remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 7 Packages Projects Releases Wiki Activity

Compare commits

base: remoll:eeaed091ab8a62d6a2d6a33b8161e400a6fbc668
Branches Tags
remoll:main remoll:feature/music remoll:renovate/immich-app-images remoll:renovate/traefik-38.x remoll:renovate/ghcr.io-mealie-recipes-mealie-3.x remoll:renovate/redis-24.x remoll:renovate/grafana-10.x remoll:renovate/docker.io-bitnami-sealed-secrets-controller-0.x remoll:renovate/ghcr.io-coder-code-server-4.x remoll:feature/headscale remoll:feature/media-downloads remoll:feature/crowdsec remoll:feature/matrix remoll:feature/llm remoll:feature/gaming remoll:feature/affine remoll:feature/unified-file-sync
...
compare: remoll:feature/unified-file-sync
Branches Tags
remoll:main remoll:feature/music remoll:renovate/immich-app-images remoll:renovate/traefik-38.x remoll:renovate/ghcr.io-mealie-recipes-mealie-3.x remoll:renovate/redis-24.x remoll:renovate/grafana-10.x remoll:renovate/docker.io-bitnami-sealed-secrets-controller-0.x remoll:renovate/ghcr.io-coder-code-server-4.x remoll:feature/headscale remoll:feature/media-downloads remoll:feature/crowdsec remoll:feature/matrix remoll:feature/llm remoll:feature/gaming remoll:feature/affine remoll:feature/unified-file-sync

49 Commits
eeaed091ab ... feature/un

Author SHA1 Message Date
Remy Moll
d143a90228 testing a few sample (joint) configurations 2024-03-03 20:35:37 +01:00
Remy Moll
1ad56fd27e Merge pull request 'Update Helm release traefik to v26.1.0' (#42) from renovate/traefik-26.x into main 
Reviewed-on: #42
 2024-03-03 19:33:13 +00:00
Renovate Bot
773a155627 Update Helm release traefik to v26.1.0 2024-03-03 19:33:13 +00:00
Remy Moll
61945b3507 Merge pull request 'Update Helm release metallb to v0.14.3' (#34) from renovate/metallb-0.x into main 
Reviewed-on: #34
 2024-03-03 19:32:16 +00:00
Renovate Bot
4aa21cb0cd Update Helm release metallb to v0.14.3 2024-03-03 19:32:16 +00:00
Remy Moll
d233ab96eb Merge pull request 'Update Helm release gitea to v10.1.3' (#46) from renovate/gitea-10.x into main 
Reviewed-on: #46
 2024-03-03 19:31:04 +00:00
Renovate Bot
df581e0110 Update Helm release gitea to v10.1.3 2024-03-03 19:31:04 +00:00
Remy Moll
8a114b9384 remove homarr 2024-03-03 20:30:06 +01:00
Remy Moll
ab6506f4f2 update immich 2024-02-21 18:35:13 +01:00
Remy Moll
87242d293a Merge pull request 'Update Helm release homarr to v1.0.6' (#38) from renovate/homarr-1.x into main 
Reviewed-on: #38
 2024-02-13 10:34:15 +00:00
Remy Moll
11d46ec295 Merge pull request 'Update Helm release gitea to v10.1.1' (#35) from renovate/gitea-10.x into main 
Reviewed-on: #35
 2024-02-13 10:33:42 +00:00
Renovate Bot
1b3702c4c8 Update Helm release gitea to v10.1.1 2024-02-13 10:33:42 +00:00
Remy Moll
9b68b4a915 lets be more generous with memory 2024-02-11 18:15:11 +01:00
Remy Moll
18889d7391 add other recipes 2024-02-11 11:28:30 +01:00
Remy Moll
a38ad1d7e6 bye bye 2024-02-10 19:35:22 +01:00
Remy Moll
edcb9158f5 what now? 2024-02-10 19:21:04 +01:00
Remy Moll
71b1c252f3 turns out it was important 2024-02-10 19:17:28 +01:00
Remy Moll
b30f44d2c6 last chance 2024-02-10 19:16:08 +01:00
Remy Moll
85abf0fda6 with services? 2024-02-10 19:04:08 +01:00
Remy Moll
5e21ceaad3 lets try this 2024-02-10 18:58:20 +01:00
Remy Moll
3f5c1a5a5c add configmap 2024-02-10 10:56:59 +01:00
Remy Moll
0195833fc3 service account not needed 2024-02-10 10:54:41 +01:00
Remy Moll
64835e16de slight fix 2024-02-10 10:53:20 +01:00
Remy Moll
4e11a33855 correct backend 2024-02-10 10:46:38 +01:00
Remy Moll
bad024861a add recipes 2024-02-10 10:45:53 +01:00
Remy Moll
fe5d6a9014 Merge pull request 'Update adguard/adguardhome Docker tag to v0.107.44' (#39) from renovate/adguard-adguardhome-0.x into main 
Reviewed-on: #39
 2024-02-08 09:24:43 +00:00
Remy Moll
f2898d7e0b Merge pull request 'Update homeassistant/home-assistant Docker tag to v2024.2' (#40) from renovate/homeassistant-home-assistant-2024.x into main 
Reviewed-on: #40
 2024-02-08 09:24:05 +00:00
Renovate Bot
f67f0c8889 Update homeassistant/home-assistant Docker tag to v2024.2 2024-02-07 21:02:14 +00:00
Renovate Bot
0ccb17d8e1 Update adguard/adguardhome Docker tag to v0.107.44 2024-02-07 11:01:45 +00:00
Remy Moll
bb6d417937 Merge pull request 'Update actualbudget/actual-server Docker tag to v24.2.0' (#36) from renovate/actualbudget-actual-server-24.x into main 
Reviewed-on: #36
 2024-02-07 10:09:46 +00:00
Remy Moll
4e2ebe2540 Merge pull request 'Update octodns/octodns Docker tag to v2024' (#37) from renovate/octodns-octodns-2024.x into main 
Reviewed-on: #37
 2024-02-07 10:09:26 +00:00
Renovate Bot
c5310b0f00 Update Helm release homarr to v1.0.6 2024-02-04 17:01:35 +00:00
Renovate Bot
46ef973f70 Update octodns/octodns Docker tag to v2024 2024-02-03 22:02:18 +00:00
Remy Moll
c12d2dc7a6 whoopsie 2024-02-03 22:27:29 +01:00
Remy Moll
e28c6ffd52 add physics 2024-02-03 22:19:09 +01:00
Renovate Bot
7ba6860ea0 Update actualbudget/actual-server Docker tag to v24.2.0 2024-02-03 21:01:51 +00:00
Remy Moll
33c23ee42b Merge pull request 'Update ghcr.io/immich-app/immich-machine-learning Docker tag to v1.94.1' (#31) from renovate/ghcr.io-immich-app-immich-machine-learning-1.x into main 
Reviewed-on: #31
 2024-02-03 20:58:07 +00:00
Remy Moll
b2f8c8bced Merge branch 'main' into renovate/ghcr.io-immich-app-immich-machine-learning-1.x 2024-02-03 20:57:54 +00:00
Remy Moll
d5277d3d6a Merge pull request 'Update ghcr.io/immich-app/immich-server Docker tag to v1.94.1' (#32) from renovate/ghcr.io-immich-app-immich-server-1.x into main 
Reviewed-on: #32
 2024-02-03 20:56:19 +00:00
Remy Moll
e3c90f5ede Merge branch 'main' into renovate/ghcr.io-immich-app-immich-server-1.x 2024-02-03 20:55:47 +00:00
Remy Moll
eb5bda63db Merge pull request 'Update Helm release grafana to v7.3.0' (#26) from renovate/grafana-7.x into main 
Reviewed-on: #26
 2024-02-03 20:54:45 +00:00
Renovate Bot
a10a216f0e Update ghcr.io/immich-app/immich-server Docker tag to v1.94.1 2024-01-31 20:01:05 +00:00
Renovate Bot
3cf9fd0b87 Update ghcr.io/immich-app/immich-machine-learning Docker tag to v1.94.1 2024-01-31 20:01:03 +00:00
Renovate Bot
ea1fa1637f Update Helm release grafana to v7.3.0 2024-01-30 15:00:50 +00:00
Remy Moll
96abe2a0f5 auto admin 2024-01-23 18:16:40 +01:00
Remy Moll
9623f33b59 Merge pull request 'Update Helm release gitea to v10' (#16) from renovate/gitea-10.x into main 
Reviewed-on: #16
 2024-01-22 10:30:17 +00:00
Remy Moll
b065fc7e59 idioto 2024-01-22 11:27:58 +01:00
Remy Moll
617ed5601c allow renovate to fetch release notes 2024-01-22 11:11:34 +01:00
Renovate Bot
7e21ce4181 Update Helm release gitea to v10 2024-01-22 10:00:35 +00:00
64 changed files with 1924 additions and 150 deletions
Expand all files Collapse all files

2
apps/adguard/kustomization.yaml
View File

@@ -10,7 +10,7 @@ resources:
images:
- name: adguard/adguardhome
newName: adguard/adguardhome
newTag: v0.107.43
newTag: v0.107.44
namespace: adguard

8
apps/files/README.md Normal file
View File

@@ -0,0 +1,8 @@
# File sync
My personal cross-platform filesync. Using syncthing for my android and linux clients. And nextcloud for my ios clients.
## Overview
Both services share a common persistence which allows them to apply each their own logic for synching to other devices. The server acts as a relay.

11
apps/files/kustomization.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: files
resources:
- namespace.yaml
- pvc.yaml
- syncthing/
- nextcloud/

0
apps/homarr/namespace.yaml → apps/files/namespace.yaml
View File

16
apps/files/nextcloud/ingress.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nextcloud-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`nextcloud2.kluster.moll.re`)
kind: Rule
services:
- name: nextcloud
port: 8080
tls:
certResolver: default-tls

15
apps/files/nextcloud/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- pvc.yaml
- ingress.yaml
- postgres.yaml
- postgres-credentials.sealedsecret.yaml
helmCharts:
- name: nextcloud
releaseName: nextcloud
version: 4.5.5
valuesFile: values.yaml
repo: https://nextcloud.github.io/helm/

17
apps/files/nextcloud/postgres-credentials.sealedsecret.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: postgres-credentials
namespace: files
spec:
encryptedData:
database: AgBOgmqlfgiN2VqxNyYL6O+/jdzPmGg97zOXxZ7KiD07b4/2FdmlWgOZZp7oUpQ9RMV0WybC0jau2YVlgXB32afgJ3uinaAAhzZwvzy8dgapNpe8ClxnFINRhKKC9kxK7YeDwtptbDQn7YtEmVGHI66/71VyGy7NME4Pk0Y4FxxpF6KAZMAHNyez4JMa9V+XFtYV5G5bOkPY/ku4LcYntiMAlEaArF+re1m5nLQmZ4SVkWlOc41N4Hv1HrCv8qq2kj7zVR5/J2qW8NlzmdJJqv1AP1foELuITZZKxwNspxynNxhjXTX0fP6vzfJpxtzb2s/4Yh2uT/UPb2rOdcGaXjjHKxjSX23tG5ZT+z5lt0y9UEmUYytlcsYv9vsRqCmeFsB63S7aABeCRSOJyGLsuUc7xqSZ2ijDG38qLij+JPgoEIbSLfRYVGE5GMo9EbHt4N+ZIMpJYQXq0VhDip/r11SENfUa3XoautQ5uVR1D50FuSrN16t24bQXai9uifkBpDyvqbiqgv7s3qOjF9u8I0eyeJA0ZO1JO174B9SO3IcZYys8c87fSuWvFbGepLNqfneSIx93klDUdx3YEjqcrqib49+3/dn3RO9/puyhJ6O0TEZneToyauV3lxpR+XG/PDx7EQ88lELgD/AmtulsLHkYNgpoblFPbgDUeHhOgoBRAe22Hiy0Co4eh0SPVPyKhj8MyYhPtLEV+UY=
password: AgB2eY5aKJhEcJIgArGRrsqYf5pJJoXHRkplFpaqCCQW7X7WLREb+35HDijhnJSWRI2/LXDVy/8ArJe1LiiW+05aRY/9nvmjdpUmvsdQ6DK1mvirl8Py4JYueNrk2iUmI1h+ROyubBCvRBKxueQNkuwipKvk7nIlON6cwFnqp6GPcuWihSG/GZ2nSZmxmu+thdsM/S8DPaTW/N+Sut8DyarlCN94ZRiFVZIJialibfsJGQtL/uPX0W61GTkEU4m34IN9e+POdEdg3HuFMd3RvNQpndgPjaTv4A22TJRFs+rcHlcHr+5r8acVy1V+sZy97126Z7moeKDp1rFbG2/yMT1iS2oxQN4GJceTgMzSagqdn+KgD0N38OYvp+mRUQsl7+Fpglcq03vqbvxsc1fC78XpAAPMNA/pQDvtlS1qjuB7WCa5b3mkJxjc8efIuna9GAnDGh+djhlGHLEERnEfjlnpeDb/afRejUX+i6r00GnBxuRJfV+lKh4BJsnJm29nC4t10F6ff91Ngcjf+wCm5yWSFETZ9oFrPn10igGvoZwROJYABdtfMNjidGLkdKQnG1dj3EFu5XDn9vRqt8Iu/dEyoh7a2iGYDQ1lGpz+zxA/OZ9l/SuL6JUUwXq5W1/fSbtaBPdit4cwUTopq7AcpZkMuAQyVy6N9D0Hvjx432rCxmqyGU8PyjKHoAN+nuvTi79HtHR2wo4hJeIDoktdpxswSCe9VJEvqTFGQyCZtX3uEg==
username: AgATMaQ/BRCO9vx329YxGGUGl3E68Tm3coU6IO6pYm8f+Uf7ImH4l/P84mjGDLho1zBUfILPAvM4G5xG2qkkyW4mEuB8A7NNWAhXMOS5i1msNaV2oqLYNWCOG2lFO7unkYwPSyu9EyGn/Hq/kbGPAKfUf6dtDLEc+Y0S5Ue9YA2gYK4VYUec491+02EOoprGcfM1QdGPLBrunXn4krxtGm+eTsK8nd/lnm3DK+f5uGupO844i8T0mXE1xcliysBTZzxEVpmzPN8q4TMay6qcB2wOvEyngnGCfxJGTSjTrkydPFLcI4p6IONW5QAX9eQwo6ZDo56WVNgvyNW+ZJ6hmPP9nLeHnKb3rM91CIMM0GDRYc3VFsVXwBY/sj12hiompXEVQEp+EJUbgnDLK2lW+J602ZnzyHFgwGKnfdI8PHfKoxRVf06TXPdROu1mfXr5jOXc+++LoRotkVOuf2KXMip/7HlTkRlZXKkenhIqrTtQkENJ+aaxCKdQwgE8iDtmB6ZEBiMJq/dZgvn7qbcMc/SYF3l6YZKSU2L1359CRTeuQ6J6aDml+WHvgtwLH6sIgR9Sjgxid9XlhQ3/8f9UQdR6OpblsBZYn8gYEQ1WRr7H1R3IjENpA7LtburPYyogSk4eSFWR1hkwfiiTJrfwJCPEka28a7MqX0nCKZqzzUOQqXNGPX8W9rU8aA2HcnSPrzLoOV2av9h4icw=
template:
metadata:
creationTimestamp: null
name: postgres-credentials
namespace: files

20
apps/files/nextcloud/postgres.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-postgres
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:16
bootstrap:
initdb:
owner: nextcloud
database: nextcloud
secret:
name: postgres-credentials
storage:
size: 1Gi
storageClass: nfs-client
monitoring:
enablePodMonitor: true

11
apps/files/nextcloud/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: nextcloud-config
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

155
apps/files/nextcloud/values.yaml Normal file
View File

@@ -0,0 +1,155 @@
## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
ingress:
enabled: false
nextcloud:
host: nextcloud2.kluster.moll.re
username: admin
password: changeme
## Use an existing secret
existingSecret:
enabled: false
update: 0
# If web server is not binding default port, you can define it
# containerPort: 8080
datadir: /var/www/html/data
persistence:
subPath:
mail:
enabled: false
# PHP Configuration files
# Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
phpConfigs: {}
# Default config files
# IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
# Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
defaultConfigs:
# To protect /var/www/html/config
.htaccess: true
# Redis default configuration
redis.config.php: true
# Apache configuration for rewrite urls
apache-pretty-urls.config.php: true
# Define APCu as local cache
apcu.config.php: true
# Apps directory configs
apps.config.php: true
# Used for auto configure database
autoconfig.php: true
# SMTP default configuration
smtp.config.php: true
extraVolumes:
- name: files-nfs
persistentVolumeClaim:
claimName: files-nfs
extraVolumeMounts:
- name: files-nfs
mountPath: /files
# Extra config files created in /var/www/html/config/
# ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
# configs:
# config.php: |-
# For example, to use S3 as primary storage
# ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
#
# configs:
# s3.config.php: |-
# <?php
# $CONFIG = array (
# 'objectstore' => array(
# 'class' => '\\OC\\Files\\ObjectStore\\S3',
# 'arguments' => array(
# 'bucket' => 'my-bucket',
# 'autocreate' => true,
# 'key' => 'xxx',
# 'secret' => 'xxx',
# 'region' => 'us-east-1',
# 'use_ssl' => true
# )
# )
# );
nginx:
## You need to set an fpm version of the image for nextcloud if you want to use nginx!
enabled: false
internalDatabase:
enabled: false
##
## External database configuration
##
externalDatabase:
enabled: true
type: postgresql
host: nextcloud-postgres-rw
database: nextcloud
existingSecret:
enabled: true
secretName: postgres-credentials
usernameKey: username
passwordKey: password
mariadb:
enabled: false
postgresql:
enabled: false
redis:
enabled: false
cronjob:
enabled: false
persistence:
# Nextcloud Data (/var/www/html)
enabled: true
annotations: {}
## If defined, PVC must be created manually before volume will be bound
existingClaim: nextcloud-config
## Use an additional pvc for the data directory rather than a subpath of the default PVC
## Useful to store data on a different storageClass (e.g. on slower disks)
nextcloudData:
enabled: false
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits:
cpu: 2000m
memory: 2Gi
requests:
cpu: 100m
memory: 128Mi
livenessProbe:
enabled: false
# disable when upgrading from a previous chart version
hpa:
enabled: false
## Prometheus Exporter / Metrics
##
metrics:
enabled: false
rbac:
enabled: false

11
apps/files/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: files-nfs
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Gi

40
apps/files/syncthing/deployment.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing
spec:
selector:
matchLabels:
app: syncthing
template:
metadata:
labels:
app: syncthing
spec:
containers:
- name: syncthing
image: syncthing
resources:
limits:
memory: "256Mi"
cpu: "500m"
ports:
- containerPort: 8384
protocol: TCP
name: syncthing-web
- containerPort: 22000
protocol: TCP
- containerPort: 22000
protocol: UDP
volumeMounts:
- name: persistence
mountPath: /files
- name: config
mountPath: /var/syncthing/config
volumes:
- name: persistence
persistentVolumeClaim:
claimName: files-nfs
- name: config
persistentVolumeClaim:
claimName: syncthing-config

16
apps/files/syncthing/ingress.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: rss-ingressroute
spec:
entryPoints:
- websecure
routes:
- match: Host(`syncthing2.kluster.moll.re`)
kind: Rule
services:
- name: syncthing-web
port: 8384
tls:
certResolver: default-tls

15
apps/files/syncthing/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- pvc.yaml
- deployment.yaml
- service.yaml
- ingress.yaml
- servicemonitor.yaml
# - syncthing-api.sealedsecret.yaml
images:
- name: syncthing
newName: syncthing/syncthing
newTag: "1.27"

11
apps/files/syncthing/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: syncthing-config
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

46
apps/files/syncthing/service.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: Service
metadata:
name: syncthing-web
labels:
app: syncthing
spec:
selector:
app: syncthing
type: ClusterIP
ports:
- port: 8384
targetPort: 8384
name: syncthing-web
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-listen
annotations:
metallb.universe.tf/allow-shared-ip: syncthing-service
spec:
selector:
app: syncthing
type: LoadBalancer
loadBalancerIP: 192.168.3.5
ports:
- port: 22000
targetPort: 22000
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-discover
annotations:
metallb.universe.tf/allow-shared-ip: syncthing-service
spec:
selector:
app: syncthing
type: LoadBalancer
loadBalancerIP: 192.168.3.5
ports:
- port: 22000
targetPort: 22000
protocol: UDP

16
apps/files/syncthing/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: syncthing-servicemonitor
labels:
app: syncthing
spec:
selector:
matchLabels:
app: syncthing
endpoints:
- port: syncthing-web
path: /metrics
bearerTokenSecret:
name: syncthing-api
key: token

30
apps/files1/deployment.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: spacedrive
spec:
selector:
matchLabels:
app: spacedrive
template:
metadata:
labels:
app: spacedrive
spec:
containers:
- name: spacedrive
image: spacedrive
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 80
volumeMounts:
- name: storage
mountPath: /data
volumes:
- name: storage
persistentVolumeClaim:
claimName: spacedrive-nfs

15
apps/files1/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: files1
resources:
- namespace.yaml
- pvc.yaml
- deployment.yaml
images:
- name: spacedrive
newName: ghcr.io/spacedriveapp/spacedrive/server
newTag: 0.2.4

4
apps/files1/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder

11
apps/files1/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: spacedrive-nfs
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Gi

2
apps/finance/kustomization.yaml
View File

@@ -13,4 +13,4 @@ resources:
images:
- name: actualbudget
newName: actualbudget/actual-server
newTag: 24.1.0
newTag: 24.2.0

17
apps/homarr/kustomization.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: homarr
resources:
- namespace.yaml
- pvc.yaml
- ingress.yaml
helmCharts:
- name: homarr
releaseName: homarr
repo: https://oben01.github.io/charts/
version: 1.0.4
valuesFile: values.yaml

0
apps/homarr/pvc.yaml
View File

60
apps/homarr/values.yaml
View File

@@ -1,60 +0,0 @@
# -- Default values for homarr
# -- Declare variables to be passed into your templates.
# -- Number of replicas
replicaCount: 1
env:
# -- Your local time zone
TZ: "Europe/Berlin"
# -- Colors and preferences, possible values dark / light
DEFAULT_COLOR_SCHEME: "dark"
# -- Service configuration
service:
# -- Service type
type: ClusterIP
# -- Service port
port: 7575
# -- Service target port
targetPort: 7575
# -- Ingress configuration
ingress:
enabled: false
persistence:
- name: homarr-config
# -- Enable homarr-config persistent storage
enabled: true
# -- homarr-config storage class name
storageClassName: "nfs-client"
# -- homarr-config access mode
accessMode: "ReadWriteOnce"
persistentVolumeReclaimPolicy: Retain
# -- homarr-config storage size
size: "50Mi"
# -- homarr-config mount path inside the pod
mountPath: "/app/data/configs"
- name: homarr-database
# -- Enable homarr-database persistent storage
enabled: true
# -- homarr-database storage class name
storageClassName: "nfs-client"
# -- homarr-database access mode
accessMode: "ReadWriteOnce"
# -- homarr-database storage size
size: "50Mi"
# -- homarr-database mount path inside the pod
mountPath: "/app/database"
- name: homarr-icons
# -- Enable homarr-icons persistent storage
enabled: true
# -- homarr-icons storage class name
storageClassName: "nfs-client"
# -- homarr-icons access mode
accessMode: "ReadWriteOnce"
# -- homarr-icons storage size
size: "50Mi"
# -- homarr-icons mount path inside the pod
mountPath: "/app/public/icons"

2
apps/homeassistant/kustomization.yaml
View File

@@ -13,4 +13,4 @@ resources:
images:
- name: homeassistant/home-assistant
newName: homeassistant/home-assistant
newTag: "2024.1"
newTag: "2024.2"

17
apps/immich/kustomization.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- ingress.yaml
- pvc.yaml
- postgres.yaml
- postgres.sealedsecret.yaml
- namespace.yaml
- ingress.yaml
- pvc.yaml
- postgres.yaml
- postgres.sealedsecret.yaml
namespace: immich
@@ -15,3 +15,10 @@ helmCharts:
version: 0.3.1
valuesFile: values.yaml
repo: https://immich-app.github.io/immich-charts
images:
- name: ghcr.io/immich-app/immich-machine-learning
newTag: v1.95.1
- name: ghcr.io/immich-app/immich-server
newTag: v1.95.1

2
apps/immich/postgres.yaml
View File

@@ -5,7 +5,7 @@ metadata:
name: immich-postgres
spec:
instances: 1
imageName: ghcr.io/bo0tzz/cnpgvecto.rs:16-v0.1.11
imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.2
bootstrap:
initdb:
owner: immich

4
apps/immich/values.yaml
View File

@@ -2,10 +2,6 @@
## You can find it at https://github.com/bjw-s/helm-charts/tree/main/charts/library/common
## Refer there for more detail about the supported values
image:
tag: v1.92.1
# These entries are shared between all the Immich components
env:

30
apps/matrix/kustomization.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- postgres.yaml
- synapse.deployment.yaml
- synapse.service.yaml
- synapse.configmap.yaml
- synapse.ingress.yaml
- postgres-credentials.secret.yaml
- mautrix.pvc.yaml
- mautrix-telegram.statefulset.yaml
- mautrix-telegram.configmap.yaml
- mautrix-whatsapp.statefulset.yaml
namespace: matrix
images:
- name: mautrix-telegram
newName: dock.mau.dev/mautrix/telegram
newTag: "v0.15.1"
- name: mautrix-whatsapp
newName: dock.mau.dev/mautrix/whatsapp
newTag: "v0.10.5"
- name: synapse
newName: ghcr.io/element-hq/synapse
newTag: "v1.100.0"

511
apps/matrix/mautrix-telegram.configmap.yaml Normal file
View File

@@ -0,0 +1,511 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: mautrix-telegram
data:
config.yaml: |
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: http://synapse:8448
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.kluster.moll.re
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: false
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://mautrix-telegram:29318
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29317
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:filename.db
# Postgres: postgres://username:password@hostname/dbname
database: sqlite:mautrix-telegram.db
# The unique ID of this appservice.
id: telegram
# Username of the appservice bot.
bot_username: telegrambot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Telegram bridge bot
bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "This value is generated when generating the registration"
hs_token: "This value is generated when generating the registration"
# Bridge config
bridge:
# Localpart template of MXIDs for Telegram users.
# {userid} is replaced with the user ID of the Telegram user.
username_template: "telegram_{userid}"
# Localpart template of room aliases for Telegram portal rooms.
# {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
alias_template: "telegram_{groupname}"
# Displayname template for Telegram users.
# {displayname} is replaced with the display name of the Telegram user.
displayname_template: "{displayname} (Telegram)"
# Set the preferred order of user identifiers which to use in the Matrix puppet display name.
# In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
# ID is used.
#
# If the bridge is working properly, a phone number or an username should always be known, but
# the other one can very well be empty.
#
# Valid keys:
# "full name" (First and/or last name)
# "full name reversed" (Last and/or first name)
# "first name"
# "last name"
# "username"
# "phone number"
displayname_preference:
- full name
- username
- phone number
# Maximum length of displayname
displayname_max_length: 100
# Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
# as there's no way to determine whether an avatar is removed or just hidden from some users. If
# you're on a single-user instance, this should be safe to enable.
allow_avatar_remove: false
# Should contact names and profile pictures be allowed?
# This is only safe to enable on single-user instances.
allow_contact_info: false
# Maximum number of members to sync per portal when starting up. Other members will be
# synced when they send messages. The maximum is 10000, after which the Telegram server
# will not send any more members.
# -1 means no limit (which means it's limited to 10000 by the server)
max_initial_member_sync: 100
# Maximum number of participants in chats to bridge. Only applies when the portal is being created.
# If there are more members when trying to create a room, the room creation will be cancelled.
# -1 means no limit (which means all chats can be bridged)
max_member_count: -1
# Whether or not to sync the member list in channels.
# If no channel admins have logged into the bridge, the bridge won't be able to sync the member
# list regardless of this setting.
sync_channel_members: false
# Whether or not to skip deleted members when syncing members.
skip_deleted_members: true
# Whether or not to automatically synchronize contacts and chats of Matrix users logged into
# their Telegram account at startup.
startup_sync: false
# Number of most recently active dialogs to check when syncing chats.
# Set to 0 to remove limit.
sync_update_limit: 0
# Number of most recently active dialogs to create portals for when syncing chats.
# Set to 0 to remove limit.
sync_create_limit: 15
# Should all chats be scheduled to be created later?
# This is best used in combination with MSC2716 infinite backfill.
sync_deferred_create_all: false
# Whether or not to sync and create portals for direct chats at startup.
sync_direct_chats: false
# The maximum number of simultaneous Telegram deletions to handle.
# A large number of simultaneous redactions could put strain on your homeserver.
max_telegram_delete: 10
# Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
# at startup and when creating a bridge.
sync_matrix_state: true
# Allow logging in within Matrix. If false, users can only log in using login-qr or the
# out-of-Matrix login website (see appservice.public config section)
allow_matrix_login: true
# Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
public_portals: false
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
example.com: https://example.com
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
example.com: foobar
# Set to false to disable link previews in messages sent to Telegram.
telegram_link_preview: true
# Whether or not the !tg join command should do a HTTP request
# to resolve redirects in invite links.
invite_link_resolve: false
# Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
# This is currently not supported in most clients.
caption_in_message: false
# Maximum size of image in megabytes before sending to Telegram as a document.
image_as_file_size: 10
# Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
image_as_file_pixels: 16777216
# Enable experimental parallel file transfer, which makes uploads/downloads much faster by
# streaming from/to Matrix and using many connections for Telegram.
# Note that generating HQ thumbnails for videos is not possible with streamed transfers.
# This option uses internal Telethon implementation details and may break with minor updates.
parallel_file_transfer: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
# By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
always_custom_emoji_reaction: false
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (gzipped lottie)
# png - converts to non-animated png (fastest),
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
# webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
target: gif
# Should video stickers be converted to the specified format as well?
convert_from_webm: false
# Arguments for converter. All converters take width and height.
args:
width: 256
height: 256
fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
# Settings for converting animated emoji.
# Same as animated_sticker, but webm is not supported as the target
# (because inline images can only contain images, not videos).
animated_emoji:
target: webp
args:
width: 64
height: 64
fps: 25
# # End-to-bridge encryption support options.
# #
# # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
# encryption:
# # Allow encryption, work in group chat rooms with e2ee enabled
# allow: false
# # Default to encryption, force-enable encryption in all portals the bridge creates
# # This will cause the bridge bot to be in private chats for the encryption to work properly.
# default: false
# # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
# appservice: false
# # Require encryption, drop any unencrypted messages.
# require: false
# # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# # You must use a client that supports requesting keys from other users to use this feature.
# allow_key_sharing: false
# # Options for deleting megolm sessions from the bridge.
# delete_keys:
# # Beeper-specific: delete outbound sessions when hungryserv confirms
# # that the user has uploaded the key to key backup.
# delete_outbound_on_ack: false
# # Don't store outbound sessions in the inbound table.
# dont_store_outbound: false
# # Ratchet megolm sessions forward after decrypting messages.
# ratchet_on_decrypt: false
# # Delete fully used keys (index >= max_messages) after decrypting messages.
# delete_fully_used_on_decrypt: false
# # Delete previous megolm sessions from same device when receiving a new one.
# delete_prev_on_new_session: false
# # Delete megolm sessions received from a device when the device is deleted.
# delete_on_device_delete: false
# # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
# periodically_delete_expired: false
# # Delete inbound megolm sessions that don't have the received_at field used for
# # automatic ratcheting and expired session deletion. This is meant as a migration
# # to delete old keys prior to the bridge update.
# delete_outdated_inbound: false
# # What level of device verification should be required from users?
# #
# # Valid levels:
# # unverified - Send keys to all device in the room.
# # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# # Note that creating user signatures from the bridge bot is not currently possible.
# # verified - Require manual per-device verification
# # (currently only possible by modifying the `trust` column in the `crypto_device` database table).
# verification_levels:
# # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
# receive: unverified
# # Minimum level that the bridge should accept for incoming Matrix messages.
# send: unverified
# # Minimum level that the bridge should require for accepting key requests.
# share: cross-signed-tofu
# # Options for Megolm room key rotation. These options allow you to
# # configure the m.room.encryption event content. See:
# # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# # more information about that event.
# rotation:
# # Enable custom Megolm room key rotation settings. Note that these
# # settings will only apply to rooms created after this option is
# # set.
# enable_custom: false
# # The maximum number of milliseconds a session should be used
# # before changing it. The Matrix spec recommends 604800000 (a week)
# # as the default.
# milliseconds: 604800000
# # The maximum number of messages that should be sent with a given a
# # session before changing it. The Matrix spec recommends 100 as the
# # default.
# messages: 100
# # Disable rotating keys when a user's devices change?
# # You should not enable this option unless you understand all the implications.
# disable_device_change_key_rotation: false
# Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
# Disable generating reply fallbacks? Some extremely bad clients still rely on them,
# but they're being phased out and will be completely removed in the future.
disable_reply_fallbacks: false
# Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this.
cross_room_replies: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Telegram.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: false
# Should errors in incoming message handling send a message to the Matrix room?
incoming_bridge_error_reports: false
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
# The favorites tag is `m.favourite`.
pinned_tag: null
# Same as above for archived chats, the low priority tag is `m.lowpriority`.
archive_tag: null
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# Should leaving the room on Matrix make the user leave on Telegram?
bridge_matrix_leave: true
# Should the user be kicked out of all portals when logging out of the bridge?
kick_on_logout: true
# Should the "* user joined Telegram" notice always be marked as read automatically?
always_read_joined_telegram_notice: true
# Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
# Requires the user to have sufficient power level and double puppeting enabled.
create_group_on_invite: true
# Settings for backfilling messages from Telegram.
backfill:
# Allow backfilling at all?
enable: true
# Whether or not to enable backfilling in normal groups.
# Normal groups have numerous technical problems in Telegram, and backfilling normal groups
# will likely cause problems if there are multiple Matrix users in the group.
normal_groups: false
# If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
# Set to -1 to let any chat be unread.
unread_hours_threshold: 720
# Forward backfilling limits.
#
# Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
forward_limits:
# Number of messages to backfill immediately after creating a portal.
initial:
user: 50
normal_group: 100
supergroup: 10
channel: 10
# Number of messages to backfill when syncing chats.
sync:
user: 100
normal_group: 100
supergroup: 100
channel: 100
# Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too.
forward_timeout: 900
# Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716.
incremental:
# Maximum number of messages to backfill per batch.
messages_per_batch: 100
# The number of seconds to wait after backfilling the batch of messages.
post_batch_delay: 20
# The maximum number of batches to backfill per portal, split by the chat type.
# If set to -1, all messages in the chat will eventually be backfilled.
max_batches:
# Direct chats
user: -1
# Normal groups. Note that the normal_groups option above must be enabled
# for these to be backfilled.
normal_group: -1
# Supergroups
supergroup: 10
# Broadcast channels
channel: -1
# Overrides for base power levels.
initial_power_level_overrides:
user: {}
group: {}
# Whether to bridge Telegram bot messages as m.notices or m.texts.
bot_messages_as_notices: true
bridge_notices:
# Whether or not Matrix bot messages (type m.notice) should be bridged.
default: false
# List of user IDs for whom the previous flag is flipped.
# e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
# notices from users listed here will be bridged.
exceptions: []
# An array of possible values for the $distinguisher variable in message formats.
# Each user gets one of the values here, based on a hash of their user ID.
# If the array is empty, the $distinguisher variable will also be empty.
relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
# The formats to use when sending messages to Telegram via the relay bot.
# Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $distinguisher - A random string from the options in the relay_user_distinguishers array.
# $message - The message content
message_formats:
m.text: "$distinguisher <b>$sender_displayname</b>: $message"
m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
# Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
# users are sent to telegram. All fields in message_formats are supported. Additionally, the
# Telegram user info is available in the following variables:
# $displayname - Telegram displayname
# $username - Telegram username (may not exist)
# $mention - Telegram @username or displayname mention (depending on which exists)
emote_format: "* $mention $formatted_body"
# The formats to use when sending state events to Telegram via the relay bot.
#
# Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
# In name_change events, `$prev_displayname` is the previous displayname.
#
# Set format to an empty string to disable the messages for that event.
state_event_formats:
join: "$distinguisher <b>$displayname</b> joined the room."
leave: "$distinguisher <b>$displayname</b> left the room."
name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
# Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
# `filter-mode` management commands.
#
# An empty blacklist will essentially disable the filter.
filter:
# Filter mode to use. Either "blacklist" or "whitelist".
# If the mode is "blacklist", the listed chats will never be bridged.
# If the mode is "whitelist", only the listed chats can be bridged.
mode: blacklist
# The list of group/channel IDs to filter.
list: []
# How to handle direct chats:
# If users is "null", direct chats will follow the previous settings.
# If users is "true", direct chats will always be bridged.
# If users is "false", direct chats will never be bridged.
users: true
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tg"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Telegram bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relaybot - Only use the bridge via the relaybot, no access to commands.
# user - Relaybot level + access to commands to create bridges.
# puppeting - User level + logging in with a Telegram account.
# full - Full access to use the bridge, i.e. previous levels + Matrix login.
# admin - Full access to use the bridge and some extra administration commands.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"matrix.kluster.moll.re": "full"
"@remy:matrix.kluster.moll.re": "admin"
# Options related to the message relay Telegram bot.
relaybot:
private_chat:
# List of users to invite to the portal when someone starts a private chat with the bot.
# If empty, private chats with the bot won't create a portal.
invite: []
# Whether or not to bridge state change messages in relaybot private chats.
state_changes: true
# When private_chat_invite is empty, this message is sent to users /starting the
# relaybot. Telegram's "markdown" is supported.
message: This is a Matrix bridge relaybot and does not support direct chats
# List of users to invite to all group chat portals created by the bridge.
group_chat_invite: []
# Whether or not the relaybot should not bridge events in unbridged group chats.
# If false, portals will be created when the relaybot receives messages, just like normal
# users. This behavior is usually not desirable, as it interferes with manually bridging
# the chat to another room.
ignore_unbridged_group_chat: true
# Whether or not to allow creating portals from Telegram.
authless_portals: true
# Whether or not to allow Telegram group admins to use the bot commands.
whitelist_group_admins: true
# Whether or not to ignore incoming events sent by the relay bot.
ignore_own_incoming_events: true
# List of usernames/user IDs who are also allowed to use the bot commands.
whitelist:
- myusername
- 12345678
# Telegram config
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: 862555
api_hash: 7387a7b6ba71793d6f3fa98261117e4e
# (Optional) Create your own bot at https://t.me/BotFather
bot_token: disabled
# Should the bridge request missed updates from Telegram when restarting?
catch_up: true
# Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
sequential_updates: true
exit_on_update_error: false

32
apps/matrix/mautrix-telegram.statefulset.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mautrix-telegram
spec:
selector:
matchLabels:
app: mautrix-telegram
serviceName: mautrix-telegram
replicas: 1
template:
metadata:
labels:
app: mautrix-telegram
spec:
containers:
- name: mautrix-telegram
image: mautrix-telegram
volumeMounts:
- name: config
mountPath: /data/config.yaml
subPath: config.yaml
- name: persistence
mountPath: /data
args:
- --no-update # disable overwriting config.yaml
volumes:
- name: config
configMap:
name: mautrix-telegram
- name: persistence
emptyDir: {}

428
apps/matrix/mautrix-whatsapp.configmap.yaml Normal file
View File

@@ -0,0 +1,428 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: mautrix-whatsapp
data:
config.yaml: |
# Homeserver details.
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: http://synapse:8448
# The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: matrix.kluster.moll.re
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
# Should the bridge use a websocket for connecting to the homeserver?
# The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
# mautrix-asmux (deprecated), and hungryserv (proprietary).
websocket: false
# How often should the websocket be pinged? Pinging will be disabled if this is zero.
ping_interval_seconds: 0
# Application service host/registration related details.
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://mautrix-whatsapp:29318
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29318
# Database config.
database:
# The database type. "sqlite3-fk-wal" and "postgres" are supported.
type: sqlite3-fk-wal
# The database URI.
# SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
# https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: file:/data/mautrix-whatsapp.db?_txlock=immediate
# Maximum number of connections. Mostly relevant for Postgres.
max_open_conns: 20
max_idle_conns: 2
# Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# The unique ID of this appservice.
id: whatsapp
# Appservice bot details.
bot:
# Username of the appservice bot.
username: whatsappbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: WhatsApp bridge bot
avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
ephemeral_events: true
# Should incoming events be handled asynchronously?
# This may be necessary for large public instances with lots of messages going through.
# However, messages will not be guaranteed to be bridged in the same order they were sent in.
async_transactions: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "This value is generated when generating the registration"
hs_token: "This value is generated when generating the registration"
# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
analytics:
# Hostname of the tracking server. The path is hardcoded to /v1/track
host: api.segment.io
# API key to send with tracking requests. Tracking is disabled if this is null.
token: null
# Optional user ID for tracking events. If null, defaults to using Matrix user ID.
user_id: null
# Prometheus config.
metrics:
# Enable prometheus metrics?
enabled: false
# IP and port where the metrics listener should be. The path is always /metrics
listen: 127.0.0.1:8001
# Config for things that are directly sent to WhatsApp.
whatsapp:
# Device name that's shown in the "WhatsApp Web" section in the mobile app.
os_name: Mautrix-WhatsApp bridge
# Browser name that determines the logo shown in the mobile app.
# Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
# List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
browser_name: unknown
# Bridge config
bridge:
# Localpart template of MXIDs for WhatsApp users.
# {{.}} is replaced with the phone number of the WhatsApp user.
username_template: whatsapp_{{.}}
# Displayname template for WhatsApp users.
# {{.PushName}} - nickname set by the WhatsApp user
# {{.BusinessName}} - validated WhatsApp business name
# {{.Phone}} - phone number (international format)
# The following variables are also available, but will cause problems on multi-user instances:
# {{.FullName}} - full name from contact list
# {{.FirstName}} - first name from contact list
displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
# Should the bridge create a space for each logged-in user and add bridged rooms to it?
# Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
personal_filtering_spaces: false
# Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
delivery_receipts: false
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# Should incoming calls send a message to the Matrix room?
call_start_notices: true
# Should another user's cryptographic identity changing send a message to Matrix?
identity_change_notices: false
portal_message_buffer: 128
# Settings for handling history sync payloads.
history_sync:
# Enable backfilling history sync payloads from WhatsApp?
backfill: true
# The maximum number of initial conversations that should be synced.
# Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
max_initial_conversations: -1
# Maximum number of messages to backfill in each conversation.
# Set to -1 to disable limit.
message_count: 50
# Should the bridge request a full sync from the phone when logging in?
# This bumps the size of history syncs from 3 months to 1 year.
request_full_sync: false
# Configuration parameters that are sent to the phone along with the request full sync flag.
# By default (when the values are null or 0), the config isn't sent at all.
full_sync_config:
# Number of days of history to request.
# The limit seems to be around 3 years, but using higher values doesn't break.
days_limit: null
# This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
size_mb_limit: null
# This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
storage_quota_mb: null
# If this value is greater than 0, then if the conversation's last message was more than
# this number of hours ago, then the conversation will automatically be marked it as read.
# Conversations that have a last message that is less than this number of hours ago will
# have their unread status synced from WhatsApp.
unread_hours_threshold: 0
# Should puppet avatars be fetched from the server even if an avatar is already set?
user_avatar_sync: true
# Should Matrix users leaving groups be bridged to WhatsApp?
bridge_matrix_leave: true
# Should the bridge update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Should the bridge use MSC2867 to bridge manual "mark as unread"s from
# WhatsApp and set the unread status on initial backfill?
# This will only work on clients that support the m.marked_unread or
# com.famedly.marked_unread room account data.
sync_manual_marked_unread: true
# When double puppeting is enabled, users can use `!wa toggle` to change whether
# presence is bridged. This setting sets the default value.
# Existing users won't be affected when these are changed.
default_bridge_presence: true
# Send the presence as "available" to whatsapp when users start typing on a portal.
# This works as a workaround for homeservers that do not support presence, and allows
# users to see when the whatsapp user on the other side is typing during a conversation.
send_presence_on_typing: false
# Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
# even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
#
# By default, the bridge acts like WhatsApp web, which only sends active delivery
# receipts when it's in the foreground.
force_active_delivery_receipts: false
# Servers to always allow double puppeting from
double_puppet_server_map:
example.com: https://example.com
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, double puppeting will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
login_shared_secret_map:
example.com: foobar
# Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
# Should group members be synced in parallel? This makes member sync faster
parallel_member_sync: false
# Should Matrix m.notice-type messages be bridged?
bridge_notices: true
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it, except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should archived chats be moved to a specific tag in Matrix?
# Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
# This can be set to a tag (e.g. m.lowpriority), or null to disable.
archive_tag: null
# Same as above, but for pinned chats. The favorite tag is called m.favourite
pinned_tag: null
# Should mute status and tags only be bridged when the portal room is created?
tag_only_on_create: true
# Should WhatsApp status messages be bridged into a Matrix room?
# Disabling this won't affect already created status broadcast rooms.
enable_status_broadcast: true
# Should sending WhatsApp status messages be allowed?
# This can cause issues if the user has lots of contacts, so it's disabled by default.
disable_status_broadcast_send: true
# Should the status broadcast room be muted and moved into low priority by default?
# This is only applied when creating the room, the user can unmute it later.
mute_status_broadcast: true
# Tag to apply to the status broadcast room.
status_broadcast_tag: m.lowpriority
# Should the bridge use thumbnails from WhatsApp?
# They're disabled by default due to very low resolution.
whatsapp_thumbnail: false
# Allow invite permission for user. User can invite any bots to room with whatsapp
# users (private chat and groups)
allow_user_invite: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Should the bridge never send alerts to the bridge management room?
# These are mostly things like the user being logged out.
disable_bridge_alerts: false
# Should the bridge stop if the WhatsApp server says another user connected with the same session?
# This is only safe on single-user bridges.
crash_on_stream_replaced: false
# Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
# and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
# key in the event content even if this is disabled.
url_previews: false
# Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
# This is currently not supported in most clients.
caption_in_message: false
# Send galleries as a single event? This is not an MSC (yet).
beeper_galleries: false
# Should polls be sent using MSC3381 event types?
extev_polls: false
# Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
cross_room_replies: false
# Disable generating reply fallbacks? Some extremely bad clients still rely on them,
# but they're being phased out and will be completely removed in the future.
disable_reply_fallbacks: false
# Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
# Null means there's no enforced timeout.
message_handling_timeout:
# Send an error message after this timeout, but keep waiting for the response until the deadline.
# This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
# If the message is older than this when it reaches the bridge, the message won't be handled at all.
error_after: null
# Drop messages after this timeout. They may still go through if the message got sent to the servers.
# This is counted from the time the bridge starts handling the message.
deadline: 120s
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!wa"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a WhatsApp bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Should users mentions be in the event wire content to enable the server to send push notifications?
plaintext_mentions: false
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# Delete inbound megolm sessions that don't have the received_at field used for
# automatic ratcheting and expired session deletion. This is meant as a migration
# to delete old keys prior to the bridge update.
delete_outdated_inbound: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Disable rotating keys when a user's devices change?
# You should not enable this option unless you understand all the implications.
disable_device_change_key_rotation: false
# Settings for provisioning API
provisioning:
# Prefix for the provisioning API paths.
prefix: /_matrix/provision
# Shared secret for authentication. If set to "generate", a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: generate
# Enable debug API at /debug with provisioning authentication.
debug_endpoints: false
# Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# user - Access to use the bridge to chat with a WhatsApp account.
# admin - User level and some additional administration tools
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": relay
"example.com": user
"@admin:example.com": admin
# Settings for relay mode
relay:
# Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# Should only admins be allowed to set themselves as relay users?
admin_only: true
# The formats to use when sending messages to WhatsApp via the relaybot.
message_formats:
m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
# Logging config. See https://github.com/tulir/zeroconfig for details.
logging:
min_level: debug
writers:
- type: stdout
format: pretty-colored
- type: file
format: json
filename: ./logs/mautrix-whatsapp.log
max_size: 100
max_backups: 10
compress: true

30
apps/matrix/mautrix-whatsapp.statefulset.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mautrix-whatsapp
spec:
selector:
matchLabels:
app: mautrix-whatsapp
serviceName: mautrix-whatsapp
replicas: 1
template:
metadata:
labels:
app: mautrix-whatsapp
spec:
containers:
- name: mautrix-whatsapp
image: mautrix-whatsapp
volumeMounts:
- name: persistence
mountPath: /data
# contains config.yaml
securityContext:
fsGroup: 1337
volumes:
- name: persistence
persistentVolumeClaim:
claimName: mautrix-whatsapp

23
apps/matrix/mautrix.pvc.yaml Normal file
View File

@@ -0,0 +1,23 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: mautrix-telegram
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: mautrix-whatsapp
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

4
apps/matrix/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder

20
apps/matrix/postgres.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: matrix-postgres
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:16
bootstrap:
initdb:
owner: matrix
database: matrix
secret:
name: postgres-credentials
storage:
size: 1Gi
storageClass: nfs-client
monitoring:
enablePodMonitor: true

62
apps/matrix/synapse.configmap.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: synapse
data:
# matrix.kluster.moll.re.log.config: |
# version: 1
# formatters:
# precise:
# format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
# handlers:
# console:
# class: logging.StreamHandler
# formatter: precise
# loggers:
# # This is just here so we can leave `loggers` in the config regardless of whether
# # we configure other loggers below (avoid empty yaml dict error).
# _placeholder:
# level: "INFO"
# synapse.storage.SQL:
# # beware: increasing this to DEBUG will make synapse log sensitive
# # information such as access tokens.
# level: INFO
# root:
# level: INFO
# handlers: [console]
homeserver.yaml: |
server_name: "matrix.kluster.moll.re"
report_stats: false
# enable_registration: true
# enable_registration_without_verification: true
listeners:
- port: 8448
tls: false
type: http
x_forwarded: true
bind_addresses: ['::1', '127.0.0.1']
resources:
- names: [client, federation]
compress: false
# log_config: "./matrix.kluster.moll.re.log.config"
media_store_path: /media_store
trusted_key_servers:
- server_name: "matrix.org"
database:
name: psycopg2
args:
user: matrix
password: "0ssdsdsdM6vbxhs.kdjsdasd9Z0qK5bdTwM6vbxh9Z"
dbname: matrix
host: matrix-postgres-rw
cp_min: 5
cp_max: 10

43
apps/matrix/synapse.deployment.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: synapse
spec:
selector:
matchLabels:
app: synapse
template:
metadata:
labels:
app: synapse
spec:
containers:
- name: synapse
image: synapse
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 8448
env:
- name: SYNAPSE_CONFIG_PATH
value: /config/homeserver.yaml
volumeMounts:
- name: config
mountPath: /config/homeserver.yaml
subPath: homeserver.yaml
- name: config-persistence
mountPath: /config
- name: media
mountPath: /media_store
securityContext:
fsGroup: 1001
volumes:
- name: config
configMap:
name: synapse
- name: config-persistence
emptyDir: {}
- name: media
emptyDir: {}

29
apps/matrix/synapse.ingress.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: synapse-federation
spec:
entryPoints:
- websecure
routes:
- match: Host(`matrix.kluster.moll.re`)
kind: Rule
services:
- name: synapse
port: 8448
# auto route to the _matrix path
middlewares:
- name: matrix-redirect
tls:
certResolver: default-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: matrix-redirect
spec:
redirectRegex:
regex: "^https://matrix.kluster.moll.re/(.*)"
replacement: "https://matrix.kluster.moll.re/_matrix/$${1}"
permanent: true

11
apps/matrix/synapse.service.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: synapse
spec:
selector:
app: synapse
ports:
- protocol: TCP
port: 8448
targetPort: 8448

2
apps/monitoring/kustomization.yaml
View File

@@ -18,7 +18,7 @@ helmCharts:
- releaseName: grafana
name: grafana
repo: https://grafana.github.io/helm-charts
version: 7.0.21
version: 7.3.0
valuesFile: grafana.values.yaml
- releaseName: influxdb

26
apps/nextcloud/pvc.yaml
View File

@@ -23,3 +23,29 @@ spec:
requests:
storage: "150Gi"
volumeName: nextcloud-nfs
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: nextcloud-syncthing-shared
spec:
capacity:
storage: "150Gi"
accessModes:
- ReadWriteOnce
nfs:
path: /kluster/syncthing
server: 192.168.1.157
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-syncthing-shared
spec:
storageClassName: ""
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "150Gi"
volumeName: nextcloud-syncthing-shared

17
apps/nextcloud/readme.md Normal file
View File

@@ -0,0 +1,17 @@
## Running occ commands
Sometimes you need to run a command on the Nextcloud container directly. You can do that by running commands as the user www-data via the kubectl exec command.
```
# $NEXTCLOUD_POD should be the name of *your* nextcloud pod :)
kubectl exec $NEXTCLOUD_POD -- su -s /bin/sh www-data -c "php occ myocccomand"
```
Here are some examples below.
Putting Nextcloud into maintanence mode
Some admin actions require you to put your Nextcloud instance into
(e.g. backups):
```
# $NEXTCLOUD_POD should be the name of *your* nextcloud pod :)
kubectl exec $NEXTCLOUD_POD -- su -s /bin/sh www-data -c "php occ maintenance:mode --on"
```

21
apps/nextcloud/values.yaml
View File

@@ -1,9 +1,6 @@
## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
image:
tag: "28"
ingress:
enabled: false
@@ -49,6 +46,15 @@ nextcloud:
# ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
configs: {}
extraVolumes:
- name: my-volume
persistentVolumeClaim:
claimName: nextcloud-nfs
extraVolumeMounts:
- name: my-volume
mountPath: /var/www/html/my-volume
# For example, to use S3 as primary storage
# ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
#
@@ -74,8 +80,7 @@ nginx:
enabled: false
internalDatabase:
enabled: true
name: nextcloud
enabled: false
##
## External database configuration
@@ -89,13 +94,7 @@ externalDatabase:
## Database host
host: postgres-postgresql.postgres
## Database user
# user: nextcloud
# ## Database password
# password: test
## Database name
database: nextcloud
## Use a existing secret

37
apps/recipes/deployment.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mealie
spec:
selector:
matchLabels:
app: mealie
template:
metadata:
labels:
app: mealie
spec:
containers:
- name: mealie
image: mealie
resources:
limits:
memory: "500Mi"
cpu: "500m"
ports:
- containerPort: 9000
env:
- name: ALLOW_SIGNUP
value: "true"
- name: TZ
value: Europe/Paris
- name: BASE_URL
value: https://recipes.kluster.moll.re
volumeMounts:
- name: mealie-data
mountPath: /app/data
volumes:
- name: mealie-data
persistentVolumeClaim:
claimName: mealie-data

9
apps/homarr/ingress.yaml → apps/recipes/ingress.yaml
View File

@@ -1,15 +1,16 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: homarr-ingress
name: mealie-ingressroute
spec:
entryPoints:
- websecure
routes:
- match: Host(`start.kluster.moll.re`)
- match: Host(`recipes.kluster.moll.re`)
kind: Rule
services:
- name: homarr
port: 7575
- name: mealie-web
port: 9000
tls:
certResolver: default-tls

16
apps/recipes/kustomization.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: recipes
resources:
- namespace.yaml
- deployment.yaml
- pvc.yaml
- service.yaml
- ingress.yaml
images:
- name: mealie
newTag: v1.2.0
newName: ghcr.io/mealie-recipes/mealie

4
apps/recipes/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder

12
apps/recipes/pvc.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mealie-data
spec:
resources:
requests:
storage: 1Gi
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce

10
apps/recipes/service.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: mealie-web
spec:
selector:
app: mealie
ports:
- port: 9000
targetPort: 9000

2
infrastructure/external-dns/kustomization.yaml
View File

@@ -11,7 +11,7 @@ resources:
images:
- name: octodns
newName: octodns/octodns # has all plugins
newTag: "2023.12"
newTag: "2024.02"
- name: git
newName: alpine/git

2
infrastructure/gitea/drone-server.deployment.yaml
View File

@@ -22,6 +22,8 @@ spec:
value: ":80"
- name: DRONE_GITEA_SERVER
value: https://git.kluster.moll.re
- name: DRONE_USER_CREATE
value: username:remoll,admin:true
- name: DRONE_GITEA_CLIENT_ID
valueFrom:
secretKeyRef:

2
infrastructure/gitea/kustomization.yaml
View File

@@ -16,6 +16,6 @@ helmCharts:
- name: gitea
namespace: gitea # needs to be set explicitly for svc to be referenced correctly
releaseName: gitea
version: 9.6.1
version: 10.1.3
valuesFile: gitea.values.yaml
repo: https://dl.gitea.io/charts/

2
infrastructure/metallb-system/kustomization.yaml
View File

@@ -10,6 +10,6 @@ namespace: metallb-system
helmCharts:
- name: metallb
repo: https://metallb.github.io/metallb
version: 0.13.12
version: 0.14.3
releaseName: metallb
valuesFile: values.yaml

51
infrastructure/renovate/env.sealedsecret.yaml
View File

@@ -1,28 +1,23 @@
{
"kind": "SealedSecret",
"apiVersion": "bitnami.com/v1alpha1",
"metadata": {
"name": "renovate-env",
"namespace": "renovate",
"creationTimestamp": null
},
"spec": {
"template": {
"metadata": {
"name": "renovate-env",
"namespace": "renovate",
"creationTimestamp": null
},
"type": "Opaque"
},
"encryptedData": {
"RENOVATE_AUTODISCOVER": "AgCi+SttRaCTLc7WgBxUiYS56TFgY67zBsMDtRSYbCSXs1XpoTyzOiT0X1gRki8VkGUiI4KQSu/Tph5qbgLnmqrGi7SvzMYzz+vuvPNH9vTPHNnuu92deG1MOxzogybmu3utJyybImWCiv1r7huZuKOLnBhs+r3qC+tImQ6ZcBSvSvVzTQsX5MIed68Xhkx/ZJkoDMAI7MkqZsNsWZbbuQ2HSBpnAkcgUTey3nbO3168aV4Pa/fQhomyTp62v71lVmoYtPmElCrhJUCOlMSSqKxv8zNSCiZImJRTszb1+VeJF2OrfGh8PK6qVWBlY0COiy/VXuVPgJLzPmUJD5yv0qTWITh0c23N4KahNrTfx6l96ctQWY6pU9dJo8fnMLBR4RLxVnQiq8vVDrwFytzQkLtj1E1SP/DCKhk84b2ZfPji+y4teQN0L68VQeZJCvzsxzgkksqDfatOxMyAmx1prkuNM1AlUmYuba8mDvLeViSWxk1pS+qYiaZTAl5GSVHDWSCU02HmoQkmUsSfvEgHUna4Jp86io0GXAyTXjidJf+RpbQ+dTNXAL+m1/3HxhlSDG48idclJJ0oIedF/FzVD53B6QvkqGqAypYrHm4A61DZLSZrvTYE4GuHXKbF75rbvktnC07sTMm/a1tr4zym9Q7ngG3NtDA+WrCe4P/e8m+tO1GwRuC2OW2owWrhpAelAQEu0Ten",
"RENOVATE_ENDPOINT": "AgAZuBCJeukXw54Na4CR8hJT/OW4KnO7ztLk2IGFGknkwFv7olxfE8X/j9IDps+EKL5Sq0I27jq5ZYaAg8i7mmrF6IxeC25Ri2nhl9/vIzFs6h+UtbBe7Yqel7ysnQ/wZ9+cOfedOr0vO7s4edYAKwmmHNDwKFG/YwXs4XyfS/f5lMQ3W3Ecu0ML9z0wfzzzjbixaE4jPHEkTD6FegiP3tPN1xoU3hQO91Sv46hZ5eh7dDwXwH8BU6GUUb/nKeIGrKekQVrBxDt867A+sRiRtcSvhMxg7w9fFV+CyY4z9cehOUwh/Mf6BTANIoGXCFdWZcWP8RvnpkcDTaolhlKkBZ3CHbyGUPdtENVK/0mPyWC8lss2BXIl5bV7SGoTIlCxWLOdfP/RIGL+1FcpDg+n/H46jeDI+4vSWZapu8jGAaDTlDtwMvq3XbKHcpjBmIr8aKG++LU8gNrGf+lhulbFjn+VZC26+M/aGVrY1U7rOt7HTF/L1Q40k1J6IDbpsX08UiacQwvIpcgs6RZ0bdng2xY+3kEfdFVxwKGwHkL3LJrxb09P3WfSEDpV7aTh/dhXwVCfRJpiTeOopiZMRH4etXNmLPoZi2E+NZSAnYVV8BuQAS0ETopTu8WKK41+yr2r0PXbiYBLElji8ckfnMaA5//ocgwUqtaBTNs4duKRfUI6f1tunZWvlkwzzU++ib5pn81D35dYFrN9cM7I/+P6fCaUt2yYaJHzQtcNvrn0N/P6zYHI",
"RENOVATE_GIT_AUTHOR": "AgCtYOZW5mAfiMqhx4CZfPFCtT/MSMmnYOWG210yrac88zx1epHgMlaVoZ1eD9l5kIjOw86QoYLHCOXFm/aE88BbEmuCWG3fh+/sHiXgztBHwOaHBd9EkS48/aVRx/CeapNfjtqB9HpvdV4uD9/zxfRz9+f1kQiibW4cy5Jmbd69L1i4k1h4NW/9LdznBZGIaw4XM8At5sXYNfetQH/IG7OJCwZ+nG/ESfHayF2p0s44R+lkDVHNcy7193iznfFHZjgZ13dr3Sy14JNPmrRba0ySRkcsXW8+oiUckKqaW6SMFNxev5o0ys1S8dothyxDJIPeKfRLVnqkO7aWsQqpVQVFnXBCs1bA1A90gkpMow1qm2WDAa80qI79GZWbNWOyHUzt0Y7UcjPcVyiJjd2DhWBVA8vn9UGhj7FN2vU2L0zrB3DDTYP6dKmVCo61Z2P3RGP7+BFk7+bIb65cE+LZvDhM3ED94aTuZ+ol2pQWzp/Kxle6zGznS7NZ1Lb04997UKW8isrebmYsALh3ljXmcgB4X/jH8F29wqeAMsY0ystotzeRZ/rtB06qa7qmlBkYXBY5sV8GqohAxRotr6I+CKeFIf9wm4DBQaVMc7lJqstvuCA5G94Rh30QRGMInfRW0vaXukhLMpuOYtBSXLNjlYFRLxTT7tjUJdhyQqbdTNRHNIA4noABoXIXPCscpAGPhgNipoiOfadmsNZEhf/rBlAZtDTSOg19LV82RwfJ3lhB0eDp",
"RENOVATE_GIT_URL": "AgBzTC6keBSA+o7Ppfj/af7D+ebwpbDkIH7Vv8oRePPWvnbamtzcTmsamjW11Xn0w6eRGYZm6cnbP9GnGnjn6/VyCFpl+jTUm/pZNQjthpm4VEi3stvQtt9TdSnguWZILWbb60JwFQcBVNdyOlj+ow/yD39LgK28McOfSHg5zw93IX8OkqqHyI2VIZ53u5xtARTL04Hni6/KF8qY6rjukncV7pwn5y+zWvcfMICmBiazI1FJjuj6O3jznDffYmvOUOOaxCQK82OipY5zGg3sznjdJnXt6emAznO+i0NIc9xYl5qWWm9onXdjLxDzoLjxdQQNwQ2JNvROCeWs7E7LZzcUYhjfhNUBTRZb3Y1mqH4OcVKauEZcKhp5kFKM2gwI1SutGmZltMjCvbnEav7Hjp0ZQN4ybIP+yJVNNTpUtSw7sdu3Ectoe7rsSBOPgT8fQvLeWyqLL/cBxkOnmsVBmt7tTfgBmrodhYM/p2Fl1MFpxNQQsXDB7PdArs3s6ZQrgWmvvuZAk73knUxWL9vGZRJU6EbXb6clPrLNJlNz8xJjCvub4o2U8rykhTV6n/g/IgcO0GKm/vDijWgaktFS9zzQLWdpdyV2ptAbPm2o0CWW04WBxthhY8NOG7C2HcRWB9IvZByED2ghLDXA9Rzcn7VfP7Qo9ed7ZoJRlChwmY8kcFS2lccPvqKzV+oQq1cQkWpIyMzv+TZK0w==",
"RENOVATE_GIT_USERNAME": "AgBfBA0vZhMRs7SU2zMaVzYzCQ01q4wVBfU0YkYbs8WrWAPVl+1DWt+c7q5XaBU5QG3hXCZKiyXTq8nldTT06zXswd41DuYN473c3de2PJwuLpyC3Kxp40od7flcMiUOGznm8MlPtn/SteN4GDIifud7y0sawbvNsm5Mfqu6aqMRQamzhxnJw/hUXXd07O5G1A1QXYmSiWLKAGykjdOphad/OScW+gJ+gNjnh2RsFhrUxZqP7Lwa7echhTkMcVmfFX0BQFK7pRbAKqQwxFBWWRbFQvfdYTqOqkkYa4abEUzNz8rcVbsDTIGVJHUGxMWcy2CkqjeeAYFO96NIr34LQ92gF+in6EQVZhKmbdOWDFhV7mrV84Wew7qJLnzWVNOAacm+E1cSh1pWBX71SIJ9oTHm64Lz8T6+YLR/WxbETMKs+HoYBZRnyISOTMtnQFOyiC9rPhBpUFtC8Q7UuQlntiXubz/JtXxu1mbT1Rq69y9QDRObIE0597XxOrxMCuwCOWU27SrbQd3ne923d1UmSWpaN8O5DYuu5GTJQuG6C669uBzO6L9f2iL7ykLZTcs37i7rAzLqBjWKwCm6zyz2MdztXhllJNgblYB943Whx8Rw9GbAZnmapQ8DAd5fzPaR6FjhUuZ/C4XnmhsQ8h81iCssWiI/sXW1Jl68mP48/aMVXDJCar+9avMls+p7pYjt7g+/RHQ6SehqmA==",
"RENOVATE_PLATFORM": "AgAWNczM1n5N2YtAFClfIRRJ3l1iP34fSP/dx+ffbtDsfQJvp8EqJmAOIyrSXbcY9aqST6jGQvTaHpUMBbtaUXyakAn5sGC7CtAJYo5pJ6wKUygJ36q5uhpfj4ocyqNZuipBEVMbPcE3Jt+s0bnS1bmQRCQOSSm89nWf669gZGCfgVEvEYmHXGmXLgYbPTCBhjLLPyx5ZzeVoF+D+RG945a/GtOxChRAkm4eTFMJ6gzzSThbi3/9rFWohpXM6VJynpv8/X1sYEbaUuGh4sYSxYK9X9YGYR9vn+U5uPBvpBtsctvHY3JoLL/9pNKw9fu6JltBm8ynItV+I2nkssP4UROkVamu8Q8YzXuXYS+H5D5q74qy+J21QgKIKzxhQ08gvCbYH+1C2x0NSjZtjqKHutzhp6rLAEXQrMUS+1HwHxYzsxLJZzI2xwPNc829EwSWq/VkeS8jS7sUU1oKOikfbxpatvvMUX6t0VNDlsFoAbcTVrOwipTs6Cosu5ttiwr213KkuZ6eTWUnOxyZgLyNYBimuwhcvfEazmn/VG74qWTCRM2b7EtBcj/q997K7euMIEPAYfMZ1L3tr58szJ/ZSUYoe3x5W5DOAwv7Ut9gmtf4GlmajLkUmgP/bIInae8D/LweWXnPRb7PrQE46za7aNVcMBN6xLVeuIStA+g9dSsYpVfflhbGsuTAKo8g7oveaHOuPxKARg==",
"RENOVATE_TOKEN": "AgB2UWMGLKcFyG0PTMrykaZaUqFJmM5JEPYAMRxzMWR00JfAXjnArCkWFZtyQ/oc7YKmHUGE1D2ChFYJrxZzCyRwgukLf2w0vUh+lfS8Iv9bpZv6PHhGLSXw1IaBan7Bm1f1GN5ig1S4jrZNqCJI4Lc8w/Wb8Mtw8Zsk+toBMZjaa7bfhceoFKhFbaKRc8LDMCwatV0gGM8m8TPji5rpCAJJ2xd9HQdDkoAFu75aYV0qbXsE7MOm5cjjqrxKQWtevOWYi5tcbUvwQFm+1mAkpe/52a61j4Iu1hIqjTb8f6ONu8ut88UfpbYoiZNgtjASrbCYAiEK49qY3HAHcoYhnuWHdREQbxjOk2f/vx12QXEvs/1QzdK3CF67qctZ9QEWn6xI8MRKw/KiUWCXjh8WEQvdAhQ9MGLH1kWMLq/km+TQm6N6gDjbCo3kov/qhLl4iqMJYR0A4mqJGN9yJHG4kC3YcYmOElw0K8/P4zKR6HBJNCQU47+pvhOnaiiMyH9uOOek3Sad52mRdhFa9f7o/Suojlep0W17GETvyz5Z5W4YqxBk0qPcVc2dK8YkpQnAoZ8pJoJSX7N+mI3jsHyTT3swu6PR1sAL9owpV2lVcs3GWDN4I8IAmQ4ZuBXhfkRDnLq7EYhD0HyZ2w1ySfHc8P43PfTBrUFllkDuxpwv6LuimTuR6kgVAaSAvuIrOkfq53OhWtYWRJzt5JPxu+V40QpeSZXetLb/iqEY1lgVEYeKAEHc5SfPwtTN"
}
}
}
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: renovate-env
namespace: renovate
spec:
encryptedData:
GITHUB_COM_TOKEN: AgAUbw4S60DvCn+tRs7KGFkW0geB9OB/H2UzUonoHDShrMugMBL/lXN/ICE+kIRFX3GMK7DwCP3fxxJpJb8v1WYe8fjwFsQTB2cuHYU/HRJ7/Df1iesG5FWZXzeE5WdLFz5r+gunisbcjrIvnY+r5xO4Jxhd6/EnX2AKcTPldp0btj0+Axut+Ox4R7sNjXCfYNgjVfKorGwUcujG/tnu6P6ggNNjE+OsPMd3xV4KuY0EE4qg6hHwzoEXrG9r/V2XHyan6Y7LMPqxPhFd4Or6bgEJQThqqPMua7wLtARyayc6iwm9MB0U5/Z3/RB5kE6e/oXB5RuBONR6dY6H6rPoRoXGRHEdkC/3PzDfGaGSH+geleFHl1lwS+hOGj+icCJUpAoe2VHjvWbvWBxfZb1FW0MFybiA11zR2ki0auuHBXn6BV0qk/zmG7VzNJkBnF4Dtvd9aLw8F1zTulKY7C8APDeXRghA4+ggVDjCiyBmiw7qQDGyt3pEVANCNlkpATVNB2fHXDZqd3CHsvk3hkqPImTZx2dhZAeskUVzeZLqeIw5Vj2tRzneRchxXh/2d5qp5O2s/bfc+2MwtLB1pKDb2k6c62SBz4eou1ILq0C7DSTTptGDQ2u6YabcW18sb6kN7j+G6Xz7RR8My4uZCclRzwYkdXeePlckVYi7jWhP21nNRfxT0CtgyPUnRfEcRzrr9k+OE80hugJxZtq9QUrXaFNEe0ikhe+FIRjYvAy62ibVoIHrev1inEAx
RENOVATE_AUTODISCOVER: AgAShtle7hbkHoQ9edd2mawUGPaAdYk2rW0+7W1frPobEAmkQ0MXgk+6S0MWqZ4k0YRSfBVXY6sNpX2FW8ZPTl6EZOKf4gl6kY+ZhmAlbdCInapabCFSHln5KRaIfYKk42KacNp0gvfEooVNVB3xzwSQvvbmDsN1NfhPjUf+0xH2yoR8FimF1OeDOMWwkIwbKtG/l2SFZ8XvpUoArSy7WCLZ0BTqMUHG8TK+VdRrS1ZvBcSE9QXtg/jK5iM1N9Dnd3ho9nBqC/GaBuOzqJ36d36lVyDen8/KizHDFMpVTzQTsXZW44NWQHjbJyTsx+VzktWLuurt50nKoj0VQumvMiramjINbUIh6JhyKlvyMirRCog7eQBDho1I8rC5xGfcDF1QimyZhFH/Rsgit2KrWSswFOAJotU4wcJS6HJccLsm4OJP7A+5/Iy/HuD+a+5xKi7ZUnIyf/TdL1f0jWGSGYNEZCWS9c6SQBbwUT4bNMV+2kbTte2ATKqAP4f2L7qnjYKqtFj0OT/L168BXciimgktDyLc7jm6A+DqlDHa88p9mTeNT5k/eg9PE5JfIQki9DW7maU5kcp6FtqJabTHlHaMf65IF8zc1/UTKJyAd91lmyJdevwIDKPWB+qq5scbHs7R8jyhgRnmdgp4BDkq3lUbcwNmDJfXG8gJO+qxV1dw/UlBs9o3NS5AcnF1rVTwKguzDWqA
RENOVATE_ENDPOINT: AgBL0fiAo7+lYc0CC2smzyt8QIlflx/6ur991hbpoJ2jPn94kO+9ECT5qhMNeBIosF8Eb9G32A44XbCjHncVSJQh1JEKB9/brIx6EBKjShkqnL+QAz5MibYW5yoykowvsdi0grB8rkeEvUOlKTOL+HmRrpS4JqDYeqaKOibdYP68bKIWmsvBceM8hLD+l2p+7D0iRYcFSxhpjR+gIiWmtwgkaAxt9cXmBalBuUFrr4wfYzxN3uav0+TPwISk8HhVWVNQCz+BO/HHQ+COQ8bN1Srxa6cE67LaCUSxArcX8vl/PCl9atf99F98TJ7S1R7MCxTLpPyd61rvwgVrBDfV8IUBqJ6LqYfyigMKUGPUMTVmihccWrgJr3lyCGC0FcPB1F1jBromMpG4CDHewvx+Pq+KzpoH+EYo/se4yUxhUy27vl0yh6m7aFBOvyixq6F/nKDDm/wa1e8ntflfjiB3JpsgvTXZPdvnBNY6UVDjQm1AgT/IbVJ6N+ZH8ZP0gD0ExqsaChvEaiEmI8sZSTqj+TZDAUQWDHRfRN3X4RtRLsbP1ZzUKgQdtF+dJ0CdcEOanVxRpzBwpxm3Bwd8sYSbxDb+GONQF7ZHkSzAx/hKiE/yQ/f/UWs/pNrHuBcIJ7kn5y0YjQ/7KBiHz4qJU3vSTr9LvhN71z/CLqnCD6udhKAc4qShWM0ozMBQO4b5hfQ8hHtCcxPva7shF3NEoUlfV84qVjbl62jNpNC+Z5TSghgMc/dO
RENOVATE_GIT_AUTHOR: AgA9rIb5PcqeA3AdS9eUv9CEBmSI37s/VrpVOaStL/CKVQTnlzTF5zEoKxVxuOd4t+QkgZqxrO63IIVjyeBvqL2MHbdkoOS1jAhIeSMqJkYB5PCozMOY5puWTd0TIAg85BMpjvkrGK6SsdLZ4O/TEDzeagtvHFfNhW/6wwQaBX+NUWJUa61KV9xHINDjmCrIPot23t2kioINxgWG7yydHIDvgXF11yN1LrmcZdntRPUvaCcQKF8pgemWn0XhN6JEC0/8BEk0AWq3C3mn2VqnqKoAxCnM4bJ/gTw4OK8kTL2XlolTSxf53UydqUJG8p/Wen3bgd82wXYPLeISsuLplvCxhEV+puHHld23q0oqpyiTZSOC+sDjyP5H/5iHwTk79YBjrmmjO0lQjRpZuPVBYqnsiNXQbqxRA+9S9ceTFRfPglYmshocTZ8xFypaGCrIHdi7KqSIGl7NA1rMbN1NMN/eJ/JqkD2R+EnAEagcdPFEd9tYWAj5hAIWcsApdbWlbc/nCMInCtlJnLceH7JbqY4o513xv2vhGZHefShadPQnM7FNTrV7cRQTZc8MnsMPUrMsmbsAAEqMBKbCBwhV0UVOKbyLEigiXvpoigf8LUtiAS8U1b9G4xMxNs31ayJ8th4qAhBRabXqzNCIAcks8FlZSGp9SDs6WiETOl6auZyLk1nSScshN03zSudQV/Kzjj7gKXbaUkyni9no4maZpjPTRrbyLWZMGTnRKDSgeEe5W0wH
RENOVATE_GIT_URL: AgAOqVnkWLda7l7jJ3BuYnuy/HLV98aXarO5lJYcH2BG8u4QIShqFnLU7bnvivjeQDe2OM2qckm+1JvG3L/ggXkPt0m3gLcqMqoRYjqb9OUYJBUivCjjdWg9ylE8gj/EZqqcB+duLmIu58Gc+sboVMUJtGhVXmqk1jotHcKI5KojjPPdVDpJGglqiRbCvdQP6X21YeH1RMurG0i3isak6+qt0PclsdLWfOaK79vNKZkV3XGqeauELrRMv3ZaaCkLsoYiJz4l+bS4BgFtiFAFQJ/rad8vZEUgW3RzerVArUvl1I5tk8IZX8DeNugS/lfZVesQ48PCZV3ok+DOFnc2nITFFYIxTM/XzUl9VyQg8eQqfs6gsekypRkichb6Crw3e68AN6mUXQCLbIe6RajjIT1q722hwW/Vzivt4TmXuzPIQs2IjCWVnTf3cPAoGTT/YrFi6+PRl60FIhqjhJamgvWg47rKfLzuJ6aDVhxI3r6E4oVsU7AiOs0gYS5t7Jec/5bWxew3/S7mt2QBh2On78z7hL2VVyofknpa7tXZEAz8dEptjzGLkhIcKfPz/WNX0Imvzej87ihKx6/l0YrSpqhd4Bx0hlYZi8+TU2A5pbhFEAoDAOuvn/F/13UiLwh2yWRGGQsD6q94dy34WJNfrwUK5rnNIvRKErLKcQdy2VMS+9uBcfm7XAH+mIQUDvdHfzpLOK9ZHZakLQ==
RENOVATE_GIT_USERNAME: AgAqpRl7jvkJigWFaLgjebC17azWigiIxyiiA2ohfOPvB1y8BrgU5hxHj+ONRiu6UlKBuN1S8rNH2jqW9XN+8qHxZ79FF++27T/gnTHL0UEHmYYZNZiOphi8Ei0nixf6rMVCS3P8GW+2mFsuVWVn+AGbuWnSWYT3ILMuoAYQ4Gipz9k55sqXzen0mf+hUH+cYm8t3UCGXmXWm/GQZzKCfiB39Cx6qMzaSQQ0lkmJcjHRV+c3GeYPcgsU6HOwa1yubIpD8p+tQYrMRdl9M0ITgWiGFBJWUqYx59wDF2Agmfb2HBQj5s/ixG9GosR7WhafXCrqWf3LvClI7BM6b0iSgR5l4AdgGpFyBOzeU5WDVjlENcOZucRR+i5gRjUEPHJX7CQgvLM3/6BsOGtfZAn/XA25f6WLXNx/vrDIhS2KucaoA9jhwwbMNKo3jbWyUFilvrPowLWlB7Tj1uDOrXyte3sBZEXhsYOaNupqIm4IqTOW/uCY89SSxLtUVtkHGNSXfOW4waEMZoafgzsLE3C1W0UelXm4Q0BfHsdZlzkapFW2E4jGAsnTt55sdwsDy9DdG2/EFQ/ugPfqQlEmLRrEv48Z2nIuUcUWoIfP/5WyZdxsDLGfRFmZY4OLyEZ52ul0SXuwPIqsYuuzrAIvJe3ou6XKEWS7i+DbUX7cx4/f1Bk3IqZrZugNmRaMZlDrjitLX8DQfK7L01Kskw==
RENOVATE_PLATFORM: AgCwa6VX+N2GRSu4lJEmI4BmK21IXq3SItRU9HAIsNv7kkJoRFtY+mFmWqaUF757ZKrK4Sf1H+l3f9sCgbsLujN6bMgqPCFtGR5v4d2SdHJVrhQ6q0xsjAm/AvSZknNC3h8/1AyS6nMTjhJvA6ns+12HT20n2SjaPjh/ug1FQqe0NGHndFKN+ttsXUhtpkwyACQQYkWYsfXJRpwKfqFSdEjA5CTFsHKHAiGbIYt7KVi87hf63rmWPmzr18jNKflHFTbwO/r+/wo63SPvKDjuvTe5mzVVtP+Y8GykGI2d49u5Ebvdd/CnoClyy/dEVJ630kMe5PxB3Pl0Ai1LpDk7uoTbvVkylFtW2/B+9UWKBIy7HTsgKtbQJHZI+fqw6MMH2vLH8ey0SlRCKxA0ZSsx9aWIVfoytnmPGxnAYbHxcKbYIFQXlfnE+M8EiCIBFYEVJL8sk0jxgAkgMRgc8M7MjXYif1EM1nGHUeivO1m5KUVAF6PSL07YR2JDu32KXfEVw9xPHeTySwE/Hfzr3Ce+PjZ2WwA4MIwA+v7clBwxvpBOlby5g3/CudNUerOg0WW3dt39AyDbD696Ybjml70NUHMecCnRGXVhk/yJUzUWaWyRlnipmaID2WMfFfQ0BHV9T3cfmQGmKOBE38SkEx74kuLAesU4xgfNJSVtAQKIjMruJg92erXK9ilEGHps88Md/r2yKjvo/A==
RENOVATE_TOKEN: AgA3YGnzCWbp9+srwWRExEnCO7Gv/oCVruJLiyp1pdI18qM76GugUOsPRwNydYbi9g3I/a8fCGaF0rAtkKR5Vc3TVo2/m78fc4qRYVGpgtKgcJSwvlbx/pfoe9WU6Ynd3QYigsN0WWfUNmMncQb2I4UoYR7e/B5B9FqNQMC6XMzp3hxQhRLH9Eba0AH1U1HQNDnAaEp7sXNQ6KRvdguWU+iB1DmO/HLAAsFa6Bd2fgO8Vaw0TcFpqKbkBCUoaKVmQT7eWCN6g1XrkTpPJTkARnlhdbb23sPczF0zUJ/WJp2BliKEfey2zzKk8qBeCI917114yPm0uvHFxc4moTnfLqp1AFHTFkFj+soVTe/A8Br1iplmE4xknLZJFe/XA8TSyVkctKlAHLwDewOV4v4YvU7W5FsREyBPCEtFpszsAgmsxSlUiwRQzhW4s5JBb6oEwlpFqWBgvGZzzVB0e2DSostAk1MDYF6RQ2xinYB35/P++qg6UdWSwHA35ueoODP/re6rRAd/TS6bijEzCmSWP4nnwRWAGYzyce+d+CCTRW5QCbGpLru+Uli/wwP0C8QHlM/iWlopsYxG0AYyvgg8operPH81D3hzuVYiRO19dqzQKNVSQYN5k63n+PmheJYlOrz+91Aw4Tna3Y7v9GVLQdtzkVVJ9+kJLnrX5C6qov869jVg1UDjqXGP5XZSEUa8zMy8FOb+RPXNRpOJKNyosF7IUrsOoZOjg09tu7W9TOYkpZFi+WCM+se7
template:
metadata:
creationTimestamp: null
name: renovate-env
namespace: renovate
type: Opaque

2
infrastructure/traefik-system/kustomization.yaml
View File

@@ -11,6 +11,6 @@ namespace: traefik-system
helmCharts:
- name: traefik
releaseName: traefik
version: 26.0.0
version: 26.1.0
valuesFile: values.yaml
repo: https://helm.traefik.io/traefik

19
kluster-deployments/eth-physics/application.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: physics-application
namespace: argocd
annotations:
spec:
project: apps
source:
repoURL: ssh://git@git.kluster.moll.re:2222/remoll/eth-physics.git
targetRevision: v4
path: deployment/
destination:
server: https://kubernetes.default.svc
namespace: eth-physics
syncPolicy:
automated:
prune: true
selfHeal: true

5
kluster-deployments/eth-physics/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application.yaml
- repo.sealedsecret.yaml

19
kluster-deployments/eth-physics/repo.sealedsecret.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: eth-physics-repo
namespace: argocd
spec:
encryptedData:
sshPrivateKey: AgAs/2OnA/yFDMQc9cIbnOlNDh3CFRsh20WWxRLtxYuX9mR99gy2oV1wD/jbZPWL0r501eHLidBq9Jz58LOuWI3aZYIUGe42jF/SK4CBF5NVZsrhN9GeC4IYTig7XvwcD1BekBxOxPnU2Q2/aEaiT9knUm7TidXnAPU/2wi99Zt01Va50iP3glalQsmsKeVZ09oK/p7RRrWhUZHCSBWyvkjMPL5+z1f4/4OWvpY/6kRXIS9VXIcge9CgIptlTH0t4X6OQewHeMoznZa9jQty3kBK/gs4cMqcvY/q/Qs5F7geka/4c9eUQul/1tS9SpdOVYjE4Le8N5uDO81xBx2ChAwBCXAR/DIh3FYEcdeg0liJRU5Rre4DkqSsWOsSoUbQgBCqv9l1la555bVVjMns4NfRz2felEp7QOhTNZJePK3+qYtngTw+d+KLaV1aR5ym8yJE10CP+1/mPOzw9Qy5TNrclr+vLs+PqOFMpmK+Yvjt24M/2J8CF/yBppbkEtnfDigDa1FnmgwM7ZKvvzwIfXfPrRfGPl3YYe1/7iFISvj6lu6+aso8xnIk6Co3T1fT8LDNFSZt1W17bDuiKk6Dork0EU/y5D0VhgwfhTK2PXkCwE4WGuWTFRCyS2HiLGkSBnxAkKQAdaBJRpJjjuKbTADlFUw0qIZseRnsk4wvAFEpruis7z9lnViqP79QePUxUh/C87ptrBh8VoNbbW9hNZCAAxu7d0yRRqoDTCIcmpRSJS0mH646JD74Gkx3PH/HL00t1eJQD+Kf5p2iCaSP7AHGySXxtr6rheQn7MkLk04X/hxmZ0D19YddwAL4ByIeC5IuzbbBSKdm98t0FbBTIx8Qv9Ch4BX1RSqcUFQ2gEfF4P8gDvGUA3daz38FPclRhDer8eYc1HRU1kFZQ5qnUTeRkFdHHujMrqvk2i7FnwRa55PJjCCPG+X3/Wve3GYdC9fB77JecCnZLldtxXVCjdN91bfD6L89DeHcHBe0uZVeY/kHTBj5O0DOxYULyNcSRRbJLUbwp/R6cIwaIsFYh4337xyEqbkvhKDVB9PXDR45CGj9/gRufkOXKGx6VFo3+Le3cjSyk8nLHISScFj3BQ1lsYRPkD4/cx1x3rMIRhjTVNoWLKEtDmumBX6vKwPsP1BULET8e7eCzx7FmYZuV8YGCk0WyzRJmcUsSwodJ2paq0aCJBhvhhjd6zTdLdp/8lg+fS2UDXcVb0vZjuhdZyoEHeHeM+PqhzcgM/U=
type: AgBbRcC8ytF0iErbVCrmCMuNW3hAoxJwY6+5CICsED8IdTLBFZPHZKJAC+1LWjv65G92xVFqJUnNc8eAq1A6KTYcjn5kplKUt4OMQ1RaRviXhN/kr1e31ojY7omPozCbJ4OXYbmBrVxEBGSNFn2qp6Cu8VIUeCMHT9O+7PsoXsU0YnVC2loJsnNAIpOpcP26fhiThDM2qHXg8QsIyp4IfWVMpzXQ9vviagtxK+QStCLlJpCPx+lU7Nmb+9xFrn8DSW2vyBm9eChqof6ZcllAkJVXqx/7dlM91E2hUZIJq9CE7Ht9kr0Dts/4nUxCqFesLzXlLMXZf9GvWuQ2PSy/aNSDUaCxAu7G+6sV2UssQOgpi8eRQ0wDJO8c3x22+K7f+0asYPQllKLRXXYIzDb4LquBBGvwOXt96Grf6Vyap5bma9ZGkVdqO8MQgP94M4VwfKqDsaW/GmX8NWpQIgfNtPglfKDrso5V2PM/8naAOaLVEWuzPbr2sdzXH2uU/3wGVB7WtT75VuiiEF2iYM3yhbotcyEU3B3jG4xRjLDnRVP8XI5vAxu7WecTOYx3G1eJF9R8X9aTruNd/E6VWqQkRtQeLgRQVIOoRztx9OlpiQXPAgoMFEmv/KesgKyneTy9qv2lLGkzby0Gxd3zfT4I9eZ9y9IuX2ttW//GUiRjsa4SdPYrgemgAWKIqT4g129wOS9nEGU=
url: AgCw6dQVXbpCuyYLjGPV6e7oP5MCJmrmbOMbPx+S8pJkgDV958blxciQzuP14CYoyBN8HHdIxIFSYs2mSm2YaqP1OJ4bQU7IqriYoY6pHQcpx/fd4wmIcW51HphS4Ll4l6aE0YCEy8iDLJXuFn8Ln2BwmlZiMOtkqn3mLE2+E5ujJkHNvC6aMF98waATK9idIFLmJSucWjd67H2lnycF/5vDwwSkDX9XEIu/zFjmfCyQA5Lz1ldaouqva+aB/PwJCndhNy0/X0rxlK+n6576bcDK8PHWmdRPX9l0IdyZyDP8Wh/FaRNlK1WeWdTFGkKj09g8BtLh0FoA7WGH77xROCRgfzWqDa71DnI5wfpEGLmMSZoxSq+IC7S13ybp2EhDC2ynvecnXEeSkWM+BA26WFia0pnkDt9IzKTYyMMOkEp5r7LOY/Oo031I649oQal9Yy84O9JoPG7Vd8bWV1Px6SUiFAIhaoXaczzfllZv+G7Q6hXjnquIuNU6AIKglc5P2WUg2/8t36u4HKD6WuZqWw/MOrttRny5sKOb1PFUXPUb04j5W6Jn5epS1z5RwXdujJObfp+z2et80E9F9RXcPFH5Kok+8eq2BzXdP7TRN9DcxpGWYZ0ZLIsQIlvKJYbTUD5kzTEprccX2GJZz6VEbE5SmQu0ygQCWz1duz0LlIK34kWljiVsetNerKEshhW171vcPhoBLj9Ge5azI+yGYEzmlZn/aXz495WyRwwkccHlMrTqW3LSet26u1b1mdXCPlGL6EvzqCB0BYE=
template:
metadata:
creationTimestamp: null
labels:
argocd.argoproj.io/secret-type: repository
name: eth-physics-repo
namespace: argocd

6
kluster-deployments/journal/application.yaml
View File

@@ -4,12 +4,6 @@ metadata:
name: journal-application
namespace: argocd
annotations:
argocd-image-updater.argoproj.io/image-list: mollre/journal-bot # no version constraints, use newest
argocd-image-updater.argoproj.io/alias.update-strategy: latest
argocd-image-updater.argoproj.io/git-branch: main
argocd-image-updater.argoproj.io/write-back-target: kustomization:/deployment/
argocd-image-updater.argoproj.io/write-back-method: git:secret:argocd/journal-repo
spec:
project: apps
source:

3
kluster-deployments/kustomization.yaml
View File

@@ -23,7 +23,6 @@ resources:
# simple apps
- monitoring/
- homarr/
- whoami/
- journal/
- immich/
@@ -35,3 +34,5 @@ resources:
- nextcloud/
- syncthing/
- finance/
- eth-physics/
- recipes/

8
kluster-deployments/homarr/application.yaml → kluster-deployments/recipes/application.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: homarr-application
name: recipes-application
namespace: argocd
spec:
project: apps
source:
repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
targetRevision: main
path: apps/homarr
path: apps/recipes/
destination:
server: https://kubernetes.default.svc
namespace: homarr
namespace: recipes
syncPolicy:
automated:
prune: true
selfHeal: true
selfHeal: true

2
kluster-deployments/homarr/kustomization.yaml → kluster-deployments/recipes/kustomization.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application.yaml
- application.yaml