diff --git a/.gitignore b/.gitignore
index 4803a92..81c9c87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
+# Kubernetes secrets
 *.secret.yaml
-charts/
+main.key
+
+# Helm Chart files
+charts/
\ No newline at end of file
diff --git a/README.md b/README.md
index a90680e..802f759 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # Kluster setup and IaaC using argoCD
 
 
-
 ### Initial setup
 #### Requirements:
 - A running k3s instance
@@ -28,5 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
+#### Recap
+- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+    ```bash
+    kubectl apply -k infrastructure/sealedsecrets
+    kubectl apply -f infrastructure/sealedsecrets/main.key
+    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
+    ```
+- install argocd
+    ```bash
+    kubectl apply -k infrastructure/argocd
+    ```
+- wait...
+
 
 ### Adding an application
+todo
+
+
diff --git a/apps/ocis/deployment.yaml b/apps/ocis/deployment.yaml
new file mode 100644
index 0000000..45c1269
--- /dev/null
+++ b/apps/ocis/deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ocis-statefulset
+spec:
+  selector:
+    matchLabels:
+      app: ocis
+  serviceName: ocis-web
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: ocis
+    spec:
+      containers:
+      - name: ocis
+        image: ocis
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1000m"
+        env:
+        - name: OCIS_INSECURE
+          value: "true"
+        - name: OCIS_URL
+          value: "https://ocis.kluster.moll.re"
+        - name: OCIS_LOG_LEVEL
+          value: "debug"
+        ports:
+        - containerPort: 9200
+        volumeMounts:
+        - name: ocis-config
+          mountPath: /etc/ocis
+        # - name: ocis-config-file
+        #   mountPath: /etc/ocis/config.yaml
+        - name: ocis-data
+          mountPath: /var/lib/ocis
+      volumes:
+      # - name: ocis-config
+      #   persistentVolumeClaim:
+      #     claimName: ocis-config
+      - name: ocis-config
+        secret:
+          secretName: ocis-config
+      - name: ocis-data
+        persistentVolumeClaim:
+          claimName: ocis-data
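Review bot: `OCIS_INSECURE` is set to `"true"` with no comment explaining why, and in oCIS this switch turns off TLS certificate verification for the connections the services make. If it is only needed because of a self-signed certificate on port 9200, record that above the env entry, e.g. `# self-signed cert on 9200, TLS verification disabled; remove once a trusted cert is in place`, so the setting is not copied into other deployments. `OCIS_LOG_LEVEL` at `"debug"` is also worth lowering before this instance holds real data, since debug output can include request details. The container also sets no `securityContext`, so it runs with whatever defaults the image and the cluster provide.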
diff --git a/apps/ocis/ingress.yaml b/apps/ocis/ingress.yaml
new file mode 100644
index 0000000..70f0f16
--- /dev/null
+++ b/apps/ocis/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ocis-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`ocis.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: ocis-web
+      port: 9200
+      scheme: https
+
+  tls:
+    certResolver: default-tls 
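Review bot: The service entry uses `scheme: https` but names no `serversTransport`, so how Traefik validates the certificate oCIS presents on 9200 is decided by Traefik's global settings, which this diff does not show. If the route works only because backend verification is disabled globally, scope that to this one backend with a dedicated `ServersTransport` object and reference it here with `serversTransport: <transport-name-placeholder>`. The route also attaches no `middlewares`, so any security headers or rate limiting for this public host would have to come from elsewhere.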
diff --git a/apps/ocis/kustomization.yaml b/apps/ocis/kustomization.yaml
new file mode 100644
index 0000000..a854654
--- /dev/null
+++ b/apps/ocis/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - ingress.yaml
+  - service.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - ocis-config.sealedsecret.yaml
+
+namespace: ocis
+
+images:
+  - name: ocis
+    newName: owncloud/ocis
+    newTag: "5.0"
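Review bot: `newTag: "5.0"` is a mutable tag, so the image that actually runs can change without any commit in this repository. Pin the reviewed image by adding a `digest:` field to the `images` entry, e.g. `digest: sha256:<digest-of-reviewed-image>`, and keep the human-readable version in a comment next to it. The same applies to `newTag: v0.23.1` in infrastructure/sealedsecrets/kustomization.yaml, where the image is the controller that holds the sealing keys.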
diff --git a/apps/ocis/namespace.yaml b/apps/ocis/namespace.yaml
new file mode 100644
index 0000000..3900a62
--- /dev/null
+++ b/apps/ocis/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
\ No newline at end of file
diff --git a/apps/ocis/ocis-config.sealedsecret.yaml b/apps/ocis/ocis-config.sealedsecret.yaml
new file mode 100644
index 0000000..e8c68b2
--- /dev/null
+++ b/apps/ocis/ocis-config.sealedsecret.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: ocis-config
+  namespace: default
+spec:
+  encryptedData:
+    JWT_SECRET: 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
+    ocis.yaml: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: ocis-config
+      namespace: default
+    type: Opaque
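Review bot: `namespace: default` appears in both `metadata` and `spec.template.metadata`, while apps/ocis/kustomization.yaml deploys every resource into `namespace: ocis`. Sealed Secrets binds the ciphertext to the secret's name and namespace unless a wider scope was chosen at sealing time, and no scope annotation is visible here, so the controller will probably refuse to unseal this once kustomize moves the object to `ocis`. Re-seal the secret for the target namespace so that both fields read `namespace: ocis`, then confirm that the `ocis-config` volume in the StatefulSet resolves to a real Secret.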
diff --git a/apps/ocis/pvc.yaml b/apps/ocis/pvc.yaml
new file mode 100644
index 0000000..6eb8172
--- /dev/null
+++ b/apps/ocis/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: ocis-data
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi
diff --git a/apps/ocis/service.yaml b/apps/ocis/service.yaml
new file mode 100644
index 0000000..4138191
--- /dev/null
+++ b/apps/ocis/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ocis-web
+spec:
+  selector:
+    app: ocis
+  ports:
+  - port: 9200
+    targetPort: 9200
diff --git a/infrastructure/external/kustomization.yaml b/infrastructure/external/kustomization.yaml
new file mode 100644
index 0000000..1881636
--- /dev/null
+++ b/infrastructure/external/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: external
+
+
+resources:
+  - omv-s3.ingress.yaml
+  - openmediavault.ingress.yaml
+  - proxmox.ingress.yaml
\ No newline at end of file
diff --git a/infrastructure/external/omv-s3.ingress.yaml b/infrastructure/external/omv-s3.ingress.yaml
index f767c67..cde38a2 100644
--- a/infrastructure/external/omv-s3.ingress.yaml
+++ b/infrastructure/external/omv-s3.ingress.yaml
@@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: omv-s3-ingressroute
-  namespace: external
 spec:
   entryPoints:
     - websecure
@@ -20,7 +19,6 @@ apiVersion: v1
 kind: Endpoints
 metadata:
   name: omv-s3
-  namespace: external
 subsets:
   - addresses:
       - ip: 192.168.1.157
@@ -31,7 +29,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: omv-s3
-  namespace: external
 spec:
   ports:
     - port: 9000
diff --git a/infrastructure/nfs/kustomization.yaml b/infrastructure/nfs/kustomization.yaml
index 5cb2497..169f0af 100644
--- a/infrastructure/nfs/kustomization.yaml
+++ b/infrastructure/nfs/kustomization.yaml
@@ -3,8 +3,6 @@ kind: Kustomization
 
 namespace: nfs-provisioner
 
-bases:
-
 resources:
   - github.com/kubernetes-sigs/nfs-subdir-external-provisioner//deploy
   - namespace.yaml
diff --git a/infrastructure/sealedsecrets/README.md b/infrastructure/sealedsecrets/README.md
new file mode 100644
index 0000000..a7d6cd3
--- /dev/null
+++ b/infrastructure/sealedsecrets/README.md
@@ -0,0 +1,9 @@
+### Restoring sealed secrets
+```bash
+# install the sealed secrets controller
+kubectl kustomize . | kubectl apply -f -
+# restore the sealed secrets
+kubectl apply -f main.key
+# restart pod
+kubectl delete pod -n kube-system -l name=sealed-secrets-controller
+```
\ No newline at end of file
diff --git a/infrastructure/sealedsecrets/controller.yaml b/infrastructure/sealedsecrets/controller.yaml
index 7b7ded0..3ae9d2a 100644
--- a/infrastructure/sealedsecrets/controller.yaml
+++ b/infrastructure/sealedsecrets/controller.yaml
@@ -6,7 +6,6 @@ metadata:
   labels:
     name: sealed-secrets-service-proxier
   name: sealed-secrets-service-proxier
-  namespace: kube-system
 rules:
 - apiGroups:
   - ""
@@ -35,7 +34,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -43,7 +41,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: sealed-secrets-controller
-  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -52,7 +49,6 @@ metadata:
   labels:
     name: sealed-secrets-key-admin
   name: sealed-secrets-key-admin
-  namespace: kube-system
 rules:
 - apiGroups:
   - ""
@@ -116,7 +112,6 @@ metadata:
   labels:
     name: sealed-secrets-service-proxier
   name: sealed-secrets-service-proxier
-  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -133,7 +128,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 spec:
   minReadySeconds: 30
   replicas: 1
@@ -157,7 +151,7 @@ spec:
         command:
         - controller
         env: []
-        image: docker.io/bitnami/sealed-secrets-controller:v0.23.1
+        image: controller
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -342,7 +336,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 spec:
   ports:
   - port: 8080
@@ -365,7 +358,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: sealed-secrets-controller
-  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -374,4 +366,3 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
diff --git a/infrastructure/sealedsecrets/kustomization.yaml b/infrastructure/sealedsecrets/kustomization.yaml
new file mode 100644
index 0000000..0468002
--- /dev/null
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+  - controller.yaml
+
+images:
+  - name: controller
+    newName: docker.io/bitnami/sealed-secrets-controller
+    newTag: v0.23.1
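Review bot: `namespace: kube-system` in this file is now the only place the namespace is set for controller.yaml, and that includes the `ServiceAccount` entries under `subjects:` in its bindings, whose `namespace: kube-system` lines this commit removes. The API requires a namespace on ServiceAccount subjects, and whether kustomize fills it in for a subject named `sealed-secrets-controller` may depend on the kustomize version in use. Render with `kubectl kustomize infrastructure/sealedsecrets` and check that each subject still carries `namespace: kube-system`; if it does not, keep the explicit line in controller.yaml. A binding that is rejected or that points at the wrong account would leave the controller without the RBAC it needs to read its keys.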
diff --git a/kluster-deployments/external-services/application.yaml b/kluster-deployments/external-services/application.yaml
new file mode 100644
index 0000000..7171f0e
--- /dev/null
+++ b/kluster-deployments/external-services/application.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-application
+  namespace: argocd
+
+spec:
+  project: infrastructure
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: infrastructure/external
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: external
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/kluster-deployments/external-services/kustomization.yaml b/kluster-deployments/external-services/kustomization.yaml
new file mode 100644
index 0000000..0b082ba
--- /dev/null
+++ b/kluster-deployments/external-services/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml
\ No newline at end of file
diff --git a/kluster-deployments/ocis/application.yaml b/kluster-deployments/ocis/application.yaml
new file mode 100644
index 0000000..3a122d3
--- /dev/null
+++ b/kluster-deployments/ocis/application.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ocis-application
+  namespace: argocd
+
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/ocis
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ocis
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/kluster-deployments/ocis/kustomization.yaml b/kluster-deployments/ocis/kustomization.yaml
new file mode 100644
index 0000000..0b082ba
--- /dev/null
+++ b/kluster-deployments/ocis/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml
\ No newline at end of file