remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 3 Packages Projects Releases Wiki Activity

Compare commits

base: remoll:main
Branches Tags
remoll:main remoll:renovate/loki-6.x remoll:renovate/prometheus-node-exporter-4.x remoll:renovate/prometheus-operator-prometheus-operator-0.x remoll:feature/headscale remoll:feature/media-downloads remoll:feature/crowdsec remoll:feature/matrix remoll:feature/llm remoll:feature/gaming remoll:feature/affine remoll:feature/unified-file-sync
..
compare: remoll:e4e9835507fff50ef93a0f4ba567fc8fd7e0bc68
Branches Tags
remoll:renovate/loki-6.x remoll:main remoll:renovate/prometheus-node-exporter-4.x remoll:renovate/prometheus-operator-prometheus-operator-0.x remoll:feature/headscale remoll:feature/media-downloads remoll:feature/crowdsec remoll:feature/matrix remoll:feature/llm remoll:feature/gaming remoll:feature/affine remoll:feature/unified-file-sync

1 Commits
main ... e4e9835507

Author SHA1 Message Date
Remy Moll
e4e9835507 add vaultwarden, self manage argo 2025-10-13 11:22:11 +02:00
43 changed files with 161 additions and 268 deletions
Expand all files Collapse all files

2
apps/files/kustomization.yaml
View File

@@ -13,4 +13,4 @@ namespace: files
images:
- name: ocis
newName: owncloud/ocis
newTag: "7.3.0"
newTag: "7.2.0"

2
apps/grafana/kustomization.yaml
View File

@@ -17,5 +17,5 @@ helmCharts:
- releaseName: grafana
name: grafana
repo: https://grafana.github.io/helm-charts
version: 10.1.4
version: 10.0.0
valuesFile: grafana.values.yaml

20
apps/homeassistant/base/kustomization.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
- ingress.yaml
- pvc.yaml
- service.yaml
- deployment.yaml
- servicemonitor.yaml
images:
- name: homeassistant
newName: homeassistant/home-assistant
newTag: "2025.10"
configurations:
# allow nameReference to work with different mentions of the same resource as well
- name_reference.yaml

32
apps/homeassistant/base/name_reference.yaml
View File

@@ -1,32 +0,0 @@
nameReference:
# Tie target Service metadata.name to other ingressroute fields
- kind: Service
fieldSpecs:
# rewrite the backend service name
- kind: IngressRoute
group: traefik.io
version: v1alpha1
path: spec/routes/services/name
# adapt the ingress url
# DOES NOT WORK
- kind: IngressRoute
group: traefik.io
version: v1alpha1
path: /spec/routes/match
create: false
# adapt any middleware names
- kind: IngressRoute
group: traefik.io
version: v1alpha1
path: spec/routes/middlewares/name
# Update deployment volume mounts according to name changes in the sealedsecret
- kind: SealedSecret
fieldSpecs:
# volume mounts:
- kind: Deployment
group: apps
version: v1
path: spec/template/spec/volumes/secret/secretName

1
apps/homeassistant/base/deployment.yaml → apps/homeassistant/deployment.yaml
View File

@@ -34,3 +34,4 @@ spec:
- name: config-dir
persistentVolumeClaim:
claimName: config

10
apps/homeassistant/base/ingress.yaml → apps/homeassistant/ingress.yaml
View File

@@ -1,17 +1,17 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: homeassistant
name: homeassistant-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`homeassistant.kluster.moll.re`)
- match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
middlewares:
- name: homeassistant
- name: homeassistant-websocket
kind: Rule
services:
- name: homeassistant
- name: homeassistant-web
port: 8123
tls:
certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: homeassistant
name: homeassistant-websocket
spec:
headers:
customRequestHeaders:

18
apps/homeassistant/kustomization.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: homeassistant
resources:
- namespace.yaml
- ingress.yaml
- pvc.yaml
- service.yaml
- deployment.yaml
- servicemonitor.yaml
images:
- name: homeassistant
newName: homeassistant/home-assistant
newTag: "2025.10"

0
apps/homeassistant/base/namespace.yaml → apps/homeassistant/namespace.yaml
View File

3
apps/homeassistant/overlays/flat/ingress.patch.yaml
View File

@@ -1,3 +0,0 @@
- op: replace
path: /spec/routes/0/match
value: Host(`home.kluster.moll.re`)

17
apps/homeassistant/overlays/flat/kustomization.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
namespace: homeassistant
nameSuffix: -flat
labels:
- includeSelectors: true
pairs:
env: flat
patches:
- path: ingress.patch.yaml
target:
kind: IngressRoute

3
apps/homeassistant/overlays/house/ingress.patch.yaml
View File

@@ -1,3 +0,0 @@
- op: replace
path: /spec/routes/0/match
value: Host(`home-house.kluster.moll.re`)

28
apps/homeassistant/overlays/house/kustomization.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
- wireguard-config.sealedsecret.yaml
namespace: homeassistant
nameSuffix: -house
labels:
- includeSelectors: true
pairs:
env: house
images:
- name: wireguard
newName: ghcr.io/linuxserver/wireguard
newTag: "1.0.20250521"
patches:
- path: wireguard.deployment.yaml
target:
kind: Deployment
name: homeassistant
- path: ingress.patch.yaml
target:
kind: IngressRoute

17
apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
View File

@@ -1,17 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
# WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
name: wireguard-config
namespace: homeassistant
spec:
encryptedData:
wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
template:
metadata:
creationTimestamp: null
name: wireguard-config-house
namespace: homeassistant
type: Opaque

24
apps/homeassistant/overlays/house/wireguard.deployment.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: homeassistant
spec:
template:
spec:
containers:
- name: wireguard-sidecar
image: wireguard
securityContext:
privileged: true
volumeMounts:
- name: wireguard-config
mountPath: /config/wg_confs/
volumes:
- name: wireguard-config
secret:
secretName: wireguard-config

0
apps/homeassistant/base/pvc.yaml → apps/homeassistant/pvc.yaml
View File

4
apps/homeassistant/base/service.yaml → apps/homeassistant/service.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: homeassistant
name: homeassistant-web
labels:
app: homeassistant
spec:
@@ -10,4 +10,4 @@ spec:
ports:
- port: 8123
targetPort: 8123
name: http
name: http

0
apps/homeassistant/base/servicemonitor.yaml → apps/homeassistant/servicemonitor.yaml
View File

4
apps/immich/immich.postgres.yaml
View File

@@ -32,8 +32,8 @@ spec:
resources:
limits:
cpu: '2'
memory: 1Gi
cpu: 2
memory: 1024Mi
requests:
cpu: 50m
memory: 512Mi

15
apps/immich/kustomization.yaml
View File

@@ -6,7 +6,7 @@ resources:
- pvc.yaml
- immich.postgres.yaml
- postgres.sealedsecret.yaml
# - servicemonitor.yaml
- servicemonitor.yaml
namespace: immich
@@ -15,13 +15,20 @@ namespace: immich
helmCharts:
- name: immich
releaseName: immich
version: 0.10.1
version: 0.9.3
valuesFile: values.yaml
repo: https://immich-app.github.io/immich-charts
images:
- name: ghcr.io/immich-app/immich-machine-learning
newTag: v2.0.1
newTag: v1.143.1
- name: ghcr.io/immich-app/immich-server
newTag: v2.0.1
newTag: v1.143.1
patches:
- path: patch-redis-pvc.yaml
target:
kind: StatefulSet
name: immich-redis-master

17
apps/immich/patch-redis-pvc.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: immich-redis-master
spec:
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-data
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 2Gi

60
apps/immich/values.yaml
View File

@@ -4,30 +4,26 @@
# These entries are shared between all the Immich components
controllers:
main:
containers:
main:
env:
# some non-default vars
DB_HOSTNAME: "immich-postgresql-rw"
DB_USERNAME:
valueFrom:
secretKeyRef:
name: postgres-password
key: username
DB_DATABASE_NAME:
valueFrom:
secretKeyRef:
name: postgres-password
key: database
DB_PASSWORD:
valueFrom:
secretKeyRef:
name: postgres-password
key: password
IMMICH_METRICS: true
env:
REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
DB_HOSTNAME: "immich-postgresql-rw"
DB_USERNAME:
valueFrom:
secretKeyRef:
name: postgres-password
key: username
DB_DATABASE_NAME:
valueFrom:
secretKeyRef:
name: postgres-password
key: database
DB_PASSWORD:
valueFrom:
secretKeyRef:
name: postgres-password
key: password
IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
IMMICH_METRICS: true
immich:
metrics:
@@ -41,15 +37,13 @@ immich:
existingClaim: data
# Dependencies
valkey:
redis:
enabled: true
persistence:
data:
enabled: true
size: 1Gi
# Optional: Set this to persistentVolumeClaim to keep job queues persistent
type: emptyDir
accessMode: ReadWriteOnce
architecture: standalone
auth:
enabled: false
# Immich components
server:
enabled: true
@@ -62,7 +56,7 @@ machine-learning:
persistence:
cache:
enabled: true
size: 10Gi
size: 200Gi
# Optional: Set this to pvc to avoid downloading the ML models every start.
type: emptyDir
accessMode: ReadWriteMany

2
apps/paperless/kustomization.yaml
View File

@@ -21,7 +21,7 @@ helmCharts:
- name: redis
releaseName: redis
repo: https://charts.bitnami.com/bitnami
version: 23.2.2
version: 22.0.7
valuesInline:
auth:
enabled: false

1
default.nix
View File

@@ -7,7 +7,6 @@ pkgs.mkShell {
kubeseal
yq
jq
kubernetes-helm-wrapped
];
env = {

2
infrastructure/argocd/kustomization.yaml
View File

@@ -4,7 +4,7 @@ kind: Kustomization
namespace: argocd
resources:
- namespace.yaml
- https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
- https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.8
- ingress.yaml
- argo-apps.application.yaml
- bootstrap-repo.sealedsecret.yaml

6
infrastructure/authelia/authelia.values.yaml
View File

@@ -264,16 +264,16 @@ configMap:
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
- client_id: 'vaultwarden'
- client_id: 'vaulwarden'
client_name: 'VaultWarden'
client_secret:
path: '/secrets/authelia-oidc/client.vaultwarden'
path: '/secrets/authelia-oidc/client.vaulwarden'
public: false
authorization_policy: 'one_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
- 'https://passwords.kluster.moll.re/openid/callback'
scopes:
- 'openid'
- 'profile'

2
infrastructure/authelia/kustomization.yaml
View File

@@ -27,6 +27,6 @@ images:
helmCharts:
- name: authelia
releaseName: authelia
version: 0.10.47
version: 0.10.46
repo: https://charts.authelia.com
valuesFile: authelia.values.yaml

44
infrastructure/external-dns/cronjob.yaml
View File

@@ -9,15 +9,55 @@ spec:
jobTemplate:
spec:
backoffLimit: 0
template:
spec:
initContainers:
- name: git
image: git
command: ["git"]
args:
- clone
- https://git.kluster.moll.re/remoll/dns.git
- /etc/octodns
volumeMounts:
- name: octodns-config
mountPath: /etc/octodns
containers:
- name: dns
image: dns
- name: octodns
image: octodns
env:
# - name: CLOUDFLARE_ACCOUNT_ID
# valueFrom:
# secretKeyRef:
# name: cloudflare-api
# key: CLOUDFLARE_ACCOUNT_ID
- name: CLOUDFLARE_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api
key: CLOUDFLARE_TOKEN
# - name: CLOUDFLARE_EMAIL
# valueFrom:
# secretKeyRef:
# name: cloudflare-api
# key: CLOUDFLARE_EMAIL
command: ["/bin/sh", "-c"]
args:
- >-
cd /etc/octodns
&&
pip install -r ./requirements.txt
&&
octodns-sync --config-file ./config.yaml --doit
&&
echo "done..."
volumeMounts:
- name: octodns-config
mountPath: /etc/octodns
volumes:
- name: octodns-config
emptyDir: {}
restartPolicy: Never

10
infrastructure/external-dns/kustomization.yaml
View File

@@ -9,6 +9,10 @@ resources:
- cronjob.yaml
images:
- name: dns
newName: git.kluster.moll.re/remoll/dns
newTag: 0.0.2-build.100
- name: octodns
newName: octodns/octodns # has all plugins
newTag: "2025.08"
- name: git
newName: alpine/git
newTag: "v2.49.1"

14
infrastructure/external-dns/renovate.json
View File

@@ -1,14 +0,0 @@
{
"hostRules": [
{
"hostType": "docker",
"matchHost": "git.kluster.moll.re"
}
],
"packageRules": [
{
"matchDatasources": ["docker"],
"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
}
]
}

2
infrastructure/gitea/kustomization.yaml
View File

@@ -23,6 +23,6 @@ helmCharts:
- name: gitea
namespace: gitea # needs to be set explicitly for svc to be referenced correctly
releaseName: gitea
version: 12.4.0
version: 12.3.0
valuesFile: gitea.values.yaml
repo: https://dl.gitea.io/charts/

2
infrastructure/monitoring/kustomization.yaml
View File

@@ -24,7 +24,7 @@ helmCharts:
- name: loki
releaseName: loki
repo: https://grafana.github.io/helm-charts
version: 6.44.0
version: 6.42.0
valuesFile: loki.values.yaml
- name: prometheus-node-exporter
releaseName: prometheus-node-exporter

1
infrastructure/passwords/configmap.yaml
View File

@@ -11,5 +11,4 @@ data:
SSO_ENABLED: "true"
SSO_ONLY: "true" # disable email+Master password authentication
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
# remaining SSO_ variables are set in a secret

2
infrastructure/passwords/deployment.yaml
View File

@@ -16,7 +16,7 @@ spec:
- name: passwords
image: vaultwarden
ports:
- containerPort: 80
- containerPort: 8000
envFrom:
- configMapRef:
name: config

2
infrastructure/passwords/ingress.yaml
View File

@@ -11,7 +11,7 @@ spec:
kind: Rule
services:
- name: passwords-web
port: 80
port: 8000
tls:
certResolver: default-tls

4
infrastructure/passwords/service.yaml
View File

@@ -6,5 +6,5 @@ spec:
selector:
app: passwords
ports:
- port: 80
targetPort: 80
- port: 8000
targetPort: 8000

12
infrastructure/passwords/smtp.sealedsecret.yaml
View File

@@ -7,12 +7,12 @@ metadata:
namespace: passwords
spec:
encryptedData:
SMTP_FROM: AgAbhbyTdArio1wEn4/zj+AK4YaLyMtMkaPFqtVOU8UWAtEg8ko/tIXHj7nn/NVQt6sS2O9x02ShoVJC1HXqzG8reMLkzZg5cb0wtCSNpzHnLH2voH1p4KrgnHo1AznIkXoajcOHjWSYQ2/rAeCmuuEfPZ7jOWNMN2c5GWqm0mXsfqAUVxznC8sHCmIVdeHUcSaLRpwnvr2fjSrOqh+AI6df3tzCpQjfu+zf4Z2JSgvAPLCyCzj9NDDFqawpRRHinhbXk34ZYO00CrjCMqnxaBev7qXmPeDx4eTPR8WNyMzdO2Yx5vmmXNay+QhoO3eP6leQQyaGtYkQSep35wMyA46MmM+A4nQCMIFPFzBGAqle32L+u6KP5D9GWtmiGXWmdM8LOf2qt1wKiEfEZXldtc3hoKjM4NTb+0wgUXE+ZpVOQiorGta6jhAwJYhTDPO0rP6lC31G9EQ9bI5N+OpZpRK+EELNPrjEfTIfPUMg40B9DG3WK5yXTmC3DvHsCj25dnKokNvxcaZ3EhG6+k/5Z5zTESAMWuGepr34ROE5a0+zRLcOfVD9S5QwpqIxi8GJJuJvI/SAjUEPLY7pPsBLYKMl3zAGgAcI8yjAWhurgVS1DKhufTmp+hh+JypyLnCc4hUJIXaRwSJrBhezsajkxMmORboHM/d19SmUorzczo2i54LtTTTIRfAWui/EWc3QCSbfoPF6asESXD45M/yblI++EVfc
SMTP_HOST: AgA2KfKxxUvzHrkbL4ZDUU/TuylhnhRSm3OGVSVGt54OFJqBuh4fCA2PSPzw84Kh46zJjX8vh5fjzN00gfHfqtm0K4W1D+i+UAz/JAIcQVAjPyjgVNPZUSNSrZrV2CDRMJ8HhbVYx8xiRb2kHV+HTjtINccdxjxR+OpfMn1lb+aA3zoI8yv9s2pkVrt1+T1GepXm9KMCd+rS3XSx2w9ujkPTaT3MwY66l/1i6agpY3MtNVXt+Y8pK9yx5mhjNRAnyfbCZfHzaswKGfDetOzkfmSy3ddP22uHOjbEKp99yQPxgY0bNwGhA137oUAgzmWu0Yn9z3KFz0G2as/tKTQT5240aJlHzFSsWfbW4Y4DQahQzbF45aS61SlKAsSXzPc/kyEE/Tizuh3eACY6yfw6Zs+R1y5Y27oS5/GNyAYdk/acM/C0nO3da5qBL0ItzMKYy3kufbOvDwt9na0uWV32JusYAeP81e9LRcxO7+a/oFlmwBtFMLExXWQEHwIIwWFC6RGlF0OOfZN9mXsqr1IDlRvDWN4b/YXkFQJBpySByxQ0xYUeHOAFSacGC8rPq68Scc7djyq8mTh87plBQzo4FL/rAch61Mmlp4VVsN6hyJ50CC1qfzsZ0bcFd+lh45T+lSg5OSGrw14F/01dhS5EoH5DVv6Ug9UY+0q0w1iST+6KH4/nxTJe/lBF9eAQEU+FHvyUfVZksHua0jdCQKSxXzLp
SMTP_PASSWORD: AgBf3JVFUU16IVhPBcYkzZY4Qn5tNRahtsGygd8E6WGAxw90MY9/gmm+LWAEAYWc4ZNonCZiGR+JegkN4nmmxpiseYShW2Dp3rH33BOmVSAvnQttTCq4zV8jEk52Y49hmpIvEVh9nO6UVP4KujnEqz7rnL6I6dIsdkyXdDjZTnSgZlkn7FaAkfEdmpRtYH31qYOa8TyL0Q7PIzr/sJGn0YKvSH7a6w0FJ9RV0+t4pNuqLpiPltMX9B7RLLNm+TgzO37oA3cePAAtUR0PXFW8GnCB0KcAeoqZFc4UAzhwp9FX6oa7KUfvoWAq0RHzJfdAa8laVJtZcWP1lLOgyW6z7PeoUahjFscfDisp2aRl4jAIV5ZaOe3ZAYGOMFR0VyIt1vCaYKtdplSzlNVlGj8jvLY1rg5VVnXHNheaqmL1xAhB8uCCIcRKquCSU0wvd6YBKrUIDJX9d9IXkLvVfvAhdBnTLSkMHJErxWvu2dRm5HqiiGrvRjJewIz4n8rwUapykKX8ujlu9mf6sGxGuVbaOU+gZrNSIffz5GUewf38ZHcidAiPVsA6WnX93ZDVfZk0xObrzUQ+s4dmlZMrQFgvhv9Q2zJP0cEtMnGPsTy8klC4FeYVEWJyAXCyt3+2MbUZYf2H+yCOnHeRkzOejrrfvEep3BF8dzKmYnrmNClP2skZEPr2afttUo8a5CTs6gX6mckplUqHz2R4oi8/kispJf8Y
SMTP_PORT: AgCYfANfQLW15FIgRb0AQoBXJ7mOBh8vb59eelZdm1aX66GlXMQOIi9yAIm/2fe1xOsYui+6do4JV7xlvYBOkC8JJ3MNZLdTrepRf6ejuM8QI7V7L2lXsRrPIqLEJOfO/rn3tHnuWbfXOw7UdSvt7x2BoB1XWGZuigsa66FGkTSCMlqKhJJngeSu5VeFGpSc4LANL/XGnXNc4tQdpZN9AjpPdSUTpexgY10Zd4ppvBR174XidRabe4WDs9H6uZj92Bpht3axq0fEYRwkDiNPQLFx8kkOKCU98xV7RVyqT8UnRE/Q+eng26lGNMa+c3bbN/6MYUmSe2RU2Ymaz2AJqMOBn72Y4blDMgOdrZEz/ITiOE3zzZG890qFq/lfLueIEwd7LmBpAZMDzsKYWs+7UI1EKAfavWIO9BUoH9JbVkUgAQ7YtPXLCxUeBvMTci5YlZKmNyhMP2fWnqYvhZXJNZYJqHEbtTQGAoLuD/5xupVhB0ouguwkjRvGwLHpQncbFfybhWIflcVjAgHH3AelKyhWNDLNZatIVqWIfmEcZpj1CbNbO3Pzb/kSa57cNZc0S/N/rrYQKR8vK6vpXxrmC5MouhdH0x45ONA2GqXHehqgdNayN8T6y3xfY7UqSUbksM2smWFY0gxqBoFdEkosSyvFPpqQnAzbiJWlsQDmSTmj0dodENotHQhRdrZSEuhFGkI7MVaW
SMTP_SECURITY: AgApP3Kzb1qAZCassr3Q2YPCcc4zi0Py0ezXnixHF0GXVjbyEjjw+5EZ6LmtE4In+hu7HXhYKqwVi50VXmtb1sI17wK3hF8EXa+4jSZtAo/PKKKh4CkVVFqwIjyvtdnokXIJUkSHDMnIWLFG9Lblr5qib8tUyeyJH6vzbC7ai/nXZ7amGTJOx2HLKPal7QM1y7TAdeee1IFdlg05vJ/Dp2+EY13DLWwNvTr5+DgBVDGKALwHu54KnuKJCuXtptZvS1PuVL+55sEByUikU00u8ZZ0GVSNIJFHfYjtYMHWbw1gUiKvUb0GngEQ58/v8QPTsZNTDWcUjONy1ncGGQT7mrsarCZvY5EzJmWQgkzrLcEKOtQfSEJZvUAaxTa3WgvfUchhMAkLYN4Bml+wajQfnjmyKpPsMc11n4yQ0O+5pu17lIImtLiMA2+g1dSDs0mr6+AQIjOw6TDwU7u/7qM1xTUUvWBiOHaT4xnDi6TYOEHiQmGLXVz1TYCX1RX7Y0RtHkZHPTPACs+zY6VfWEaxFgK0r8+aykgRGMZLSsw+MVwzgxWt96iLQLpcO1qVhLpbOKFFdtxbava3FiSRlLdGHRX12WVcFmn2gun0SsxF2HAg5fT2Kt7aC9qSVoxH5ExtDg2uVFVpeltFPZ3UyyOLhXhwGF1VJR4tCts/MJKD0pWOpKCe92LMm4FGjt4ytWlMErbcfIbtCy1oqQ==
SMTP_USERNAME: AgAWUwitsOQ1MGS4mJ4UzNsLvL8sgtVuMlua6sTdukpFPfZEcZaHBgWzw+Rv0HKCn8ebjp4dfGzmr/cIiMRGRe/ZbA8f6FMQg4lIlmHIJ1EbpGmfRL9m2bJRfl/aNifxTZD6Qgk4JBzlZIlwI6d9xB51sjFAPnEJmTM4AhC7bAhtTGHWLLdn33bXW/+aBWEz465cQdksTrketrHbz6O/Z77bL6Zh+zNwS7AwoQ2bUg/g9ORjRBirYJcojEYdQeDeBNWN3VUrbWENF/ouISvgSJFKeka/G2a9lMNbraSSLlru2xZOLdM5OTald+mi+VgdTDARiJFPL5tyhdUMe+8ZpIG1t2dUEasZZernXpoHyOckijufN92zyxfdXJu0RPIkC1w9zH5ArpoYjCxIzHz6e/wMvjqfEPbE7FtMfGHlzZZCikjt2+8+sDJ/mApgqYKNo68v6773ou6P0HTrti9fM8e2jlZ/nfe3xnzQL2XNjIC5wBc+f825y0U37QduoEeDCE+R3Uihxjq7dAg0omeNeKXChUJkPaX7QvDr1TnXaqSZZgoXZ3U0WujF9Z6A34CwAjJY0ao55ggwai0w0FyFOdUDv5P/bQU+1ex5l5m94MG3KwLmy9Pb3xyDXzpB9oWIskaBzN+v1XdWSRoRzzoZHV/KFJ1HYn1m4yww/JgAxTqiq4pNPKdxDGX+pL4e7U0SmuEPIRw85PpA
SMTP_FROM: AgA2bN0tkQhhsTtenjjECo2kSR1HJFS7bRhL8FMIsBb81gObN4EI2CnE38RE5R1RMsszsces7F9YH/husYY9Q3SAuLMPNgos6wHEB0cg8lY8tkXmXn2n9a5SnLy3+adnhAIMEJ+wPKpxELrhIjyE2Jgz4ZKX+s5WXWv8+mu1Sk1sMOqf2p0/MTpfRtOJtziShNmTyG9W4H4pckuE0uE5Fi1NGey9iSEN/g7FzlDCxujzSsLS7PkpKVqplUKtp/QLfH6afEcrmkZGIErdXfbg4jFGc/LWstuHDcBa9y7W+Wz2hWInQqWOeLlV54MlIYth4MMjNi1FHsxXuzQRkkmi0KTIXd0J4M/+C85KetQeFlOV+fhybRJWhtYVS46xUaf0jTaWeRTGsqlXU1fa8xPOFsN7nStQgyDh1Hk868CAR5K9lrbFcwTO/XOPs7ZyI33CGwHTbC07B9OK/Y+oENeYymdB5ICmJQ4fB1m5SDtElRu7hlf33C5Elu9aGFvECAJPsMpHE0t2HUqqfPUZtnQ1D78BJa7Coa8+J6prbubqmJTpw1sR7kFtHJR+SbTezPGbKVG8+NUmzwHzUQssz75jb4coqStRvx3tGA3q+ObC0KNn6AwUItH8R7ctVEd69qfFjdMTgRzJJwo2+thDQGVo5ZSENb8C+E7yL7xELK+FEkL6kt1Xo0FTIAIj6pWB6aTktu8a0hSIGho5rc0TI/49kYpfRekX9ZZByZtxwFdT64Y06Bo=
SMTP_HOST: AgA22D8NGJiVPrOHTet6X6hNabuYR3gPebOnmkYy2Lt5adufloo4ohvvkoQFVGYel5270OhIOQigFPZhqSurTRHZrQXMRFQ4R0X7q0WqkrrGJSFK22E/hI6jMpPUXcG+SI/rliYXV3jBAXKoUAuX7xPpvWjmU7ES5y3RGqj5lLfCmK+9+uDEYH1uY/EyZcjfwsJBkDYWVn5Zpl49L6wjgLp81307cYu0BndLznXPEFmRANDKzM3zIMFZFReXpi8SzUSiAZTXBppP5USWr6M5x88NrxB6K9v9kqJJNAgbCwxi7H2eO4IYd5lf+mLEyJm+AKt9u0QbUbE6IKkYxtoKN9d/OsHjyNmVEr1db+BGySRuoyEWPJWVUMtuMDLzxPX6syLqHrg9OJ9sF3iBIuTKerAEg7fKDQZ8dKGIUtMTKM82+Y1aJqJ+w++uO16faxeOhMeCdFUfPtenIKEFNvhxLv37rX6GLBsbqu33q/IKfBOikrhY/yua/SHr8okoRO9DyBLvC6uuUXwTsicamajC3h0lkaI56mxqwYBpNq9bXDCYqHgTm5uc3awKzbzGsd5AmBwff2gWvQuR8FfB4uWDqu19SR0DCIxFoUEhE2zKfBmuiOwXbbb2WeaxAAiTBqyoyJjrT+5Tb/9AdxOyNvNJ7Noaa/aSqRFtqrbU289dX7gZrcobag34zNp7bGV8/+5jucIBnlpaGBBLYhzHaiRgruOE
SMTP_PASSWORD: AgBv9A4w8hsjZCfodrNW0FIC2P+Tmd3Lo3bdY1Tdone2WeMKGEY/tvg66Nyn0P6LHAVMn3xZf4Fs3K3VlhMx53/uHWP5D/1PYVYNmbI08aJmrVUS5pop57KRW1abrUvf5eFwvtb0VYlmonZ1BDK+LIZEL/fqculkqelFmUXj0D1/Uq1dmz6/zfGK2Dpa71sjevY72pDedIhOwdavrwRkMvP1nd36hCYMrDaBodUpw6f0ZwyKucQThcT7UdgfBzR6ekvNfzkfIQnrgvVhmhDgUs5n6/KMkA5hC+ZztgLshF1+aBkM2VwVbrNjSDFbUJJguZnz6z4WlS/gGppeBj5ZWWeM01ARDlmbXZabz07hBApQ66/6H7gKW3AmMyaoAdbWnbK94XX+zapcNd5hPEYOIEx2q2/l4+ak6tSAPcuBSu048uTyUpf9/eUizhyWAmJQJ0FPsrVZ4ZYL8Yim8sGXx6Vgl6jJaT58HbnrimOINkEkqhu2Cuai3LAdHbN8nTFEu8F3qzWJkeYkBHAHxOrpJe/U5vVWLuMXywd8j3+rWWit7RFzZEEl4tdTsifFtF7Ml6pdqiwIOpH609Mn0Zr1Cz4iAgt3nU1i76X4g9YLRd4S3V93CmWQyaGBEgPjw8CswhEEKwcMUlkBD809QUx/4Ot655qA6F+i+NhCgeAujO58IL8V8+/EMSfK3sJ+XZFloRYyQrJ+adX6vL3C08dxSOXq
SMTP_PORT: AgARQ5le4SZE5gI+0sfUexHTI3xKtTp13xFj8NEAvZe5XBGWHbOqz0E/GGzNK0U31eKWi4hlDjy8oU0QyYnGiNdFwav2epqdLAFhUyGTwSAzV8ix6zS0B495imtYCxiNzdIAJWfHiVOV30CCn3IZTbjar5OIzf7FbCRx/qbqeIpTEYh73NnTLr1FueEe54yoBy0SxfAmgcAFIhBLd/dz9l1z/9jY/rvj4DSGYkZV4mdRaRusnoH9SrBBc52KIXbd1PMWPxltGQvzGtm/zbS9U82mLkJyDOPLhxhcP+z82O0NAKScfAzp7tq0p/PFooqyNmxaHiNFfUYjTxn6rDktZz3rBgST5cUFW3mUr3wSRKFdNTJQFe03GNVQM8n22KD+s8ZHErEsOCDa40ojcQihs3rOG03hKimcng6kW4MGZt90shPwoGWQqLEycY00MGNXCm6wtbIIHACGM9zdot8q3Adok3MrlT3wHZSloCpm5Vo4YuFNKSP7pN0l4MlrIq4scqMaEqNORtJGlwNHK/7LoOV7UbdYUsPx5QxkZYEaecviu+gFHZWT8bD5Do53i/cHl3TrL526qUphpFqoyjrOpDFgy8axQuSE5h/ARanDSaLrSiQKl+dn5p9V4h+baETNCSd2ebRGo4EuwrqbPCDM/Jxe+8vp5kK2xXLi1i4GW+7IVq8smXrYTxwSsme1xtFkR3mqjQQD
SMTP_SECURITY: AgCr84ATmegm4Bw4h8UVp3lARrSwy4DHuR59rlhf/il5pca/Z0rv478JQ2MW18e4LJSdtAHVIuEYb+PGbrFiJQ9gRTLGZAs3pBeWxKd6pyZyD1hMt376Q3kO2UaWrKBqJibTawItFmqCRraIZh84vCWNA41eddCbIZn1+JtSin8+9zwvLUScR2/7Y3iOkhhsi/dB6THXxKLMAHrr0lZGU0Mf2a3mhivqa6uHDkWZkLV4hWXTdXhhvK/VJlUekOXEgpg3zzFVESBcXGHno1Pj2ataVNUER6KGz1MzVXxF+DSVfem8pjeIHq1XTrQth0O2DQtifDP/smFGJvOMT4oghZsxKKY86uDzt4tKIswcR0bv+kbPBiepcnf1uUqJhoALlA4zeVaaQq25Dzhv550xM0XkW+ISgt64Er0qOAiI1V0sLeGBPazU+vUeEL7oa1nDr26K8CVk4Q6Hto8tuFACiVD0vh1NFw8FzR2tuILZmmoYUW4Imfwq6GWXw7ni5hRiZhUEYG2k0savVKyLLiPENfjlBLiLaA+TTAXcK7RtrDGY0M4y9qyHU/W3FG4BxReaF0lylhHaYFhMKRc/J3NCHlIIg+ob0mHEskvaexljf1pfdLUt3VvY9kHJSjGvJYBsHHkpeDU2xPvGF/usP0aDaa+Xy4IQCgQwXKmMadwplZv+FKV1ImZUayHhLxLfjZCMre9SfiqTr4968A==
SMTP_USERNAME: AgBDm7HojupWtK/s5yXKq/6y1aYsAzYkbfyuKQ6vujWaQZUUkm6pXHNlSW39si8KW8FG45tGAdZABl2Mv/nbNcsJ4bJzaICbcQzm3aGF8Bfv9NZKfO7Zrw3SmiZd+oXYkKGpPqtv2Nj9xMXIBYf1Ll4naBFCzLLgK6LJfKPiVChjEmVnX7XR1vDWJL5+BuXN3qb6ZAoEuzJ80RjUcKLSLfjeMxk7gNyUnxQSpyTZGMSK/XrkGLlkGTMdGDbuY9/vjNopeYpouGFiPFz5N6kaivUN9o2fKhP3SfBYSEpI2H3F/cbBPNWLGxfweokRbZZmjxC9K1N99UES8z268ZV9rv/6sri+Hf1FqdV9+2V38owAUByXUzKUBqs3Kb29kuv2+jDVDBm1FPQbkRWnK/6r3BHZQL4wJIg/3sKcjnWDXMwH79htcFF9bU7tcGVO1If4FHZYBbczUPdGeN59IIjHkvYqASVQBeew7JwhWRJkesbGcXW6EfUeIE6AwGoQudgRcHk140/0OupXnFwPcwy0EEg6vGNU4n2ejzavisA42gZGyrgO8Fr5boSqLnx2mSGi1jR3U3NR2ZEzh8dsOnbrjiffYIjnAOwMxTlvdF+x4le1DBOlHKwmVKeIgpFfab9KKG7I3s0VhMVILkeRMNPPy6P9G69k8HXvn+sDnVSOSno0/eiguz49iIt+JqzUbwLb0wWbp16S5NOc
template:
metadata:
creationTimestamp: null

2
infrastructure/pg-ha/kustomization.yaml
View File

@@ -9,6 +9,6 @@ namespace: pg-ha
helmCharts:
- name: cloudnative-pg
releaseName: pg-controller
version: 0.26.1
version: 0.26.0
valuesFile: values.yaml
repo: https://cloudnative-pg.io/charts/

2
infrastructure/traefik-system/kustomization.yaml
View File

@@ -13,6 +13,6 @@ namespace: traefik-system
helmCharts:
- name: traefik
releaseName: traefik
version: 37.2.0
version: 37.1.2
valuesFile: values.yaml
repo: https://traefik.github.io/charts

5
kluster-deployments/argocd/application.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd-application
name: metallb-application
namespace: argocd
spec:
project: infrastructure
@@ -14,6 +14,5 @@ spec:
namespace: argocd
syncPolicy:
automated:
prune: false
# since other argo projects are added to this namespace (but not managed in this repo), they should not be deleted even though they are not referenced in this manifest
prune: true
selfHeal: true

8
kluster-deployments/homeassistant/application.yaml
View File

@@ -1,20 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: homeassistant-flat-application
name: homeassistant-application
namespace: argocd
spec:
project: apps
source:
repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
targetRevision: main
path: apps/homeassistant/overlays/flat
path: apps/homeassistant
destination:
server: https://kubernetes.default.svc
namespace: homeassistant
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
prune: true
selfHeal: true
selfHeal: true

23
kluster-deployments/homeassistant/house.application.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: homeassistant-house-application
namespace: argocd
spec:
project: apps
source:
repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
targetRevision: main
path: apps/homeassistant/overlays/house
destination:
server: https://kubernetes.default.svc
namespace: homeassistant
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: privileged
syncOptions:
- CreateNamespace=true
automated:
prune: true
selfHeal: true

3
kluster-deployments/homeassistant/kustomization.yaml
View File

@@ -1,5 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application.yaml
- house.application.yaml
- application.yaml

3
renovate.json
View File

@@ -2,8 +2,7 @@
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"dependencyDashboard": true,
"extends": [
"local>remoll/k3s-infra//apps/immich/renovate.json",
"local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
"local>remoll/k3s-infra//apps/immich/renovate.json"
],
"packageRules": [
{