using an alternative stack

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "infrastructure/external-dns/octodns"]
+	path = infrastructure/external-dns/octodns
+	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
+[submodule "apps/monitoring/dashboards"]
+	path = apps/monitoring/dashboards
+	url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.52
+    newTag: v0.107.48
 
 namespace: adguard
 

apps/audiobookshelf/deployment.yaml

@@ -1,42 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: audiobookshelf
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: audiobookshelf
-  template:
-    metadata:
-      labels:
-        app: audiobookshelf
-    spec:
-      containers:
-        - name: audiobookshelf
-          image: audiobookshelf
-          ports:
-            - containerPort: 80
-            
-          env:
-          - name: TZ
-            value: Europe/Berlin
-          - name: CONFIG_PATH
-            value: /data/config
-          - name: METADATA_PATH
-            value: /data/metadata
-          volumeMounts:
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "200Mi"
-            limits:
-              cpu: "2"
-              memory: "1Gi"
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: audiobookshelf-data
-

apps/audiobookshelf/ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: audiobookshelf-ingressroute
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`audiobookshelf.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: audiobookshelf-web
-      port: 80
-
-  tls:
-    certResolver: default-tls 

apps/audiobookshelf/pvc.yaml

@@ -1,11 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: audiobookshelf-data
-spec:
-  storageClassName: "nfs-client"
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi

apps/audiobookshelf/service.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: audiobookshelf-web
-spec:
-  selector:
-    app: audiobookshelf
-  ports:
-  - port: 80
-    targetPort: 80

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "5.0.7"
+    newTag: "5.0.3"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.9.0
+    newTag: 24.5.0

apps/games/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: games
-
-resources: 
-  - namespace.yaml
-
-helmCharts:
-  - name: games-on-whales
-    releaseName: games-on-whales
-    version: 2.0.0
-    valuesFile: values.yaml
-    repo: https://angelnu.github.io/helm-charts
-

apps/games/values.yaml

@@ -1,143 +0,0 @@
-#
-# IMPORTANT NOTE
-#
-# This chart inherits from our common library chart. You can check the default values/options here:
-# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
-#
-
-ingress:
-  # -- Enable and configure ingress settings for the chart under this key.
-  # @default -- See values.yaml
-  main:
-    enabled: false
-
-service:
-  # -- Enable and configure TCP service settings for the chart under this key.
-  # @default -- See values.yaml
-  main: {}
-  # type: LoadBalancer
-  # loadBalancerIP: 192.168.1.129
-
-  # -- Enable and configure UDP service settings for the chart under this key.
-  # @default -- See values.yaml
-  udp: {}
-  # type: LoadBalancer
-  # loadBalancerIP: 192.168.1.129
-
-# -- Configure persistence settings for the chart under this key.
-# @default -- See values.yaml
-persistence:
-  home:
-    enabled: true
-    type: emptyDir
-    mountPath: /home/retro
-
-# -- (object) Pass GPU resources to Xorg, steam and retroarch containers
-# See Custom configuration section in the Readme
-graphic_resources:
-
-sunshine:
-  image:
-    # -- sunshine image repository
-    repository: ghcr.io/games-on-whales/sunshine
-    # -- sunshine image tag
-    tag: 1.0.0
-    # -- sunshine image pull policy
-    pullPolicy: IfNotPresent
-  # -- sunshine web interface user
-  user: admin
-  # -- sunshine web interface pasword
-  password: admin
-  # -- sunshine log level
-  logLevel: info
-  # -- sunshine additional env settings
-  env: {}
-xorg:
-  image:
-    # -- xorg image repository
-    repository: ghcr.io/games-on-whales/xorg
-    # -- xorg image tag
-    tag: 1.0.0
-    # -- xorg image pull policy
-    pullPolicy: IfNotPresent
-  # -- xorg display ID
-  # display: :99
-  # -- xorg refresh rate
-  # refreshrate: 60
-  # -- xorg resolution
-  resolution: 1920x1080
-pulseaudio:
-  image:
-    # -- pulseaudio image repository
-    repository: ghcr.io/games-on-whales/pulseaudio
-    # -- pulseaudio image tag
-    tag: 1.0.0
-    # -- pulseaudio image pull policy
-    pullPolicy: IfNotPresent
-retroarch:
-  # -- enable/disable retroarch container
-  enabled: true
-  image:
-    # -- retroarch image repository
-    repository: ghcr.io/games-on-whales/retroarch
-    # -- retroarch image tag
-    tag: 1.0.0
-    # -- retroarch image pull policy
-    pullPolicy: IfNotPresent
-  # -- retroarch log level
-  logLevel: info
-  # -- retroarch extra volume mounts
-  volumeMounts: []
-steam:
-  # -- enable/disable steam container
-  enabled: true
-  image:
-    # -- steam image repository
-    repository: ghcr.io/games-on-whales/steam
-    # -- steam image tag
-    tag: 1.0.0
-    # -- steam image pull policy
-    pullPolicy: IfNotPresent
-  # -- enable proton log
-  protonLog: 1
-  # -- steam extra volume mounts
-  volumeMounts: []
-firefox:
-  # -- enable/disable firefox container
-  enabled: true
-  image:
-    # -- image repository
-    repository: andrewmackrodt/firefox-x11
-    # -- image tag
-    tag: 125.0.2-r1
-    # -- image pull policy
-    pullPolicy: IfNotPresent
-  # -- firefox log level
-  logLevel: info
-  # -- firefox extra volume mounts
-  volumeMounts: []
-mkhomeretrodirs:
-  image:
-    # -- image repository
-    repository: busybox
-    # -- image tag
-    tag: 1.36.1
-    # -- image pull policy
-    pullPolicy: IfNotPresent
-
-# -- Configure pulse audio settings
-# @default -- See values.yaml
-pulse:
-  config:
-    default.pa: |-
-      .fail
-          load-module module-null-sink sink_name=sunshine
-          set-default-sink sunshine
-          load-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse/pulse-socket
-    client.conf: |-
-      default-sink = sink-sunshine-stereo
-      autospawn = no
-      daemon-binary = /bin/true
-    daemon.conf: |-
-      exit-idle-time = -1
-      flat-volumes = yes

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant/home-assistant
     newName: homeassistant/home-assistant
-    newTag: "2024.9"
+    newTag: "2024.5"

apps/homeassistant/service.yaml

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: homeassistant-web
-  labels:
-    app: homeassistant
 spec:
   selector:
     app: homeassistant

apps/homepage/configmap.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  labels:
+    app.kubernetes.io/name: homepage
+data:
+  kubernetes.yaml: "" #|
+  #  mode: cluster
+  settings.yaml: |
+    title: "Homepage"
+    background: https://images.unsplash.com/photo-1547327132-5d20850c62b5?q=80&w=3870&auto=format&fit=crop
+    cardBlur: sm
+  #settings.yaml: |
+  #  providers:
+  #    longhorn:
+  #      url: https://longhorn.my.network
+  custom.css: ""
+  custom.js: ""
+  bookmarks.yaml: |
+    - Developer:
+        - Github:
+            - abbr: GH
+              href: https://github.com/moll-re
+  services.yaml: |
+    - Media:
+        - Jellyfin backend:
+            href: https://media-backend.kluster.moll.re
+            ping: media-backend.kluster.moll.re
+        - Jellyfin vue:
+            href: https://media.kluster.moll.re
+            ping: media.kluster.moll.re
+        - Immich:
+            href: https://immich.kluster.moll.re
+            ping: immich.kluster.moll.re
+
+    - Productivity:
+        - OwnCloud:
+            href: https://ocis.kluster.moll.re
+            ping: ocis.kluster.moll.re
+        - ToDo:
+            href: https://todos.kluster.moll.re
+            ping: todos.kluster.moll.re
+        - Finance:
+            href: https://finance.kluster.moll.re
+            ping: finance.kluster.moll.re
+
+    - Home:
+        - Home Assistant:
+            href: https://home.kluster.moll.re
+            ping: home.kluster.moll.re
+        - Grafana:
+            href: https://grafana.kluster.moll.re
+            ping: grafana.kluster.moll.re
+        - Recipes:
+            href: https://recipes.kluster.moll.re
+            ping: recipes.kluster.moll.re
+    
+    - Infra:
+        - Gitea:
+            href: https://git.kluster.moll.re
+            ping: git.kluster.moll.re
+        - ArgoCD:
+            href: https://argocd.kluster.moll.re
+            ping: argocd.kluster.moll.re
+
+  widgets.yaml: |
+    # - kubernetes:
+    #     cluster:
+    #       show: true
+    #       cpu: true
+    #       memory: true
+    #       showLabel: true
+    #       label: "cluster"
+    #     nodes:
+    #       show: true
+    #       cpu: true
+    #       memory: true
+    #       showLabel: true
+    - search:
+        provider: duckduckgo
+    - openmeteo:
+        label: Zürich # optional
+        latitude: 47.24236
+        longitude: 8.30439
+        units: metric # or imperial
+        cache: 30 # Time in minutes to cache API responses, to stay within limits
+        format: # optional, Intl.NumberFormat options
+            maximumFractionDigits: 1
+    - datetime:
+        locale: de
+        format:
+          dateStyle: long
+          timeStyle: short
+    - adguard:
+        url: http://adguard-home-web.adguard-home:3000
+
+  docker.yaml: ""

apps/homepage/deployment.yaml

@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homepage
+  labels:
+    app.kubernetes.io/name: homepage
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: homepage
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: homepage
+    spec:
+      # serviceAccountName: homepage
+      # automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      # enableServiceLinks: true
+      containers:
+        - name: homepage
+          image: homepage
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /app/config/custom.js
+              name: config
+              subPath: custom.js
+            - mountPath: /app/config/custom.css
+              name: config
+              subPath: custom.css
+            - mountPath: /app/config/bookmarks.yaml
+              name: config
+              subPath: bookmarks.yaml
+            - mountPath: /app/config/docker.yaml
+              name: config
+              subPath: docker.yaml
+            - mountPath: /app/config/kubernetes.yaml
+              name: config
+              subPath: kubernetes.yaml
+            - mountPath: /app/config/services.yaml
+              name: config
+              subPath: services.yaml
+            - mountPath: /app/config/settings.yaml
+              name: config
+              subPath: settings.yaml
+            - mountPath: /app/config/widgets.yaml
+              name: config
+              subPath: widgets.yaml
+            - mountPath: /app/config/logs
+              name: logs
+      volumes:
+        - name: config
+          configMap:
+            name: config
+        - name: logs
+          emptyDir: {}

apps/homepage/ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: homepage-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`start.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: homepage-web
+          port: 3000
+  tls:
+    certResolver: default-tls

apps/homepage/kustomization.yaml

@@ -1,15 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
+
+namespace: homepage
+
+resources:
   - namespace.yaml
-  - pvc.yaml
   - deployment.yaml
   - service.yaml
+  - configmap.yaml
   - ingress.yaml
 
-namespace: audiobookshelf
 
 images:
-  - name: audiobookshelf
-    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.13.4"
+  - name: homepage
+    newName: ghcr.io/gethomepage/homepage
+    newTag: v0.8.13

apps/homepage/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: homepage-web
+  labels:
+    app.kubernetes.io/name: homepage
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3000
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: homepage

apps/immich/kustomization.yaml

@@ -1,33 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - postgres.yaml
-  - postgres.sealedsecret.yaml
-
+- namespace.yaml
+- ingress.yaml
+- pvc.yaml
+- postgres.yaml
+- postgres.sealedsecret.yaml
 
 namespace: immich
 
-
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.7.2
+    version: 0.6.0
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.116.2
+    newTag: v1.103.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.116.2
-
-
-patches:
-  - path: patch-redis-pvc.yaml
-    target:
-      kind: StatefulSet
-      name: immich-redis-master
+    newTag: v1.103.1

apps/immich/patch-redis-pvc.yaml

@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: immich-redis-master
-spec:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: redis-data
-    spec:
-      storageClassName: nfs-client
-      accessModes:
-        - ReadWriteMany
-      resources:
-        requests:
-          storage: 2Gi

apps/immich/postgres.yaml

@@ -12,24 +12,18 @@ spec:
       secret:
         name: postgres-password
 
-  # Enable the VECTORS extension
-      postInitSQL:
-        - CREATE EXTENSION IF NOT EXISTS "vectors";
-
   postgresql:
     shared_preload_libraries:
       - "vectors.so"
 
-  # Persistent storage configuration
   storage:
-    size: 2Gi
+    size: 1Gi
     pvcTemplate:
-      accessModes:
-        - ReadWriteOnce
+      storageClassName: ""
       resources:
         requests:
-          storage: 2Gi
-      storageClassName: nfs-client
-      volumeMode: Filesystem
+          storage: "1Gi"
+      volumeName: immich-postgres
+
   monitoring:
     enablePodMonitor: true

apps/immich/pvc.yaml

@@ -1,11 +1,40 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-nfs
+spec:
+  capacity:
+    storage: "50Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /kluster/immich
+    server: 192.168.1.157
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: data
+  name: immich-nfs
 spec:
-  storageClassName: "nfs-client"
+  storageClassName: ""
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "100Gi"
+      storage: "50Gi"
+  volumeName: immich-nfs
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-postgres
+spec:
+  capacity:
+    storage: "1Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /kluster/immich-postgres
+    server: 192.168.1.157
+# later used by cnpg

apps/immich/values.yaml

@@ -22,19 +22,16 @@ env:
       secretKeyRef:
         name: postgres-password
         key: password
+  IMMICH_WEB_URL: '{{ printf "http://%s-web:3000" .Release.Name }}'
   IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
-  IMMICH_METRICS: true
 
 immich:
-  metrics:
-    # Enabling this will create the service monitors needed to monitor immich with the prometheus operator
-    enabled: true
   persistence:
     # Main data store for all photos shared between different components.
     library:
       # Automatically creating the library volume is not supported by this chart
       # You have to specify an existing PVC to use
-      existingClaim: data
+      existingClaim: immich-nfs
 
 # Dependencies
 
@@ -55,6 +52,16 @@ server:
     main:
       enabled: false
 
+microservices:
+  enabled: true
+  persistence:
+    geodata-cache:
+      enabled: true
+      size: 1Gi
+      # Optional: Set this to pvc to avoid downloading the geodata every start.
+      type: emptyDir
+      accessMode: ReadWriteMany
+
 machine-learning:
   enabled: true
   persistence:

apps/media-downloads/jackett.deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jackett
+spec:
+  selector:
+    matchLabels:
+      app: jackett
+  template:
+    metadata:
+      labels:
+        app: jackett
+    spec:
+      containers:
+      - name: jackett
+        image: jackett
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 9117
+        volumeMounts:
+        - name: media
+          mountPath: /media
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: media
+        persistentVolumeClaim:
+          claimName: media-downloads
+      - name: config
+        persistentVolumeClaim:
+          claimName: transmission-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jackett
+spec:
+  selector:
+    app: jackett
+  ports:
+    - protocol: TCP
+      port: 9117
+      targetPort: 9117
+  type: ClusterIP

apps/media-downloads/kustomization.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: media-downloads
+
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - transmission.deployment.yaml
+  - radarr.deployment.yaml
+  - jackett.deployment.yaml
+
+
+images:
+  - name: transmission
+    newName: haugene/transmission-openvpn
+    newTag: 5.3.1
+  - name: jackett
+    newName: lscr.io/linuxserver/jackett
+    newTag: latest
+  - name: radarr
+    newName: lscr.io/linuxserver/radarr
+    newTag: 5.4.6
+
+
+---
+# 2nd version
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: media-downloads
+
+
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - qbittorrent.deployment.yaml
+  - qbittorrent.service.yaml
+  - qbittorrent.configmap.yaml
+  - radarr.deployment.yaml
+  - radarr.service.yaml
+  - radarr.configmap.yaml
+  - openvpn.secret.yaml
+
+images:
+  - name: qbittorrent
+    newName: binhex/arch-qbittorrentvpn
+    newTag: 5.0.1-1-02
+  - name: radarr
+    newName: hotio/radarr
+    newTag: release-5.14.0.9383

apps/media-downloads/pvc.yaml

@@ -1,23 +1,35 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: games
+  name: radarr-config
 spec:
   storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "25Gi"
+      storage: "1Gi"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: home
+  name: qbittorrent-config
 spec:
   storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "5Gi"
+      storage: "1Gi"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "10Gi"

apps/media-downloads/qbittorrent.configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: qbittorrent
+  labels:
+    app: qbittorrent
+data:
+  VPN_ENABLED: yes
+  VPN_USER: vpnbook
+  VPN_PASS: e83zu76
+  VPN_PROV: custom
+  VPN_CLIENT: openvpn
+  LAN_NETWORK: 10.244.0.0/24,10.9.0.0/24
+  WEBUI_PORT: "8080"
+  ENABLE_STARTUP_SCRIPTS: no

apps/media-downloads/qbittorrent.deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+spec:
+  selector:
+    matchLabels:
+      app: qbittorrent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: qbittorrent
+    spec:
+      containers:
+      - name: qbittorrent
+        image: qbittorrent
+        ports:
+        - containerPort: 8080
+        envFrom:
+        - configMapRef:
+            name: qbittorrent
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        - name: config
+          mountPath: /config
+
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      - name: config
+        persistentVolumeClaim:
+          claimName: qbittorrent-config

apps/media-downloads/qbittorrent.service.yaml

@@ -0,0 +1,12 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: qbittorrent
+spec:
+  selector:
+    app: qbittorrent
+  type:  ClusterIP
+  ports:
+  - name: qbittorrent
+    port:  8080
+    targetPort:  8080

apps/media-downloads/radarr.configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: radarr
+  labels:
+    app: radarr
+data:
+  # VPN_ENABLED: "true"
+  # VPN_CONF: "wg0"
+  # VPN_PROVIDER: "generic"
+  # VPN_LAN_NETWORK: "192.168.1.0/24"
+  # VPN_LAN_LEAK_ENABLED: "false"
+  # VPN_EXPOSE_PORTS_ON_LAN: ""
+  # VPN_AUTO_PORT_FORWARD: "false"
+  # VPN_AUTO_PORT_FORWARD_TO_PORTS: ""
+  # VPN_KEEP_LOCAL_DNS: "false"
+  # VPN_FIREWALL_TYPE: "auto"
+  # VPN_HEALTHCHECK_ENABLED: "false"
+  # PRIVOXY_ENABLED: "false"
+  # UNBOUND_ENABLED: "false"

apps/media-downloads/radarr.deployment.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+spec:
+  selector:
+    matchLabels:
+      app: radarr
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: radarr
+        ports:
+        - containerPort: 7878
+        envFrom:
+        - configMapRef:
+            name: radarr
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      - name: config
+        persistentVolumeClaim:
+          claimName: radarr-config

apps/media-downloads/radarr.service.yaml

@@ -0,0 +1,12 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: radarr
+spec:
+  selector:
+    app: radarr
+  type:  ClusterIP
+  ports:
+  - name: radarr
+    port:  7878
+    targetPort:  7878

apps/media-downloads/transmission.deployment.yaml

@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: transmission
+spec:
+  selector:
+    matchLabels:
+      app: transmission
+  template:
+    metadata:
+      labels:
+        app: transmission
+    spec:
+      containers:
+      - name: transmission
+        image: transmission
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 9091
+        env:
+        - name: OPENVPN_PROVIDER
+          value: PROTONVPN
+        - name: LOCAL_NETWORK
+          value: 10.42.0.0/16
+        - name: OPENVPN_CONFIG
+          valueFrom:
+            secretKeyRef:
+              name: protonvpn
+              key: country
+        - name: OPENVPN_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: protonvpn
+              key: username
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: protonvpn
+              key: password
+        volumeMounts:
+        - name: media
+          mountPath: /data
+        - name: config
+          mountPath: /config
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+      volumes:
+      - name: media
+        persistentVolumeClaim:
+          claimName: media-downloads
+      - name: config
+        persistentVolumeClaim:
+          claimName: transmission-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: transmission
+spec:
+  selector:
+    app: transmission
+  ports:
+    - protocol: TCP
+      port: 9091
+      targetPort: 9091
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: protonvpn
+type: Opaque
+stringData:
+  country: at.protonvpn.udp,fr.protonvpn.udp,pl.protonvpn.udp,ch.protonvpn.udp
+  username: VOYkNuZs5PHjeB8w
+  password: WvKCOPijcXKOqcL5d7zjXzOPToS4zPid

apps/media/ingress.yaml

@@ -1,5 +1,24 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
+metadata:
+  name: jellyfin-vue-ingress
+  namespace: media
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`media.kluster.moll.re`)
+      middlewares:
+        - name: jellyfin-websocket
+      kind: Rule
+      services:
+        - name: jellyfin-web
+          port: 80
+  tls:
+    certResolver: default-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
   name: jellyfin-backend-ingress
   namespace: media
@@ -7,7 +26,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`media.kluster.moll.re`) && !Path(`/metrics`)
+    - match: Host(`media-backend.kluster.moll.re`) && !Path(`/metrics`)
       middlewares:
         - name: jellyfin-websocket
         - name: jellyfin-server-headers

apps/media/jellyfin.servicemonitor.yaml

@@ -0,0 +1,17 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: jellyfin
+  labels:
+    metrics: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: jellyfin-server-service
+  endpoints:
+  - path: /metrics
+    targetPort: jellyfin
+
+# this exposes metrics on port 8096 as enabled in the jellyfin config
+# https://jellyfin.org/docs/general/networking/monitoring/
+# the metrics are available at /metrics but blocked by the ingress

apps/media/kustomization.yaml

@@ -5,11 +5,16 @@ namespace: media
 resources: 
   - namespace.yaml
   - pvc.yaml
-  - deployment.yaml
-  - service.yaml
+  - server.deployment.yaml
+  - server.service.yaml
+  - web.deployment.yaml
+  - web.service.yaml
   - ingress.yaml
 
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.9.11
+    newTag: 10.9.0
+  - name: ghcr.io/jellyfin/jellyfin-vue
+    newName: ghcr.io/jellyfin/jellyfin-vue
+    newTag: stable-rc.0.3.1

apps/media/server.deployment.yaml

@@ -18,9 +18,6 @@ spec:
           limits:
             memory: "2Gi"
             cpu: "2"
-          requests:
-            memory: "128Mi"
-            cpu: "250m"
         ports:
         - containerPort: 8096
           name: jellyfin

apps/media/web.deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin-web
+spec:
+  selector:
+    matchLabels:
+      app: jellyfin-web
+  template:
+    metadata:
+      labels:
+        app: jellyfin-web
+    spec:
+      containers:
+      - name: jellyfin-web
+        image: ghcr.io/jellyfin/jellyfin-vue
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "30m"
+        ports:
+        - containerPort: 80
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        - name: DEFAULT_SERVERS
+          value: "https://media-backend.kluster.moll.re"

apps/media/web.service.yaml

@@ -0,0 +1,12 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin-web
+spec:
+  selector:
+    app: jellyfin-web
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80

apps/minecraft/curseforge.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: curseforge-api
-  namespace: minecraft
-spec:
-  encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: curseforge-api
-      namespace: minecraft
-    type: Opaque

apps/minecraft/deployment.yaml

@@ -1,41 +1,43 @@
-apiVersion: batch/v1
-kind: Job
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: start-server
+  name: minecraft-server
 spec:
+  selector:
+    matchLabels:
+      app: minecraft-server
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
-      restartPolicy: OnFailure
       containers:
       - name: minecraft-server
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
-            cpu: "5"
+            memory: "4000Mi"
+            cpu: "2500m"
           requests:
-            memory: "1500Mi"
+            memory: "1000Mi"
             cpu: "500m"
         ports:
         - containerPort: 25565
         env:
         - name: EULA
           value: "TRUE"
-        - name: TYPE
-          value: "AUTO_CURSEFORGE"
-        - name: CF_API_KEY
-          valueFrom:
-            secretKeyRef:
-              name: curseforge-api
-              key: key
-        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+        - name: MODPACK
+          value: "https://www.curseforge.com/api/v1/mods/711537/files/5076228/download"
         - name: VERSION
           value: "1.18.2"
+        # - name: VERSION
+        #   value: "1.16.5"
+        # - name: MODPACK
+        #   value: "https://mediafilez.forgecdn.net/files/3602/5/VaultHunters-OfficialModpack-1.12.1-Server.zip"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "3G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -44,9 +46,6 @@ spec:
           value: "true"
         - name: ONLINE_MODE
           value: "true"
-        - name: ENABLE_AUTOSTOP
-          value: "true"
-        
         volumeMounts:
         - name: minecraft-data
           mountPath: /data

apps/minecraft/kustomization.yaml

@@ -6,10 +6,8 @@ namespace: minecraft
 resources:
   - namespace.yaml
   - pvc.yaml
-  - job.yaml
+  - deployment.yaml
   - service.yaml
-  - curseforge.sealedsecret.yaml
-
 
 images:
   - name: minecraft

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -7,8 +7,8 @@ metadata:
   namespace: monitoring
 spec:
   encryptedData:
-    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
-    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
+    password: AgBe8isrCWd5MuaQq5CpA+P3fDizCCDo23BVauaBJLuMRIYbVwpfahaJW7Ocj3LTXwdeVVPBrOk2D6vESUXu6I0EWc3y/NFN4ZezScxMcjmeaAb+z1zWwdH0FynTPJYOxv1fis1FDTkXDmGy3FXo5NDK9ET899TtulKFkh7UqSxdrRWbD3pegJgqKGPIqDCTAxZN/ssiccfWGS4lHqQBJkXn8DeampcKwjOCvgaBdilF03GoSfpgsqa2Iw2SfTDEobWBWVMMK/RB3/Oi/YJkGwMW3ECUxvTDam8gb0RFA1xjWXoYTLVVP5fK7q7x63ns51HebloxAP1GBrt138N/iDrfbGfjNP8Lx0NFl5y5bTgYN/z8DVTOFf90xxWe+YYERdwllg0Ci1JLNbA+NszXTD4L/HC7a8XuBfjRzxMTeymNjR76jzfPkH6v1EvesOduTfSrahPgS0qS+eGOier1rHxj3EBRhOScY1ut5Bq4oJMNId9nMVbVa6xyq2HyxuJHXV+j6h5FGHmEXn9gIR7wGp8RhtPhKgVGLrHcbHZ5Th2E7eomz1T2NK/ezNP8ZhcwOj/lyGywlW0vhU798zpWhMf57k2OPeuMlfs8Y8y74epBdyBjsrMR4EDctF8RZR3vraxENiMJ6kk1gqKj04ir6HwL7blqwiybIFFnJrp2j7MzgjS4SQ687qMX5Zf5XT03aEE+9W9Epy73tT7zVQKdENCQlcm5
+    user: AgAdiOivMn0d+nYjYycMZz9QSiS/9QqwHPJQMHkE7/IOou+CJtBknlETNtdv84KZgBQTucufYqu3LR3djOBpdnQsYbIXDxPFgRZQ11pwu/sO2EGifDk218yyzzfZMvx1FL7JL4LI1rKoiHycZowCwsAjEtlICVOOYv1/Plki+6MHXiAGG4r/yUhugGx3VLLX+Poq8oaTeHndgSsFXJege8SfgYR4TsC7pQgsM1UQEFncGIhJYTD2ashmUxFJ+7CJjHqPR0lFRrZXmFvPwTYTCMT+tnSHnCFWtTht8cEi1NxA4kD/eKEX0rOol15EUZnFUws2WqWI634TbyGwZ7km/Yw4XoDxiQR4ar6ulkqb/djcc3cWDYE7PF1m1c+r3iog85S5CSfZ5EvdCHHrbPN9uO2gmoRQWiR5qI70YMxBSnkeLZWN05O1vUuopdXFDTafY7YskxLEdIGHGqFUpUrJZOvBB0zNBdHGgYxFzb5pNmMCC5LPlOuoKjV4yskh9Tgovz06aAvsPxn2WWx6NOJambeziKB5OmSKvPsFofViyGBekVAWSWtt9yJe6lu5OKpBEiA6xhGhQ4ZryTXu9wvVALuPSIwBFITv85sIxjJb80qhJ51wb12QgzLLcPby0HSanyBI1M4jfsXWpK8gIAbDNO+eD7z3PhD9Y/5hPqYKXZ37Geyq23xiyxG8XDj6cL+Ie6k8XipayI4=
   template:
     metadata:
       creationTimestamp: null

apps/monitoring/grafana.pvc.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: grafana-nfs
+spec:
+  capacity:
+    storage: "1Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /export/kluster/grafana
+    server: 192.168.1.157
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grafana-nfs
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "1Gi"
+  volumeName: grafana-nfs

apps/monitoring/grafana.values.yaml

@@ -31,7 +31,7 @@ datasources:
     datasources:
       - name: Thanos
         type: prometheus
-        url: http://thanos-querier.prometheus.svc:10902
+        url: http://thanos-querier.prometheus.svc:9090
         isDefault: true
       - name: Prometheus
         type: prometheus

apps/monitoring/influxdb.pvc.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: influxdb-nfs
+spec:
+  capacity:
+    storage: "10Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /export/kluster/influxdb
+    server: 192.168.1.157
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: influxdb-nfs
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "10Gi"
+  volumeName: influxdb-nfs

apps/monitoring/influxdb.values.yaml

@@ -0,0 +1,26 @@
+## Create default user through docker entrypoint
+## Defaults indicated below
+##
+adminUser:
+  organization: "influxdata"
+  bucket: "default"
+  user: "admin"
+  retention_policy: "0s"
+  ## Leave empty to generate a random password and token.
+  ## Or fill any of these values to use fixed values.
+  password: ""
+  token: ""
+
+
+## Persist data to a persistent volume
+##
+persistence:
+  enabled: true
+  ## If true will use an existing PVC instead of creating one
+  useExisting: true
+  ## Name of existing PVC to be used in the influx deployment
+  name: influxdb-nfs
+
+
+ingress:
+  enabled: false

apps/monitoring/kustomization.yaml

@@ -5,16 +5,16 @@ namespace: monitoring
 
 resources: 
   - namespace.yaml
+  - grafana.pvc.yaml
+  # - influxdb.pvc.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
-  # grafana dashboards are provisioned from a git repository
-  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
-  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
+  - dashboards/
 
 
 helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.1
+    version: 7.3.9
     valuesFile: grafana.values.yaml

apps/monitoring/telegraf-speedtest.values.yaml

@@ -0,0 +1,52 @@
+env:
+  - name: HOSTNAME
+    value: "telegraf-speedtest"
+
+service:
+  enabled: false
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: false
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: false
+
+
+## Exposed telegraf configuration
+## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
+## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
+config:
+  agent:
+    interval: "2h"
+    round_interval: true
+    metric_batch_size: 1000
+    metric_buffer_limit: 10000
+    collection_jitter: "0s"
+    flush_interval: "10s"
+    flush_jitter: "0s"
+    precision: ""
+    debug: false
+    quiet: false
+    logfile: ""
+    hostname: "$HOSTNAME"
+    omit_hostname: false
+  processors:
+    - enum:
+        mapping:
+          field: "status"
+          dest: "status_code"
+          value_mappings:
+            healthy: 1
+            problem: 2
+            critical: 3
+  outputs:
+    - influxdb_v2:
+        urls:
+          - "http://influxdb-influxdb2.monitoring:80"
+        token: We64mk4L4bqYCL77x3fAUSYfOse9Kktyf2eBLyrryG9c3-y8PQFiKPIh9EvSWuq78QSQz6hUcsm7XSFR2Zj1MA==
+        organization: "influxdata"
+        bucket: "homeassistant"
+  inputs:
+    - internet_speed:
+        enable_file_download: false

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.11.0
+    newTag: v2.10.0

apps/recipes/kustomization.yaml

@@ -12,5 +12,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v1.12.0
+    newTag: v1.6.0
     newName: ghcr.io/mealie-recipes/mealie

apps/steam/deployment.yaml

@@ -1,106 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: steam-headless
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: steam-headless
-  template:
-    metadata:
-      labels:
-        app: steam-headless
-    spec:
-      hostNetwork: true
-      securityContext:
-        fsGroup: 1000
-      nodeSelector:
-        gpu: full
-      containers:
-      - name: steam-headless
-        securityContext:
-          privileged: true
-        image: josh5/steam-headless:latest
-        resources: #Change CPU and Memory below
-          requests:
-            memory: "4G"
-            cpu: "1"
-          limits:
-            memory: "12G"
-            cpu: "4"
-        # set nodeSelector to the node label that matches the node you want to run the pod on
-        volumeMounts:
-        - name: home-dir
-          mountPath: /home/default/
-        - name: games-dir
-          mountPath: /mnt/games/
-        - name: input-devices
-          mountPath: /dev/input/
-        - name: dshm
-          mountPath: /dev/shm
-        - name: dri
-          mountPath: /dev/dri/
-        env: #Environmental Vars
-        - name: NAME
-          value: 'SteamHeadless'
-        - name: TZ
-          value: 'Europe/Zurich'
-        - name: USER_LOCALES
-          value: 'en_US.UTF-8 UTF-8'
-        - name: DISPLAY
-          value: ':55'
-        - name: SHM_SIZE
-          value: '2G'
-        - name: PUID
-          value: '1000'
-        - name: PGID
-          value: '1000'
-        - name: UMASK
-          value: '000'
-        - name: USER_PASSWORD
-          value: 'password' #changeme
-        - name: MODE
-          value: 'primary'
-        - name: WEB_UI_MODE
-          value: 'vnc'
-        - name: ENABLE_VNC_AUDIO
-          value: 'false'
-        - name: PORT_NOVNC_WEB
-          value: '8083'
-        - name: ENABLE_SUNSHINE
-          value: 'true'
-        - name: SUNSHINE_USER
-          value: 'sam'
-        - name: SUNSHINE_PASS
-          value: 'password'
-        - name: ENABLE_EVDEV_INPUTS
-          value: 'false'
-        ports:
-        # novnc
-        - containerPort: 8083
-        # moonlight webui
-        - containerPort: 47990
-        # moonlight stream
-        - containerPort: 47989
-        - containerPort: 47984
-        - containerPort: 48010
-        - containerPort: 47998
-        - containerPort: 47999
-        - containerPort: 47800
-      volumes:
-      - name: home-dir
-        persistentVolumeClaim:
-          claimName: home
-      - name: games-dir
-        persistentVolumeClaim:
-          claimName: games
-      - name: input-devices
-        hostPath:
-          path: /dev/input/
-      - name: dri
-        hostPath:
-          path: /dev/dri/
-      - name: dshm
-        emptyDir:
-          medium: Memory

apps/steam/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: steam
-
-resources: 
-  - namespace.yaml
-  - deployment.yaml
-  - service.yaml
-  - pvc.yaml
-
-

apps/steam/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 

apps/steam/service.yaml

@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: steam-vnc
-spec:
-  selector:
-    app: steam-headless
-  ports:
-  - port: 8083
-    targetPort: 8083
-    name: novnc
-  - port: 47990
-    targetPort: 47990
-    name: moonlight-web
-  - port: 47989
-    targetPort: 47989
-    name: moonlight0
-  - port: 47984
-    targetPort: 47984
-    name: moonlight1
-  - port: 48010
-    targetPort: 48010
-    name: moonlight2
-    protocol: UDP
-  - port: 47998
-    targetPort: 47998
-    name: moonlight3
-    protocol: UDP
-  - port: 47999
-    targetPort: 47999
-    name: moonlight4
-    protocol: UDP
-  - port: 47800
-    targetPort: 47800
-    name: moonlight5
-    protocol: UDP
-  type: LoadBalancer
-  loadBalancerIP: 192.168.3.5

infrastructure/backup/backblaze-credentials.sealedsecret.yaml

@@ -1,19 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: backblaze-credentials
-  namespace: backup
-spec:
-  encryptedData:
-    bucket-id: AgBwwjlkGjskxMXXpXrnfcT9fJGgDXtbOO/6WcpqsX0exoADw31dADjLTHztiddsGYipiGFf2DBWge69UEnL04NXIzh/xTwWtWaqlz6yOJm/89FMQE1mfbrrLc7tk98TO3oS8i+IDAnkUiYyvDXJexgJg56QLY595PXkpplYit2bAk43mAB02yUZAK0gMs3KRDIvhHFsMq8Uiqx78En5KGGXwEg6KbVDyNvI2k8suEyy+C0yNO/M6dlczoUQiIJbllQzbqIzuxbOp609PfvGFAYHuPlz1kwsg+feZJ3kNsHYi4hWvpd64BWb30iO9J3dAYfW6d7C61t3S5uabmnd9E7bMYZA/OppD8SCknBFalXF91BUiJao9qBVd/BB7TCZOzhdzhxTW+FhgARcA+GIfg+nIzgBqHfAfQQmAOO2RZnsWrvMysyZaUpODvU8kSsLWZJ3CESVRVU3BHmJZpyxjX/s6QEXShQXZaLq54zoFJULZU/kbom5yFNNDWW5sKbURPvbKJcf/J9QabY5toO4yOwDk96Sr/FI+CHHvMh8/amigva0Upq6naiTHXMf4BR6+w3VKP5ALn5cbD5jG7EpUA/j1roMoLn68GMAtTJDLvSq2BGeJENWrUpOmjWZHDKZy8DEKorJk/Wbp46ksteSALE8eXpi4DRKXYDPvDb57EhzoJGQ9NMXgAvU9+1vw2nyTZE4gAWKpg0JkiHglu4Om79HfuGuewzJXlY=
-    key-id: AgBe4Iytjw9CkT7CqqNLHWyG4F8F+R6m8W1fnQZdGJvLy7D81+nB2ZDMCUZgUQV/mppGnXCkSxHyelcyTYCswQ9bD8hZsAIiQACq39v2UFxdORFEgNMj4bTWPo65fwhSK2giozPqN/4lzPopP91uyq1Z0gQaiqn/HDtbfNjq+Nu9kPmV06O1NUj1f7QqvfsMK+Xadv0G+DAA+ClGaq1q3fZPDkl2MSDdbEPGq+fLPK2DSdYu9fr1bc9TPyaU5JDFvGrCg8Nyigugi4wVGjQFtVwR1QsHAADmnoDAdXoj1Sz65QO5F+zNaDZWvnLnVFxAFrXJHihilc4ilAc8hSpE6YHQm7dGO5gGejLRNaaCspb/fPJD1g2XlnkckhFCSwd9sHNrXb07BZk8gFTHfndEC0t2UyUNloYpXsfap6fvehPK91ey35jbxDk9zYdgKZ7bz/tY0450CkofSbhisf2DwS3prt5YCEDaXasrpUqlk4dSbmLaGm6aee8lM5VpO8qYE56nvXY7qr0yB6z/NGWuLX3oH3fV+C8hH1P4mxDjvVEFdtewlF50Bf9WFoE7KpboSvmChZhBfjOkbtsGmQE41ZuNoYVupetXn6IfvYo6MzGoG6dTRVpJ5S2KLQDtsUljQfXJDFCSYwo87DD2dGBEn/z9GFCIPAYNO2ewzU4RUgcXPuDD4I2tdNIC+xdEBZq7BaWn/46Yfc1+FAWUA9VWEL/9kz5tK6hFD3Ww
-    key-secret: AgBcKSHdXHeNBzkZRtbaOEZra7AAWVlzmubaQoklECr14gKNL7rTReqX87qQObjQjmGKXtnJlKXIVHGDuiuHGkqfxQ9PCxccvpA3/7LdbFZnZtlFDWpAv+VB6Tp7H7Quho/GeAo8u6de0BXz85lz7+RyDCssBpuuzpchMgOlcEmhhfgQM5E6ye7bD6LpAZWcay3PV6FW2xTrJvLobpCcJordye6iTdSySPKdk6zflkon9h1KuQT+njmW4cfTQg/u7iS/NDQYcHdCpDHRLCor4GkVmi7NW8q+WuYhUSGWBy55SGvcUobhUL7GEHFJZpKmyrBOwSbwiWUDoN+NjI2TR5xvG0Ldjd/Hj32Vk29I+xSnj/O7pZj5ho35qExlZ/WCe42i0VHjzHFbOoU1MkqB+Skm24L1cLufhyNBtA8NNN3GWZhkcozpe164gpx4H/Vfe0UyzxUn4VJIws/IXYiLb4DgDkGrV+wzigN2QfSgTgs6syQkSs4UJ4gUZeN0jsyq0YHIhq1VZ8qPtLH310d8LZLxpTjZdO0obBwJfnHkg3blwSABEt5756C5DvjKmvO1pjG+JX/PJ0yAINL9Sc+FsY7TnGlItVzD830NcZ3Gg9C4Tg4xBEHybUWCSl1rJjwMvmUvVKNcIzLBHPAOyle1VLTZ37zb13MnhwNwdUtBu7+RZTy9wVO26iqemXTtFVj13kgZkJsyLjM6bo2y2wvFmjBCV9EKQtm87ROStM7iKB46
-    repository-string: AgAEYSqT6VR4OKW9/ZDgjYV+rm4tK3uucZsQG2u7W+8rRO0Rowkuba1AbybjgTE+G3q8si/GtlgsB1J8suvztHcVLNxg0y0Olb40pn2sZjKd85Q8AzsM0pFMkzme1lvnwu1Bcgd6Ck+FCr4CuUnh+UvJM5iWhAoSHJtdBb/EKw2F1BhewAqMXSX4oWM7V/T8RTtW2wBUk4wgX4ia+gCBPMpTo6i00ZtSpRB3Ub9VfGJfRmiXZA7oh5j3yN9nJlXonbJYBp4DNWod76CF7s35HBnSzS7YfIV80R4lH4xAPgRbZ0tvPWkTLMhSBX8rJCEnxT7DjL2lS7WfyboLdL4Uy8WmP7n2difZSr7p2iic6SCP44YgQ8JY5UgXh2QZENQ6oLvjK/PpFTjQ4bfw3E1/dakg1EdCYc/6DPyK3YekccUe/pXvVBrazpgObxXWeKKT6RMDeYWLUXTBHWhJ5OaJHHePD5t9IM65FlFTtkuUFbxExTi/u+RczBlWWcy10Yow3I3LGrDPJ/PfBy4RPfHCeQDQ+WoLJkNT20nu5mBXEYYKgNvgdn4yogifSiNG8vsNpo4dO89aHppbnHdmdp7F9asfbn27btEoFoHzIFku/mEnY5srs+Smrhhzy0+iPKge9LOuW33Gi4oJban1UYFvLAjq8YsZGkbIO82r2p+v15UjwU3girWPl1KBUc8WzLJtnqBvRPWS1ul6/X9JIdmmrHJjC0KlcGiVMU/Ls9ljnQj7dgLXuDW7JzuK3MhTWV3Y2kS39ze3TskCKcbL
-  template:
-    metadata:
-      creationTimestamp: null
-      name: backblaze-credentials
-      namespace: backup
-    type: Opaque

infrastructure/backup/cronjobs-base/cronjob.yaml

@@ -46,27 +46,14 @@ spec:
                 name: backup-nfs-access
 
             env:
-              # secrets live in the same namespace as per kustomization.yaml
+              - name: RESTIC_REPOSITORY
+                value: rest:http://rclone-gcloud:8000/kluster
+                # lives in the same namespace
               - name: RESTIC_PASSWORD
                 valueFrom:
                   secretKeyRef:
                     name: restic-gdrive-credentials
                     key: restic-password
-              - name: RESTIC_REPOSITORY
-                valueFrom:
-                  secretKeyRef:
-                    name: backblaze-credentials
-                    key: repository-string
-              - name: AWS_ACCESS_KEY_ID
-                valueFrom:
-                  secretKeyRef:
-                    name: backblaze-credentials
-                    key: key-id
-              - name: AWS_ACCESS_KEY
-                valueFrom:
-                  secretKeyRef:
-                    name: backblaze-credentials
-                    key: key-secret
           volumes:
             - name: backup-nfs-access
               persistentVolumeClaim:

infrastructure/backup/cronjobs-overlays/prune/restic-commands.yaml

@@ -17,12 +17,10 @@ spec:
             # RESTIC_ARGS Can be for instance: --verbose --dry-run
             # RESTIC_REPOSITORY is set in the secret
               - >-
-                  restic unlock
-                  &&
                   restic forget
                   -r $(RESTIC_REPOSITORY)
                   --verbose=2
-                  --keep-daily 7 --keep-weekly 10
+                  --keep-daily 7 --keep-weekly 5
                   --prune
           containers:
           - name: ntfy-command-send

infrastructure/backup/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - namespace.yaml
   - pvc.yaml
   - restic-password.sealedsecret.yaml
-  - backblaze-credentials.sealedsecret.yaml
+  - rclone-config.sealedsecret.yaml
+  - rclone-gcloud.deployment.yaml
   - cronjobs-overlays/prune/
   - cronjobs-overlays/backup/

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.08"
+    newTag: "2024.05"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.45.2"
+    newTag: "2.43.0"

infrastructure/external/kustomization.yaml

@@ -8,4 +8,4 @@ resources:
   - namespace.yaml
   - omv-s3.ingress.yaml
   - openmediavault.ingress.yaml
-  - proxmox.ingress.yaml
+  - proxmox.ingress.yaml

infrastructure/gitea/README.md

@@ -1,31 +0,0 @@
-# Using gitea actions
-The actions deployment allows to use gitea actions from repositories within this instance.
-
-### Building docker images
-Docker builds use the kubernetes runner to build the images. For this to work, the pipeline needs to be able to access the kube-api. A service-account is created for this purpose.
-
-To use the correct docker builder use the following action
-```yaml
-    ...
-
-    - name: Create Kubeconfig
-      run: |
-        mkdir $HOME/.kube
-        echo "${{ secrets.BUILDX_KUBECONFIG }}" > $HOME/.kube/config
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-      with:
-        driver: kubernetes
-        driver-opts: |
-          namespace=act-runner
-          qemu.install=true
-
-    ...
-
-    - name: Build and push
-      uses: docker/build-push-action@v5
-      with:
-        context: .
-        <other config>
-```

infrastructure/gitea/actions.deployment.yaml

@@ -1,23 +1,25 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  labels:
-    app: act-runner
-  name: act-runner
+  name: actions-runner
 spec:
-  replicas: 1
   selector:
     matchLabels:
-      app: act-runner
+      app: actions-runner
   template:
     metadata:
       labels:
-        app: act-runner
+        app: actions-runner
     spec:
-      restartPolicy: Always
+      hostname: kube-runner
+      serviceAccountName: actions-runner
       containers:
-      - name: runner
-        image: vegardit/gitea-act-runner:dind-latest
+      - name: actions-runner
+        image: actions-runner
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "500m"
         env:
         - name: GITEA_INSTANCE_URL
           value: "https://git.kluster.moll.re"
@@ -26,35 +28,12 @@ spec:
             secretKeyRef:
               name: actions-runner-secret
               key: runner-token
-        - name: ACTIONS_RUNNER_POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: GITEA_RUNNER_UID
-          value: '1000'
-        - name: GITEA_RUNNER_GID
-          value: '1000'
-        - name: GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED
-          value: 'true'
-        securityContext:
-          privileged: true
+        - name: GITEA_RUNNER_LABELS
+          value: k8s
         volumeMounts:
         - name: runner-data
           mountPath: /data
       volumes:
       - name: runner-data
-        persistentVolumeClaim:
-          claimName: runner-data
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: runner-data
-spec:
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: "nfs-client"
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteMany
+        emptyDir: {}
+

infrastructure/gitea/actions.rbac.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: actions-runner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: actions-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["get", "create"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get", "list", "watch",]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: actions-role-binding
+subjects:
+- kind: ServiceAccount
+  name: actions-runner
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: actions-role
+  apiGroup: rbac.authorization.k8s.io

infrastructure/gitea/actions.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: gitea
 spec:
   encryptedData:
-    runner-token: AgAUU0jMe3bhoaOdqRZjRzvuQyRMagahDQtX2eqoJ78xihMPkL2yK5MZoCbcps2+xq2zSBgtdwA8xAMyVC4aKkeqYaPSlvBcvuGbcEsnGYJB1Fmjqn2CbvF4nbfaio+XMBmhZXW+GiPWmeiID6LhMwZghzVmcLEuqSmBJ0uB203j0wqsz/k9haL5zZ3vZRE0ofNFceDiVE55TrvTBiLQf1H6R9kFSaRRvcuCH8desX3OmkcSZ0PktULM7KElF9pX1gndrbwiEL5XK60KzE9URl2qpTK/mRrN88ZBa6IuX7u7M579yD3d7yS/JgYi2TL8s3Z69v8JF/nF1ha19xJFhEp1iiyS40xo8cuGHbfVzDSExbJ9fQMpG+1w8ZmyiARXT0EMjuz7tBSruKlr21R6lvwyri71Zg6cUKoVcmQlcmEW7Y6TkH4dsOGlpBX2KsLai7ObGgsQePZ7BHaMTEl54omtdsNsQaquElKhhhBVLEGGQgbP/YZ0wT244mgQkjuMLjVxAM1IWsu4THUY16F+bphzw4xYesZTYYCJUpNO3FDvcsyqlMgPlLMnO3CZyt+Y1avrfz/id5eJUxlVFx9y5htzXA1GaBgrnoRkrpv2OVRFIxatASGbbQgqcDIWx3VXfjVF32fnzVUNtiTZ+pvC/UcyAvFZmaZIrdbK42cA85O1FaOThHJg+8rpc4RXWOOiVg8+8BAQUd/c9bdPJeYLavDefaI5O9DZT4UqiQioBCET2yZPIhwm9JBT
+    runner-token: AgBHwek/Aj/0oOnI/bnZ4FgtRoeJw4tIKvcDzBhaPdQ7bMVHyHUKYUNP7lkPgZrIN+7rhMY7C/j13iGWx4iTdhTgipLiJvyZ70pXKLSix4IpcypJTElggWkW0JW79x1HyJfBtn9iJiHnEZXPi7sEnyKhA0asAOR0ae8NS6mxxei0TIImaPaC2RHL6MOi40xsXpHz2ZaVhDQaTSRWjv0U6+WkCGcueqM2HLYfF1gqqkzGCjjhdOTK1CKvIvApZ5n8x6x94IiywCXJraDCwLz+acF2c2vA/Jb/3p7TwyyRZ5uIF5LZufhTJ6+5sFJSReHYxO4CpPA8KvM880vtiEjN7LxVo/Jruj2459OvjviKZS03ZwLHHrjanom1+HA9Sx2ffRLiR5ayGkfj/6kvpIRt5x1F7BbPp+a0LXuxJX+1nGDyEa1D1WzVKvZASav6/v7cXcom/nKGO91Zb8qHlOv7ZTs5guGQ9G9VCOHOG8szwpW3ZmQwWfFoWsShzqbDqszBYOGeIjIiDllLzTZ8A9dv9J2ELngZ1IPGIkfpQNEW8hsbNXTYhdVIrkh7BIFkRWfYDNWxqZd4iE6XllQcT1rqndusgiNEJX2r+P4nT8dPewATXQ79wzvZU3kB+VHzM8cLymlVGADi7v/qTY9RcrhuE0oMLzHRShr6JU05VfLGbMsttrYKmW7smvBp3lRJitO5A8+r8cRniS1+Xr8mIx87vCvnoWSH6BKkl9pCdDeCGylAWfkJN9UpkaKg
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/drone-kube-runner.deployment.yaml

@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: drone-runner
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone-runner
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+  - create
+  - delete
+  - list
+  - watch
+  - update
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone-runner
+subjects:
+- kind: ServiceAccount
+  name: drone-runner
+roleRef:
+  kind: Role
+  name: drone-runner
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner
+  labels:
+    app.kubernetes.io/name: drone-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: drone-runner
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: drone-runner
+    spec:
+      serviceAccountName: drone-runner
+      containers:
+      - name: runner
+        image: drone/drone-runner-kube:latest
+        ports:
+        - containerPort: 3000
+        env:
+        - name: DRONE_RPC_HOST
+          value: drone-server:80
+        - name: DRONE_RPC_PROTO
+          value: http
+        - name: DRONE_RPC_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: drone-server-secret
+              key: rpc_secret
+        - name: DRONE_NAMESPACE_DEFAULT
+          value: gitea
+        # - name: DRONE_NAMESPACE_RULES
+        #   value: "drone-runner:*"
+        - name: DRONE_SERVICE_ACCOUNT_DEFAULT
+          value: drone-runner

infrastructure/gitea/drone-server.deployment.yaml

@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-server
+  labels:
+    app: drone-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-server
+  template:
+    metadata:
+      labels:
+        app: drone-server
+    spec:
+      containers:
+      - name: drone
+        image: drone/drone:latest
+        env:
+          - name: DRONE_SERVER_PORT # because the deployment is called drone-server, override this var again!
+            value: ":80"
+          - name: DRONE_GITEA_SERVER
+            value: https://git.kluster.moll.re
+          - name: DRONE_USER_CREATE
+            value: username:remoll,admin:true
+          - name: DRONE_GITEA_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: drone-server-secret
+                key: client_id
+          - name: DRONE_GITEA_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: drone-server-secret
+                key: client_secret
+          - name: DRONE_RPC_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: drone-server-secret
+                key: rpc_secret
+          - name: DRONE_SERVER_HOST
+            value: drone.kluster.moll.re
+          - name: DRONE_SERVER_PROTO
+            value: https
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: 1.5
+        volumeMounts:
+        - mountPath: /data
+          name: drone-data-nfs
+      volumes:
+      - name: drone-data-nfs
+        persistentVolumeClaim:
+          claimName: drone-data-nfs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone-server
+  labels:
+    app: drone-server
+
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: drone-server
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: drone-server-ingress
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`drone.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: drone-server
+      port: 80
+  tls:
+    certResolver: default-tls
+
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: drone-data-nfs
+spec:
+  capacity:
+    storage: "1Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /export/kluster/drone
+    server: 192.168.1.157
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drone-data-nfs
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "1Gi"
+  volumeName: drone-data-nfs

infrastructure/gitea/drone-server.sealedsecret.yaml

@@ -0,0 +1,23 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "drone-server-secret",
+    "namespace": "gitea",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "drone-server-secret",
+        "namespace": "gitea",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "client_id": "AgA53a7kGJ6zZcx2ooTvTNwxaW2FvfzHJnxg6co54+HXinTJKsc4+GJ1PtdIbsZ7Dgu/sLi/4X90fT+PT2sgEx9jIilmHPdJeRtwV1UID3Y46A7cJlfcAKwNOFzp2PWvBvizbNp7tbJwxeAYnVX8GfN6fi700QxBGqAI3u8qQvLpU6UGW2RM96gCXI7s1QhE1Le6TgoESy5HX95pB7csDRNSwVE02OWfDHKEjH8QD8UvBB9xct6uwDfu7KrsJiNJvWMP6arvpfhy/X+UtCTFmj5wmFYL7oc6vSiCkq+QyHgQTEHTmGpEjEGKcQxPQaus3KhbhcxQBYLMEMYRlLPH0AEAA4dzbSpoVXM3LuIe9FppgrTCknK1uRB8wyrHUeInWO8mG7UraV6m5PUS+UYODMvfjwY3PyiGhTSf6LgMlhMl8e+2rb+OsWphT8Pbeom33PucrYaRFr9RpQkJSwE6HU3JEh25YLfIJ7caqRND8C/p8kD679C8UMcNpBN8WS4Cswn5jzmwbeJNM5DGp9yQVZNx7Bv3dHzx9i3ShjJ6QQnR/zWJZ/dWLy6weGYmdZMMXRAO8CCdruvcX5YyeieXZfchSIlZ/GqqBHptdcLpwLiZsfmyTWeBvk5pMAsZaKJ1tfWpQ84s4epzMoieTfhTueGXmeRKX+DJBBcriU+5YoqNxpU1lPL+LoInorJSKN7c3ouFx78N3GDOCq7mlWI94lY0bIs5zhrfUN137ITCcED62AJ7vks=",
+      "client_secret": "AgDQXU7x6RLhE9Hc+goeR2+3rW316SLLLA8tfqx3tsykL+vxhRkY5UCEaak3Rgei0k14jB/Rmme+/O/D1/5tc/i885+sGn0yjU7Jo4L5nkIssUOHlmRSGkRJDb9ABPauFXAjap9KLix9bd8ewI7R0lS3tOK9ZhThYhcfDUqV9qkkbSHzwNptkH7gYWt9qzG/rqqqpFP+PCtjzKVve4LCBgaxetcnh1t+d5oh7VAFnSI9Bt1G/DRzi+K3YZ+YG5+XKevBp06GMiLUMiv/eUvmOfAB/KO79LnNVbOcRsAHfnqLbXgNjFzspr5xDiGMC/ma1245LavywqXDp0S9jjNEe48i51PPQMwHWV8XEovsM6LHcteluNogt+VkL4mOnmP+sba/V3NO51rt1WXl+ca+U4kBq4dLMsdpWUKemz9BlIRC4etEXjwKJ5DznT7u6GUTrXx2RCm1j0OYWM++P10SdyD6tGjKnZf88a33Wrwm8Y7c47JrPTlP4PqLq9gzvD310uVfs1vGYGULaToGy+D/th8qiWWlu7BIfwqlIj8lruVnOhQ4GeEZmUAsqYf8JfsBwuDc0Y+8qbwjFrr2z+5x+2XBL8KGZVopyme45SHijlBZs7YsJqTBsg5oW09grM8/oO731GtzSYmpat2VZlaILuTjALqo/cu//kxwmqh7UX+jnTJ/2N3bKKSAfHWbHDeHeS2XJ+eKaI4onNYW9J70EfAP3vOpU+zmQ8rOzJuJjRt0HarLwzc5CXb1Xhlgsaoj7zKXPQMnqIDngg==",
+      "rpc_secret": "AgAcJNCFtOhK28vnLredkTgsVpnMPwaXss5NT5ysc0IbVid2vWRk2CTjBZc5DzjxxLwI1Ok88MFXHP08ZGCYy4rIbwoi7Ei1OEevGWfaI4n5CvAxr4ZamQHSfIX9dVAm9BSSx2M/mDtCKqVEGJEzyHCedrxf6LXM/YTNgjD43BuCZZMu35mRsHItpYFZQSttlHiUvR8y2YKrhV2P7fiWRD3cCVao8ldzKfGuvRfal8ByGoxpsYLj2D9CdtPvRF/TQsWUJJWwzbI9DmbW1MMI4/b26Jfa5TBvHxS1MQxFJpSXuMIengO+b0bi7WaR36y/FrKSNxIrQDHI7XCb00yYaSfj3RkSBVoAD0a2p8vNupHCqsKBoaWd8tMv/wGP8wbBk4DgGeQiTIvfhbQZU/Q2/LVDDficjXVn3IuKP/cqgGVf6lUh5YsUSs8qwpMil7XySiHvaZn+iFAnsXoejd4S2e/pbRvyaxP1aa7TCxnINjpU7IrnUEUiI4glQmAte3MqZWLXcc0Uk3Qz9PP0cD+V8qCOryrPMP2kTAI8LT/K4DgcEMAEGes4Vx1l0oBMF0xJvhM2kZXcEcf0NzuQJvYTgZpQF5xp0TchezLshmEUSIkII9NvAvn+iEYJeHsJUDijjmBloSYe4+QTgdYh6FakVUwYI5U4ztDNrvgqhWjExfbn8HxaFzsNTsuzGoYs+jwXH8Wk2z1Q1oQjDdO5YTjmdqvkSTdin/5CiuCDHaQX6a4gNQ=="
+    }
+  }
+}

infrastructure/gitea/gitea.values.yaml

@@ -119,7 +119,7 @@ gitea:
       TYPE: level
     indexer:
       ISSUE_INDEXER_TYPE: bleve
-      REPO_INDEXER_ENABLED: false
+      REPO_INDEXER_ENABLED: true
 
 
 

infrastructure/gitea/kustomization.yaml

@@ -5,18 +5,26 @@ resources:
   - gitea.pvc.yaml
   - gitea.ingress.yaml
   - gitea.servicemonitor.yaml
+  - drone-kube-runner.deployment.yaml
+  - drone-server.deployment.yaml
+  - drone-server.sealedsecret.yaml
   - actions.deployment.yaml
   - actions.sealedsecret.yaml
-  # - actions.rbac.yaml
+  - actions.rbac.yaml
 
 
 namespace: gitea
 
+images:
+  - name: actions-runner
+    newName: ghcr.io/christopherhx/gitea-actions-runner
+    newTag: v0.0.11
+
 
 helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.4.1
+    version: 10.1.4
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/gitea/namespace.yaml

@@ -1,6 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 
+  name: placeholder

infrastructure/gitea/postgres.yaml

@@ -1,28 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: gitea-postgres
-spec:
-  instances: 1
-  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.2
-  bootstrap:
-    initdb:
-      import:
-        type: monolith
-        databases:
-          
-
-    # Persistent storage configuration
-  storage:
-    size: 10Gi
-    pvcTemplate:
-      accessModes:
-        - ReadWriteOnce
-      resources:
-        requests:
-          storage: 10Gi
-      storageClassName: nfs-client
-      volumeMode: Filesystem
-  
-  monitoring:
-    enablePodMonitor: true

infrastructure/metallb-system/kustomization.yaml

@@ -10,6 +10,6 @@ namespace: metallb-system
 helmCharts:
   - name: metallb
     repo: https://metallb.github.io/metallb
-    version: 0.14.8
+    version: 0.14.5
     releaseName: metallb
     valuesFile: values.yaml

infrastructure/metallb-system/namespace.yaml

@@ -1,6 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 
+  name: placeholder

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.22.0
+    version: 0.21.0
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/prometheus/kustomization.yaml

@@ -17,4 +17,4 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.36.1
+    newTag: v0.34.1

infrastructure/prometheus/prometheus.yaml

@@ -4,7 +4,7 @@ metadata:
   name: prometheus
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+knd: ClusterRole
 metadata:
   name: prometheus
 rules:
@@ -52,17 +52,26 @@ spec:
     requests:
       memory: 400Mi
   retention: 730d
-  retentionSize: 3GiB
+  retentionSize: 50Gi
   serviceAccountName: prometheus
   enableAdminAPI: false
   serviceMonitorNamespaceSelector: {}
   serviceMonitorSelector: {}
   thanos:
-    version: v0.34.1
+    version: v0.33.0
     objectStorageConfig:
       # loads the config from a secret named thanos-objstore-config in the same namespace
       key: thanos.yaml
       name: thanos-objstore-config
+  volumeClaimTemplate:
+    metadata:
+      name: prometheus-data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 50Gi
 ---
 apiVersion: v1
 kind: Service

infrastructure/prometheus/thanos-objstore-config.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: prometheus
 spec:
   encryptedData:
-    thanos.yaml: AgByW/LKzPh0QeNsHR8Us4bJ/0chIQErhfh5plY1tjqiZyNLlxZ+NygYYzVggW02k4gAsKs68trbLBbeTTEhpKYP8hUphNb13lrgp07wYpOQjUF57i6RjPM2QNJpO0qLSk/nOPIOtR3XKn+nXxdJDmh3j5y0zxVz5O7MLh7adwOaHlyWTLMJjI1cda8YljDp2FYs24lHHMw4gXAYUecGDJNQqw5Xy9IiGh8kBbcKe3j6bVCj1yxPbHszmvZ2s+Q+mnndXnoeLMhwjZhMF8/PETxmSZ2bs41k3lHm/2rcPQCJsl9CuJEGKhu6ndKrVhtury4/US/FheEOoGF0YZk/AQMHII/mxy8haPNxtQTDs4rfYz/BA8cMMZll44wxOY9gAOmhm3sG6GI9wcB1Z65p98xSuDaInknO80l07vwMAAvmrZbT53Fmefrxl+jE1pImcGEsL0MfP621nTXlOBW9keF+6aUOubrwjPKKSXdqZU21acNbaIeRQSJyaOBStAKLfnPFmaryGisgNu0hCk/WmszZ0/s/ilvdMdAD6kKoiKL/NWfXtHATh/fnd76bKfSzNQk6e+WWfomToYVU0HRgAaWnIzjB9Q4tjxkbRwteEodU+K1BvD4xQ0sfQB2vHlDjQGC3pjIUFCWG0SzQGb7oe6+X2CJpcNIBHwF661iELJpJkg8dLsPtwb+8Rj6BL+ZtyVKYv18nDNON0WVpwJb/IHHSmxfYD5b/q6fATCFj55IXK5Nr4VO65a2Sv5Iv0/TTUVkwb8dkMmwfs5qcQiZ4oKWx8Ol6GkjDZrFARUtHQ/9KiZ9xDj3tPic2TeQfKr27sgc4lEL8RSxaRKHkkxIAioea3YgFfBm7ZfoxMlzJnQ1vI2vDvJcRXhWKSGdXiKOddwLSVMZFsSRRi9AxH87Sjt7j1wvsA7xgBqc=
+    thanos.yaml: AgAvZbqz5bYVzhbpfYXKoVHt+wKKuOI2C8pBCkBxuBcORoEf2f6eGVYS+aaojipQk8LaYP2yw/ffRmucKuAH0mVmZllRkVoZTOP7L1ciDmrOpbfrfPtoMJagFY90HKd1FZcI45C64MUYvqHCvF40Jk6rEii9aSmOPj9WyGqh5GrqCO24tt1Prk3o+ZS6Z2tlPRF1PdBpyZcQYYMnSuTgA4aCVuXQF/H5rR1luP85jzJAESp1VEV+xEOUY98ZLaA071fySndFZEn6YflfpixqNWFkloYENMfGL+x9jc/zbvbLyG4Q4FG5etz331GQe29OW7uIibXXGwdKO+a6Wd7a6I9ygA5+V8UdeT9mvB2AZRV6aY3aHifOgTTDDg/9YkXfUnmEwowhzsx7mtumxHOmHssFsWmRCX04wHz596/8/RyqmQrShCdGjtVkhVcEuJPPacC6awj9AZOQcW86uatZgnvnNJPlHjgSYFGxnHS89AWRgY68IF6h4Xhs8CpIcVoujK8Oi05vL3Ypi3g/r0iJ65tbYVo3LfyTnSk4pUgERJHGCPpBmiSo4DG+K9pA+cYyqjgZZGXaGKzLNCUDrBEWg5nY5gNMCyjTEeoQUurz2uPLD07Jme9KUd0a1TpoEsUOvfyyiM1DKW30XTKvIfm5m3voBatV+3oX1XfqyZEqkS7+VtWzqRqYAr0y5MEnBTpIMXQBa8M5SlVvcpaovKk1A6ZzNZExfF77o71v650axcLT3U+sxV8IIRS7y+BDRJGYiXaX0EFOIlIe+YDGFbf2k1kUi1kbhHBQEPCQkTgt79yTLEyXNAGrpNUsNYivWIQ+8GPM6+wDY9NjS2QLFKBt5sPe0VjqxzCeSoUY6rDgmR8rEtWpqOHWfuD5IuyCerzxmh0kMr9vVKjEjfJoSjES2MQRM5wOdVLHJSc=
   template:
     metadata:
       creationTimestamp: null

infrastructure/prometheus/thanos-query.deployment.yaml

@@ -53,3 +53,15 @@ spec:
       protocol: TCP
       port: 10901
       targetPort: grpc
+metadata:
+  labels:
+    app: thanos-querier
+  name: thanos-querier
+spec:
+  ports:
+  - port: 9090
+    protocol: TCP
+    targetPort: http
+    name: http
+  selector:
+    app: thanos-querier

infrastructure/prometheus/thanos-store.statefulset.yaml

@@ -1,32 +1,33 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: thanos-store
+  name: thanos-store-gateway
   labels:
-    app: thanos-store
+    app: thanos-store-gateway
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: thanos-store
+      app: thanos-store-gateway
+  serviceName: thanos-store-gateway
   template:
     metadata:
       labels:
-        app: thanos-store
+        app: thanos-store-gateway
         thanos-store-api: "true"
     spec:
       containers:
         - name: thanos
           image: thanos
           args:
-          - store
-          - --log.level=debug
-          - --data-dir=/data
-          - --grpc-address=0.0.0.0:10901
-          - --http-address=0.0.0.0:10902
-          - --objstore.config-file=/etc/secret/thanos.yaml
-          - --index-cache-size=500MB
-          - --chunk-pool-size=500MB
+          - "store"
+          - "--log.level=debug"
+          - "--data-dir=/data"
+          - "--grpc-address=0.0.0.0:10901"
+          - "--http-address=0.0.0.0:10902"
+          - "--objstore.config-file=/etc/secret/thanos.yaml"
+          - "--index-cache-size=500MB"
+          - "--chunk-pool-size=500MB"
           ports:
           - name: http
             containerPort: 10902
@@ -60,6 +61,7 @@ metadata:
     app.kubernetes.io/name: thanos-store
   name: thanos-store
 spec:
+  clusterIP: None
   ports:
   - name: grpc
     port: 10901
@@ -68,4 +70,4 @@ spec:
     port: 10902
     targetPort: 10902
   selector:
-    app: thanos-store
+    app: thanos-store-gateway

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "38"
+    newTag: "37"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.27.1
+    newTag: 0.26.2

infrastructure/traefik-system/configmap.yaml

@@ -74,13 +74,11 @@ data:
         address = ":9000"
       
       [entryPoints.dnsovertls]
-        address = ":8853"
+        address = ":853"
         # route dns over https to other pods but provide own certificate
 
-
     [metrics]
       [metrics.prometheus]
-      # metrics are enabled and scraping is ensured through a servicemonitor
       entryPoint = "metrics"
       addEntryPointsLabels = true
       addServicesLabels = true

infrastructure/traefik-system/kustomization.yaml

@@ -5,14 +5,14 @@ resources:
   - pvc.yaml
   - configmap.yaml
   - servicemonitor.yaml
-  - https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-  - https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+  - https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+  - https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 
 namespace: traefik-system
 
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 31.1.1
+    version: 27.0.2
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/namespace.yaml

@@ -2,5 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 

infrastructure/traefik-system/pvc.yaml

@@ -1,11 +1,25 @@
 apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: traefik-certificate
+spec:
+  capacity:
+    storage: "10Mi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /export/kluster/traefik/certs
+    server: 192.168.1.157
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: certs
+  name: traefik-certificate
 spec:
-  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "50Mi"
+      storage: "10Mi"
+  volumeName: traefik-certificate
+  storageClassName: ""

infrastructure/traefik-system/telegraf.values.yaml

@@ -0,0 +1,151 @@
+## Default values.yaml for Telegraf
+## This is a YAML-formatted file.
+## ref: https://hub.docker.com/r/library/telegraf/tags/
+
+replicaCount: 1
+image:
+  repo: "telegraf"
+  tag: "1.24"
+  pullPolicy: IfNotPresent
+podAnnotations: {}
+podLabels: {}
+imagePullSecrets: []
+## Configure args passed to Telegraf containers
+args: []
+# The name of a secret in the same kubernetes namespace which contains values to
+# be added to the environment (must be manually created)
+# This can be useful for auth tokens, etc.
+
+# envFromSecret: "telegraf-tokens"
+env:
+  - name: HOSTNAME
+    value: "telegraf-polling-service"
+# An older "volumeMounts" key was previously added which will likely
+# NOT WORK as you expect. Please use this newer configuration.
+
+volumes:
+- name: traefik-logs
+  persistentVolumeClaim:
+    claimName: traefik-logs
+mountPoints:
+- name: traefik-logs
+  mountPath: /traefik_logs
+
+
+## Node labels for pod assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+## Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+affinity: # to read the traefik logs the pod must be on the same node as traefik
+  podAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions: # matches labels: app.kubernetes.io/name=traefik
+        - key: app.kubernetes.io/name
+          operator: In
+          values:
+          - traefik
+      topologyKey: "kubernetes.io/hostname"
+
+## Tolerations for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+# - key: "key"
+#   operator: "Equal|Exists"
+#   value: "value"
+#   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+service:
+  enabled: false
+  type: ClusterIP
+  annotations: {}
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+  # Create only for the release namespace or cluster wide (Role vs ClusterRole)
+  clusterWide: false
+  # Rules for the created rule
+  rules: []
+# When using the prometheus input to scrape all pods you need extra rules set to the ClusterRole to be
+# able to scan the pods for scraping labels. The following rules have been taken from:
+# https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46
+#    - apiGroups:
+#        - ""
+#      resources:
+#        - nodes
+#        - nodes/proxy
+#        - nodes/metrics
+#        - services
+#        - endpoints
+#        - pods
+#        - ingresses
+#        - configmaps
+#      verbs:
+#        - get
+#        - list
+#        - watch
+#    - apiGroups:
+#        - "extensions"
+#      resources:
+#        - ingresses/status
+#        - ingresses
+#      verbs:
+#        - get
+#        - list
+#        - watch
+#    - nonResourceURLs:
+#        - "/metrics"
+#      verbs:
+#        - get
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+  # Annotations for the ServiceAccount
+  annotations: {}
+## Exposed telegraf configuration
+## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
+## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
+config:
+  agent:
+    interval: "10s"
+    round_interval: true
+    metric_batch_size: 1000
+    metric_buffer_limit: 10000
+    collection_jitter: "0s"
+    flush_interval: "10s"
+    flush_jitter: "0s"
+    precision: ""
+    debug: false
+    quiet: false
+    logfile: ""
+    hostname: "$HOSTNAME"
+    omit_hostname: true
+  # processors:
+  #   - enum:
+  #       mapping:
+  #         field: "status"
+  #         dest: "status_code"-+
+  #         value_mappings:
+  #           healthy: 1
+  #           problem: 2
+  #           critical: 3
+  outputs:
+    - influxdb_v2:
+        urls:
+          - "http://influxdb-influxdb2.monitoring:80"
+        token: N_jNm1hZTfyhJneTJj2G357mQ7EJdNzdvebjSJX6JkbyaXNup_IAqeYowblMgV8EjLypNvauTl27ewJvI_rbqQ==
+        organization: "influxdata"
+        bucket: "kluster"
+        # retention_policy: "2w"
+  inputs:
+    - docker_log:
+        endpoint: "unix:///var/run/docker.sock"
+        from_beginning: false
+        container_name_include: ["traefik"]

infrastructure/traefik-system/values.yaml

@@ -7,15 +7,60 @@ deployment:
   kind: Deployment
   # Number of pods of the deployment (only applies when kind == Deployment)
   replicas: 1
-
+  # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
+  # revisionHistoryLimit: 1
+  # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
+  terminationGracePeriodSeconds: 60
+  # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
+  minReadySeconds: 0
+  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
+  annotations: {}
+  # Additional deployment labels (e.g. for filtering deployment by custom labels)
+  labels: {}
+  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
+  podAnnotations: {}
+  # Additional Pod labels (e.g. for filtering Pod by custom labels)
+  podLabels: {}
+  # Additional containers (e.g. for metric offloading sidecars)
+  additionalContainers: []
+    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
+    # - name: socat-proxy
+    # image: alpine/socat:1.0.5
+    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
+    # volumeMounts:
+    #   - name: dsdsocket
+    #     mountPath: /socket
   # Additional volumes available for use with initContainers and additionalContainers
   additionalVolumes:
-    - name: certs
+    # - name: traefik-logs
+    #   persistentVolumeClaim:
+    #     claimName: traefik-logs
+    - name: traefik-certificate
       persistentVolumeClaim:
-        claimName: certs
+        claimName: traefik-certificate
     - name: traefik-config
       configMap:
         name: traefik-config
+    # - name: dsdsocket
+    #   hostPath:
+    #     path: /var/run/statsd-exporter
+  # Additional initContainers (e.g. for setting file permission as shown below)
+  initContainers: []
+    # The "volume-permissions" init container is required if you run into permission issues.
+    # Related issue: https://github.com/traefik/traefik/issues/6972
+    # - name: volume-permissions
+    #   image: busybox:1.31.1
+    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
+    #   volumeMounts:
+    #     - name: data
+    #       mountPath: /data
+  # Use process namespace sharing
+  shareProcessNamespace: false
+  # Custom pod DNS policy. Apply if `hostNetwork: true`
+  # dnsPolicy: ClusterFirstWithHostNet
+  # Additional imagePullSecrets
+  imagePullSecrets: []
+    # - name: myRegistryKeySecretName
 
 
 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
@@ -33,7 +78,7 @@ pilot:
   # Toggle Pilot Dashboard
   # dashboard: false
 
-# Enable experimental featureskdes+
+# Enable experimental features
 experimental:
   http3:
     enabled: false
@@ -54,6 +99,11 @@ experimental:
 ingressRoute:
   dashboard:
     enabled: false
+    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
+    annotations: {}
+    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
+    labels: {}
+
 
 
 #
@@ -64,26 +114,65 @@ providers:
     enabled: true
     allowCrossNamespace: false
     allowExternalNameServices: true
+    allowEmptyServices: false
+    # ingressClass: traefik-internal
+    # labelSelector: environment=production,method=traefik
+    namespaces: []
+      # - "default"
+
   kubernetesIngress:
     enabled: true
     allowExternalNameServices: true
+    allowEmptyServices: false
     ingressClass: traefik
     # labelSelector: environment=production,method=traefik
+    namespaces: []
+      # - "default"
+    # IP used for Kubernetes Ingress endpoints
+    publishedService:
+      enabled: false
+      # Published Kubernetes Service to copy status from. Format: namespace/servicename
+      # By default this Traefik service
+      # pathOverride: ""
+
+
+# Add volumes to the traefik pod. The volume name will be passed to tpl.
+# This can be used to mount a cert pair or a configmap that holds a config.toml file.
+# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
+# additionalArguments:
+# - "--providers.file.filename=/config/dynamic.toml"
+# - "--ping"
+# - "--ping.entrypoint=web"
+volumes: []
+  # - name: traefik-config
+  #   mountPath: /config
+  #   configMap:
+  #     name: traefik-config
 
   
 
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts:
-  - name: certs
+#   - name: traefik-logs
+#     mountPath: /var/log/traefik
+#     nfs:
+#       server: 192.168.1.157
+#       path: /kluster/traefik
+#   # For instance when using a logshipper for access logs
+  # - name: traefik-logs
+  #   # claimName: traefik-logs
+  #   mountPath: /var/log/traefik
+  - name: traefik-certificate
     # claimName: traefik-certificate
     mountPath: /certs
   - name: traefik-config
     mountPath: /config
 
 
-additionalArguments:
+globalArguments:
   - "--configfile=/config/traefik.toml"
 
+additionalArguments: []
 
 # Environment variables to be passed to Traefik's binary
 env:
@@ -96,13 +185,18 @@ env:
 ports:
   # add a new one, the other ones are kept the same.
   dnsovertls:
-    port: 8853
-    expose:
-      default: true
+    port: 853
+    expose: true
     exposedPort: 853
     protocol: TCP
 
 
+envFrom: []
+# - configMapRef:
+#     name: config-map-name
+# - secretRef:
+#     name: secret-name
+
 
 tlsOptions: {}
 
@@ -124,4 +218,3 @@ service:
   spec:
     # externalTrafficPolicy: Local
     loadBalancerIP: 192.168.3.1
-

kluster-deployments/audiobookshelf/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - application.yaml

kluster-deployments/homepage/application.yaml

@@ -1,17 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: audiobookshelf-application
+  name: homepage-application
   namespace: argocd
+
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/audiobookshelf
+    path: apps/homepage
   destination:
     server: https://kubernetes.default.svc
-    namespace: audiobookshelf
+    namespace: homepage
   syncPolicy:
     automated:
       prune: true

kluster-deployments/kustomization.yaml

@@ -24,15 +24,14 @@ resources:
 
   # simple apps
   - adguard/
-  - audiobookshelf/
   - eth-physics/
   - files/
   - finance/
   - homeassistant/
+  - homepage/application.yaml
   - immich/
   - journal/
   - media/
-  - minecraft/application.yaml
   - monitoring/
   - ntfy/
   - recipes/

kluster-deployments/minecraft/application.yaml

@@ -1,18 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: minecraft-application
-  namespace: argocd
-spec:
-  project: apps
-  source:
-    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
-    targetRevision: main
-    path: apps/minecraft
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: minecraft
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: false