jleechpe/k3s
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jleechpe:52d28702fe8a71032e27fdbfa12f1f867c84ca2d
Branches Tags
jleechpe:main
jleechpe:testing
..
compare: jleechpe:46e64631c64d45bb1a9f7605c86a288297e06b5c
Branches Tags
jleechpe:main
jleechpe:testing

No commits in common. "52d28702fe8a71032e27fdbfa12f1f867c84ca2d" and "46e64631c64d45bb1a9f7605c86a288297e06b5c" have entirely different histories.
52d28702fe ... 46e64631c6

68 changed files with 104 additions and 1225 deletions
Show stats Expand all files Collapse all files

8
charts/gpu-runtime.yaml
View file

@ -2,15 +2,9 @@ apiVersion: helm.cattle.io/v1
kind: HelmChart kind: HelmChart
metadata: metadata:
name: nvidia-device-plugin name: nvidia-device-plugin
namespace: charts namespace: kube-system
spec: spec:
chart: nvidia-device-plugin chart: nvidia-device-plugin
repo: https://nvidia.github.io/k8s-device-plugin repo: https://nvidia.github.io/k8s-device-plugin
valuesContent: |- valuesContent: |-
runtimeClassName: nvidia runtimeClassName: nvidia
namespaceOverride: kube-system
tolerations:
- key: "gpu"
value: "true"
operator: "Equal"
effect: "NoSchedule"

1
namespaces/infisical/infisical/patches/chart.yaml → charts/infisical.yaml
View file

@ -7,6 +7,7 @@ metadata:
- wrangler.cattle.io/on-helm-chart-remove - wrangler.cattle.io/on-helm-chart-remove
generation: 1 generation: 1
name: infisical-install name: infisical-install
namespace: default
spec: spec:
chart: secrets-operator chart: secrets-operator
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/ repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/

1
namespaces/longhorn/longhorn/patches/chart.yaml → charts/longhorn.yaml
View file

@ -7,6 +7,7 @@ metadata:
- wrangler.cattle.io/on-helm-chart-remove - wrangler.cattle.io/on-helm-chart-remove
generation: 1 generation: 1
name: longhorn-install name: longhorn-install
namespace: default # This should be elsewhere but changing it would delete
spec: spec:
version: v1.7.2 version: v1.7.2
chart: longhorn chart: longhorn

6
namespaces/traefik/traefik/patches/chart.yaml → charts/traefik.yaml
View file

@ -34,12 +34,6 @@ spec:
default: true default: true
port: 2222 port: 2222
exposedPort: 2222 exposedPort: 2222
service:
annotations:
svccontroller.k3s.cattle.io/tolerations: |
- effect: NoSchedule
key: public
operator: Exists
tolerations: tolerations:
- key: "public" - key: "public"
value: "true" value: "true"

48
kustomize/backups/batch.yaml
View file

@ -1,48 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: backup
image: busybox
command:
- /bin/bash
- -c
- |
echo $HEALTHCHECK_BASE_URL/${HEALTHCHECK_ID}
# Start signal
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}/start
# Perform backup
if ! ${BACKUP_COMMAND} | gzip > /backup/${ROTATE_PREFIX}-$(date +%Y%m%d).sql.gz; then
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}/fail
exit 1
fi
# list backups
ls /backup
# Rotate old backups
find /backup -name "${ROTATE_PREFIX}-*.sql.gz" -mtime +7 -delete
# Success signal
curl -fsS -m 10 --retry 5 ${HEALTHCHECK_BASE_URL}/${HEALTHCHECK_ID}
envFrom:
- configMapRef:
name: backup-config
- secretRef:
name: core-secrets
volumeMounts:
- mountPath: /backup
name: backup
subPath: "data"
volumes:
- name: backup
persistentVolumeClaim:
claimName: backup-pvc

9
kustomize/backups/kustomization.yaml
View file

@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- batch.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

5
kustomize/deployment/configmap.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:

1
kustomize/deployment/kustomization.yaml
View file

@ -9,6 +9,7 @@ resources:
- secret.yaml - secret.yaml
- httproute-http.yaml - httproute-http.yaml
- httproute-https.yaml - httproute-https.yaml
# - configmap.yaml
labels: labels:
- includeSelectors: true - includeSelectors: true

7
kustomize/helmchart-noaddons/helmchart.yaml
View file

@ -1,7 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: chart
namespace: charts
spec:
targetNamespace: default

10
kustomize/helmchart-noaddons/kustomization.yaml
View file

@ -1,10 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmchart.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

5
kustomize/noservice/configmap.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:

14
kustomize/statefulset/httproute-http.yaml → kustomize/noservice/httproute-http.yaml
View file

@ -11,16 +11,10 @@ spec:
hostnames: hostnames:
- web.leechpepin.com - web.leechpepin.com
rules: rules:
- filters: - matches:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: "X-Forwarded-Proto"
value: "https"
backendRefs:
- name: web
port: 80
matches:
- path: - path:
type: PathPrefix type: PathPrefix
value: / value: /
backendRefs:
- name: web
port: 80

0
kustomize/statefulset/httproute-https.yaml → kustomize/noservice/httproute-https.yaml
View file

1
kustomize/noservice/kustomization.yaml
View file

@ -6,6 +6,7 @@ resources:
- deployment.yaml - deployment.yaml
- pvc.yaml - pvc.yaml
- secret.yaml - secret.yaml
# - configmap.yaml
labels: labels:
- includeSelectors: true - includeSelectors: true

0
kustomize/statefulset/service.yaml → kustomize/noservice/service.yaml
View file

14
kustomize/statefulset/kustomization.yaml
View file

@ -1,14 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- statefulset.yaml
- service.yaml
- httproute-http.yaml
- httproute-https.yaml
- secret.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

27
kustomize/statefulset/secret.yaml
View file

@ -1,27 +0,0 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/apps/appname" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: app-secrets
secretNamespace: ns
creationPolicy: "Orphan" ## Owner | Orphan

23
kustomize/statefulset/statefulset.yaml
View file

@ -1,23 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: ss
namespace: core
spec:
serviceName: ss-svc
replicas: 1
template:
spec:
restartPolicy: Always
volumeClaimTemplates:
- metadata:
name: ss-data
annotations:
name: ss-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-private
resources:
requests:
storage: 5Gi

3
namespaces/ai/ollama/patches/deployment.yaml
View file

@ -13,8 +13,7 @@ spec:
effect: "NoSchedule" effect: "NoSchedule"
containers: containers:
- name: ollama - name: ollama
image: ollama/ollama:0.5.13 image: ollama/ollama:latest
imagePullPolicy: IfNotPresent
resources: resources:
limits: limits:
nvidia.com/gpu: 1 nvidia.com/gpu: 1

4
namespaces/ai/openwebui/patches/chart.yaml
View file

@ -12,7 +12,7 @@ spec:
- https://ollama.leechpepin.com:11434 - https://ollama.leechpepin.com:11434
websocket: websocket:
enabled: true enabled: true
url: redis://redis-svc.core.svc.cluster.local:6379/0 url: redis://redis.core.svc.cluster.local:6379/0
redis: redis:
enabled: false enabled: false
persistence: persistence:
@ -20,7 +20,7 @@ spec:
subPath: "data" subPath: "data"
storageClass: longhorn-private storageClass: longhorn-private
image: image:
tag: 0.5.20 tag: 0.5.10
extraEnvVars: extraEnvVars:
- name: ENABLE_OAUTH_SIGNUP - name: ENABLE_OAUTH_SIGNUP
value: "true" value: "true"

2
namespaces/ai/tabby/config.toml
View file

@ -13,5 +13,5 @@ api_endpoint = "http://ollama-svc:11434/v1"
# Embedding model # Embedding model
[model.embedding.http] [model.embedding.http]
kind = "ollama/embedding" kind = "ollama/embedding"
model_name = "ordis/jina-embeddings-v2-base-code:latest" model_name = "ordis/jina-embeddings-v2-base-code"
api_endpoint = "http://ollama-svc:11434" api_endpoint = "http://ollama-svc:11434"

3
namespaces/ai/tabby/patches/deployment.yaml
View file

@ -12,8 +12,7 @@ spec:
effect: "NoSchedule" effect: "NoSchedule"
containers: containers:
- name: tabby - name: tabby
image: tabbyml/tabby:0.25.2 image: tabbyml/tabby:latest
imagePullPolicy: IfNotPresent
ports: ports:
- name: tabby - name: tabby
containerPort: 8080 containerPort: 8080

94
namespaces/apps/dolibarr/kustomization.yaml
View file

@ -1,94 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: apps
unsetOnly: true
namePrefix: dolibarr-
resources:
- ../../../kustomize/public-oidc/
replacements:
- source:
kind: Service
name: svc
targets:
- select:
kind: HTTPRoute
options:
create: true
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
- path: patches/pvc.yaml
target:
kind: PersistentVolumeClaim
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: dolibarr
- pairs:
app.kubernetes.io/appNamespace: apps
configMapGenerator:
- name: config
literals:
- PHP_INI_DATE_TIMEZONE=America/New_York
- DOLI_INSTALL_AUTO=0
- DOLI_DB_TYPE=pgsql
- DOLI_DB_HOST=postgres-svc.core.svc.cluster.local
- DOLI_DB_HOST_PORT=5432
- DOLI_DB_USER=dolidbuser
- DOLI_COMPANY_NAME="JLP Tech Consulting, LLC"
- DOLI_COMPANY_COUNTRYCODE="US"
- DOLI_URL_ROOT=https://dolibarr.leechpepin.com

47
namespaces/apps/dolibarr/patches/deployment.yaml
View file

@ -1,47 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: dolibarr
image: dolibarr/dolibarr:20.0.3
envFrom:
- configMapRef:
name: dolibarr-config
env:
- name: DOLI_DB_PASSWORD
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: DB_PASSWORD
optional: false
- name: DOLI_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: ADMIN_PASSWORD
optional: false
- name: DOLI_INSTANCE_UNIQUE_ID
valueFrom:
secretKeyRef:
name: dolibarr-secrets
key: SECRET_KEY
optional: false
ports:
- containerPort: 80
protocol: TCP
name: dolibarr
volumeMounts:
- mountPath: /var/www/documents
name: dolibarr
subPath: "documents"
- mountPath: /var/www/html/custom
name: dolibarr
subPath: html_custom
volumes:
- name: dolibarr
persistentVolumeClaim:
claimName: dolibarr-pvc

8
namespaces/apps/dolibarr/patches/pvc.yaml
View file

@ -1,8 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
resources:
requests:
storage: 10Gi

2
namespaces/apps/forgejo/kustomization.yaml
View file

@ -100,7 +100,7 @@ configMapGenerator:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- FORGEJO__database__DB_TYPE=postgres - FORGEJO__database__DB_TYPE=postgres
- FORGEJO__database__HOST=postgres-svc.core.svc.cluster.local:5432 - FORGEJO__database__HOST=postgres.core.svc.cluster.local:5432
- FORGEJO__database__NAME=forgejo - FORGEJO__database__NAME=forgejo
- FORGEJO__database__USER=forgejo - FORGEJO__database__USER=forgejo
- FORGEJO__mailer__ENABLED=true - FORGEJO__mailer__ENABLED=true

4
namespaces/apps/linkwarden/kustomization.yaml
View file

@ -84,8 +84,8 @@ configMapGenerator:
- name: config - name: config
literals: literals:
- NEXTAUTH_URL="https://linkwarden.leechpepin.com/api/v1/auth" - NEXTAUTH_URL="https://linkwarden.leechpepin.com/api/v1/auth"
- NEXT_PUBLIC_OLLAMA_ENDPOINT_URL="https://ollama.leechpepin.com:11434" - NEXT_PUBLIC_OLLAMA_ENDPOINT_URL="http://ollama.ai.svc.cluster.local:11434"
- OLLAMA_MODEL="granite3.1-moe:3b" - OLLAMA_MODEL="phi3:mini-4k"
- NEXT_PUBLIC_AUTHENTIK_ENABLED="true" - NEXT_PUBLIC_AUTHENTIK_ENABLED="true"
- AUTHENTIK_CUSTOM_NAME="Authentik" - AUTHENTIK_CUSTOM_NAME="Authentik"
- AUTHENTIK_ISSUER="https://auth.leechpepin.com/application/o/linkwarden" - AUTHENTIK_ISSUER="https://auth.leechpepin.com/application/o/linkwarden"

2
namespaces/apps/mealie/kustomization.yaml
View file

@ -88,7 +88,7 @@ configMapGenerator:
# Database Settings # Database Settings
- DB_ENGINE=postgres - DB_ENGINE=postgres
- POSTGRES_USER=mealie - POSTGRES_USER=mealie
- POSTGRES_SERVER=postgres-svc.core.svc.cluster.local - POSTGRES_SERVER=postgres.core.svc.cluster.local
- POSTGRES_PORT=5432 - POSTGRES_PORT=5432
- POSTGRES_DB=mealie - POSTGRES_DB=mealie
# Use Ollama # Use Ollama

4
namespaces/apps/paperless/kustomization.yaml
View file

@ -91,8 +91,8 @@ labels:
configMapGenerator: configMapGenerator:
- name: config - name: config
literals: literals:
- PAPERLESS_REDIS=redis://redis-svc.core.svc.cluster.local - PAPERLESS_REDIS=redis://redis.core.svc.cluster.local
- PAPERLESS_DBHOST=postgres-svc.core.svc.cluster.local - PAPERLESS_DBHOST=postgres.core.svc.cluster.local
- PAPERLESS_DBUSER=paperless - PAPERLESS_DBUSER=paperless
- PAPERLESS_DBNAME=paperlessdb - PAPERLESS_DBNAME=paperlessdb
- PAPERLESS_TIKA_ENABLED="1" - PAPERLESS_TIKA_ENABLED="1"

28
namespaces/apps/smtp-secrets.yaml
View file

@ -1,28 +0,0 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: smtp-secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: smtp-secrets
secretNamespace: apps
creationPolicy: "Orphan" ## Owner | Orphan
---

7
namespaces/apps/vaultwarden/kustomization.yaml
View file

@ -83,10 +83,3 @@ labels:
configMapGenerator: configMapGenerator:
- name: config - name: config
literals: literals:
- SIGNUPS_ALLOWED="false"
- PUSH_ENABLED="true"
- DOMAIN=https://vaultwarden.leechpepin.com
- SMTP_FROM=homelab@leechpepin.com
- SMTP_FROM_NAME="Vaultwarden"
- SMTP_USERNAME=homelab
- SMTP_HOST=blizzard.mxrouting.net

3
namespaces/apps/vaultwarden/patches/deployment.yaml
View file

@ -7,8 +7,7 @@ spec:
spec: spec:
containers: containers:
- name: vaultwarden - name: vaultwarden
image: vaultwarden/server:1.33.2 image: vaultwarden/server:latest
imagePullPolicy: IfNotPresent
envFrom: envFrom:
- configMapRef: - configMapRef:
name: vaultwarden-config name: vaultwarden-config

29
namespaces/cert-manager/cert-manager/kustomization.yaml
View file

@ -1,29 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: cert-manager
unsetOnly: true
namePrefix: cert-manager-
resources:
- ../../../kustomize/helmchart-noaddons
- extras/cloudflare-token.yaml
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: cert-manager
- pairs:
app.kubernetes.io/appNamespace: cert-manager

0
namespaces/cert-manager/cert-manager/patches/chart.yaml → namespaces/cert-manager/chart.yaml
View file

0
namespaces/cert-manager/cert-manager/extras/cloudflare-token.yaml → namespaces/cert-manager/cloudflare-token.yaml
View file

0
namespaces/cert-manager/cert-manager/post/cluster-issuer.yaml → namespaces/cert-manager/cluster-issuer.yaml
View file

0
namespaces/cert-manager/cert-manager/post/consultjlpdotcom-cert.yaml → namespaces/cert-manager/consultjlpdotcom-cert.yaml
View file

0
namespaces/cert-manager/cert-manager/post/jlptechdotconsulting-cert.yaml → namespaces/cert-manager/jlptechdotconsulting-cert.yaml
View file

0
namespaces/cert-manager/cert-manager/post/leechpepindotcom-cert.yaml → namespaces/cert-manager/leechpepindotcom-cert.yaml
View file

7
namespaces/charts/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: charts

12
namespaces/core/backup-pvc.yaml
View file

@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: backup-pvc
namespace: core
spec:
storageClassName: longhorn-private
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi

7
namespaces/core/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: core

51
namespaces/core/pgdump/kustomization.yaml
View file

@ -1,51 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: pgdump-
resources:
- ../../../kustomize/backups/
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: pgdump
- pairs:
app.kubernetes.io/appNamespace: core
configMapGenerator:
- name: config
literals:
- HEALTHCHECK_BASE_URL="https://healthchecks.leechpepin.com"
- HEALTHCHECK_ID="ping/7iBSS9akyokIWq-sbfEjHQ/pgdump"
- ROTATE_PREFIX="pgdump"
- BACKUP_COMMAND="pg_dumpall -U postgres -h postgres-svc.core -p 5432"
patches:
- path: patches/batch.yaml
target:
kind: CronJob
name: backup
replacements:
- source:
kind: CronJob
name: backup
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: CronJob
name: backup
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.jobTemplate.spec.template.spec.containers.0.envFrom.0.configMapRef.name

13
namespaces/core/pgdump/patches/batch.yaml
View file

@ -1,13 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup
spec:
schedule: "0 2 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: backup
image: cimg/postgres:17.4

16
namespaces/core/postgres/extras/tcproute.yaml
View file

@ -1,16 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: tcproute
namespace: core
spec:
parentRefs:
- name: homelab-gateway
sectionName: postgres
kind: Gateway
namespace: homelab
rules:
- backendRefs:
- name: postgres-svc
namespace: core
port: 5432

97
namespaces/core/postgres/kustomization.yaml
View file

@ -1,97 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: postgres-
resources:
- ../../../kustomize/statefulset/
- extras/tcproute.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: postgres
- pairs:
app.kubernetes.io/appNamespace: core
patches:
- path: patches/statefulset.yaml
target:
kind: StatefulSet
name: ss
- path: patches/httproutes-delete.yaml
target:
kind: HTTPRoute
replacements:
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: StatefulSet
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.volumeClaimTemplates.0.metadata.annotations.name
- spec.volumeClaimTemplates.0.metadata.name
- spec.serviceName
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.name
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.containerPort
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.port

5
namespaces/core/postgres/patches/httproutes-delete.yaml
View file

@ -1,5 +0,0 @@
$patch: delete
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: https

46
namespaces/core/postgres/patches/statefulset.yaml
View file

@ -1,46 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: app
spec:
template:
spec:
securityContext:
fsGroup: 999
containers:
- name: postgres
image: postgres:17.4
ports:
- name: postgres
containerPort: 5432
protocol: TCP
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: postgres-data
subPath: "data"
env:
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: ROOT_PASSWORD
name: postgres-secrets
startupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U ${POSTGRES_USER}

112
namespaces/core/redis/kustomization.yaml
View file

@ -1,112 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: core
unsetOnly: true
namePrefix: redis-
resources:
- ../../../kustomize/statefulset/
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: redis
- pairs:
app.kubernetes.io/appNamespace: core
patches:
- path: patches/statefulset.yaml
target:
kind: StatefulSet
name: ss
replacements:
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: StatefulSet
name: ss
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: StatefulSet
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.volumeClaimTemplates.0.metadata.annotations.name
- spec.volumeClaimTemplates.0.metadata.name
- spec.serviceName
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.name
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Service
targets:
- select:
kind: HTTPRoute
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: StatefulSet
name: ss
fieldPath: spec.template.spec.containers.0.ports.0.containerPort
targets:
- select:
kind: Service
fieldPaths:
- spec.ports.0.port
- select:
kind: HTTPRoute
fieldPaths:
- spec.rules.0.backendRefs.0.port

19
namespaces/core/redis/patches/statefulset.yaml
View file

@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: app
spec:
template:
spec:
restartPolicy: Always
containers:
- name: redis
image: redis:7.4.2-alpine3.21
ports:
- name: redis
containerPort: 6379
protocol: TCP
volumeMounts:
- mountPath: /data
name: redis-data
subPath: "data"

91
namespaces/core/syncthing.yaml
View file

@ -1,91 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing
namespace: core
spec:
replicas: 1
selector:
matchLabels:
name: syncthing
template:
metadata:
labels:
name: syncthing
spec:
restartPolicy: Always
containers:
- name: syncthing
image: syncthing/syncthing:latest
ports:
- name: http
containerPort: 8384
protocol: TCP
volumeMounts:
- mountPath: /var/syncthing
name: syncthing-data
subPath: "data"
env:
- name: PUID
value: "976"
- name: PGID
value: "976"
volumes:
- name: syncthing-data
persistentVolumeClaim:
claimName: syncthing-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: syncthing-data
namespace: core
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-private
resources:
requests:
storage: 50Gi
---
apiVersion: v1
kind: Service
metadata:
name: syncthing
namespace: core
spec:
type: ClusterIP
selector:
name: syncthing
ports:
- port: 8384
name: http
targetPort: http
protocol: TCP
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: syncthing
namespace: core
spec:
parentRefs:
- name: homelab-gateway
sectionName: web
kind: Gateway
namespace: homelab
hostnames:
- syncthing.leechpepin.local
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: syncthing
namespace: core
port: 8384

14
namespaces/core/secrets.yaml → namespaces/homelab/secrets.yaml
View file

@ -1,7 +1,8 @@
---
apiVersion: secrets.infisical.com/v1alpha1 apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret kind: InfisicalSecret
metadata: metadata:
name: core-postgres-secrets name: homelab-sslcert-secrets
namespace: infisical namespace: infisical
labels: labels:
label-to-be-passed-to-managed-secret: homelab label-to-be-passed-to-managed-secret: homelab
@ -16,12 +17,17 @@ spec:
secretsScope: secretsScope:
projectSlug: homelab-n-f-yj projectSlug: homelab-n-f-yj
envSlug: prod envSlug: prod
secretsPath: "/core/postgres" # Root is "/" secretsPath: "/homelab" # Root is "/"
recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef: credentialsRef:
secretName: universal-auth-credentials secretName: universal-auth-credentials
secretNamespace: infisical secretNamespace: infisical
managedSecretReference: managedSecretReference:
secretName: postgres-secrets secretName: infisical-self-signed-cert
secretNamespace: core secretNamespace: homelab
creationPolicy: "Orphan" ## Owner | Orphan creationPolicy: "Orphan" ## Owner | Orphan
secretType: kubernetes.io/tls
template:
data:
tls.crt: "{{ .TLS_CERT.Value }}"
tls.key: "{{ .TLS_KEY.Value }}"

28
namespaces/infisical/infisical/kustomization.yaml
View file

@ -1,28 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: infisical
unsetOnly: true
namePrefix: infisical-
resources:
- ../../../kustomize/helmchart-noaddons
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: infisical
- pairs:
app.kubernetes.io/appNamespace: infisical

7
namespaces/infisical/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "false"
name: infisical

39
namespaces/longhorn-system/longhorn-gateway.yaml Normal file
View file

@ -0,0 +1,39 @@
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-routes-to-services
namespace: longhorn-system
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: traefik
to:
- group: ""
kind: Service
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: longhorn-ui
namespace: traefik
spec:
parentRefs:
- name: traefik-gateway
sectionName: web
kind: Gateway
namespace: traefik
hostnames:
- longhorn.leechpepin.local
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: longhorn-frontend
namespace: longhorn-system
port: 80

23
namespaces/longhorn-system/storageclasses.yaml Normal file
View file

@ -0,0 +1,23 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-private
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "private"
nodeSelector: "private"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-public
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "public"

12
namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml
View file

@ -1,12 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: private
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "private"
nodeSelector: "private"

11
namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml
View file

@ -1,11 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: public
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "public"

99
namespaces/longhorn/longhorn/kustomization.yaml
View file

@ -1,99 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: longhorn
unsetOnly: true
namePrefix: longhorn-
resources:
- ../../../kustomize/helmchart
- extras/longhorn-public-storageclass.yaml
- extras/longhorn-private-storageclass.yaml
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
- path: patches/secrets.yaml
target:
kind: InfisicalSecret
name: secrets
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: longhorn
- pairs:
app.kubernetes.io/appNamespace: longhorn
- pairs:
app.kubernetes.io/chartServiceName: longhorn-frontend
replacements:
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: HelmChart
name: chart
fieldPaths:
- spec.targetNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace

5
namespaces/longhorn/longhorn/patches/secrets.yaml
View file

@ -1,5 +0,0 @@
$patch: delete
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets

7
namespaces/longhorn/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: longhorn

2
namespaces/monitoring/healthchecks/kustomization.yaml
View file

@ -96,7 +96,7 @@ configMapGenerator:
literals: literals:
- ADMINS=jonathan@leechpepin.com - ADMINS=jonathan@leechpepin.com
- DB=postgres - DB=postgres
- DB_HOST=postgres-svc.core.svc.cluster.local - DB_HOST=postgres.core.svc.cluster.local
- DB_NAME=hc - DB_NAME=hc
- DB_PORT=5432 - DB_PORT=5432
- DB_USER=hc - DB_USER=hc

97
namespaces/monitoring/umami/kustomization.yaml
View file

@ -1,97 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: monitoring
unsetOnly: true
namePrefix: umami-
resources:
- ../../../kustomize/public-oidc/
replacements:
- source:
kind: Service
name: svc
targets:
- select:
kind: HTTPRoute
options:
create: true
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: Deployment
name: app
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Deployment
name: app
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
name: app
- path: patches/delete-pvc.yaml
target:
kind: PersistentVolumeClaim
name: pvc
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: umami
- pairs:
app.kubernetes.io/appNamespace: monitoring
configMapGenerator:
- name: config
literals:
- DATABASE_TYPE=postgresql

5
namespaces/monitoring/umami/patches/delete-pvc.yaml
View file

@ -1,5 +0,0 @@
$patch: delete
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc

42
namespaces/monitoring/umami/patches/deployment.yaml
View file

@ -1,42 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
tolerations:
- key: "public"
operator: "Equal"
value: "true"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: public
operator: In
values:
- "true"
containers:
- name: umami
image: ghcr.io/umami-software/umami:postgresql-v2.17.0
envFrom:
- configMapRef:
name: umami-config
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: umami-secrets
key: UMAMI_APP_SECRET
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: umami-secrets
key: UMAMI_POSTGRESQL_CONNECTION
ports:
- containerPort: 3000
name: umami

7
namespaces/public/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: public

7
namespaces/traefik/namespace.yaml
View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: traefik

28
namespaces/traefik/traefik/kustomization.yaml
View file

@ -1,28 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: traefik
unsetOnly: true
namePrefix: traefik-lb
resources:
- ../../../kustomize/helmchart-noaddons/
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: traefik-lb
- pairs:
app.kubernetes.io/appNamespace: traefik