,21 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: matter-server-gatus-ep
labels:
gatus.io/enabled: "true"
data:
config.yaml: |
endpoints:
- name: matter-server
group: infrastructure
url: ws://matter-server.default.svc.cluster.local:5580
interval: 1m
ui:
hide-url: true
hide-hostname: true
conditions:
- "[CONNECTED] == true"
alerts:
- type: pushover

79
.archive/default/matter-server/app/helmrelease.yaml
View file

@ -1,79 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app matter-server
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
controllers:
matter-server:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: ghcr.io/home-assistant-libs/python-matter-server
tag: 6.6.1
pullPolicy: IfNotPresent
env:
TZ: "America/Chicago"
MATTER_SERVER__INSTANCE_NAME: *app
MATTER_SERVER__PORT: &port 5580
MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
MATTER_SERVER__LOG_LEVEL: debug
resources:
requests:
memory: "100Mi"
limits:
memory: "300Mi"
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }
service:
app:
controller: matter-server
type: LoadBalancer
annotations:
external-dns.alpha.kubernetes.io/hostname: *host
ports:
http:
port: *port
ingress:
app:
className: internal-nginx
hosts:
- host: *host
paths:
- path: /
service:
identifier: app
port: *port
tls:
- hosts:
- *host
persistence:
data:
existingClaim: *app

24
.archive/default/matter-server/ks.yaml
View file

@ -1,24 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app matter-server
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/default/matter-server/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false # no flux ks dependents
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 1Gi

20
.archive/default/nicehash/app/externalsecret.yaml
View file

@ -1,20 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: nicehash
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: nicehash-secret
template:
type: Opaque
data:
MINING_ADDRESS: "{{ .MINING_ADDRESS }}"
dataFrom:
- extract:
key: nicehash

72
.archive/default/nicehash/app/helmrelease.yaml
View file

@ -1,72 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: nicehash
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
values:
controllers:
nicehash:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: docker.io/dockerhubnh/nicehash
tag: latest
envFrom:
- secretRef:
name: nicehash-secret
env:
TZ: America/Chicago
MINING_WORKER_NAME: shadowfax
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 10m
limits:
nvidia.com/gpu: 1 # requesting 1 GPU
memory: 10Gi
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }
nodeSelector:
nvidia.com/gpu.present: "true"
runtimeClassName: nvidia
persistence:
logs:
type: emptyDir
globalMounts:
- path: /var/log/
tmp:
type: emptyDir
cache:
existingClaim: nicehash
globalMounts:
- path: /var/cache/nhm4/

27
.archive/default/nicehash/ks.yaml
View file

@ -1,27 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app nicehash
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: external-secrets-stores
- name: rook-ceph-cluster
path: ./kubernetes/apps/default/nicehash/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 1Gi

34
.archive/default/piped/app/externalsecret.yaml
View file

@ -1,34 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: piped
spec:
refreshInterval: 1m
secretStoreRef:
name: crunchy-pgo-secrets
kind: ClusterSecretStore
target:
name: piped-secret
template:
type: Opaque
data:
config.properties: |
API_URL: https://piped-api.hsn.dev
COMPROMISED_PASSWORD_CHECK: true
DISABLE_REGISTRATION: true
FEED_RETENTION: 30
FRONTEND_URL: https://piped.hsn.dev
HTTP_WORKERS: 4
MATRIX_SERVER: https://element.infosec.exchange
PORT: 8080
PROXY_PART: https://piped-proxy.jahanson.tech
SENTRY_DSN:
hibernate.connection.driver_class: org.postgresql.Driver
hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}
hibernate.connection.username: {{ index . "user" }}
hibernate.connection.password: {{ index . "password" }}
dataFrom:
- extract:
key: postgres-pguser-piped

182
.archive/default/piped/app/helmrelease.yaml
View file

@ -1,182 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: piped
spec:
chart:
spec:
chart: app-template
version: 3.5.1
interval: 30m
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
interval: 30m
values:
defaultPodOptions:
automountServiceAccountToken: false
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
controllers:
backend:
strategy: RollingUpdate
annotations:
secret.reloader.stakater.com/reload: piped-secret
containers:
app:
image:
repository: 1337kavin/piped
tag: latest@sha256:18e77857414236edc7245bebb3fb8ab3ac49c44bd76701bfce24f6ba0170d4b8
probes:
liveness:
enabled: true
readiness:
enabled: true
resources:
requests:
cpu: 10m
memory: 500Mi
limits:
memory: 2000Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
frontend:
strategy: RollingUpdate
containers:
app:
image:
repository: ghcr.io/bjw-s-labs/piped-frontend
tag: 2024.11.4@sha256:0e413986606f39cdc6afa0379feca912d4a4abbdcbe67b408c9fbe19fbabd10f
env:
BACKEND_HOSTNAME: piped-api.hsn.dev
probes:
liveness:
enabled: true
readiness:
enabled: true
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
ytproxy:
strategy: RollingUpdate
containers:
app:
image:
repository: 1337kavin/piped-proxy
tag: latest@sha256:ab9e472107337886d71b0151b6e777fc4cba0dd8251a21d4788a7a7f165f545a
command:
- /app/piped-proxy
probes:
liveness:
enabled: true
readiness:
enabled: true
resources:
requests:
cpu: 10m
memory: 500Mi
limits:
memory: 2000Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
service:
backend:
controller: backend
ports:
http:
port: 8080
frontend:
controller: frontend
ports:
http:
port: 8080
ytproxy:
controller: ytproxy
ports:
http:
port: 8080
ingress:
backend:
className: "external-nginx"
annotations:
external-dns.alpha.kubernetes.io/target: external.hsn.dev
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
hosts:
- host: piped-api.hsn.dev
paths:
- path: /
service:
identifier: backend
port: http
frontend:
className: "external-nginx"
annotations:
external-dns.alpha.kubernetes.io/target: external.hsn.dev
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
hosts:
- host: piped.hsn.dev
paths:
- path: /
service:
identifier: frontend
port: http
ytproxy:
className: "internal-nginx"
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
hosts:
- host: piped-proxy.jahanson.tech
paths:
- path: /
service:
identifier: ytproxy
port: http
persistence:
config:
type: secret
name: piped-secret
advancedMounts:
backend:
app:
- path: /app/config.properties
subPath: config.properties
readOnly: true

132
.archive/default/plex/app/helmrelease.yaml
View file

@ -1,132 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: plex
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
dependsOn:
- name: nvidia-device-plugin
namespace: kube-system
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
values:
controllers:
plex:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: ghcr.io/onedr0p/plex
tag: 1.41.2.9200-c6bbc1b53@sha256:47c6f3d85f4e739210860934a0bb24126170fa2f6a602fb909467f17a035c311
env:
TZ: America/Chicago
PLEX_ADVERTISE_URL: https://plex.hsn.dev:443,http://10.1.1.39:32400
PLEX_NO_AUTH_NETWORKS: 10.1.1.0/24,10.244.0.0/16
probes:
liveness: &probes
enabled: true
custom: true
spec:
httpGet:
path: /identity
port: 32400
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
readiness: *probes
startup:
enabled: true
spec:
failureThreshold: 30
periodSeconds: 10
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 100m
limits:
nvidia.com/gpu: 1 # requesting 1 GPU
memory: 16Gi
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [44, 10000]
seccompProfile: { type: RuntimeDefault }
nodeSelector:
nvidia.com/gpu.present: "true"
runtimeClassName: nvidia
service:
app:
controller: plex
type: LoadBalancer
ports:
http:
port: 32400
ingress:
app:
annotations:
external-dns.alpha.kubernetes.io/target: external.hsn.dev
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
className: external-nginx
hosts:
- host: "{{ .Release.Name }}.hsn.dev"
paths:
- path: /
service:
identifier: app
port: http
persistence:
config:
existingClaim: plex
# TODO: If setting up Plex for the first time, you'll want to add the globalMounts section
globalMounts:
- path: /config/Library/Application Support/Plex Media Server
# Separate PVC for cache to avoid backing up cache files
cache:
existingClaim: plex-cache
globalMounts:
- path: /config/Library/Application Support/Plex Media Server/Cache
logs:
type: emptyDir
globalMounts:
- path: /config/Library/Application Support/Plex Media Server/Logs
tmp:
type: emptyDir
transcode:
type: emptyDir
media:
type: nfs
server: 10.1.1.61
path: /moria/media
globalMounts:
- path: /media
readOnly: true

11
.archive/default/plex/app/kustomization.yaml
View file

@ -1,11 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./pvc.yaml
- ./helmrelease.yaml
- ../../../../templates/gatus/external
- ../../../../templates/volsync
generatorOptions:
disableNameSuffixHash: true

11
.archive/default/plex/app/pvc.yaml
View file

@ -1,11 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-cache
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 75Gi
storageClassName: ceph-block

19
.archive/default/plex/kometa-image-maid/externalsecret.yaml
View file

@ -1,19 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kometa-image-maid
spec:
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: kometa-image-maid-secret
creationPolicy: Owner
data:
- secretKey: PLEX_TOKEN
remoteRef:
key: Plex
property: token

93
.archive/default/plex/kometa-image-maid/helmrelease.yaml
View file

@ -1,93 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: plex-image-cleanup
spec:
chart:
spec:
chart: app-template
version: 3.5.1
interval: 30m
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
interval: 30m
values:
controllers:
kometa-image-maid:
type: cronjob
annotations:
reloader.stakater.com/auto: "true"
cronjob:
schedule: "30 8 * * 6"
pod:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- plex
topologyKey: kubernetes.io/hostname
securityContext:
runAsUser: 568
runAsGroup: 568
runAsNonRoot: true
containers:
app:
image:
repository: docker.io/kometateam/imagemaid
tag: v1.1.1
env:
PLEX_URL: http://plex.default.svc.cluster.local:32400
PLEX_TOKEN:
valueFrom:
secretKeyRef:
name: kometa-image-maid-secret
key: PLEX_TOKEN
PLEX_PATH: /data/plex_config/Library/Application Support/Plex Media Server
MODE: remove
PHOTO_TRANSCODER: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
resources:
requests:
cpu: 25m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
persistence:
config:
type: emptyDir
advancedMounts:
kometa-image-maid:
app:
- path: /config
plex-config:
existingClaim: plex
advancedMounts:
kometa-image-maid:
app:
- path: /data/plex_config/Library/Application Support/Plex Media Server/
plex-cache:
existingClaim: plex-cache
advancedMounts:
kometa-image-maid:
app:
- path: /data/plex_config/Library/Application Support/Plex Media Server/Cache

55
.archive/default/plex/ks.yaml
View file

@ -1,55 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app plex
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/default/plex/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: true
dependsOn:
- name: rook-ceph-cluster
- name: volsync
- name: external-secrets-stores
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
GATUS_PATH: /web/index.html
VOLSYNC_CAPACITY: 30Gi
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app kometa-image-maid
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: "./kubernetes/apps/default/plex/kometa-image-maid"
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
dependsOn:
- name: external-secrets-stores
- name: plex
postBuild:
substitute:
APP: *app

30
.archive/default/pterodactyl/app/externalsecret.yaml
View file

@ -1,30 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: pterodactyl
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: pterodactyl-secret
template:
engineVersion: v2
data:
APP_SERVICE_AUTHOR: "{{ .PTERODACTYL_APP_EMAIL }}"
APP_URL: "https://pt.hsn.dev"
DB_DATABASE: "pterodactyl"
DB_HOST: "mariadb.database.svc.cluster.local"
DB_PASSWORD: "{{ .PTERODACTYL_MARIADB_PANEL_PASSWORD }}"
DB_USERNAME: "pterodactyl"
REDIS_HOST: "dragonfly.database.svc.cluster.local"
dataFrom:
- extract:
key: pterodactyl
rewrite:
- regexp:
source: "(.*)"
target: "PTERODACTYL_$1"

101
.archive/default/pterodactyl/app/helmrelease.yaml
View file

@ -1,101 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app pterodactyl
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.6.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
controllers:
pterodactyl:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: ghcr.io/pterodactyl/panel
tag: v1.11.10@sha256:6c9d060396c0a2c273aa5573460ed51f9176016dac59608b414a3cb02b0cc30c
env:
CACHE_DRIVER: "redis"
SESSION_DRIVER: "redis"
QUEUE_DRIVER: "redis"
APP_ENV: "production"
APP_ENVIRONMENT_ONLY: "false"
APP_TIMEZONE: America/Chicago
TRUSTED_PROXIES: "*"
TZ: America/Chicago
envFrom:
- secretRef:
name: pterodactyl-secret
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 10m
limits:
memory: 1Gi
pod:
securityContext:
runAsUser: 568
runAsGroup: 568
runAsNonRoot: true
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
service:
app:
controller: pterodactyl
ports:
http:
port: 80
ingress:
app:
enabled: true
className: external-nginx
annotations:
external-dns.alpha.kubernetes.io/target: external.hsn.dev
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &host "pt.hsn.dev"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
config:
existingClaim: *app
advancedMounts:
pterodactyl:
app:
- subPath: "config"
path: "/app/var"
- subPath: "nginx"
path: "/etc/nginx/http.d"
- subPath: "applogs"
path: "/app/storage/logs"
- subPath: "syslogs"
path: "/var/log"
- subPath: "letsencrypt"
path: "/etc/letsencrypt"

10
.archive/default/pterodactyl/app/kustomization.yaml
View file

@ -1,10 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../templates/volsync
# - ../../../../templates/gatus/external
- ./externalsecret.yaml
# - ./helmrelease.yaml
- ./mariadb.yaml

46
.archive/default/pterodactyl/app/mariadb.yaml
View file

@ -1,46 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/database_v1alpha1.json
apiVersion: k8s.mariadb.com/v1alpha1
kind: Database
metadata:
name: pterodactyl
spec:
mariaDbRef:
name: mariadb
namespace: database
characterSet: utf8
collate: utf8_general_ci
---
# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/user_v1alpha1.json
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: pterodactyl
spec:
mariaDbRef:
name: mariadb
namespace: database
passwordSecretKeyRef:
name: pterodactyl-secret
key: DB_PASSWORD
maxUserConnections: 20
host: "%"
cleanupPolicy: Delete
---
# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/grant_v1alpha1.json
apiVersion: k8s.mariadb.com/v1alpha1
kind: Grant
metadata:
name: grant-pterodactyl
spec:
mariaDbRef:
name: mariadb
namespace: database
privileges:
- ALL PRIVILEGES
database: "pterodactyl"
table: "*"
username: pterodactyl
grantOption: true
host: "%"

31
.archive/default/pterodactyl/ks.yaml
View file

@ -1,31 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app pterodactyl
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: external-secrets
- name: dragonfly-cluster
- name: mariadb-cluster
- name: rook-ceph-cluster
- name: volsync
path: ./kubernetes/apps/default/pterodactyl/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
timeout: 5m
postBuild:
substitute:
APP: *app
GATUS_SUBDOMAIN: "pt"
VOLSYNC_CAPACITY: 10Gi

118
.archive/default/scrypted/app/helmrelease.yaml
View file

@ -1,118 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app scrypted
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
interval: 30m
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
values:
controllers:
scrypted:
annotations:
reloader.stakater.com/auto: "true"
pod:
nodeSelector:
google.feature.node.kubernetes.io/coral: "true"
nvidia.com/gpu.present: "true"
securityContext:
supplementalGroups:
- 568
containers:
app:
image:
repository: ghcr.io/koush/scrypted
tag: v0.123.31-jammy-nvidia
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true
spec:
failureThreshold: 30
periodSeconds: 5
resources:
requests:
cpu: 136m
memory: 1024Mi
limits:
nvidia.com/gpu: 1
memory: 8192Mi
securityContext:
privileged: true
service:
app:
controller: *app
type: LoadBalancer
nameOverride: *app
ports:
http:
port: 11080
primary: true
rebroadcast1: # driveway
port: 39655
rebroadcast2: # sideyard
port: 46561
rebroadcast3: # doorbell
port: 44759
homekit: # homekit
port: 42010
homekit-bridge: # bridge
port: 33961
ingress:
app:
className: "internal-nginx"
annotations:
hosts:
- host: &host scrypted.jahanson.tech
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
config:
existingClaim: scrypted
advancedMounts:
scrypted:
app:
- path: /server/volume
cache:
type: emptyDir
globalMounts:
- path: /.cache
cache-npm:
type: emptyDir
globalMounts:
- path: /.npm
dev-bus-usb:
type: hostPath
hostPath: /dev/bus/usb
hostPathType: Directory
sys-bus-usb:
type: hostPath
hostPath: /sys/bus/usb
hostPathType: Directory
recordings:
type: nfs
server: shadowfax.jahanson.tech
path: /nahar/scrypted
globalMounts:
- path: /recordings

8
.archive/default/scrypted/app/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ../../../../templates/gatus/internal
- ../../../../templates/volsync

30
.archive/default/scrypted/ks.yaml
View file

@ -1,30 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &appname scrypted
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *appname
interval: 30m
timeout: 5m
path: "./kubernetes/apps/default/scrypted/app"
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
dependsOn:
- name: rook-ceph-cluster
- name: volsync
- name: external-secrets-stores
postBuild:
substitute:
APP: *appname
APP_UID: "0"
APP_GID: "0"
VOLSYNC_CAPACITY: 5Gi

8
.archive/kube-system/spegel/app/helm-values.yml
View file

@ -1,8 +0,0 @@
---
spegel:
appendMirrors: true
containerdSock: /run/containerd/containerd.sock
containerdRegistryConfigPath: /etc/cri/conf.d/hosts
service:
registry:
hostPort: 29999

102
.archive/default/jellyfin/app/helmrelease.yaml → .archive/kubernetes/default/jellyfin/app/helmrelease.yaml
View file

@ -1,15 +1,16 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app jellyfin
name: jellyfin
namespace: default
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjw-s
@ -20,31 +21,26 @@ spec:
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
dependsOn:
- name: nvidia-device-plugin
namespace: kube-system
- name: node-feature-discovery
namespace: kube-system
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
strategy: rollback
values:
controllers:
jellyfin:
type: statefulset
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: ghcr.io/jellyfin/jellyfin
tag: 10.10.3@sha256:17c3a8d9dddb97789b5f37112840ebf96566442c14d4754193a6c2eb154bc221
repository: jellyfin/jellyfin
tag: 10.8.13
env:
NVIDIA_VISIBLE_DEVICES: "all"
NVIDIA_DRIVER_CAPABILITIES: "compute,video,utility"
DOTNET_SYSTEM_IO_DISABLEFILELOCKING: "true"
JELLYFIN_FFmpeg__probesize: 50000000
JELLYFIN_FFmpeg__analyzeduration: 50000000
JELLYFIN_PublishedServerUrl: jelly.hsn.dev
TZ: America/Chicago
probes:
liveness: &probes
@ -63,76 +59,58 @@ spec:
enabled: false
resources:
requests:
cpu: 100m
limits:
nvidia.com/gpu: 1 # requesting 1 GPU
cpu: 100m
memory: 512Mi
limits:
nvidia.com/gpu: 1
memory: 4Gi
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [44, 10000]
seccompProfile: { type: RuntimeDefault }
nodeSelector:
nvidia.com/gpu.present: "true"
runtimeClassName: nvidia
pod:
runtimeClassName: nvidia
enableServiceLinks: false
nodeSelector:
nvidia.com/gpu.present: "true"
securityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [44, 105, 10000]
service:
app:
controller: *app
type: LoadBalancer
annotations:
io.cilium/lb-ipam-ips: 10.1.1.40
controller: jellyfin
ports:
http:
port: *port
ingress:
app:
annotations:
external-dns.alpha.kubernetes.io/target: external.hsn.dev
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
enabled: true
className: external-nginx
annotations:
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
external-dns.alpha.kubernetes.io/target: external.hsn.dev
hosts:
- host: "{{ .Release.Name }}.hsn.dev"
- host: &host "jelly.hsn.dev"
paths:
- path: /
service:
identifier: app
port: *port
internal:
className: internal-nginx
hosts:
- host: &host "{{ .Release.Name }}.jahanson.tech"
paths:
- path: /
service:
identifier: app
port: *port
port: http
tls:
- hosts:
- *host
persistence:
config:
existingClaim: jellyfin
enabled: true
existingClaim: *app
globalMounts:
- path: /config
media:
type: nfs
server: shadowfax.jahanson.tech
path: /moria/media
globalMounts:
- path: /media
readOnly: true
transcode:
enabled: true
type: emptyDir
globalMounts:
- path: /transcode
cache:
media:
enabled: true
type: emptyDir
type: nfs
server: 10.1.1.12
path: /mnt/users/Media
globalMounts:
- path: /cache
- path: /media

2
kubernetes/apps/database/influxdb/app/kustomization.yaml → .archive/kubernetes/default/jellyfin/app/kustomization.yaml
View file

@ -2,7 +2,7 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./gatus.yaml
- ./helmrelease.yaml
- ../../../../templates/volsync

12
kubernetes/apps/default/redlib/ks.yaml → .archive/kubernetes/default/jellyfin/ks.yaml
View file

@ -3,23 +3,21 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app redlib
name: &app jellyfin
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: external-secrets-stores
path: ./kubernetes/apps/default/redlib/app
path: ./kubernetes/apps/default/jellyfin/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
name: homelab
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 10Gi

588
.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml Normal file
View file

@ -0,0 +1,588 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
creationTimestamp: null
name: ciliumbgppeeringpolicies.cilium.io
spec:
group: cilium.io
names:
categories:
- cilium
- ciliumbgp
kind: CiliumBGPPeeringPolicy
listKind: CiliumBGPPeeringPolicyList
plural: ciliumbgppeeringpolicies
shortNames:
- bgpp
singular: ciliumbgppeeringpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2alpha1
schema:
openAPIV3Schema:
description: CiliumBGPPeeringPolicy is a Kubernetes third-party resource for
instructing Cilium's BGP control plane to create virtual BGP routers.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is a human readable description of a BGP peering policy
properties:
nodeSelector:
description: "NodeSelector selects a group of nodes where this BGP
Peering Policy applies. \n If empty / nil this policy applies to
all nodes."
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
description: MatchLabelsValue represents the value from the
MatchLabels {key,value} pair.
maxLength: 63
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
virtualRouters:
description: A list of CiliumBGPVirtualRouter(s) which instructs the
BGP control plane how to instantiate virtual BGP routers.
items:
description: CiliumBGPVirtualRouter defines a discrete BGP virtual
router configuration.
properties:
exportPodCIDR:
default: false
description: ExportPodCIDR determines whether to export the
Node's private CIDR block to the configured neighbors.
type: boolean
localASN:
description: LocalASN is the ASN of this virtual router. Supports
extended 32bit ASNs
format: int64
maximum: 4294967295
minimum: 0
type: integer
neighbors:
description: Neighbors is a list of neighboring BGP peers for
this virtual router
items:
description: CiliumBGPNeighbor is a neighboring peer for use
in a CiliumBGPVirtualRouter configuration.
properties:
advertisedPathAttributes:
description: AdvertisedPathAttributes can be used to apply
additional path attributes to selected routes when advertising
them to the peer. If empty / nil, no additional path
attributes are advertised.
items:
description: CiliumBGPPathAttributes can be used to
apply additional path attributes to matched routes
when advertising them to a BGP peer.
properties:
communities:
description: Communities defines a set of community
values advertised in the supported BGP Communities
path attributes. If nil / not set, no BGP Communities
path attribute will be advertised.
properties:
large:
description: Large holds a list of the BGP Large
Communities Attribute (RFC 8092) values.
items:
description: BGPLargeCommunity type represents
a value of the BGP Large Communities Attribute
(RFC 8092), as three 4-byte decimal numbers
separated by colons.
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$
type: string
type: array
standard:
description: Standard holds a list of "standard"
32-bit BGP Communities Attribute (RFC 1997)
values defined as numeric values.
items:
description: BGPStandardCommunity type represents
a value of the "standard" 32-bit BGP Communities
Attribute (RFC 1997) as a 4-byte decimal
number or two 2-byte decimal numbers separated
by a colon (<0-65535>:<0-65535>). For example,
no-export community value is 65553:65281.
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$|^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
type: string
type: array
wellKnown:
description: WellKnown holds a list "standard"
32-bit BGP Communities Attribute (RFC 1997)
values defined as well-known string aliases
to their numeric values.
items:
description: "BGPWellKnownCommunity type represents
a value of the \"standard\" 32-bit BGP Communities
Attribute (RFC 1997) as a well-known string
alias to its numeric value. Allowed values
and their mapping to the numeric values:
\n internet = 0x00000000
(0:0) planned-shut = 0xffff0000
(65535:0) accept-own = 0xffff0001
(65535:1) route-filter-translated-v4 = 0xffff0002
(65535:2) route-filter-v4 = 0xffff0003
(65535:3) route-filter-translated-v6 = 0xffff0004
(65535:4) route-filter-v6 = 0xffff0005
(65535:5) llgr-stale = 0xffff0006
(65535:6) no-llgr = 0xffff0007
(65535:7) blackhole = 0xffff029a
(65535:666) no-export =
0xffffff01\t(65535:65281) no-advertise =
0xffffff02 (65535:65282) no-export-subconfed
\ = 0xffffff03 (65535:65283) no-peer
\ = 0xffffff04 (65535:65284)"
enum:
- internet
- planned-shut
- accept-own
- route-filter-translated-v4
- route-filter-v4
- route-filter-translated-v6
- route-filter-v6
- llgr-stale
- no-llgr
- blackhole
- no-export
- no-advertise
- no-export-subconfed
- no-peer
type: string
type: array
type: object
localPreference:
description: LocalPreference defines the preference
value advertised in the BGP Local Preference path
attribute. As Local Preference is only valid for
iBGP peers, this value will be ignored for eBGP
peers (no Local Preference path attribute will
be advertised). If nil / not set, the default
Local Preference of 100 will be advertised in
the Local Preference path attribute for iBGP peers.
format: int64
maximum: 4294967295
minimum: 0
type: integer
selector:
description: Selector selects a group of objects
of the SelectorType resulting into routes that
will be announced with the configured Attributes.
If nil / not set, all objects of the SelectorType
are selected.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
description: MatchLabelsValue represents the
value from the MatchLabels {key,value} pair.
maxLength: 63
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
selectorType:
description: 'SelectorType defines the object type
on which the Selector applies: - For "PodCIDR"
the Selector matches k8s CiliumNode resources
(path attributes apply to routes announced for
PodCIDRs of selected CiliumNodes. Only affects
routes of cluster scope / Kubernetes IPAM CIDRs,
not Multi-Pool IPAM CIDRs. - For "CiliumLoadBalancerIPPool"
the Selector matches CiliumLoadBalancerIPPool
custom resources (path attributes apply to routes
announced for selected CiliumLoadBalancerIPPools).
- For "CiliumPodIPPool" the Selector matches CiliumPodIPPool
custom resources (path attributes apply to routes
announced for allocated CIDRs of selected CiliumPodIPPools).'
enum:
- PodCIDR
- CiliumLoadBalancerIPPool
- CiliumPodIPPool
type: string
required:
- selectorType
type: object
type: array
authSecretRef:
description: AuthSecretRef is the name of the secret to
use to fetch a TCP authentication password for this
peer.
type: string
connectRetryTimeSeconds:
default: 120
description: ConnectRetryTimeSeconds defines the initial
value for the BGP ConnectRetryTimer (RFC 4271, Section
8).
format: int32
maximum: 2147483647
minimum: 1
type: integer
eBGPMultihopTTL:
default: 1
description: EBGPMultihopTTL controls the multi-hop feature
for eBGP peers. Its value defines the Time To Live (TTL)
value used in BGP packets sent to the neighbor. The
value 1 implies that eBGP multi-hop feature is disabled
(only a single hop is allowed). This field is ignored
for iBGP peers.
format: int32
maximum: 255
minimum: 1
type: integer
families:
description: "Families, if provided, defines a set of
AFI/SAFIs the speaker will negotiate with it's peer.
\n If this slice is not provided the default families
of IPv6 and IPv4 will be provided."
items:
description: CiliumBGPFamily represents a AFI/SAFI address
family pair.
properties:
afi:
description: Afi is the Address Family Identifier
(AFI) of the family.
enum:
- ipv4
- ipv6
- l2vpn
- ls
- opaque
type: string
safi:
description: Safi is the Subsequent Address Family
Identifier (SAFI) of the family.
enum:
- unicast
- multicast
- mpls_label
- encapsulation
- vpls
- evpn
- ls
- sr_policy
- mup
- mpls_vpn
- mpls_vpn_multicast
- route_target_constraints
- flowspec_unicast
- flowspec_vpn
- key_value
type: string
required:
- afi
- safi
type: object
type: array
gracefulRestart:
description: GracefulRestart defines graceful restart
parameters which are negotiated with this neighbor.
If empty / nil, the graceful restart capability is disabled.
properties:
enabled:
description: Enabled flag, when set enables graceful
restart capability.
type: boolean
restartTimeSeconds:
default: 120
description: RestartTimeSeconds is the estimated time
it will take for the BGP session to be re-established
with peer after a restart. After this period, peer
will remove stale routes. This is described RFC
4724 section 4.2.
format: int32
maximum: 4095
minimum: 1
type: integer
required:
- enabled
type: object
holdTimeSeconds:
default: 90
description: HoldTimeSeconds defines the initial value
for the BGP HoldTimer (RFC 4271, Section 4.2). Updating
this value will cause a session reset.
format: int32
maximum: 65535
minimum: 3
type: integer
keepAliveTimeSeconds:
default: 30
description: KeepaliveTimeSeconds defines the initial
value for the BGP KeepaliveTimer (RFC 4271, Section
8). It can not be larger than HoldTimeSeconds. Updating
this value will cause a session reset.
format: int32
maximum: 65535
minimum: 1
type: integer
peerASN:
description: PeerASN is the ASN of the peer BGP router.
Supports extended 32bit ASNs
format: int64
maximum: 4294967295
minimum: 0
type: integer
peerAddress:
description: PeerAddress is the IP address of the peer.
This must be in CIDR notation and use a /32 to express
a single host.
format: cidr
type: string
peerPort:
default: 179
description: PeerPort is the TCP port of the peer. 1-65535
is the range of valid port numbers that can be specified.
If unset, defaults to 179.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- peerASN
- peerAddress
type: object
minItems: 1
type: array
podIPPoolSelector:
description: "PodIPPoolSelector selects CiliumPodIPPools based
on labels. The virtual router will announce allocated CIDRs
of matching CiliumPodIPPools. \n If empty / nil no CiliumPodIPPools
will be announced."
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
description: MatchLabelsValue represents the value from
the MatchLabels {key,value} pair.
maxLength: 63
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
serviceSelector:
description: "ServiceSelector selects a group of load balancer
services which this virtual router will announce. The loadBalancerClass
for a service must be nil or specify a class supported by
Cilium, e.g. \"io.cilium/bgp-control-plane\". Refer to the
following document for additional details regarding load balancer
classes: \n https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
\n If empty / nil no services will be announced."
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
description: MatchLabelsValue represents the value from
the MatchLabels {key,value} pair.
maxLength: 63
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
required:
- localASN
- neighbors
type: object
minItems: 1
type: array
required:
- virtualRouters
type: object
required:
- metadata
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

25
kubernetes/apps/kube-system/cilium/config/l3.yaml → .archive/kubernetes/kube-system/cilium/app/bgppeeringpolicy.yaml
View file

@ -1,5 +1,4 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumbgppeeringpolicy_v2alpha1.json
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
# comments courtesy of JJGadgets
@ -13,15 +12,25 @@ spec:
matchLabels:
kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
virtualRouters:
- localASN: 64514
- localASN: 64512
exportPodCIDR: false
serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
matchExpressions:
- {
key: thisFakeSelector,
operator: NotIn,
values: ["will-match-and-announce-all-services"],
}
key: thisFakeSelector,
operator: NotIn,
values: ["will-match-and-announce-all-services"],
}
neighbors:
- peerAddress: "10.33.44.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
peerASN: 64513
- peerAddress: "10.1.1.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
peerASN: 64512
---
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
metadata:
name: main-pool
spec:
cidrs:
- cidr: 10.45.0.1/24

78
.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml Normal file
View file

@ -0,0 +1,78 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: cilium
namespace: kube-system
spec:
interval: 30m
chart:
spec:
chart: cilium
version: 1.15.3
sourceRef:
kind: HelmRepository
name: cilium
namespace: flux-system
maxHistory: 2
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
cluster:
name: homelab
id: 1
hubble:
relay:
enabled: true
ui:
enabled: true
metrics:
enableOpenMetrics: true
prometheus:
enabled: true
operator:
prometheus:
enabled: true
ipam:
mode: kubernetes
kubeProxyReplacement: true
k8sServiceHost: 127.0.0.1
k8sServicePort: 7445
rollOutCiliumPods: true
cgroup:
automount:
enabled: false
hostRoot: /sys/fs/cgroup
bgp:
enabled: false
announce:
loadbalancerIP: true
podCIDR: false
bgpControlPlane:
enabled: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE

23
.archive/kubernetes/kube-system/cilium/app/netpols/allow-ssh.yaml Normal file
View file

@ -0,0 +1,23 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-ssh
spec:
description: ""
nodeSelector:
matchLabels:
# node-access: ssh
node-role.kubernetes.io/control-plane: "true"
ingress:
- fromEntities:
- cluster
- toPorts:
- ports:
- port: "22"
protocol: TCP
- icmps:
- fields:
- type: 8
family: IPv4

27
.archive/kubernetes/kube-system/cilium/app/netpols/apiserver.yaml Normal file
View file

@ -0,0 +1,27 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: api-server
spec:
nodeSelector:
# apply to master nodes
matchLabels:
node-role.kubernetes.io/control-plane: 'true'
ingress:
# load balancer -> api server
- fromCIDR:
- 167.235.217.82/32
toPorts:
- ports:
- port: '6443'
protocol: TCP
egress:
# api server -> kubelet
- toEntities:
- remote-node
toPorts:
- ports:
- port: '10250'
protocol: TCP

41
.archive/kubernetes/kube-system/cilium/app/netpols/cilium-health.yaml Normal file
View file

@ -0,0 +1,41 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: cilium-health
specs:
- endpointSelector:
# apply to health endpoints
matchLabels:
reserved:health: ''
ingress:
# cilium agent -> cilium agent
- fromEntities:
- host
- remote-node
toPorts:
- ports:
- port: '4240'
protocol: TCP
- nodeSelector:
# apply to all nodes
matchLabels: {}
ingress:
# cilium agent -> cilium agent
- fromEntities:
- health
- remote-node
toPorts:
- ports:
- port: '4240'
protocol: TCP
egress:
# cilium agent -> cilium agent
- toEntities:
- health
- remote-node
toPorts:
- ports:
- port: '4240'
protocol: TCP

26
.archive/kubernetes/kube-system/cilium/app/netpols/cilium-vxlan.yaml Normal file
View file

@ -0,0 +1,26 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: cilium-vxlan
spec:
nodeSelector:
# apply to all nodes
matchLabels: {}
ingress:
# node -> vxlan
- fromEntities:
- remote-node
toPorts:
- ports:
- port: '8472'
protocol: UDP
egress:
# node -> vxlan
- toEntities:
- remote-node
toPorts:
- ports:
- port: '8472'
protocol: UDP

65
.archive/kubernetes/kube-system/cilium/app/netpols/core-dns.yaml Normal file
View file

@ -0,0 +1,65 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: core-dns
namespace: kube-system
specs:
- nodeSelector:
# apply to master nodes
matchLabels:
node-role.kubernetes.io/control-plane: 'true'
ingress:
# core dns -> api server
- fromEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: coredns
toPorts:
- ports:
- port: '6443'
protocol: TCP
- nodeSelector:
# apply to all nodes
matchLabels: {}
egress:
# kubelet -> core dns probes
- toEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: coredns
toPorts:
- ports:
- port: '8080'
protocol: TCP
- port: '8181'
protocol: TCP
- endpointSelector:
# apply to core dns pods
matchLabels:
io.cilium.k8s.policy.serviceaccount: coredns
ingress:
# kubelet -> core dns probes
- fromEntities:
- host
toPorts:
- ports:
- port: '8080'
protocol: TCP
- port: '8181'
protocol: TCP
egress:
# core dns -> api server
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: '6443'
protocol: TCP
# core dns -> upstream DNS
- toCIDR:
- 185.12.64.1/32
- 185.12.64.2/32
toPorts:
- ports:
- port: '53'
protocol: UDP

27
.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml Normal file
View file

@ -0,0 +1,27 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: etcd
spec:
nodeSelector:
# apply to master nodes
matchLabels:
node-role.kubernetes.io/control-plane: 'true'
ingress:
# etcd peer -> etcd peer
- fromEntities:
- remote-node
toPorts:
- ports:
- port: '2380'
protocol: TCP
egress:
# etcd peer -> etcd peer
- toEntities:
- remote-node
toPorts:
- ports:
- port: '2380'
protocol: TCP

15
.archive/kubernetes/kube-system/cilium/app/netpols/fix-apiserver.yml Normal file
View file

@ -0,0 +1,15 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-specific-traffic
spec:
endpointSelector: {}
ingress:
- fromEntities:
- host
toPorts:
- ports:
- port: '6443'
protocol: TCP

50
.archive/kubernetes/kube-system/cilium/app/netpols/hubble-relay.yaml Normal file
View file

@ -0,0 +1,50 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: hubble-relay
namespace: kube-system
specs:
- nodeSelector:
# apply to all nodes
matchLabels: {}
ingress:
# hubble relay -> hubble agent
- fromEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-relay
toPorts:
- ports:
- port: '4244'
protocol: TCP
egress:
# kubelet -> hubble relay probes
- toEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-relay
toPorts:
- ports:
- port: '4245'
protocol: TCP
- endpointSelector:
# apply to hubble relay pods
matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-relay
ingress:
# kubelet -> hubble relay probes
- fromEntities:
- host
toPorts:
- ports:
- port: '4245'
protocol: TCP
egress:
# hubble relay -> hubble agent
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: '4244'
protocol: TCP

75
.archive/kubernetes/kube-system/cilium/app/netpols/hubble-ui.yaml Normal file
View file

@ -0,0 +1,75 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: hubble-ui
namespace: kube-system
specs:
- nodeSelector:
# apply to master nodes
matchLabels:
node-role.kubernetes.io/control-plane: ''
ingress:
# hubble ui -> api server
- fromEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-ui
toPorts:
- ports:
- port: '6443'
protocol: TCP
- endpointSelector:
# apply to core dns endpoints
matchLabels:
io.cilium.k8s.policy.serviceaccount: coredns
ingress:
# hubble ui -> core dns
- fromEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-ui
toPorts:
- ports:
- port: '53'
protocol: UDP
- endpointSelector:
# apply to hubble relay endpoints
matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-relay
ingress:
# hubble ui -> hubble relay
- fromEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-ui
toPorts:
- ports:
- port: '4245'
protocol: TCP
- endpointSelector:
# apply to hubble ui endpoints
matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-ui
egress:
# hubble ui -> api server
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: '6443'
protocol: TCP
# hubble ui -> hubble relay
- toEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: hubble-relay
toPorts:
- ports:
- port: '4245'
protocol: TCP
# hubble ui -> core dns
- toEndpoints:
- matchLabels:
io.cilium.k8s.policy.serviceaccount: coredns
toPorts:
- ports:
- port: '53'
protocol: UDP

28
.archive/kubernetes/kube-system/cilium/app/netpols/kubelet.yaml Normal file
View file

@ -0,0 +1,28 @@
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: kubelet
spec:
nodeSelector:
# apply to all nodes
matchLabels: {}
ingress:
# api server -> kubelet
- fromEntities:
- kube-apiserver
toPorts:
- ports:
- port: '10250'
protocol: TCP
egress:
# kubelet -> load balancer
- toCIDR:
- 167.235.217.82/32
toEntities:
- host
toPorts:
- ports:
- port: '6443'
protocol: TCP

16
.archive/kubernetes/kube-system/cilium/app/netpols/kustomization.yaml Normal file
View file

@ -0,0 +1,16 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- ./allow-ssh.yaml
- ./apiserver.yaml
- ./cilium-health.yaml
- ./cilium-vxlan.yaml
- ./core-dns.yaml
- ./etcd.yaml
- ./hubble-relay.yaml
- ./hubble-ui.yaml
- ./kubelet.yaml

15
.archive/vault/ks.yaml → .archive/kubernetes/kube-system/cilium/ks.yaml
View file

@ -3,18 +3,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app vault
name: cilium
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 1m
path: "./kubernetes/apps/security/vault/app"
interval: 30m
retryInterval: 1m
timeout: 5m
path: "./kubernetes/apps/kube-system/cilium/app"
prune: true
sourceRef:
kind: GitRepository
name: theshire
name: homelab
wait: false
dependsOn:
- name: rook-ceph-cluster

0
kubernetes/apps/rook-ceph/kustomization.yaml → .archive/kubernetes/rook-ceph/kustomization.yaml
View file

0
kubernetes/apps/rook-ceph/namespace.yaml → .archive/kubernetes/rook-ceph/namespace.yaml
View file

8
kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml → .archive/kubernetes/rook-ceph/rook-ceph/app/helmrelease.yaml
View file

@ -1,6 +1,6 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: rook-ceph-operator
@ -10,7 +10,7 @@ spec:
chart:
spec:
chart: rook-ceph
version: v1.15.7
version: v1.14.2
sourceRef:
kind: HelmRepository
name: rook-ceph
@ -29,6 +29,8 @@ spec:
namespace: volsync-system
values:
csi:
provisioner:
image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.1
cephFSKernelMountOptions: ms_mode=prefer-crc
enableLiveness: true
serviceMonitor:

0
kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml → .archive/kubernetes/rook-ceph/rook-ceph/app/kustomization.yaml
View file

26
.archive/kubernetes/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: rook-ceph-dashboard-password
stringData:
password: ENC[AES256_GCM,data:WWTt7SN6ssndLahsOA1gujEeGAM=,iv:YbHGNN+11wA/MLq9vFVM6v4mhPO58JmwXBDj0Qs7+Wk=,tag:5Xn0tqpiIiEt8ZWZHRTM3w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzb2ZpaDd0azNHNTJoUTB6
VVpKbm94ZEprSHplb2UrQnkzTzdGUEFjcGxBCnhxR1BwNmFIOExtMW5GRkVJWTl5
blQzSmZ0Tm5CWTk3N25nUUM0dFpKUTQKLS0tIEgwSHNlVXNRdHZvcE10VzExU0hE
L0dGK1lFd0ZSQ0lTcEdMNTBkSDJ6WWsKQuiJmRSLbvmgenlu4F2/CQYCCbZTtS/K
nz7NsY2om+mWMvPSvLAp1pOHDAdFW79ggQAiCyslDi9iOkaD8MOnxQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-16T23:22:39Z"
mac: ENC[AES256_GCM,data:djsWoz/MuUhEKsM03+iaGV/dZUjRAGkiBEz4hROi+rfNWeHLJG2/xXPSKYYgT3h7JOZGh2Gnz7NXiB7TuixlWrAfT2BUBzd+2o9/hzg3xQzLAjApSfZdyap6oafatKxZAR/JHBSw7s0saVNnop9d/DZK4c1Fb1qNKoTrnWqqrF8=,iv:oitjHdZl07CaoBtNtX/sOPLHu7AS/R4YE4TKBJKrUBw=,tag:Br8mBH+mATEwsLzSZmoVYg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1

78
kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml → .archive/kubernetes/rook-ceph/rook-ceph/cluster/helmrelease.yaml
View file

@ -1,6 +1,6 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: rook-ceph-cluster
@ -10,7 +10,7 @@ spec:
chart:
spec:
chart: rook-ceph-cluster
version: v1.15.7
version: v1.14.2
sourceRef:
kind: HelmRepository
name: rook-ceph
@ -49,18 +49,8 @@ spec:
bdev_enable_discard = true
bdev_async_discard = true
osd_class_update_on_start = false
osd_pool_default_size = 1
cephClusterSpec:
mgr:
modules:
- name: pg_autoscaler
enabled: true
- name: nfs
enabled: false
- name: rook
enabled: true
- name: insights
enabled: true
network:
provider: host
connections:
@ -74,13 +64,33 @@ spec:
storage:
useAllNodes: true
useAllDevices: false
deviceFilter: "nvme[0-9]+n1"
deviceFilter: "nvme2n1"
resources:
mgr:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: 2000m
memory: 2Gi
mon:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 4000m
memory: 4Gi
osd:
requests:
cpu: 500m
memory: 4Gi
limits:
cpu: 4000m
memory: 8Gi
cephBlockPools:
- name: ceph-blockpool
spec:
failureDomain: host
replicated:
size: 3
storageClass:
enabled: true
name: ceph-block
@ -106,21 +116,16 @@ spec:
- name: ceph-filesystem
spec:
metadataPool:
replicated:
size: 3
dataPools:
- failureDomain: host
replicated:
size: 3
name: data0
metadataServer:
activeCount: 1
activeStandby: true
priorityClassName: system-cluster-critical
resources:
requests:
cpu: 100m
memory: 1Gi
cpu: 1000m
memory: 4Gi
limits:
memory: 4Gi
storageClass:
@ -143,4 +148,29 @@ spec:
name: csi-ceph-filesystem
isDefault: false
deletionPolicy: Delete
cephObjectStores: []
cephObjectStores:
- name: ceph-objectstore
spec:
metadataPool:
failureDomain: host
dataPool:
failureDomain: host
preservePoolsOnDelete: true
gateway:
port: 80
resources:
requests:
cpu: 1000m
memory: 1Gi
limits:
memory: 2Gi
instances: 2
healthCheck:
bucket:
interval: 60s
storageClass:
enabled: true
name: ceph-bucket
reclaimPolicy: Delete
parameters:
region: us-east-1

0
kubernetes/apps/observability/alertmanager/silencer/kustomization.yaml → .archive/kubernetes/rook-ceph/rook-ceph/cluster/kustomization.yaml
View file

6
kubernetes/apps/rook-ceph/rook-ceph/ks.yaml → .archive/kubernetes/rook-ceph/rook-ceph/ks.yaml
View file

@ -14,9 +14,10 @@ spec:
prune: false # never should be deleted
sourceRef:
kind: GitRepository
name: theshire
name: homelab
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
@ -34,7 +35,8 @@ spec:
prune: false # never should be deleted
sourceRef:
kind: GitRepository
name: theshire
name: homelab
wait: false
interval: 30m
retryInterval: 1m
timeout: 15m

200
.archive/kyverno/kyverno/app/helmrelease.yaml
View file

@ -1,200 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: kyverno
namespace: kyverno
spec:
interval: 30m
chart:
spec:
chart: kyverno
version: 3.3.2
sourceRef:
kind: HelmRepository
name: kyverno
namespace: flux-system
maxHistory: 2
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
crds:
install: true
grafana:
enabled: true
annotations:
grafana_folder: System
backgroundController:
clusterRole:
extraResources:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- update
- patch
resources:
requests:
cpu: 100m
limits:
memory: 1Gi
cleanupController:
serviceMonitor:
enabled: true
reportsController:
clusterRole:
extraResources:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
serviceMonitor:
enabled: true
admissionController:
clusterRole:
extraResources:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
serviceMonitor:
enabled: true
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: kyverno
app.kubernetes.io/component: kyverno
config:
# -- Resource types to be skipped by the Kyverno policy engine.
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
# @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
resourceFilters:
- "[Event,*,*]"
# - "[*/*,kube-system,*]"
- "[*/*,kube-public,*]"
- "[*/*,kube-node-lease,*]"
- "[Node,*,*]"
- "[Node/*,*,*]"
- "[APIService,*,*]"
- "[APIService/*,*,*]"
- "[TokenReview,*,*]"
- "[SubjectAccessReview,*,*]"
- "[SelfSubjectAccessReview,*,*]"
# remove the following to allow for schematic-to-pod.yaml to work
# - '[Binding,*,*]'
# - '[Pod/binding,*,*]'
- "[ReplicaSet,*,*]"
- "[ReplicaSet/*,*,*]"
- "[EphemeralReport,*,*]"
- "[ClusterEphemeralReport,*,*]"
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'

8
.archive/kyverno/kyverno/policies/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - ./remove-cpu-limits.yaml
- ./schematic-to-pod.yaml
- ./volsync-movers.yaml

39
.archive/kyverno/kyverno/policies/schematic-to-pod.yaml
View file

@ -1,39 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kyverno.io/clusterpolicy_v1.json
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-talos-factory-schematic-to-node
annotations:
pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/title: Adds talos factory schematic to node
policies.kyverno.io/category: Other
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.10.0
policies.kyverno.io/minversion: 1.10.0
kyverno.io/kubernetes-version: "1.30"
spec:
background: false
rules:
- name: project-foo
match:
any:
- resources:
kinds:
- Pod/binding
names:
- apply-talos*
context:
- name: node
variable:
jmesPath: request.object.target.name
default: ""
- name: schematic
apiCall:
urlPath: "/api/v1/nodes/{{node}}"
jmesPath: 'metadata.annotations."extensions.talos.dev/schematic" || ''empty'''
mutate:
patchStrategicMerge:
metadata:
annotations:
extensions.talos.dev/schematic: "{{ schematic }}"

76
.archive/kyverno/kyverno/policies/volsync-movers.yaml
View file

@ -1,76 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kyverno.io/clusterpolicy_v1.json
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: volsync-movers
annotations:
policies.kyverno.io/title: Set custom config on the Volsync mover Jobs
policies.kyverno.io/description: |
This policy sets custom configuration on the Volsync mover Jobs.
policies.kyverno.io/subject: Pod
spec:
rules:
- name: mutate-volsync-src-movers
match:
any:
- resources:
kinds: ["batch/v1/Job"]
names: ["volsync-src-*"]
namespaces: ["*"]
selector:
matchLabels:
app.kubernetes.io/created-by: volsync
mutate:
patchStrategicMerge:
spec:
podReplacementPolicy: Failed
podFailurePolicy:
rules:
- action: FailJob
onExitCodes:
containerName: restic
operator: In
values: [11]
template:
spec:
initContainers:
- name: jitter
image: docker.io/library/busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh', '-c', 'sleep $(shuf -i 0-60 -n 1)']
containers:
- name: restic
volumeMounts:
- name: repository
mountPath: /repository
volumes:
- name: repository
nfs:
server: shadowfax.jahanson.tech
path: /nahar/volsync
- name: mutate-volsync-dst-movers
match:
any:
- resources:
kinds: ["batch/v1/Job"]
names: ["volsync-dst-*"]
namespaces: ["*"]
selector:
matchLabels:
app.kubernetes.io/created-by: volsync
mutate:
patchStrategicMerge:
spec:
template:
spec:
containers:
- name: restic
volumeMounts:
- name: repository
mountPath: /repository
volumes:
- name: repository
nfs:
server: shadowfax.jahanson.tech
path: /nahar/volsync

9
.archive/system-upgrade/kustomization.yaml
View file

@ -1,9 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./system-upgrade-controller/ks.yaml

38
.archive/system-upgrade/namespace.yaml
View file

@ -1,38 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: system-upgrade
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
volsync.backube/privileged-movers: "true"
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: alert-manager
namespace: system-upgrade
spec:
type: alertmanager
address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: alert-manager
namespace: system-upgrade
spec:
providerRef:
name: alert-manager
eventSeverity: error
eventSources:
- kind: HelmRelease
name: "*"
exclusionList:
- "error.*lookup github\\.com"
- "error.*lookup raw\\.githubusercontent\\.com"
- "dial.*tcp.*timeout"
- "waiting.*socket"
suspend: false

101
.archive/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
View file

@ -1,101 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app system-upgrade-controller
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
values:
controllers:
system-upgrade-controller:
strategy: RollingUpdate
containers:
app:
image:
repository: docker.io/rancher/system-upgrade-controller
tag: v0.14.2@sha256:3cdbfdd90f814702cefb832fc4bdb09ea93865a4d06c6bafd019d1dc6a9f34c9
env:
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
seccompProfile:
type: RuntimeDefault
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile: { type: RuntimeDefault }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccount:
create: true
name: system-upgrade
persistence:
tmp:
type: emptyDir
etc-ssl:
type: hostPath
hostPath: /etc/ssl
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true
etc-pki:
type: hostPath
hostPath: /etc/pki
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true
etc-ca-certificates:
type: hostPath
hostPath: /etc/ca-certificates
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true

21
.archive/system-upgrade/system-upgrade-controller/app/rbac.yaml
View file

@ -1,21 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system-upgrade
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: system-upgrade
namespace: system-upgrade
---
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
name: talos
spec:
roles:
- os:admin

50
.archive/system-upgrade/system-upgrade-controller/ks.yaml
View file

@ -1,50 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app system-upgrade-controller
namespace: flux-system
spec:
targetNamespace: system-upgrade
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: node-feature-discovery-rules
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: true
interval: 30m
timeout: 5m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app system-upgrade-controller-plans
namespace: flux-system
spec:
targetNamespace: system-upgrade
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: system-upgrade-controller
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
interval: 30m
timeout: 5m
postBuild:
substitute:
# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
TALOS_VERSION: v1.8.2
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
KUBERNETES_VERSION: v1.30.2

45
.archive/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml
View file

@ -1,45 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: kubernetes
spec:
version: ${KUBERNETES_VERSION}
serviceAccountName: system-upgrade
secrets:
- name: talos
path: /var/run/secrets/talos.dev
ignoreUpdates: true
concurrency: 1
exclusive: true
nodeSelector:
matchExpressions:
- key: feature.node.kubernetes.io/system-os_release.ID
operator: In
values: ["talos"]
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
prepare: &prepare
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
envs:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
args:
- --nodes=$(NODE_IP)
- health
- --server=false
upgrade:
<<: *prepare
args:
- --nodes=$(NODE_IP)
- upgrade-k8s
- --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)

51
.archive/system-upgrade/system-upgrade-controller/plans/talos.yaml
View file

@ -1,51 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: talos
spec:
version: ${TALOS_VERSION}
serviceAccountName: system-upgrade
secrets:
- name: talos
path: /var/run/secrets/talos.dev
ignoreUpdates: true
concurrency: 1
exclusive: true
nodeSelector:
matchExpressions:
- key: feature.node.kubernetes.io/system-os_release.ID
operator: In
values: ["talos"]
- key: feature.node.kubernetes.io/system-os_release.VERSION_ID
operator: NotIn
values: ["${TALOS_VERSION}"]
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
prepare: &prepare
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
envs:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: TALOS_SCHEMATIC_ID
valueFrom:
fieldRef:
fieldPath: metadata.annotations['extensions.talos.dev/schematic']
args:
- --nodes=$(NODE_IP)
- health
- --server=false
upgrade:
<<: *prepare
args:
- --nodes=$(NODE_IP)
- upgrade
- --image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
- --wait=false

27
.archive/vault/app/externalsecret.yaml
View file

@ -1,27 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault
namespace: security
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: vault-secret
creationPolicy: Owner
data:
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: vault
property: AWS_SECRET_ACCESS_KEY
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: vault
property: AWS_ACCESS_KEY_ID
- secretKey: VAULT_AWSKMS_SEAL_KEY_ID
remoteRef:
key: vault
property: VAULT_AWSKMS_SEAL_KEY_ID

141
.archive/vault/app/helmrelease.yaml
View file

@ -1,141 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault
spec:
interval: 30m
chart:
spec:
chart: vault
version: 0.28.1
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: uninstall
values:
server:
image:
repository: public.ecr.aws/hashicorp/vault
tag: "1.17.5"
logLevel: "info"
logFormat: "json"
ingress:
enabled: true
ingressClassName: internal-nginx
hosts:
- host: &host "vault.jahanson.tech"
paths: []
tls:
- hosts:
- *host
service:
type: "ClusterIP"
port: &port 8200
targetPort: *port
# off until it's online for the first time
readinessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
livenessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true"
initialDelaySeconds: 60
# If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok=true
# Port number on which readinessProbe will be checked.
port: *port
extraEnvironmentVars:
# This is required because they will lose their values when the pod is upgraded in my experience.
# Probably a Flux thing.
VAULT_CLUSTER_ADDR: http://$(HOSTNAME).vault-internal:8201
extraSecretEnvironmentVars:
- envName: AWS_SECRET_ACCESS_KEY
secretName: vault-secret
secretKey: AWS_SECRET_ACCESS_KEY
- envName: AWS_ACCESS_KEY_ID
secretName: vault-secret
secretKey: AWS_ACCESS_KEY_ID
- envName: VAULT_AWSKMS_SEAL_KEY_ID
secretName: vault-secret
secretKey: VAULT_AWSKMS_SEAL_KEY_ID
# These are defaults but explicitly set here for clarity.
dataStorage:
size: 4Gi
mountPath: /vault/data
storageClass: ceph-block
auditStorage:
enabled: true
size: 10Gi
mountPath: /vault/audit
storageClass: ceph-block
# We want high availability. If standalone is true it sets the storage backend to file
# and the max replicas can only be 1.
standalone:
enabled: false
ha:
enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of replicas
# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
replicas: 3
config: ""
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# For prometheus!
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
retry_join {
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"security\""
auto_join_scheme = "http"
}
}
seal "awskms" {
region = "us-east-2"
}
service_registration "kubernetes" {}
statefulSet:
securityContext:
pod:
runAsUser: 568
runAsGroup: 568
runAsNonRoot: true
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [10000]
container:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- "ALL"
ui:
enabled: true
publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: true
serviceType: "LoadBalancer"
externalPort: *port
targetPort: *port

8
.archive/vault/app/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml

2
.editorconfig
View file

@ -1,3 +1,5 @@
; https://editorconfig.org/
root = true
[*]

12
.envrc
View file

@ -1,13 +1,5 @@
#shellcheck disable=SC2148,SC2155
export KUBECONFIG="$(expand_path ./kubeconfig)"
export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)"
export KREW_ROOT="$(expand_path ~/.krew/bin)"
export CLUSTER="theshire"
export KUBERNETES_DIR="$(expand_path ./kubernetes)"
#export MQTTUI_BROKER="mqtt://10.1.1.38"
#export MQTTUI_BROKER=$(op item get "emqx [jahanson]" --fields broker)
#export MQTTUI_USERNAME=$(op item get "emqx [jahanson]" --fields username)
#export MQTTUI_PASSWORD=$(op item get "emqx [jahanson]" --fields mqtt-password)
PATH_add $KREW_ROOT
use nix
export TALOSCONFIG="$(expand_path ./talosconfig.yaml)"
export OMNICONFIG="$(expand_path ./omniconfig.yaml)"

25
.gitignore vendored
View file

@ -1,32 +1,15 @@
# OS generated files
.DS_Store
Thumbs.db
# Development environments
.direnv
.idea/
.private/
.venv/
.pytest_cache/
# Infrastructure and deployment
.terraform
*.tfvars
kubeconfig*
*talosconfig.yaml
omniconfig.yaml
# Security and credentials
.private/
.decrypted~*
*.agekey
*.pub
*.key
*.pem
*.secrets
kubeconfig*
*talosconfig.yaml
omniconfig.yaml
config.xml
# syncthing
**/*sync-conflict*
# Aider
.aider*

4
.krmignore
View file

@ -1,4 +0,0 @@
.archive
.forgejo
.git
.taskfiles

2
.pre-commit-config.yaml
View file

@ -47,7 +47,7 @@ repos:
args: [--severity=error]
additional_dependencies: []
- repo: https://github.com/onedr0p/sops-pre-commit
- repo: https://github.com/k8s-at-home/sops-pre-commit
rev: v2.1.1
hooks:
- id: forbid-secrets

4
.prettierrc
View file

@ -1,4 +0,0 @@
{
"quoteProps": "preserve",
"trailingComma": "none"
}

46
.renovate/autoMerge.json5
View file

@ -1,26 +1,22 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": "Auto merge container digests",
"matchDatasources": ["docker"],
"automerge": true,
"automergeType": "branch",
"matchUpdateTypes": ["digest"],
"matchPackagePrefixes": [
"ghcr.io/onedr0p",
"ghcr.io/bjw-s",
"ghcr.io/bjw-s-labs"
],
"ignoreTests": true
},
{
"description": "Auto merge KPS minors and patches",
"matchDatasources": ["helm"],
"automerge": true,
"matchUpdateTypes": ["minor", "patch"],
"matchDepNames": ["kube-prometheus-stack"],
"ignoreTests": false
}
]
}
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": "Auto merge container digests",
"matchDatasources": ["docker"],
"automerge": true,
"automergeType": "branch",
"matchUpdateTypes": ["digest"],
"matchPackagePrefixes": ["ghcr.io/onedr0p", "ghcr.io/bjw-s"],
"ignoreTests": true
},
{
"description": "Auto merge KPS minors and patches",
"matchDatasources": ["helm"],
"automerge": true,
"matchUpdateTypes": ["minor", "patch"],
"matchDepNames": ["kube-prometheus-stack"],
"ignoreTests": false
}
]
}

16
.renovate/commitMessage.json5
View file

@ -1,16 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{newVersion}}",
"commitMessageSuffix": "",
"packageRules": [
{
"matchDatasources": ["helm"],
"commitMessageTopic": "chart {{depName}}"
},
{
"matchDatasources": ["docker"],
"commitMessageTopic": "image {{depName}}"
}
]
}

54
.renovate/customManagers.json5
View file

@ -1,19 +1,37 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"customManagers": [
{
"customType": "regex",
"description": ["Process custom dependencies"],
"fileMatch": ["(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$"],
"matchStrings": [
// # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io
// version: 1.15.1
"datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( repository=(?<registryUrl>\\S+))?\\n.+: (&\\S+\\s)?(?<currentValue>\\S+)",
// # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
// https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml
"datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+/(?<currentValue>(v|\\d)[^/]+)"
],
"datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}"
}
]
}
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"customDatasources": {
"grafana-dashboards": {
"defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}",
"format": "json",
"transformTemplates": [
"{\"releases\":[{\"version\": $string(revision)}]}"
]
}
},
"customManagers": [
{
"customType": "regex",
"description": "Process Grafana dashboards",
"fileMatch": [
"(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"
],
"matchStrings": [
"depName=\"(?<depName>\\S+)\"\\n.*?gnetId: (?<packageName>\\d+)\\n.*?revision: (?<currentValue>\\d+)"
],
"datasourceTemplate": "custom.grafana-dashboards",
"versioningTemplate": "regex:^(?<major>\\d+)$"
}
],
"packageRules": [
{
"addLabels": ["renovate/grafana-dashboard"],
"commitMessageExtra": "to revision {{newVersion}}",
"commitMessageTopic": "dashboard {{depName}}",
"matchDatasources": ["grafana-dashboards", "custom.grafana-dashboards"],
"matchUpdateTypes": ["major"],
"semanticCommitScope": "grafana-dashboards",
"semanticCommitType": "chore"
}
]
}

38
.renovate/grafanaDashboards.json5
View file

@ -1,38 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"customDatasources": {
"grafana-dashboards": {
"defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}",
"format": "json",
"transformTemplates": [
"{\"releases\":[{\"version\": $string(revision)}]}"
]
}
},
"customManagers": [
{
"customType": "regex",
"description": ["Process Grafana dashboards"],
"fileMatch": ["(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$"],
"matchStrings": [
"depName=\"(?<depName>.*)\"\\n(?<indentation>\\s+)gnetId: (?<packageName>\\d+)\\n.+revision: (?<currentValue>\\d+)"
],
"autoReplaceStringTemplate": "depName=\"{{{depName}}}\"\n{{{indentation}}}gnetId: {{{packageName}}}\n{{{indentation}}}revision: {{{newValue}}}",
"datasourceTemplate": "custom.grafana-dashboards",
"versioningTemplate": "regex:^(?<major>\\d+)$"
}
],
"packageRules": [
{
"addLabels": ["renovate/grafana-dashboard"],
"automerge": true,
"automergeType": "branch",
"matchDatasources": ["custom.grafana-dashboards"],
"matchUpdateTypes": ["major"],
"semanticCommitType": "chore",
"semanticCommitScope": "grafana-dashboards",
"commitMessageTopic": "dashboard {{depName}}",
"commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
}
]
}

61
.renovate/groups.json5
View file

@ -1,61 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": ["Dragonfly Operator Group"],
"groupName": "Dragonfly Operator",
"matchPackagePatterns": ["dragonfly(?:db)?.operator"],
"matchDatasources": ["docker", "github-releases"],
"group": {
"commitMessageTopic": "{{{groupName}}} group"
},
"separateMinorPatch": true
},
{
"description": ["Flux Group"],
"groupName": "Flux",
"matchPackagePatterns": ["fluxcd"],
"matchDatasources": ["docker", "github-tags"],
"versioning": "semver",
"group": {
"commitMessageTopic": "{{{groupName}}} group"
},
"separateMinorPatch": true
},
{
"description": ["Rook-Ceph Group"],
"groupName": "Rook-Ceph",
"matchPackagePatterns": ["rook.ceph"],
"matchDatasources": ["helm"],
"group": {
"commitMessageTopic": "{{{groupName}}} group"
},
"separateMinorPatch": true
},
{
"description": ["Talos Group"],
"groupName": "Talos",
"matchPackagePatterns": [
"ghcr.io/siderolabs/talosctl",
"ghcr.io/siderolabs/installer",
"factory.talos.dev/installer"
],
"matchDatasources": ["docker"],
"group": {
"commitMessageTopic": "{{{groupName}}} group"
},
"separateMinorPatch": true
},
{
"description": ["Volsync Group"],
"groupName": "Volsync",
"matchPackagePatterns": ["volsync"],
"matchDatasources": ["docker", "helm"],
"matchUpdateTypes": ["minor", "patch"],
"group": {
"commitMessageTopic": "{{{groupName}}} group"
},
"separateMinorPatch": true
}
]
}

37
.renovate/labels.json5
View file

@ -1,37 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"matchUpdateTypes": ["major"],
"labels": ["type/major"]
},
{
"matchUpdateTypes": ["minor"],
"labels": ["type/minor"]
},
{
"matchUpdateTypes": ["patch"],
"labels": ["type/patch"]
},
{
"matchUpdateTypes": ["digest"],
"labels": ["type/digest"]
},
{
"matchDatasources": ["docker"],
"addLabels": ["renovate/container"]
},
{
"matchDatasources": ["helm"],
"addLabels": ["renovate/helm"]
},
{
"matchDatasources": ["github-releases", "github-tags"],
"addLabels": ["renovate/github-release"]
},
{
"matchManagers": ["github-actions"],
"addLabels": ["renovate/github-action"]
}
]
}

23
.renovate/packageRules.json5
View file

@ -1,23 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": ["Loose versioning for non-semver packages"],
"matchDatasources": ["docker"],
"matchPackagePatterns": ["plex"],
"versioning": "loose"
},
{
"description": ["Custom schedule for frequently updated packages"],
"matchDataSources": ["docker", "helm"],
"matchPackagePatterns": ["minio", "reloader"],
"schedule": ["on the first day of the month"]
},
{
"description": ["Custom versioning for minio"],
"matchDatasources": ["docker"],
"matchPackagePatterns": ["minio"],
"versioning": "regex:^RELEASE\\.(?<major>\\d+)-(?<minor>\\d+)-(?<patch>\\d+)T.*Z$"
}
]
}

15
.sops.yaml
View file

@ -1,24 +1,15 @@
---
creation_rules:
- # IMPORTANT: Keep this rule first
path_regex: kubernetes/bootstrap/talos/talsecret(\.sops)?\.ya?ml
input_type: yaml
encrypted_regex: ^(token|crt|key|id|secret|secretboxencryptionsecret|ca|bootstraptoken)$
age: >-
age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn
- path_regex: kubernetes/.*/talos/.*\.sops\.ya?ml$
age: >-
age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn
- path_regex: kubernetes/.*\.sops\.ya?ml
encrypted_regex: "^(data|stringData)$"
# Homelab
age: >-
age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn
age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
- path_regex: .*\.sops\.(env|ini|json|toml)
# Homelab
age: >-
age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn
age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
- path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml
# Homelab
age: >-
age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn
age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6

0
.taskfiles/precommit/Taskfile.yaml → .taskfiles/PreCommit/Tasks.yaml
View file

19
.taskfiles/VolSync/ListJob.tmpl.yaml Normal file
View file

@ -0,0 +1,19 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: "list-${rsrc}-${ts}"
namespace: "${namespace}"
spec:
ttlSecondsAfterFinished: 3600
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: list
image: docker.io/restic/restic:0.16.0
args: ["snapshots"]
envFrom:
- secretRef:
name: "${rsrc}-restic-secret"

25
.taskfiles/VolSync/ReplicationDestination.tmpl.yaml Normal file
View file

@ -0,0 +1,25 @@
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
name: "${rsrc}-${claim}-${ts}"
namespace: "${namespace}"
spec:
trigger:
manual: restore-once
restic:
repository: "${rsrc}-restic-secret"
destinationPVC: "${claim}"
copyMethod: Direct
storageClassName: openebs-zfs
# IMPORTANT NOTE:
# Set to the last X number of snapshots to restore from
previous: ${previous}
# OR;
# IMPORTANT NOTE:
# On bootstrap set `restoreAsOf` to the time the old cluster was destroyed.
# This will essentially prevent volsync from trying to restore a backup
# from a application that started with default data in the PVC.
# Do not restore snapshots made after the following RFC3339 Timestamp.
# date --rfc-3339=seconds (--utc)
# restoreAsOf: "2022-12-10T16:00:00-05:00"

158
.taskfiles/VolSync/Tasks.yaml Normal file
View file

@ -0,0 +1,158 @@
---
version: "3"
x-task-vars: &task-vars
rsrc: '{{.rsrc}}'
controller: '{{.controller}}'
namespace: '{{.namespace}}'
claim: '{{.claim}}'
ts: '{{.ts}}'
kustomization: '{{.kustomization}}'
previous: '{{.previous}}'
vars:
destinationTemplate: "{{.ROOT_DIR}}/.taskfiles/VolSync/ReplicationDestination.tmpl.yaml"
wipeJobTemplate: "{{.ROOT_DIR}}/.taskfiles/VolSync/WipeJob.tmpl.yaml"
waitForJobScript: "{{.ROOT_DIR}}/.taskfiles/VolSync/wait-for-job.sh"
listJobTemplate: "{{.ROOT_DIR}}/.taskfiles/VolSync/ListJob.tmpl.yaml"
unlockJobTemplate: "{{.ROOT_DIR}}/.taskfiles/VolSync/UnlockJob.tmpl.yaml"
ts: '{{now | date "150405"}}'
tasks:
list:
desc: List all snapshots taken by restic for a given ReplicationSource (ex. task volsync:list rsrc=plex [namespace=default])
silent: true
cmds:
- envsubst < <(cat {{.listJobTemplate}}) | kubectl apply -f -
- bash {{.waitForJobScript}} list-{{.rsrc}}-{{.ts}} {{.namespace}}
- kubectl -n {{.namespace}} wait job/list-{{.rsrc}}-{{.ts}} --for condition=complete --timeout=1m
- kubectl -n {{.namespace}} logs job/list-{{.rsrc}}-{{.ts}} --container list
- kubectl -n {{.namespace}} delete job list-{{.rsrc}}-{{.ts}}
vars:
rsrc: '{{ or .rsrc (fail "ReplicationSource `rsrc` is required") }}'
namespace: '{{.namespace | default "default"}}'
env: *task-vars
preconditions:
# - sh: test -f {{.waitForJobScript}}
- sh: test -f {{.listJobTemplate}}
unlock:
desc: Unlocks restic repository for a given ReplicationSource (ex. task volsync:unlock rsrc=plex [namespace=default])
silent: true
cmds:
- envsubst < <(cat {{.unlockJobTemplate}}) | kubectl apply -f -
# - bash {{.waitForJobScript}} unlock-{{.rsrc}}-{{.ts}} {{.namespace}}
- kubectl -n {{.namespace}} wait job/unlock-{{.rsrc}}-{{.ts}} --for condition=complete --timeout=1m
- kubectl -n {{.namespace}} logs job/unlock-{{.rsrc}}-{{.ts}} --container unlock
- kubectl -n {{.namespace}} delete job unlock-{{.rsrc}}-{{.ts}}
vars:
rsrc: '{{ or .rsrc (fail "ReplicationSource `rsrc` is required") }}'
namespace: '{{.namespace | default "default"}}'
env: *task-vars
preconditions:
# - sh: test -f {{.waitForJobScript}}
- sh: test -f {{.unlockJobTemplate}}
# To run backup jobs in parallel for all replicationsources:
# - kubectl get replicationsources --all-namespaces --no-headers | awk '{print $2, $1}' | xargs --max-procs=4 -l bash -c 'task volsync:snapshot rsrc=$0 namespace=$1'
#
snapshot:
desc: Trigger a Restic ReplicationSource snapshot (ex. task volsync:snapshot rsrc=plex [namespace=default])
cmds:
- kubectl -n {{.namespace}} patch replicationsources {{.rsrc}} --type merge -p '{"spec":{"trigger":{"manual":"{{.ts}}"}}}'
- bash {{.waitForJobScript}} volsync-src-{{.rsrc}} {{.namespace}}
- kubectl -n {{.namespace}} wait job/volsync-src-{{.rsrc}} --for condition=complete --timeout=120m
# TODO: Find a way to output logs
# Error from server (NotFound): jobs.batch "volsync-src-zzztest" not found
# - kubectl -n {{.namespace}} logs job/volsync-src-{{.rsrc}}
vars:
rsrc: '{{ or .rsrc (fail "ReplicationSource `rsrc` is required") }}'
namespace: '{{.namespace | default "default"}}'
env: *task-vars
preconditions:
# - sh: test -f {{.waitForJobScript}}
- sh: kubectl -n {{.namespace}} get replicationsources {{.rsrc}}
msg: "ReplicationSource '{{.rsrc}}' not found in namespace '{{.namespace}}'"
# To run restore jobs in parallel for all replicationdestinations:
# - kubectl get replicationsources --all-namespaces --no-headers | awk '{print $2, $1}' | xargs --max-procs=2 -l bash -c 'task volsync:restore rsrc=$0 namespace=$1'
#
restore:
desc: Trigger a Restic ReplicationSource restore (ex. task volsync:restore rsrc=plex [namespace=default])
cmds:
- task: restore-suspend-app
vars: *task-vars
- task: restore-wipe-job
vars: *task-vars
- task: restore-volsync-job
vars: *task-vars
- task: restore-resume-app
vars: *task-vars
vars:
rsrc: '{{ or .rsrc (fail "Variable `rsrc` is required") }}'
namespace: '{{.namespace | default "default"}}'
# 1) Query to find the Flux Kustomization associated with the ReplicationSource (rsrc)
kustomization:
sh: |
kubectl -n {{.namespace}} get replicationsource {{.rsrc}} \
-o jsonpath="{.metadata.labels.kustomize\.toolkit\.fluxcd\.io/name}"
# 2) Query to find the Claim associated with the ReplicationSource (rsrc)
claim:
sh: |
kubectl -n {{.namespace}} get replicationsource {{.rsrc}} \
-o jsonpath="{.spec.sourcePVC}"
# 3) Query to find the controller associated with the PersistentVolumeClaim (claim)
controller:
sh: |
app=$(kubectl -n {{.namespace}} get persistentvolumeclaim {{.claim}} -o jsonpath="{.metadata.labels.app\.kubernetes\.io/name}")
if kubectl -n {{ .namespace }} get deployment.apps/$app >/dev/null 2>&1 ; then
echo "deployment.apps/$app"
else
echo "statefulset.apps/$app"
fi
previous: "{{.previous | default 2}}"
env: *task-vars
preconditions:
- sh: test -f {{.wipeJobTemplate}}
- sh: test -f {{.destinationTemplate}}
# - sh: test -f {{.waitForJobScript}}
# Suspend the Flux ks and hr
restore-suspend-app:
internal: true
cmds:
- flux -n flux-system suspend kustomization {{.kustomization}}
- flux -n {{.namespace}} suspend helmrelease {{.rsrc}}
- kubectl -n {{.namespace}} scale {{.controller}} --replicas 0
- kubectl -n {{.namespace}} wait pod --for delete --selector="app.kubernetes.io/name={{.rsrc}}" --timeout=2m
env: *task-vars
# Wipe the PVC of all data
restore-wipe-job:
internal: true
cmds:
- envsubst < <(cat {{.wipeJobTemplate}}) | kubectl apply -f -
- bash {{.waitForJobScript}} wipe-{{.rsrc}}-{{.claim}}-{{.ts}} {{.namespace}}
- kubectl -n {{.namespace}} wait job/wipe-{{.rsrc}}-{{.claim}}-{{.ts}} --for condition=complete --timeout=120m
- kubectl -n {{.namespace}} logs job/wipe-{{.rsrc}}-{{.claim}}-{{.ts}} --container wipe
- kubectl -n {{.namespace}} delete job wipe-{{.rsrc}}-{{.claim}}-{{.ts}}
env: *task-vars
# Create VolSync replicationdestination CR to restore data
restore-volsync-job:
internal: true
cmds:
- envsubst < <(cat {{.destinationTemplate}}) | kubectl apply -f -
- bash {{.waitForJobScript}} volsync-dst-{{.rsrc}}-{{.claim}}-{{.ts}} {{.namespace}}
- kubectl -n {{.namespace}} wait job/volsync-dst-{{.rsrc}}-{{.claim}}-{{.ts}} --for condition=complete --timeout=120m
- kubectl -n {{.namespace}} delete replicationdestination {{.rsrc}}-{{.claim}}-{{.ts}}
env: *task-vars
# Resume Flux ks and hr
restore-resume-app:
internal: true
cmds:
- flux -n {{.namespace}} resume helmrelease {{.rsrc}}
- flux -n flux-system resume kustomization {{.kustomization}}
env: *task-vars

38
.taskfiles/VolSync/UnlockJob.tmpl.yaml Normal file
View file

@ -0,0 +1,38 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: "unlock-${rsrc}-${ts}"
namespace: "${namespace}"
spec:
ttlSecondsAfterFinished: 3600
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: unlock
image: docker.io/restic/restic:0.16.0
args: ["unlock", "--remove-all"]
envFrom:
- secretRef:
name: "${rsrc}-volsync-r2-secret"
---
apiVersion: batch/v1
kind: Job
metadata:
name: "unlock-${rsrc}-r2-${ts}"
namespace: "${namespace}"
spec:
ttlSecondsAfterFinished: 3600
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: unlock
image: docker.io/restic/restic:0.16.0
args: ["unlock", "--remove-all"]
envFrom:
- secretRef:
name: "${rsrc}-volsync-secret"

Some files were not shown because too many files have changed in this diff Show more