jleechpe/k3s
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jleechpe:46e64631c64d45bb1a9f7605c86a288297e06b5c
Branches Tags
jleechpe:main
jleechpe:testing
..
compare: jleechpe:52d28702fe8a71032e27fdbfa12f1f867c84ca2d
Branches Tags
jleechpe:main
jleechpe:testing

10 commits
46e64631c6 ... 52d28702fe

Author SHA1 Message Date
Jonathan Leech-Pepin
52d28702fe
Update redis and postgres internal routes 
And add smtp-secrets file for apps namespace
 2025-03-30 13:14:32 -04:00
Jonathan Leech-Pepin
27e6408665
Vaultwarden to fixed image and re-add smtp settings 2025-03-30 13:10:00 -04:00
Jonathan Leech-Pepin
296ad3c364
Switch postgres and redis to kustomize 2025-03-30 13:00:00 -04:00
Jonathan Leech-Pepin
a002006169
Move longhorn, cert-manager and traefik to kustomize 2025-03-27 22:00:00 -04:00
Jonathan Leech-Pepin
2017459a07
Some cleanup 2025-03-27 21:25:55 -04:00
Jonathan Leech-Pepin
cdb58bb742
Version bumps and switch to actual tags not latest 2025-03-11 20:39:33 -04:00
Jonathan Leech-Pepin
11f65da54d
Cleanup kustomize templates and add batch 2025-02-26 17:02:56 -05:00
Jonathan Leech-Pepin
e97111a775
Add pg_dumpall backup and core services 
Services are non-kustomize so will likely be rebuilt in the future
 2025-02-20 20:29:07 -05:00
Jonathan Leech-Pepin
78ecd63c50
Deploy dolibarr 2025-02-20 20:03:57 -05:00
Jonathan Leech-Pepin
f6a4beb263
Add analytics 2025-02-18 16:27:23 -05:00
68 changed files with 1225 additions and 104 deletions
Show stats Expand all files Collapse all files

8
charts/gpu-runtime.yaml
View file

@ -2,9 +2,15 @@ apiVersion: helm.cattle.io/v1
kind: HelmChart kind: HelmChart
metadata: metadata:
name: nvidia-device-plugin name: nvidia-device-plugin
namespace: kube-system namespace: charts
spec: spec:
chart: nvidia-device-plugin chart: nvidia-device-plugin
repo: https://nvidia.github.io/k8s-device-plugin repo: https://nvidia.github.io/k8s-device-plugin
valuesContent: |- valuesContent: |-
runtimeClassName: nvidia runtimeClassName: nvidia
namespaceOverride: kube-system
tolerations:
- key: "gpu"
value: "true"
operator: "Equal"
effect: "NoSchedule"

48
kustomize/backups/batch.yaml Normal file
View file

@ -0,0 +1,48 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: backup
image: busybox
command:
- /bin/bash
- -c
- |
echo $HEALTHCHECK_BASE_URL/${HEALTHCHECK_ID}
# Start signal
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}/start
# Perform backup
if ! ${BACKUP_COMMAND} | gzip > /backup/${ROTATE_PREFIX}-$(date +%Y%m%d).sql.gz; then
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}/fail
exit 1
fi
# list backups
ls /backup
# Rotate old backups
find /backup -name "${ROTATE_PREFIX}-*.sql.gz" -mtime +7 -delete
# Success signal
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}
envFrom:
- configMapRef:
name: backup-config
- secretRef:
name: core-secrets
volumeMounts:
- mountPath: /backup
name: backup
subPath: "data"
volumes:
- name: backup
persistentVolumeClaim:
claimName: backup-pvc

9
kustomize/backups/kustomization.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- batch.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

5
kustomize/deployment/configmap.yaml
View file

@ -1,5 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:

1
kustomize/deployment/kustomization.yaml
View file

@ -9,7 +9,6 @@ resources:
- secret.yaml - secret.yaml
- httproute-http.yaml - httproute-http.yaml
- httproute-https.yaml - httproute-https.yaml
# - configmap.yaml
labels: labels:
- includeSelectors: true - includeSelectors: true

7
kustomize/helmchart-noaddons/helmchart.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: chart
namespace: charts
spec:
targetNamespace: default

10
kustomize/helmchart-noaddons/kustomization.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmchart.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

5
kustomize/noservice/configmap.yaml
View file

@ -1,5 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:

1
kustomize/noservice/kustomization.yaml
View file

@ -6,7 +6,6 @@ resources:
- deployment.yaml - deployment.yaml
- pvc.yaml - pvc.yaml
- secret.yaml - secret.yaml
# - configmap.yaml
labels: labels:
- includeSelectors: true - includeSelectors: true

14
kustomize/noservice/httproute-http.yaml → kustomize/statefulset/httproute-http.yaml
View file

@ -11,10 +11,16 @@ spec:
hostnames: hostnames:
- web.leechpepin.com - web.leechpepin.com
rules: rules:
- matches: - filters:
- path: - type: RequestHeaderModifier
type: PathPrefix requestHeaderModifier:
value: / set:
- name: "X-Forwarded-Proto"
value: "https"
backendRefs: backendRefs:
- name: web - name: web
port: 80 port: 80
matches:
- path:
type: PathPrefix
value: /

0
kustomize/noservice/httproute-https.yaml → kustomize/statefulset/httproute-https.yaml
View file

14
kustomize/statefulset/kustomization.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- statefulset.yaml
- service.yaml
- httproute-http.yaml
- httproute-https.yaml
- secret.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

27
kustomize/statefulset/secret.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/apps/appname" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: app-secrets
secretNamespace: ns
creationPolicy: "Orphan" ## Owner | Orphan

0
kustomize/noservice/service.yaml → kustomize/statefulset/service.yaml
View file

23
kustomize/statefulset/statefulset.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: ss
namespace: core
spec:
serviceName: ss-svc
replicas: 1
template:
spec:
restartPolicy: Always
volumeClaimTemplates:
- metadata:
name: ss-data
annotations:
name: ss-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-private
resources:
requests:
storage: 5Gi

3
namespaces/ai/ollama/patches/deployment.yaml
View file

@ -13,7 +13,8 @@ spec:
effect: "NoSchedule" effect: "NoSchedule"
containers: containers:
- name: ollama - name: ollama
image: ollama/ollama:latest image: ollama/ollama:0.5.13
imagePullPolicy: IfNotPresent
resources: resources:
limits: limits:
nvidia.com/gpu: 1 nvidia.com/gpu: 1

4
namespaces/ai/openwebui/patches/chart.yaml
View file

@ -12,7 +12,7 @@ spec:
- https://ollama.leechpepin.com:11434 - https://ollama.leechpepin.com:11434
websocket: websocket:
enabled: true enabled: true
url: redis://redis.core.svc.cluster.local:6379/0 url: redis://redis-svc.core.svc.cluster.local:6379/0
redis: redis:
enabled: false enabled: false
persistence: persistence:
@ -20,7 +20,7 @@ spec:
subPath: "data" subPath: "data"
storageClass: longhorn-private storageClass: longhorn-private
image: image:
tag: 0.5.10 tag: 0.5.20
extraEnvVars: extraEnvVars:
- name: ENABLE_OAUTH_SIGNUP - name: ENABLE_OAUTH_SIGNUP
value: "true" value: "true"

2
namespaces/ai/tabby/config.toml
View file

@ -13,5 +13,5 @@ api_endpoint = "http://ollama-svc:11434/v1"
# Embedding model # Embedding model
[model.embedding.http] [model.embedding.http]
kind = "ollama/embedding" kind = "ollama/embedding"
model_name = "ordis/jina-embeddings-v2-base-code" model_name = "ordis/jina-embeddings-v2-base-code:latest"
api_endpoint = "http://ollama-svc:11434" api_endpoint = "http://ollama-svc:11434"

3
namespaces/ai/tabby/patches/deployment.yaml
View file

@ -12,7 +12,8 @@ spec:
effect: "NoSchedule" effect: "NoSchedule"
containers: containers:
- name: tabby - name: tabby
image: tabbyml/tabby:latest image: tabbyml/tabby:0.25.2
imagePullPolicy: IfNotPresent
ports: ports:
- name: tabby - name: tabby
containerPort: 8080 containerPort: 8080

94
namespaces/apps/dolibarr/kustomization.yaml Normal file
View file

@ -0,0 +1,94 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: apps
unsetOnly: true
namePrefix: dolibarr-
resources:
- ../../../kustomize/public-oidc/
replacements:
- source:
kind: Service
name: svc
targets:
- select:
kind: HTTPRoute
options:
create: true
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
- path: patches/pvc.yaml
target:
kind: PersistentVolumeClaim
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: dolibarr
- pairs:
app.kubernetes.io/appNamespace: apps
configMapGenerator:
- name: config
literals:
- PHP_INI_DATE_TIMEZONE=America/New_York
- DOLI_INSTALL_AUTO=0
- DOLI_DB_TYPE=pgsql
- DOLI_DB_HOST=postgres-svc.core.svc.cluster.local
- DOLI_DB_HOST_PORT=5432
- DOLI_DB_USER=dolidbuser
- DOLI_COMPANY_NAME="JLP Tech Consulting, LLC"
- DOLI_COMPANY_COUNTRYCODE="US"
- DOLI_URL_ROOT=https://dolibarr.leechpepin.com

47
namespaces/apps/dolibarr/patches/deployment.yaml Normal file
View file

@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: dolibarr
image: dolibarr/dolibarr:20.0.3
envFrom:
- configMapRef:
name: dolibarr-config
env:
- name: DOLI_DB_PASSWORD
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: DB_PASSWORD
optional: false
- name: DOLI_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: ADMIN_PASSWORD
optional: false
- name: DOLI_INSTANCE_UNIQUE_ID
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: SECRET_KEY
optional: false
ports:
- containerPort: 80
protocol: TCP
name: dolibarr
volumeMounts:
- mountPath: /var/www/documents
name: dolibarr
subPath: "documents"
- mountPath: /var/www/html/custom
name: dolibarr
subPath: html_custom
volumes:
- name: dolibarr
persistentVolumeClaim:
claimName: dolibarr-pvc

8
namespaces/apps/dolibarr/patches/pvc.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
resources:
requests:
storage: 10Gi

2
namespaces/apps/forgejo/kustomization.yaml
View file

@ -100,7 +100,7 @@ configMapGenerator:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- FORGEJO__database__DB_TYPE=postgres - FORGEJO__database__DB_TYPE=postgres
- FORGEJO__database__HOST=postgres.core.svc.cluster.local:5432 - FORGEJO__database__HOST=postgres-svc.core.svc.cluster.local:5432
- FORGEJO__database__NAME=forgejo - FORGEJO__database__NAME=forgejo
- FORGEJO__database__USER=forgejo - FORGEJO__database__USER=forgejo
- FORGEJO__mailer__ENABLED=true - FORGEJO__mailer__ENABLED=true

4
namespaces/apps/linkwarden/kustomization.yaml
View file

@ -84,8 +84,8 @@ configMapGenerator:
- name: config - name: config
literals: literals:
- NEXTAUTH_URL="https://linkwarden.leechpepin.com/api/v1/auth" - NEXTAUTH_URL="https://linkwarden.leechpepin.com/api/v1/auth"
- NEXT_PUBLIC_OLLAMA_ENDPOINT_URL="http://ollama.ai.svc.cluster.local:11434" - NEXT_PUBLIC_OLLAMA_ENDPOINT_URL="https://ollama.leechpepin.com:11434"
- OLLAMA_MODEL="phi3:mini-4k" - OLLAMA_MODEL="granite3.1-moe:3b"
- NEXT_PUBLIC_AUTHENTIK_ENABLED="true" - NEXT_PUBLIC_AUTHENTIK_ENABLED="true"
- AUTHENTIK_CUSTOM_NAME="Authentik" - AUTHENTIK_CUSTOM_NAME="Authentik"
- AUTHENTIK_ISSUER="https://auth.leechpepin.com/application/o/linkwarden" - AUTHENTIK_ISSUER="https://auth.leechpepin.com/application/o/linkwarden"

2
namespaces/apps/mealie/kustomization.yaml
View file

@ -88,7 +88,7 @@ configMapGenerator:
# Database Settings # Database Settings
- DB_ENGINE=postgres - DB_ENGINE=postgres
- POSTGRES_USER=mealie - POSTGRES_USER=mealie
- POSTGRES_SERVER=postgres.core.svc.cluster.local - POSTGRES_SERVER=postgres-svc.core.svc.cluster.local
- POSTGRES_PORT=5432 - POSTGRES_PORT=5432
- POSTGRES_DB=mealie - POSTGRES_DB=mealie
# Use Ollama # Use Ollama

4
namespaces/apps/paperless/kustomization.yaml
View file

@ -91,8 +91,8 @@ labels:
configMapGenerator: configMapGenerator:
- name: config - name: config
literals: literals:
- PAPERLESS_REDIS=redis://redis.core.svc.cluster.local - PAPERLESS_REDIS=redis://redis-svc.core.svc.cluster.local
- PAPERLESS_DBHOST=postgres.core.svc.cluster.local - PAPERLESS_DBHOST=postgres-svc.core.svc.cluster.local
- PAPERLESS_DBUSER=paperless - PAPERLESS_DBUSER=paperless
- PAPERLESS_DBNAME=paperlessdb - PAPERLESS_DBNAME=paperlessdb
- PAPERLESS_TIKA_ENABLED="1" - PAPERLESS_TIKA_ENABLED="1"

28
namespaces/apps/smtp-secrets.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: smtp-secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: smtp-secrets
secretNamespace: apps
creationPolicy: "Orphan" ## Owner | Orphan
---

7
namespaces/apps/vaultwarden/kustomization.yaml
View file

@ -83,3 +83,10 @@ labels:
configMapGenerator: configMapGenerator:
- name: config - name: config
literals: literals:
- SIGNUPS_ALLOWED="false"
- PUSH_ENABLED="true"
- DOMAIN=https://vaultwarden.leechpepin.com
- SMTP_FROM=homelab@leechpepin.com
- SMTP_FROM_NAME="Vaultwarden"
- SMTP_USERNAME=homelab
- SMTP_HOST=blizzard.mxrouting.net

3
namespaces/apps/vaultwarden/patches/deployment.yaml
View file

@ -7,7 +7,8 @@ spec:
spec: spec:
containers: containers:
- name: vaultwarden - name: vaultwarden
image: vaultwarden/server:latest image: vaultwarden/server:1.33.2
imagePullPolicy: IfNotPresent
envFrom: envFrom:
- configMapRef: - configMapRef:
name: vaultwarden-config name: vaultwarden-config

0
namespaces/cert-manager/cloudflare-token.yaml → namespaces/cert-manager/cert-manager/extras/cloudflare-token.yaml
View file

29
namespaces/cert-manager/cert-manager/kustomization.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: cert-manager
unsetOnly: true
namePrefix: cert-manager-
resources:
- ../../../kustomize/helmchart-noaddons
- extras/cloudflare-token.yaml
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: cert-manager
- pairs:
app.kubernetes.io/appNamespace: cert-manager

0
namespaces/cert-manager/chart.yaml → namespaces/cert-manager/cert-manager/patches/chart.yaml
View file

0
namespaces/cert-manager/cluster-issuer.yaml → namespaces/cert-manager/cert-manager/post/cluster-issuer.yaml
View file

0
namespaces/cert-manager/consultjlpdotcom-cert.yaml → namespaces/cert-manager/cert-manager/post/consultjlpdotcom-cert.yaml
View file

0
namespaces/cert-manager/jlptechdotconsulting-cert.yaml → namespaces/cert-manager/cert-manager/post/jlptechdotconsulting-cert.yaml
View file

0
namespaces/cert-manager/leechpepindotcom-cert.yaml → namespaces/cert-manager/cert-manager/post/leechpepindotcom-cert.yaml
View file

7
namespaces/charts/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: charts

12
namespaces/core/backup-pvc.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: backup-pvc
namespace: core
spec:
storageClassName: longhorn-private
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi

7
namespaces/core/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: core

51
namespaces/core/pgdump/kustomization.yaml Normal file
View file

@ -0,0 +1,51 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: pgdump-
resources:
- ../../../kustomize/backups/
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: pgdump
- pairs:
app.kubernetes.io/appNamespace: core
configMapGenerator:
- name: config
literals:
- HEALTHCHECK_BASE_URL="https://healthchecks.leechpepin.com"
- HEALTHCHECK_ID="ping/7iBSS9akyokIWq-sbfEjHQ/pgdump"
- ROTATE_PREFIX="pgdump"
- BACKUP_COMMAND="pg_dumpall -U postgres -h postgres-svc.core -p 5432"
patches:
- path: patches/batch.yaml
target:
kind: CronJob
name: backup
replacements:
- source:
kind: CronJob
name: backup
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: CronJob
name: backup
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.jobTemplate.spec.template.spec.containers.0.envFrom.0.configMapRef.name

13
namespaces/core/pgdump/patches/batch.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup
spec:
schedule: "0 2 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: backup
image: cimg/postgres:17.4

16
namespaces/core/postgres/extras/tcproute.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: tcproute
namespace: core
spec:
parentRefs:
- name: homelab-gateway
sectionName: postgres
kind: Gateway
namespace: homelab
rules:
- backendRefs:
- name: postgres-svc
namespace: core
port: 5432

97
namespaces/core/postgres/kustomization.yaml Normal file
View file

@ -0,0 +1,97 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: postgres-
resources:
- ../../../kustomize/statefulset/
- extras/tcproute.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: postgres
- pairs:
app.kubernetes.io/appNamespace: core
patches:
- path: patches/statefulset.yaml
target:
kind: StatefulSet
name: ss
- path: patches/httproutes-delete.yaml
target:
kind: HTTPRoute
replacements:
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: StatefulSet
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.volumeClaimTemplates.0.metadata.annotations.name
- spec.volumeClaimTemplates.0.metadata.name
- spec.serviceName
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.name
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.containerPort
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.port

5
namespaces/core/postgres/patches/httproutes-delete.yaml Normal file
View file

@ -0,0 +1,5 @@
$patch: delete
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: https

46
namespaces/core/postgres/patches/statefulset.yaml Normal file
View file

@ -0,0 +1,46 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: app
spec:
template:
spec:
securityContext:
fsGroup: 999
containers:
- name: postgres
image: postgres:17.4
ports:
- name: postgres
containerPort: 5432
protocol: TCP
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: postgres-data
subPath: "data"
env:
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: ROOT_PASSWORD
name: postgres-secrets
startupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}

112
namespaces/core/redis/kustomization.yaml Normal file
View file

@ -0,0 +1,112 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: redis-
resources:
- ../../../kustomize/statefulset/
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: redis
- pairs:
app.kubernetes.io/appNamespace: core
patches:
- path: patches/statefulset.yaml
target:
kind: StatefulSet
name: ss
replacements:
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: StatefulSet
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.volumeClaimTemplates.0.metadata.annotations.name
- spec.volumeClaimTemplates.0.metadata.name
- spec.serviceName
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.name
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Service
targets:
- select:
kind: HTTPRoute
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.containerPort
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.port
- select:
kind: HTTPRoute
fieldPaths:
- spec.rules.0.backendRefs.0.port

19
namespaces/core/redis/patches/statefulset.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: app
spec:
template:
spec:
restartPolicy: Always
containers:
- name: redis
image: redis:7.4.2-alpine3.21
ports:
- name: redis
containerPort: 6379
protocol: TCP
volumeMounts:
- mountPath: /data
name: redis-data
subPath: "data"

14
namespaces/homelab/secrets.yaml → namespaces/core/secrets.yaml
View file

@ -1,8 +1,7 @@
---
apiVersion: secrets.infisical.com/v1alpha1 apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret kind: InfisicalSecret
metadata: metadata:
name: homelab-sslcert-secrets name: core-postgres-secrets
namespace: infisical namespace: infisical
labels: labels:
label-to-be-passed-to-managed-secret: homelab label-to-be-passed-to-managed-secret: homelab
@ -17,17 +16,12 @@ spec:
secretsScope: secretsScope:
projectSlug: homelab-n-f-yj projectSlug: homelab-n-f-yj
envSlug: prod envSlug: prod
secretsPath: "/homelab" # Root is "/" secretsPath: "/core/postgres" # Root is "/"
recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef: credentialsRef:
secretName: universal-auth-credentials secretName: universal-auth-credentials
secretNamespace: infisical secretNamespace: infisical
managedSecretReference: managedSecretReference:
secretName: infisical-self-signed-cert secretName: postgres-secrets
secretNamespace: homelab secretNamespace: core
creationPolicy: "Orphan" ## Owner | Orphan creationPolicy: "Orphan" ## Owner | Orphan
secretType: kubernetes.io/tls
template:
data:
tls.crt: "{{ .TLS_CERT.Value }}"
tls.key: "{{ .TLS_KEY.Value }}"

91
namespaces/core/syncthing.yaml Normal file
View file

@ -0,0 +1,91 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing
namespace: core
spec:
replicas: 1
selector:
matchLabels:
name: syncthing
template:
metadata:
labels:
name: syncthing
spec:
restartPolicy: Always
containers:
- name: syncthing
image: syncthing/syncthing:latest
ports:
- name: http
containerPort: 8384
protocol: TCP
volumeMounts:
- mountPath: /var/syncthing
name: syncthing-data
subPath: "data"
env:
- name: PUID
value: "976"
- name: PGID
value: "976"
volumes:
- name: syncthing-data
persistentVolumeClaim:
claimName: syncthing-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: syncthing-data
namespace: core
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-private
resources:
requests:
storage: 50Gi
---
apiVersion: v1
kind: Service
metadata:
name: syncthing
namespace: core
spec:
type: ClusterIP
selector:
name: syncthing
ports:
- port: 8384
name: http
targetPort: http
protocol: TCP
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: syncthing
namespace: core
spec:
parentRefs:
- name: homelab-gateway
sectionName: web
kind: Gateway
namespace: homelab
hostnames:
- syncthing.leechpepin.local
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: syncthing
namespace: core
port: 8384

28
namespaces/infisical/infisical/kustomization.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: infisical
unsetOnly: true
namePrefix: infisical-
resources:
- ../../../kustomize/helmchart-noaddons
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: infisical
- pairs:
app.kubernetes.io/appNamespace: infisical

1
charts/infisical.yaml → namespaces/infisical/infisical/patches/chart.yaml
View file

@ -7,7 +7,6 @@ metadata:
- wrangler.cattle.io/on-helm-chart-remove - wrangler.cattle.io/on-helm-chart-remove
generation: 1 generation: 1
name: infisical-install name: infisical-install
namespace: default
spec: spec:
chart: secrets-operator chart: secrets-operator
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/ repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/

7
namespaces/infisical/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "false"
name: infisical

39
namespaces/longhorn-system/longhorn-gateway.yaml
View file

@ -1,39 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-routes-to-services
namespace: longhorn-system
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: traefik
to:
- group: ""
kind: Service
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: longhorn-ui
namespace: traefik
spec:
parentRefs:
- name: traefik-gateway
sectionName: web
kind: Gateway
namespace: traefik
hostnames:
- longhorn.leechpepin.local
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: longhorn-frontend
namespace: longhorn-system
port: 80

23
namespaces/longhorn-system/storageclasses.yaml
View file

@ -1,23 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-private
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "private"
nodeSelector: "private"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-public
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "public"

12
namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml Normal file
View file

@ -0,0 +1,12 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: private
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "private"
nodeSelector: "private"

11
namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml Normal file
View file

@ -0,0 +1,11 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: public
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "public"

99
namespaces/longhorn/longhorn/kustomization.yaml Normal file
View file

@ -0,0 +1,99 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: longhorn
unsetOnly: true
namePrefix: longhorn-
resources:
- ../../../kustomize/helmchart
- extras/longhorn-public-storageclass.yaml
- extras/longhorn-private-storageclass.yaml
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
- path: patches/secrets.yaml
target:
kind: InfisicalSecret
name: secrets
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: longhorn
- pairs:
app.kubernetes.io/appNamespace: longhorn
- pairs:
app.kubernetes.io/chartServiceName: longhorn-frontend
replacements:
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: HelmChart
name: chart
fieldPaths:
- spec.targetNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace

1
charts/longhorn.yaml → namespaces/longhorn/longhorn/patches/chart.yaml
View file

@ -7,7 +7,6 @@ metadata:
- wrangler.cattle.io/on-helm-chart-remove - wrangler.cattle.io/on-helm-chart-remove
generation: 1 generation: 1
name: longhorn-install name: longhorn-install
namespace: default # This should be elsewhere but changing it would delete
spec: spec:
version: v1.7.2 version: v1.7.2
chart: longhorn chart: longhorn

5
namespaces/longhorn/longhorn/patches/secrets.yaml Normal file
View file

@ -0,0 +1,5 @@
$patch: delete
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets

7
namespaces/longhorn/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: longhorn

2
namespaces/monitoring/healthchecks/kustomization.yaml
View file

@ -96,7 +96,7 @@ configMapGenerator:
literals: literals:
- ADMINS=jonathan@leechpepin.com - ADMINS=jonathan@leechpepin.com
- DB=postgres - DB=postgres
- DB_HOST=postgres.core.svc.cluster.local - DB_HOST=postgres-svc.core.svc.cluster.local
- DB_NAME=hc - DB_NAME=hc
- DB_PORT=5432 - DB_PORT=5432
- DB_USER=hc - DB_USER=hc

97
namespaces/monitoring/umami/kustomization.yaml Normal file
View file

@ -0,0 +1,97 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: monitoring
unsetOnly: true
namePrefix: umami-
resources:
- ../../../kustomize/public-oidc/
replacements:
- source:
kind: Service
name: svc
targets:
- select:
kind: HTTPRoute
options:
create: true
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: Deployment
name: app
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Deployment
name: app
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
name: app
- path: patches/delete-pvc.yaml
target:
kind: PersistentVolumeClaim
name: pvc
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: umami
- pairs:
app.kubernetes.io/appNamespace: monitoring
configMapGenerator:
- name: config
literals:
- DATABASE_TYPE=postgresql

5
namespaces/monitoring/umami/patches/delete-pvc.yaml Normal file
View file

@ -0,0 +1,5 @@
$patch: delete
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc

42
namespaces/monitoring/umami/patches/deployment.yaml Normal file
View file

@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
tolerations:
- key: "public"
operator: "Equal"
value: "true"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: public
operator: In
values:
- "true"
containers:
- name: umami
image: ghcr.io/umami-software/umami:postgresql-v2.17.0
envFrom:
- configMapRef:
name: umami-config
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: umami-secrets
key: UMAMI_APP_SECRET
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: umami-secrets
key: UMAMI_POSTGRESQL_CONNECTION
ports:
- containerPort: 3000
name: umami

7
namespaces/public/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: public

7
namespaces/traefik/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: traefik

28
namespaces/traefik/traefik/kustomization.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: traefik
unsetOnly: true
namePrefix: traefik-lb
resources:
- ../../../kustomize/helmchart-noaddons/
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: traefik-lb
- pairs:
app.kubernetes.io/appNamespace: traefik

6
charts/traefik.yaml → namespaces/traefik/traefik/patches/chart.yaml
View file

@ -34,6 +34,12 @@ spec:
default: true default: true
port: 2222 port: 2222
exposedPort: 2222 exposedPort: 2222
service:
annotations:
svccontroller.k3s.cattle.io/tolerations: |
- effect: NoSchedule
key: public
operator: Exists
tolerations: tolerations:
- key: "public" - key: "public"
value: "true" value: "true"