Syncthing to specific version

Also smtp-secrets are named to match their namespace in the infisical namespace
for uniqueness.

deploy/00-infisical.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Parse command line arguments
+RECREATE=false
+for arg in "$@"; do
+  case $arg in
+    --recreate)
+      RECREATE=true
+      shift
+      ;;
+  esac
+done
+
+# Check if the secret already exists
+SECRET_EXISTS=$(kubectl get secret universal-auth-credentials -n infisical --ignore-not-found -o name)
+
+if [[ -n "$SECRET_EXISTS" && "$RECREATE" == "true" ]]; then
+  echo "Recreating Infisical bootstrap secret..."
+  kubectl delete secret universal-auth-credentials -n infisical
+  kubectl create secret generic universal-auth-credentials -n infisical \
+    --from-literal clientId=$(gopass show -o homelab/infisical/id) \
+    --from-literal clientSecret=$(gopass show -o homelab/infisical/secret)
+elif [[ -z "$SECRET_EXISTS" ]]; then
+  echo "Creating Infisical bootstrap secret..."
+  kubectl create secret generic universal-auth-credentials -n infisical \
+    --from-literal clientId=$(gopass show -o homelab/infisical/id) \
+    --from-literal clientSecret=$(gopass show -o homelab/infisical/secret)
+else
+  echo "Infisical bootstrap secret already exists, skipping creation (use --recreate to force)"
+fi

deploy/00-infisical/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../namespaces/infisical/

deploy/01-infra.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo -n "Checking for Infrastructure CRDs... "
+kubectl wait --for condition=established crd/httproutes.gateway.networking.k8s.io > /dev/null
+kubectl wait --for condition=established crd/volumes.longhorn.io > /dev/null
+kubectl wait --for condition=established crd/certificates.cert-manager.io > /dev/null
+echo "done"

deploy/01-infra/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../namespaces/cert-manager/
+  - ../../namespaces/homelab/
+  - ../../namespaces/longhorn/
+  - ../../namespaces/traefik/

deploy/10-apps/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../namespaces/

justfile

@@ -0,0 +1,43 @@
+set export := true
+verbose := "false"
+diff := "kubectl diff -k"
+apply := "kubectl apply -k"
+redirect := if verbose == "true" { "" } else { "> /dev/null" }
+
+default:
+    @just --list
+
+infisical_bootstrap_secret recreate="":
+    @echo "-- Adding Infisical Bootstrap secret --"
+    @./deploy/00-infisical.sh {{ recreate }}
+
+_diff_infisical:
+    @echo "-- Diffing Infisical resources --"
+    @{{ diff }} deploy/00-infisical || [ $? -eq 1 ]
+_diff_infra:
+    @echo "-- Diffing Infra resources --"
+    @{{ diff }} deploy/01-infra || [ $? -eq 1 ]
+_diff_apps:
+    @echo "-- Diffing Apps --"
+    @{{ diff }} deploy/10-apps || [ $? -eq 1 ]
+    # @./deploy/10-apps.sh
+
+_apply_infisical:
+    @echo "-- Applying Infisical resources --"
+    @{{ apply }} deploy/00-infisical {{ redirect }}
+_apply_infra:
+    @echo "-- Applying Infra resources --"
+    @{{ apply }} deploy/01-infra {{ redirect }}
+    @./deploy/01-infra.sh
+_apply_apps:
+    @echo "-- Applying Apps --"
+    @{{ apply }} deploy/10-apps {{ redirect }}
+
+_apply_post: _apply_infra _apply_apps
+
+diff: _diff_infisical _diff_infra _diff_apps
+apply: _apply_infisical _apply_post
+_deploy recreate="": _apply_infisical (infisical_bootstrap_secret recreate) _apply_post
+deploy: _deploy
+
+redeploy: (_deploy "--recreate")

namespaces/ai/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - ollama/
+  - tabby/
+  - openwebui/

namespaces/ai/openwebui/patches/chart.yaml

@@ -59,7 +59,7 @@ spec:
       - name: RAG_OLLAMA_BASE_URL
         value: "https://ollama.leechpepin.com:11434"
       - name: TIKA_SERVER_URL
-        value: "http://tika.apps.svc.cluster.local:9998"
+        value: "http://tika-svc.core.svc.cluster.local:9998"
       - name: WEBUI_URL
         value: "https://owui.leechpepin.com"
       - name: ENABLE_RAG_WEB_SEARCH

namespaces/apps/atuin/patches/deployment.yaml

@@ -25,7 +25,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: atuin-config
-          image: ghcr.io/atuinsh/atuin:latest
+          image: ghcr.io/atuinsh/atuin:18.4.0
+          imagePullPolicy: IfNotPresent
           name: atuin
           ports:
             - containerPort: 8888

namespaces/apps/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - smtp-secrets.yaml
+  - atuin/
+  - dolibarr/
+  - forgejo/
+  - linkwarden/
+  - mealie/
+  - paperless/
+  - vaultwarden/

namespaces/apps/paperless/kustomization.yaml

@@ -96,8 +96,8 @@ configMapGenerator:
       - PAPERLESS_DBUSER=paperless
       - PAPERLESS_DBNAME=paperlessdb
       - PAPERLESS_TIKA_ENABLED="1"
-      - PAPERLESS_TIKA_ENDPOINT="http://tika-svc.apps:9998"
-      - PAPERLESS_TIKA_GOTENBURG_ENDPOINT="http://gotenburg-svc.apps:3000"
+      - PAPERLESS_TIKA_ENDPOINT="http://tika-svc.core:9998"
+      - PAPERLESS_TIKA_GOTENBURG_ENDPOINT="http://gotenburg-svc.core:3000"
       - PAPERLESS_USE_X_FORWARD_HOST="1"
       - PAPERLESS_TIME_ZONE="America/New_York"
       - PAPERLESS_URL="https://paperless.leechpepin.com"

namespaces/apps/paperless/patches/deployment.yaml

@@ -17,7 +17,8 @@ spec:
                       - arthur
       containers:
         - name: paperless
-          image: ghcr.io/paperless-ngx/paperless-ngx:latest
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.14.7
+          imagePullPolicy: IfNotPresent
           volumeMounts:
             - name: consume-volume
               mountPath: /usr/src/paperless/consume

namespaces/apps/smtp-secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: smtp-secrets
+  name: smtp-secrets-apps
   namespace: infisical
   labels:
     label-to-be-passed-to-managed-secret: homelab

namespaces/auth/authentik/kustomization.yaml

@@ -0,0 +1,112 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: auth
+    unsetOnly: true
+
+namePrefix: authentik-
+resources:
+  - ../../../kustomize/helmchart
+
+patches:
+  - path: patches/chart.yaml
+    target:
+      kind: HelmChart
+      name: chart
+  # - path: patches/httproute.yaml
+  #   target:
+  #     kind: HTTPRoute
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: authentik
+  - pairs:
+      app.kubernetes.io/appNamespace: auth
+  - pairs:
+      app.kubernetes.io/chartServiceName: authentik-chart-server
+  - pairs:
+      app.kubernetes.io/routePrefix: auth
+
+replacements:
+  # Update secrets
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+  # HTTPRoute
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: HTTPRoute
+      name: http
+      fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0

namespaces/auth/authentik/patches/chart.yaml

@@ -0,0 +1,66 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: chart
+spec:
+  chart: authentik
+  repo: https://charts.goauthentik.io
+  targetNamespace: auth
+  createNamespace: true
+  valuesContent: |-
+    authentik:
+      secret_key: "file:///auth-secrets/SECRET-KEY"
+      postgresql:
+        host: postgres-svc.core.svc.cluster.local
+        port: 5432
+        user: authentik  # Using default directly
+        password: file:///auth-secrets/DB-PASSWORD
+        database: authentik
+      redis:
+        host: redis-svc.core.svc.cluster.local
+        db: 15
+      email:
+        from: homelab@leechpepin.com
+        host: blizzard.mxrouting.net
+        port: 465
+        use_ssl: true
+        username: homelab@leechpepin.com
+        password: file:///smtp-secrets/SMTP_PASSWORD
+
+    postgresql:
+      enabled: false
+    redis:
+      enabled: false
+
+    server:
+      service:
+        type: NodePort
+      volumes:
+        - name: auth-secrets
+          secret:
+            secretName: authentik-secrets
+        - name: smtp-secrets
+          secret:
+            secretName: smtp-secrets
+      volumeMounts:
+        - name: auth-secrets
+          mountPath: /auth-secrets
+          readOnly: true
+        - name: smtp-secrets
+          mountPath: /smtp-secrets
+          readOnly: true
+    worker:
+      volumes:
+        - name: auth-secrets
+          secret:
+            secretName: authentik-secrets
+        - name: smtp-secrets
+          secret:
+            secretName: smtp-secrets
+      volumeMounts:
+        - name: auth-secrets
+          mountPath: /auth-secrets
+          readOnly: true
+        - name: smtp-secrets
+          mountPath: /smtp-secrets
+          readOnly: true

namespaces/auth/authentik/patches/httproute.yaml

@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http
+spec:
+  rules:
+    - backendRefs:
+        - name: authentik-chart-server
+          port: 80
+          namespace: auth
+      filters:
+        - requestHeaderModifier:
+            set:
+              - name: X-Forwarded-Proto
+                value: https
+          type: RequestHeaderModifier

namespaces/auth/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - smtp-secrets.yaml
+  - authentik/

namespaces/auth/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    homelab-access: "true"
+  name: auth

namespaces/auth/smtp-secrets.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: smtp-secrets-auth
+  namespace: infisical
+  labels:
+    label-to-be-passed-to-managed-secret: homelab
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: homelab-n-f-yj
+        envSlug: prod
+        secretsPath: "/" # Root is "/"
+        recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: infisical
+  managedSecretReference:
+    secretName: smtp-secrets
+    secretNamespace: auth
+    creationPolicy: "Orphan" ## Owner | Orphan

namespaces/cert-manager/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - cert-manager/

namespaces/cert-manager/post-crd/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cluster-issuer.yaml
+  - consultjlpdotcom-cert.yaml
+  - jlptechdotconsulting-cert.yaml
+  - leechpepindotcom-cert.yaml

namespaces/charts/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - gpu-runtime.yaml

namespaces/core/gotenburg/kustomization.yaml

@@ -7,7 +7,7 @@ transformers:
     kind: NamespaceTransformer
     metadata:
       name: notImportantHere
-      namespace: apps
+      namespace: core
     unsetOnly: true
 
 namePrefix: gotenburg-
@@ -45,4 +45,4 @@ labels:
     pairs:
       app.kubernetes.io/appName: gotenburg
   - pairs:
-      app.kubernetes.io/appNamespace: apps
+      app.kubernetes.io/appNamespace: core

namespaces/core/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - postgres/
+  - redis/
+  - tika/
+  - gotenburg/

namespaces/core/syncthing.yaml

@@ -17,7 +17,7 @@ spec:
       restartPolicy: Always
       containers:
         - name: syncthing
-          image: syncthing/syncthing:latest
+          image: syncthing/syncthing:1.29
           ports:
             - name: http
               containerPort: 8384

namespaces/core/tika/kustomization.yaml

@@ -7,7 +7,7 @@ transformers:
     kind: NamespaceTransformer
     metadata:
       name: notImportantHere
-      namespace: apps
+      namespace: core
     unsetOnly: true
 
 namePrefix: tika-
@@ -45,4 +45,4 @@ labels:
     pairs:
       app.kubernetes.io/appName: tika
   - pairs:
-      app.kubernetes.io/appNamespace: apps
+      app.kubernetes.io/appNamespace: core

namespaces/core/tika/patches/deployment.yaml

@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
         - name: tika
-          image: docker.io/apache/tika:latest
+          image: docker.io/apache/tika:3.1.0.0
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9998

namespaces/homelab/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - gateway.yaml

namespaces/infisical/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - infisical/

namespaces/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cert-manager/post-crd
+  - ai/
+  - apps/
+  - auth/
+  - core/
+  - charts/
+  - monitoring/
+  - public/

namespaces/longhorn/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - longhorn/

namespaces/monitoring/diun/patches/deployment.yaml

@@ -23,8 +23,8 @@ spec:
       serviceAccountName: diun
       containers:
         - name: diun
-          image: crazymax/diun:latest
-          imagePullPolicy: Always
+          image: crazymax/diun:4.29.0
+          imagePullPolicy: IfNotPresent
           args: ["serve"]
           envFrom:
             - configMapRef:

namespaces/monitoring/healthchecks/patches/deployment.yaml

@@ -22,7 +22,8 @@ spec:
                       - "true"
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:latest
+          image: healthchecks/healthchecks:v3.9
+          imagePullPolicy: IfNotPresent
           envFrom:
             - configMapRef:
                 name: healthchecks-config

namespaces/monitoring/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - smtp-secrets.yaml
+  - umami/
+  - ntfy/
+  - diun/
+  - healthchecks/

namespaces/monitoring/smtp-secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: smtp-secrets
+  name: smtp-secrets-monitoring
   namespace: infisical
   labels:
     label-to-be-passed-to-managed-secret: homelab

namespaces/monitoring/uptime-kuma/kustomization.yaml

@@ -13,7 +13,7 @@ transformers:
 namePrefix: uptime-kuma-
 resources:
   - ../../../kustomize/deployment/
-  - extra/middleware-auth.yaml
+  # - extra/middleware-auth.yaml
 
 replacements:
   - source:

namespaces/monitoring/uptime-kuma/patches/httproute.yaml

@@ -2,13 +2,13 @@ apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: http
-spec:
-  rules:
-    - backendRefs:
-        - port: 80
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: authentik-forward-auth
+# spec:
+#   rules:
+#     - backendRefs:
+#         - port: 80
+#       filters:
+#         - type: ExtensionRef
+#           extensionRef:
+#             group: traefik.io
+#             kind: Middleware
+#             name: authentik-forward-auth

namespaces/public/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml

namespaces/traefik/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - traefik/