Add ntfy and diun

namespaces/monitoring/diun/extra/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: diun
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - list

namespaces/monitoring/diun/extra/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: diun
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: diun
+subjects:
+  - kind: ServiceAccount
+    name: diun
+    namespace: monitoring

namespaces/monitoring/diun/extra/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: diun

namespaces/monitoring/diun/kustomization.yaml

@@ -0,0 +1,92 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: monitoring
+    unsetOnly: true
+
+namePrefix: diun-
+resources:
+  - ../../../kustomize/noservice/
+  - extra/serviceaccount.yaml
+  - extra/clusterrole.yaml
+  - extra/clusterrolebinding.yaml
+
+replacements:
+  - source:
+      kind: Deployment
+      name: app
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+  - source:
+      kind: Deployment
+      name: app
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+
+patches:
+  - path: patches/deployment.yaml
+    target:
+      kind: Deployment
+      name: app
+  - path: patches/pvc.yaml
+    target:
+      kind: PersistentVolumeClaim
+      name: pvc
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: diun
+  - pairs:
+      app.kubernetes.io/appNamespace: monitoring
+
+configMapGenerator:
+  - name: config
+    literals:
+      - TZ=America/New_York
+      - DIUN_DEFAULTS_MAXTAGS=10
+      # Watch setup
+      - DIUN_WATCH_WORKERS=10
+      - DIUN_WATCH_JITTER=30s
+      - DIUN_WATCH_SCHEDULE=0 */6 * * *
+      - DIUN_WATCH_FIRSTCHECKNOTIF=true
+      # Diun k8s provider
+      - DIUN_PROVIDERS_KUBERNETES=true
+      - DIUN_PROVIDERS_KUBERNETES_NAMESPACES=ai,apps,auth,core,homelab,monitoring
+      - DIUN_PROVIDERS_KUBERNETES_WATCHBYDEFAULT=true
+      # # Notifications to self-hosted healthcheck.io
+      # - DIUN_WATCH_HEALTHCHECKS_BASEURL=https://health.leechpepin.com
+      # - DIUN_WATCH_HEALTHCHECKS_UUID=<UUID>
+      # Ntfy
+      - DIUN_NOTIF_NTFY_ENDPOINT=https://ntfy.leechpepin.com

namespaces/monitoring/diun/patches/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  template:
+    spec:
+      tolerations:
+        - key: "public"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: public
+                    operator: In
+                    values:
+                      - "true"
+      serviceAccountName: diun
+      containers:
+        - name: diun
+          image: crazymax/diun:latest
+          imagePullPolicy: Always
+          args: ["serve"]
+          envFrom:
+            - configMapRef:
+                name: diun-config
+          env:
+            - name: DIUN_NOTIF_NTFY_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: diun-secrets
+                  key: DIUN_NTFY_TOKEN
+            - name: DIUN_NOTIF_NTFY_TOPIC
+              valueFrom:
+                secretKeyRef:
+                  name: diun-secrets
+                  key: DIUN_NTFY_TOPIC
+          volumeMounts:
+            - mountPath: "/data"
+              name: diun-data
+              subPath: data
+      restartPolicy: Always
+      volumes:
+        # Set up a data directory for diun
+        # For production usage, you should consider using PV/PVC instead(or simply using storage like NAS)
+        # For more details, please see https://kubernetes.io/docs/concepts/storage/volumes/
+        - name: diun-data
+          persistentVolumeClaim:
+            claimName: diun-pvc

namespaces/monitoring/diun/patches/pvc.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc
+spec:
+  storageClassName: longhorn-public

namespaces/monitoring/ntfy/kustomization.yaml

@@ -0,0 +1,108 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: monitoring
+    unsetOnly: true
+
+namePrefix: ntfy-
+resources:
+  - ../../../kustomize/deployment/
+
+replacements:
+  - source:
+      kind: Service
+      name: svc
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: Deployment
+      name: app
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: Service
+        fieldPaths:
+          - spec.ports.0.name
+          - spec.ports.0.targetPort
+  - source:
+      kind: Deployment
+      name: app
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+
+patches:
+  - path: patches/deployment.yaml
+    target:
+      kind: Deployment
+      name: app
+  - path: patches/pvc.yaml
+    target:
+      kind: PersistentVolumeClaim
+      name: pvc
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: ntfy
+  - pairs:
+      app.kubernetes.io/appNamespace: monitoring
+
+configMapGenerator:
+  - name: config
+    literals:
+      - TZ=America/New_York
+      - NTFY_BASE_URL=https://ntfy.leechpepin.com
+      - NTFY_CACHE_FILE=/var/cache/ntfy/cache.db
+      - NTFY_ATTACHMENT_CACHE_DIR=/var/cache/ntfy/attachments
+      - NTFY_AUTH_FILE=/var/cache/ntfy/auth.db
+      - NTFY_AUTH_DEFAULT_ACCESS=deny-all
+      - NTFY_BEHIND_PROXY=true
+      - NTFY_ENABLE_LOGIN=true
+      - NTFY_WEB_PUSH_FILE=/var/cache/ntfy/webpush.db
+      - NTFY_WEB_PUSH_PUBLIC_KEY=BMsh_qTqBI5D9BNPgXBLUsKd5O9PBycfkEyk5ikLx2KAgIxxXfPe8r_cjDPkaU-eMF2sptm6p__bvht70qcuu3
+      - NTFY_WEB_PUSH_EMAIL_ADDRESS=homelab@leechpepin.com
+      # - NTFY_WEB_ROOT=disable

namespaces/monitoring/ntfy/patches/deployment.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  template:
+    spec:
+      tolerations:
+        - key: "public"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: public
+                    operator: In
+                    values:
+                      - "true"
+      containers:
+        - name: ntfy
+          image: binwiederhier/ntfy:v2.11.0 # set deployed version
+          args: ["serve"]
+          ports:
+            - containerPort: 80
+              name: ntfy
+          resources:
+            limits:
+              memory: 300Mi
+              cpu: 200m
+            requests:
+              cpu: 150m
+              memory: 150Mi
+          volumeMounts:
+            - mountPath: /var/cache/ntfy
+              name: ntfy-data
+              subPath: "data"
+          envFrom:
+            - configMapRef:
+                name: ntfy-config
+          env:
+            - name: NTFY_WEB_PUSH_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ntfy-secrets
+                  key: VAPID_PRIVATE_KEY
+                  optional: false
+          livenessProbe:
+            httpGet:
+              path: /v1/health
+              port: ntfy
+          readinessProbe:
+            httpGet:
+              path: /v1/health
+              port: ntfy
+          startupProbe:
+            httpGet:
+              path: /v1/health
+              port: ntfy
+      volumes:
+        - name: ntfy-data
+          persistentVolumeClaim:
+            claimName: ntfy-pvc

namespaces/monitoring/ntfy/patches/pvc.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc
+spec:
+  storageClassName: longhorn-public