2 Commits

Author SHA1 Message Date
ac4d2c3fa3 using an alternative stack 2024-12-02 13:46:04 +01:00
c237e060fd add incomplete deployment 2024-05-13 14:28:37 +02:00
52 changed files with 803 additions and 176 deletions


@@ -10,7 +10,7 @@ resources:
images: images:
- name: adguard/adguardhome - name: adguard/adguardhome
newName: adguard/adguardhome newName: adguard/adguardhome
newTag: v0.107.51 newTag: v0.107.48
namespace: adguard namespace: adguard


@@ -13,4 +13,4 @@ namespace: files
images: images:
- name: ocis - name: ocis
newName: owncloud/ocis newName: owncloud/ocis
newTag: "5.0.5" newTag: "5.0.3"


@@ -13,4 +13,4 @@ resources:
images: images:
- name: actualbudget - name: actualbudget
newName: actualbudget/actual-server newName: actualbudget/actual-server
newTag: 24.6.0 newTag: 24.5.0


@@ -15,4 +15,4 @@ resources:
images: images:
- name: homeassistant/home-assistant - name: homeassistant/home-assistant
newName: homeassistant/home-assistant newName: homeassistant/home-assistant
newTag: "2024.6" newTag: "2024.5"


@@ -2,8 +2,6 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: homeassistant-web name: homeassistant-web
labels:
app: homeassistant
spec: spec:
selector: selector:
app: homeassistant app: homeassistant


@@ -14,4 +14,4 @@ resources:
images: images:
- name: homepage - name: homepage
newName: ghcr.io/gethomepage/homepage newName: ghcr.io/gethomepage/homepage
newTag: v0.9.2 newTag: v0.8.13


@@ -12,13 +12,13 @@ namespace: immich
helmCharts: helmCharts:
- name: immich - name: immich
releaseName: immich releaseName: immich
version: 0.7.0 version: 0.6.0
valuesFile: values.yaml valuesFile: values.yaml
repo: https://immich-app.github.io/immich-charts repo: https://immich-app.github.io/immich-charts
images: images:
- name: ghcr.io/immich-app/immich-machine-learning - name: ghcr.io/immich-app/immich-machine-learning
newTag: v1.106.4 newTag: v1.103.1
- name: ghcr.io/immich-app/immich-server - name: ghcr.io/immich-app/immich-server
newTag: v1.106.4 newTag: v1.103.1


@@ -22,13 +22,10 @@ env:
secretKeyRef: secretKeyRef:
name: postgres-password name: postgres-password
key: password key: password
IMMICH_WEB_URL: '{{ printf "http://%s-web:3000" .Release.Name }}'
IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}' IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
IMMICH_METRICS: true
immich: immich:
metrics:
# Enabling this will create the service monitors needed to monitor immich with the prometheus operator
enabled: true
persistence: persistence:
# Main data store for all photos shared between different components. # Main data store for all photos shared between different components.
library: library:
@@ -55,6 +52,16 @@ server:
main: main:
enabled: false enabled: false
microservices:
enabled: true
persistence:
geodata-cache:
enabled: true
size: 1Gi
# Optional: Set this to pvc to avoid downloading the geodata every start.
type: emptyDir
accessMode: ReadWriteMany
machine-learning: machine-learning:
enabled: true enabled: true
persistence: persistence:
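Review bot: `accessMode: ReadWriteMany` under the new `geodata-cache` entry has no effect while `type: emptyDir` — an access mode only applies to PVC-backed persistence, so the line states an intent the volume does not honour (assuming the chart's persistence schema follows the usual `type`/`accessMode`/`size` layout, which the hunk suggests). If the cache should survive restarts, as the comment above it hints, switch `type: emptyDir` to `type: pvc` and keep the access mode; otherwise drop the `accessMode` line. The `server:` stanza this sits in starts outside the hunk.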


@@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: jackett
spec:
selector:
matchLabels:
app: jackett
template:
metadata:
labels:
app: jackett
spec:
containers:
- name: jackett
image: jackett
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 9117
volumeMounts:
- name: media
mountPath: /media
- name: config
mountPath: /config
volumes:
- name: media
persistentVolumeClaim:
claimName: media-downloads
- name: config
persistentVolumeClaim:
claimName: transmission-config
---
apiVersion: v1
kind: Service
metadata:
name: jackett
spec:
selector:
app: jackett
ports:
- protocol: TCP
port: 9117
targetPort: 9117
type: ClusterIP
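Review bot: The jackett pod mounts `claimName: transmission-config` at `/config`, the same claim the transmission Deployment in this commit mounts at its own `/config`, so both services would write their configuration into one directory; give jackett its own claim, e.g. `claimName: jackett-config`. Neither `media-downloads` nor `transmission-config` is declared in the pvc.yaml added alongside (it defines only `radarr-config`, `qbittorrent-config` and `data`), so unless those claims exist elsewhere the pod stays Pending. The container also has no `requests:` under `resources:`, so Kubernetes copies the 128Mi/500m limits into the requests.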


@@ -0,0 +1,50 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media-downloads
resources:
- namespace.yaml
- pvc.yaml
- transmission.deployment.yaml
- radarr.deployment.yaml
- jackett.deployment.yaml
images:
- name: transmission
newName: haugene/transmission-openvpn
newTag: 5.3.1
- name: jackett
newName: lscr.io/linuxserver/jackett
newTag: latest
- name: radarr
newName: lscr.io/linuxserver/radarr
newTag: 5.4.6
---
# 2nd version
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media-downloads
resources:
- namespace.yaml
- pvc.yaml
- qbittorrent.deployment.yaml
- qbittorrent.service.yaml
- qbittorrent.configmap.yaml
- radarr.deployment.yaml
- radarr.service.yaml
- radarr.configmap.yaml
- openvpn.secret.yaml
images:
- name: qbittorrent
newName: binhex/arch-qbittorrentvpn
newTag: 5.0.1-1-02
- name: radarr
newName: hotio/radarr
newTag: release-5.14.0.9383
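Review bot: This kustomization.yaml contains two `Kustomization` documents separated by `---`; kustomize reads a single document from this file, so the first one (transmission/jackett/pvc) is either dead configuration or a build error depending on the version in use — if it is the superseded stack, delete it rather than carrying it as a second document. In that first document `newTag: latest` for jackett leaves the image unpinned and non-reproducible, whereas the second document pins both images, which is the pattern to keep. If the first document is meant to stay, pin it as `newTag: "<jackett-version>"`.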


@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder
labels:
pod-security.kubernetes.io/enforce: privileged
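Review bot: `pod-security.kubernetes.io/enforce: privileged` switches Pod Security Admission off for every pod in this namespace, not only for the VPN containers that need `NET_ADMIN` (qbittorrent and transmission in this commit). Because the `baseline` profile rejects that capability, `enforce: privileged` is what makes them admissible, but adding `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` next to it keeps visibility of any other pod that ends up privileged here. `name: placeholder` presumably relies on the kustomization's `namespace: media-downloads` renaming the Namespace object — confirm that the kustomize version in use does so.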


@@ -0,0 +1,35 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radarr-config
spec:
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "1Gi"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-config
spec:
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "1Gi"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
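Review bot: The `data` claim is declared `ReadWriteOnce` but is mounted by both the qbittorrent and the radarr Deployments in this commit; with the two pods on different nodes the second mount fails on a provisioner that enforces the mode, and even with `nfs-client` the declared mode does not match how the volume is used. Declare it `- ReadWriteMany` (NFS supports it) or put the two workloads into one pod. The same would apply to `media-downloads` if jackett and transmission share it, though that claim is not defined in this file.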


@@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: qbittorrent
labels:
app: qbittorrent
data:
VPN_ENABLED: yes
VPN_USER: vpnbook
VPN_PASS: e83zu76
VPN_PROV: custom
VPN_CLIENT: openvpn
LAN_NETWORK: 10.244.0.0/24,10.9.0.0/24
WEBUI_PORT: "8080"
ENABLE_STARTUP_SCRIPTS: no
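Review bot: `VPN_ENABLED: yes` and `ENABLE_STARTUP_SCRIPTS: no` parse as YAML booleans, and `ConfigMap.data` only accepts string values, so the API server rejects this manifest; quote them as `VPN_ENABLED: "yes"` and `ENABLE_STARTUP_SCRIPTS: "no"` the way `WEBUI_PORT` already is. `VPN_USER` and `VPN_PASS` are credentials committed in plaintext inside a ConfigMap; move them into the `openvpn.secret.yaml` the kustomization already lists (ideally as a SealedSecret like the rest of the repository), reference them via `secretRef` in the Deployment's `envFrom`, and treat the committed value as exposed.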


@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: qbittorrent
spec:
selector:
matchLabels:
app: qbittorrent
replicas: 1
template:
metadata:
labels:
app: qbittorrent
spec:
containers:
- name: qbittorrent
image: qbittorrent
ports:
- containerPort: 8080
envFrom:
- configMapRef:
name: qbittorrent
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /config
securityContext:
capabilities:
add:
- NET_ADMIN
volumes:
- name: data
persistentVolumeClaim:
claimName: data
- name: config
persistentVolumeClaim:
claimName: qbittorrent-config
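Review bot: This container declares no `resources:` at all, unlike the jackett and transmission Deployments in the same commit, which carry `limits:` of 128Mi/500m; the radarr Deployment added here has the same gap. Add at least `requests:` so the scheduler can place the VPN pod, and consider `drop: ["ALL"]` next to `add: - NET_ADMIN` so the container keeps only the capability the VPN client needs. The `add:` list is block style here and flow style (`add: ["NET_ADMIN"]`) in transmission.deployment.yaml — pick one for the directory.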


@@ -0,0 +1,12 @@
kind: Service
apiVersion: v1
metadata:
name: qbittorrent
spec:
selector:
app: qbittorrent
type: ClusterIP
ports:
- name: qbittorrent
port: 8080
targetPort: 8080


@@ -0,0 +1,20 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: radarr
labels:
app: radarr
data:
# VPN_ENABLED: "true"
# VPN_CONF: "wg0"
# VPN_PROVIDER: "generic"
# VPN_LAN_NETWORK: "192.168.1.0/24"
# VPN_LAN_LEAK_ENABLED: "false"
# VPN_EXPOSE_PORTS_ON_LAN: ""
# VPN_AUTO_PORT_FORWARD: "false"
# VPN_AUTO_PORT_FORWARD_TO_PORTS: ""
# VPN_KEEP_LOCAL_DNS: "false"
# VPN_FIREWALL_TYPE: "auto"
# VPN_HEALTHCHECK_ENABLED: "false"
# PRIVOXY_ENABLED: "false"
# UNBOUND_ENABLED: "false"
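Review bot: With every entry commented out, `data:` is an empty value and parses as `null`; the API server accepts that, but it reads as an unfinished template rather than a deliberate empty map, and the radarr Deployment still references it through `envFrom`. Write `data: {}` and keep the `VPN_*` keys as a comment block above it, or drop the `envFrom` reference until the map has content. A one-line comment stating why the keys are disabled (`# VPN handled by the qbittorrent pod; radarr runs without it`, if that is the reason) would make the intent clear.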


@@ -0,0 +1,34 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
spec:
selector:
matchLabels:
app: radarr
replicas: 1
template:
metadata:
labels:
app: radarr
spec:
containers:
- name: radarr
image: radarr
ports:
- containerPort: 7878
envFrom:
- configMapRef:
name: radarr
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /config
volumes:
- name: data
persistentVolumeClaim:
claimName: data
- name: config
persistentVolumeClaim:
claimName: radarr-config


@@ -0,0 +1,12 @@
kind: Service
apiVersion: v1
metadata:
name: radarr
spec:
selector:
app: radarr
type: ClusterIP
ports:
- name: radarr
port: 7878
targetPort: 7878


@@ -0,0 +1,81 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: transmission
spec:
selector:
matchLabels:
app: transmission
template:
metadata:
labels:
app: transmission
spec:
containers:
- name: transmission
image: transmission
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 9091
env:
- name: OPENVPN_PROVIDER
value: PROTONVPN
- name: LOCAL_NETWORK
value: 10.42.0.0/16
- name: OPENVPN_CONFIG
valueFrom:
secretKeyRef:
name: protonvpn
key: country
- name: OPENVPN_USERNAME
valueFrom:
secretKeyRef:
name: protonvpn
key: username
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: protonvpn
key: password
volumeMounts:
- name: media
mountPath: /data
- name: config
mountPath: /config
securityContext:
capabilities:
add: ["NET_ADMIN"]
volumes:
- name: media
persistentVolumeClaim:
claimName: media-downloads
- name: config
persistentVolumeClaim:
claimName: transmission-config
---
apiVersion: v1
kind: Service
metadata:
name: transmission
spec:
selector:
app: transmission
ports:
- protocol: TCP
port: 9091
targetPort: 9091
type: ClusterIP
---
apiVersion: v1
kind: Secret
metadata:
name: protonvpn
type: Opaque
stringData:
country: at.protonvpn.udp,fr.protonvpn.udp,pl.protonvpn.udp,ch.protonvpn.udp
username: VOYkNuZs5PHjeB8w
password: WvKCOPijcXKOqcL5d7zjXzOPToS4zPid
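Review bot: The `protonvpn` Secret at the end of this file carries the VPN `username` and `password` as plaintext `stringData` in a manifest committed to the repository, while the rest of the repo keeps credentials as `SealedSecret`s (curseforge-api and actions-runner-secret in this same commit). Treat both values as exposed and rotate them, then replace this document with a sealed secret; the `secretKeyRef` entries in the Deployment can stay as they are. `add: ["NET_ADMIN"]` could also be paired with `drop: ["ALL"]` so the container keeps only what OpenVPN needs, and with no `requests:` the 128Mi/500m limits double as the requests.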


@@ -1,5 +1,24 @@
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata:
name: jellyfin-vue-ingress
namespace: media
spec:
entryPoints:
- websecure
routes:
- match: Host(`media.kluster.moll.re`)
middlewares:
- name: jellyfin-websocket
kind: Rule
services:
- name: jellyfin-web
port: 80
tls:
certResolver: default-tls
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata: metadata:
name: jellyfin-backend-ingress name: jellyfin-backend-ingress
namespace: media namespace: media
@@ -7,7 +26,7 @@ spec:
entryPoints: entryPoints:
- websecure - websecure
routes: routes:
- match: Host(`media.kluster.moll.re`) && !Path(`/metrics`) - match: Host(`media-backend.kluster.moll.re`) && !Path(`/metrics`)
middlewares: middlewares:
- name: jellyfin-websocket - name: jellyfin-websocket
- name: jellyfin-server-headers - name: jellyfin-server-headers


@@ -0,0 +1,17 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: jellyfin
labels:
metrics: prometheus
spec:
selector:
matchLabels:
app: jellyfin-server-service
endpoints:
- path: /metrics
targetPort: jellyfin
# this exposes metrics on port 8096 as enabled in the jellyfin config
# https://jellyfin.org/docs/general/networking/monitoring/
# the metrics are available at /metrics but blocked by the ingress


@@ -5,11 +5,16 @@ namespace: media
resources: resources:
- namespace.yaml - namespace.yaml
- pvc.yaml - pvc.yaml
- deployment.yaml - server.deployment.yaml
- service.yaml - server.service.yaml
- web.deployment.yaml
- web.service.yaml
- ingress.yaml - ingress.yaml
images: images:
- name: jellyfin/jellyfin - name: jellyfin/jellyfin
newName: jellyfin/jellyfin newName: jellyfin/jellyfin
newTag: 10.9.6 newTag: 10.9.0
- name: ghcr.io/jellyfin/jellyfin-vue
newName: ghcr.io/jellyfin/jellyfin-vue
newTag: stable-rc.0.3.1


@@ -18,9 +18,6 @@ spec:
limits: limits:
memory: "2Gi" memory: "2Gi"
cpu: "2" cpu: "2"
requests:
memory: "128Mi"
cpu: "250M"
ports: ports:
- containerPort: 8096 - containerPort: 8096
name: jellyfin name: jellyfin
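Review bot: Dropping `requests:` while keeping `limits:` (2Gi / 2 CPU) makes Kubernetes copy the limits into the requests, so the pod now reserves 2Gi and two cores instead of the smaller figures — the opposite of what removing requests usually intends. If the block was removed because `cpu: "250M"` was wrong (that suffix is mega, i.e. 250 million cores, not millicores), the fix is `cpu: "250m"` rather than deleting the three lines. The container spec continues outside the hunk.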


@@ -0,0 +1,27 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin-web
spec:
selector:
matchLabels:
app: jellyfin-web
template:
metadata:
labels:
app: jellyfin-web
spec:
containers:
- name: jellyfin-web
image: ghcr.io/jellyfin/jellyfin-vue
resources:
limits:
memory: "128Mi"
cpu: "30m"
ports:
- containerPort: 80
env:
- name: TZ
value: Europe/Berlin
- name: DEFAULT_SERVERS
value: "https://media-backend.kluster.moll.re"


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: jellyfin-web
spec:
selector:
app: jellyfin-web
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -1,16 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: curseforge-api
namespace: minecraft
spec:
encryptedData:
key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
template:
metadata:
creationTimestamp: null
name: curseforge-api
namespace: minecraft
type: Opaque


@@ -16,31 +16,28 @@ spec:
image: minecraft image: minecraft
resources: resources:
limits: limits:
memory: "6000Mi" memory: "4000Mi"
cpu: "3" cpu: "2500m"
requests: requests:
memory: "1500Mi" memory: "1000Mi"
cpu: "500m" cpu: "500m"
ports: ports:
- containerPort: 25565 - containerPort: 25565
env: env:
- name: EULA - name: EULA
value: "TRUE" value: "TRUE"
- name: TYPE - name: MODPACK
value: "AUTO_CURSEFORGE" value: "https://www.curseforge.com/api/v1/mods/711537/files/5076228/download"
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: curseforge-api
key: key
- name: CF_SLUG
value: "vault-hunters-1-18-2"
- name: VERSION - name: VERSION
value: "1.18.2" value: "1.18.2"
# - name: VERSION
# value: "1.16.5"
# - name: MODPACK
# value: "https://mediafilez.forgecdn.net/files/3602/5/VaultHunters-OfficialModpack-1.12.1-Server.zip"
- name: INIT_MEMORY - name: INIT_MEMORY
value: "1G" value: "1G"
- name: MAX_MEMORY - name: MAX_MEMORY
value: "5G" value: "3G"
- name: MOTD - name: MOTD
value: "VaultHunters baby!" value: "VaultHunters baby!"
- name: ENABLE_RCON - name: ENABLE_RCON
@@ -49,10 +46,6 @@ spec:
value: "true" value: "true"
- name: ONLINE_MODE - name: ONLINE_MODE
value: "true" value: "true"
- name: ENABLE_AUTOPAUSE
value: "true"
- name: AUTOPAUSE_TIMEOUT_EST
value: "1800"
volumeMounts: volumeMounts:
- name: minecraft-data - name: minecraft-data
mountPath: /data mountPath: /data


@@ -8,8 +8,6 @@ resources:
- pvc.yaml - pvc.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- curseforge.sealedsecret.yaml
images: images:
- name: minecraft - name: minecraft


@@ -31,7 +31,7 @@ datasources:
datasources: datasources:
- name: Thanos - name: Thanos
type: prometheus type: prometheus
url: http://thanos-querier.prometheus.svc:10902 url: http://thanos-querier.prometheus.svc:9090
isDefault: true isDefault: true
- name: Prometheus - name: Prometheus
type: prometheus type: prometheus


@@ -16,5 +16,5 @@ helmCharts:
- releaseName: grafana - releaseName: grafana
name: grafana name: grafana
repo: https://grafana.github.io/helm-charts repo: https://grafana.github.io/helm-charts
version: 8.0.2 version: 7.3.9
valuesFile: grafana.values.yaml valuesFile: grafana.values.yaml


@@ -13,4 +13,4 @@ resources:
images: images:
- name: binwiederhier/ntfy - name: binwiederhier/ntfy
newName: binwiederhier/ntfy newName: binwiederhier/ntfy
newTag: v2.11.0 newTag: v2.10.0


@@ -12,5 +12,5 @@ resources:
images: images:
- name: mealie - name: mealie
newTag: v1.9.0 newTag: v1.6.0
newName: ghcr.io/mealie-recipes/mealie newName: ghcr.io/mealie-recipes/mealie


@@ -11,8 +11,8 @@ resources:
images: images:
- name: octodns - name: octodns
newName: octodns/octodns # has all plugins newName: octodns/octodns # has all plugins
newTag: "2024.06" newTag: "2024.05"
- name: git - name: git
newName: alpine/git newName: alpine/git
newTag: "v2.45.2" newTag: "2.43.0"


@@ -8,4 +8,4 @@ resources:
- namespace.yaml - namespace.yaml
- omv-s3.ingress.yaml - omv-s3.ingress.yaml
- openmediavault.ingress.yaml - openmediavault.ingress.yaml
- proxmox.ingress.yaml - proxmox.ingress.yaml


@@ -1,31 +0,0 @@
# Using gitea actions
The actions deployment allows to use gitea actions from repositories within this instance.
### Building docker images
Docker builds use the kubernetes runner to build the images. For this to work, the pipeline needs to be able to access the kube-api. A service-account is created for this purpose.
To use the correct docker builder use the following action
```yaml
...
- name: Create Kubeconfig
run: |
mkdir $HOME/.kube
echo "${{ secrets.BUILDX_KUBECONFIG }}" > $HOME/.kube/config
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver: kubernetes
driver-opts: |
namespace=act-runner
qemu.install=true
...
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
<other config>
```


@@ -1,23 +1,25 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
labels: name: actions-runner
app: act-runner
name: act-runner
spec: spec:
replicas: 1
selector: selector:
matchLabels: matchLabels:
app: act-runner app: actions-runner
template: template:
metadata: metadata:
labels: labels:
app: act-runner app: actions-runner
spec: spec:
restartPolicy: Always hostname: kube-runner
serviceAccountName: actions-runner
containers: containers:
- name: runner - name: actions-runner
image: vegardit/gitea-act-runner:dind-latest image: actions-runner
resources:
requests:
memory: "128Mi"
cpu: "500m"
env: env:
- name: GITEA_INSTANCE_URL - name: GITEA_INSTANCE_URL
value: "https://git.kluster.moll.re" value: "https://git.kluster.moll.re"
@@ -26,35 +28,12 @@ spec:
secretKeyRef: secretKeyRef:
name: actions-runner-secret name: actions-runner-secret
key: runner-token key: runner-token
- name: ACTIONS_RUNNER_POD_NAME - name: GITEA_RUNNER_LABELS
valueFrom: value: k8s
fieldRef:
fieldPath: metadata.name
- name: GITEA_RUNNER_UID
value: '1000'
- name: GITEA_RUNNER_GID
value: '1000'
- name: GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED
value: 'true'
securityContext:
privileged: true
volumeMounts: volumeMounts:
- name: runner-data - name: runner-data
mountPath: /data mountPath: /data
volumes: volumes:
- name: runner-data - name: runner-data
persistentVolumeClaim: emptyDir: {}
claimName: runner-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: runner-data
spec:
resources:
requests:
storage: 5Gi
storageClassName: "nfs-client"
volumeMode: Filesystem
accessModes:
- ReadWriteMany
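Review bot: `runner-data` becomes `emptyDir: {}` on the new side, so whatever the runner keeps under `/data` (its registration state, if this image stores it there — confirm) is lost on every pod restart, and the runner re-registers with the token from `actions-runner-secret` each time, leaving stale runner entries behind in Gitea. If that state matters, keep a small PVC as before; if the loss is intended, a comment such as `# ephemeral: the runner re-registers on every start` documents the choice. Dropping `privileged: true` and `GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED` in favour of a service account is the right direction; the container spec starts in the first hunk of this file and its `env:` block spans both hunks.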


@@ -0,0 +1,38 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: actions-runner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: actions-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch",]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: actions-role-binding
subjects:
- kind: ServiceAccount
name: actions-runner
apiGroup: ""
roleRef:
kind: Role
name: actions-role
apiGroup: rbac.authorization.k8s.io
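Review bot: `resources: ["secrets"]` with `get` and `list` lets the runner's service account read every Secret in the gitea namespace, including `actions-runner-secret` and the unsealed `drone-server-secret`, which is more than creating and deleting per-job secrets requires. If the runner only manages secrets it creates itself, keep `create` and `delete` and drop `get`/`list`, or restrict those two verbs with `resourceNames`; the same consideration applies to the drone-runner Role added in drone-kube-runner.deployment.yaml. Minor: `verbs: ["get", "list", "watch",]` carries a trailing comma, harmless in YAML 1.2 but inconsistent with the other lists.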


@@ -7,7 +7,7 @@ metadata:
namespace: gitea namespace: gitea
spec: spec:
encryptedData: encryptedData:
runner-token: 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 runner-token: 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
template: template:
metadata: metadata:
creationTimestamp: null creationTimestamp: null


@@ -0,0 +1,84 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-runner
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: drone-runner
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- create
- delete
- list
- watch
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: drone-runner
subjects:
- kind: ServiceAccount
name: drone-runner
roleRef:
kind: Role
name: drone-runner
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-runner
labels:
app.kubernetes.io/name: drone-runner
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: drone-runner
template:
metadata:
labels:
app.kubernetes.io/name: drone-runner
spec:
serviceAccountName: drone-runner
containers:
- name: runner
image: drone/drone-runner-kube:latest
ports:
- containerPort: 3000
env:
- name: DRONE_RPC_HOST
value: drone-server:80
- name: DRONE_RPC_PROTO
value: http
- name: DRONE_RPC_SECRET
valueFrom:
secretKeyRef:
name: drone-server-secret
key: rpc_secret
- name: DRONE_NAMESPACE_DEFAULT
value: gitea
# - name: DRONE_NAMESPACE_RULES
# value: "drone-runner:*"
- name: DRONE_SERVICE_ACCOUNT_DEFAULT
value: drone-runner
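Review bot: `DRONE_SERVICE_ACCOUNT_DEFAULT: drone-runner` makes every pipeline pod run under the same service account as the runner, and `DRONE_NAMESPACE_DEFAULT: gitea` places those pods in the namespace that holds the Gitea server and its secrets; combined with the Role above (create/delete secrets, create/delete/update pods) any repository that can trigger a pipeline gets that API access. Run pipelines in a dedicated namespace (e.g. `DRONE_NAMESPACE_DEFAULT: drone-pipelines`, with the Role/RoleBinding for `drone-runner` created there) and point `DRONE_SERVICE_ACCOUNT_DEFAULT` at a service account with no RBAC bindings, unless pipeline steps genuinely need the API. `image: drone/drone-runner-kube:latest` is also unpinned; the gitea kustomization's `images:` list is the place to pin it.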


@@ -0,0 +1,117 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-server
labels:
app: drone-server
spec:
replicas: 1
selector:
matchLabels:
app: drone-server
template:
metadata:
labels:
app: drone-server
spec:
containers:
- name: drone
image: drone/drone:latest
env:
- name: DRONE_SERVER_PORT # because the deployment is called drone-server, override this var again!
value: ":80"
- name: DRONE_GITEA_SERVER
value: https://git.kluster.moll.re
- name: DRONE_USER_CREATE
value: username:remoll,admin:true
- name: DRONE_GITEA_CLIENT_ID
valueFrom:
secretKeyRef:
name: drone-server-secret
key: client_id
- name: DRONE_GITEA_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: drone-server-secret
key: client_secret
- name: DRONE_RPC_SECRET
valueFrom:
secretKeyRef:
name: drone-server-secret
key: rpc_secret
- name: DRONE_SERVER_HOST
value: drone.kluster.moll.re
- name: DRONE_SERVER_PROTO
value: https
resources:
requests:
memory: "1Gi"
cpu: 1.5
volumeMounts:
- mountPath: /data
name: drone-data-nfs
volumes:
- name: drone-data-nfs
persistentVolumeClaim:
claimName: drone-data-nfs
---
apiVersion: v1
kind: Service
metadata:
name: drone-server
labels:
app: drone-server
spec:
type: ClusterIP
ports:
- port: 80
name: http
selector:
app: drone-server
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: drone-server-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`drone.kluster.moll.re`)
kind: Rule
services:
- name: drone-server
port: 80
tls:
certResolver: default-tls
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: drone-data-nfs
spec:
capacity:
storage: "1Gi"
accessModes:
- ReadWriteOnce
nfs:
path: /export/kluster/drone
server: 192.168.1.157
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: drone-data-nfs
spec:
storageClassName: ""
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "1Gi"
volumeName: drone-data-nfs


@@ -0,0 +1,23 @@
{
"kind": "SealedSecret",
"apiVersion": "bitnami.com/v1alpha1",
"metadata": {
"name": "drone-server-secret",
"namespace": "gitea",
"creationTimestamp": null
},
"spec": {
"template": {
"metadata": {
"name": "drone-server-secret",
"namespace": "gitea",
"creationTimestamp": null
}
},
"encryptedData": {
"client_id": "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",
"client_secret": "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",
"rpc_secret": "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"
}
}
}


@@ -5,18 +5,26 @@ resources:
- gitea.pvc.yaml - gitea.pvc.yaml
- gitea.ingress.yaml - gitea.ingress.yaml
- gitea.servicemonitor.yaml - gitea.servicemonitor.yaml
- drone-kube-runner.deployment.yaml
- drone-server.deployment.yaml
- drone-server.sealedsecret.yaml
- actions.deployment.yaml - actions.deployment.yaml
- actions.sealedsecret.yaml - actions.sealedsecret.yaml
# - actions.rbac.yaml - actions.rbac.yaml
namespace: gitea namespace: gitea
images:
- name: actions-runner
newName: ghcr.io/christopherhx/gitea-actions-runner
newTag: v0.0.11
helmCharts: helmCharts:
- name: gitea - name: gitea
namespace: gitea # needs to be set explicitly for svc to be referenced correctly namespace: gitea # needs to be set explicitly for svc to be referenced correctly
releaseName: gitea releaseName: gitea
version: 10.2.0 version: 10.1.4
valuesFile: gitea.values.yaml valuesFile: gitea.values.yaml
repo: https://dl.gitea.io/charts/ repo: https://dl.gitea.io/charts/
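Review bot: The new `images:` block pins `actions-runner` to `v0.0.11`, but the two drone images this kustomization now pulls in (`drone/drone:latest` in drone-server.deployment.yaml and `drone/drone-runner-kube:latest` in drone-kube-runner.deployment.yaml) stay on `latest`, so a rollout can silently pick up a different version of the CI server that holds the Gitea OAuth client secret. Add entries here, e.g. `- name: drone/drone` with `newTag: "<pinned-version>"`, and likewise for `drone/drone-runner-kube`, so every image in the namespace is pinned in one place.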


@@ -17,4 +17,4 @@ resources:
images: images:
- name: thanos - name: thanos
newName: quay.io/thanos/thanos newName: quay.io/thanos/thanos
newTag: v0.35.1 newTag: v0.34.1


@@ -4,7 +4,7 @@ metadata:
name: prometheus name: prometheus
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole knd: ClusterRole
metadata: metadata:
name: prometheus name: prometheus
rules: rules:
@@ -52,17 +52,26 @@ spec:
requests: requests:
memory: 400Mi memory: 400Mi
retention: 730d retention: 730d
retentionSize: 3GiB retentionSize: 50Gi
serviceAccountName: prometheus serviceAccountName: prometheus
enableAdminAPI: false enableAdminAPI: false
serviceMonitorNamespaceSelector: {} serviceMonitorNamespaceSelector: {}
serviceMonitorSelector: {} serviceMonitorSelector: {}
thanos: thanos:
version: v0.34.1 version: v0.33.0
objectStorageConfig: objectStorageConfig:
# loads the config from a secret named thanos-objstore-config in the same namespace # loads the config from a secret named thanos-objstore-config in the same namespace
key: thanos.yaml key: thanos.yaml
name: thanos-objstore-config name: thanos-objstore-config
volumeClaimTemplate:
metadata:
name: prometheus-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Gi
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
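Review bot: In the first hunk of this file the ClusterRole document reads `knd: ClusterRole` on the right-hand column, which this page appears to print as the new side; without a `kind` the document is rejected at apply time and Prometheus loses the ClusterRole it scrapes with, so restore `kind: ClusterRole`. In the second hunk `retentionSize: 50Gi` equals the 50Gi `volumeClaimTemplate`, leaving no headroom for the WAL and compaction temporaries, and the field expects Prometheus byte units (`GiB`/`GB`) rather than a Kubernetes quantity — the replaced value used `GiB`, and the operator's CRD pattern may reject `50Gi`, so check it. Something like `retentionSize: 45GiB` keeps both points covered.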


@@ -53,3 +53,15 @@ spec:
protocol: TCP protocol: TCP
port: 10901 port: 10901
targetPort: grpc targetPort: grpc
metadata:
labels:
app: thanos-querier
name: thanos-querier
spec:
ports:
- port: 9090
protocol: TCP
targetPort: http
name: http
selector:
app: thanos-querier
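Review bot: The twelve added lines begin with `metadata:` directly after the previous Service's `targetPort: grpc`, with no `---`, `apiVersion: v1` or `kind: Service` in front, so as written they either re-declare `metadata`/`spec` inside the existing document (duplicate keys, last one wins) or nest under it, depending on indentation this page does not show. The new Service should start with `---`, `apiVersion: v1` and `kind: Service`. The grafana datasource change in this commit (`thanos-querier.prometheus.svc:9090`) depends on this Service actually being created.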


@@ -1,32 +1,33 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: StatefulSet
metadata: metadata:
name: thanos-store name: thanos-store-gateway
labels: labels:
app: thanos-store app: thanos-store-gateway
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: thanos-store app: thanos-store-gateway
serviceName: thanos-store-gateway
template: template:
metadata: metadata:
labels: labels:
app: thanos-store app: thanos-store-gateway
thanos-store-api: "true" thanos-store-api: "true"
spec: spec:
containers: containers:
- name: thanos - name: thanos
image: thanos image: thanos
args: args:
- store - "store"
- --log.level=debug - "--log.level=debug"
- --data-dir=/data - "--data-dir=/data"
- --grpc-address=0.0.0.0:10901 - "--grpc-address=0.0.0.0:10901"
- --http-address=0.0.0.0:10902 - "--http-address=0.0.0.0:10902"
- --objstore.config-file=/etc/secret/thanos.yaml - "--objstore.config-file=/etc/secret/thanos.yaml"
- --index-cache-size=500MB - "--index-cache-size=500MB"
- --chunk-pool-size=500MB - "--chunk-pool-size=500MB"
ports: ports:
- name: http - name: http
containerPort: 10902 containerPort: 10902
@@ -60,6 +61,7 @@ metadata:
app.kubernetes.io/name: thanos-store app.kubernetes.io/name: thanos-store
name: thanos-store name: thanos-store
spec: spec:
clusterIP: None
ports: ports:
- name: grpc - name: grpc
port: 10901 port: 10901
@@ -68,4 +70,4 @@ spec:
port: 10902 port: 10902
targetPort: 10902 targetPort: 10902
selector: selector:
app: thanos-store app: thanos-store-gateway
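Review bot: The StatefulSet sets `serviceName: thanos-store-gateway`, but the only Service in this file is still named `thanos-store` (second hunk, `name: thanos-store`), which is the one that receives `clusterIP: None`; a StatefulSet's `serviceName` must match its governing headless Service or the per-pod DNS records do not resolve. Either rename the Service to `thanos-store-gateway` or set `serviceName: thanos-store`. A StatefulSet running with `--data-dir=/data` also needs a `volumeClaimTemplates` entry or an explicit volume for `/data`; that part of the spec is outside the hunk. Which column is the new side is not marked on this page; this reads the right-hand one as new.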


@@ -77,12 +77,8 @@ data:
address = ":853" address = ":853"
# route dns over https to other pods but provide own certificate # route dns over https to other pods but provide own certificate
[entryPoints.name.http3]
advertisedPort = 443
[metrics] [metrics]
[metrics.prometheus] [metrics.prometheus]
# metrics are enabled and scraping is ensured through a servicemonitor
entryPoint = "metrics" entryPoint = "metrics"
addEntryPointsLabels = true addEntryPointsLabels = true
addServicesLabels = true addServicesLabels = true


@@ -13,6 +13,6 @@ namespace: traefik-system
helmCharts: helmCharts:
- name: traefik - name: traefik
releaseName: traefik releaseName: traefik
version: 28.2.0 version: 27.0.2
valuesFile: values.yaml valuesFile: values.yaml
repo: https://traefik.github.io/charts repo: https://traefik.github.io/charts


@@ -32,7 +32,6 @@ resources:
- immich/ - immich/
- journal/ - journal/
- media/ - media/
- minecraft/application.yaml
- monitoring/ - monitoring/
- ntfy/ - ntfy/
- recipes/ - recipes/


@@ -1,18 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: minecraft-application
namespace: argocd
spec:
project: apps
source:
repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
targetRevision: main
path: apps/minecraft
destination:
server: https://kubernetes.default.svc
namespace: minecraft
syncPolicy:
automated:
prune: true
selfHeal: false