deploy/00-infisical.sh

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-# Parse command line arguments
-RECREATE=false
-for arg in "$@"; do
-  case $arg in
-    --recreate)
-      RECREATE=true
-      shift
-      ;;
-  esac
-done
-
-# Check if the secret already exists
-SECRET_EXISTS=$(kubectl get secret universal-auth-credentials -n infisical --ignore-not-found -o name)
-
-if [[ -n "$SECRET_EXISTS" && "$RECREATE" == "true" ]]; then
-  echo "Recreating Infisical bootstrap secret..."
-  kubectl delete secret universal-auth-credentials -n infisical
-  kubectl create secret generic universal-auth-credentials -n infisical \
-    --from-literal clientId=$(gopass show -o homelab/infisical/id) \
-    --from-literal clientSecret=$(gopass show -o homelab/infisical/secret)
-elif [[ -z "$SECRET_EXISTS" ]]; then
-  echo "Creating Infisical bootstrap secret..."
-  kubectl create secret generic universal-auth-credentials -n infisical \
-    --from-literal clientId=$(gopass show -o homelab/infisical/id) \
-    --from-literal clientSecret=$(gopass show -o homelab/infisical/secret)
-else
-  echo "Infisical bootstrap secret already exists, skipping creation (use --recreate to force)"
-fi

deploy/00-infisical/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - ../../namespaces/infisical/

deploy/01-infra.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-echo -n "Checking for Infrastructure CRDs... "
-kubectl wait --for condition=established crd/httproutes.gateway.networking.k8s.io > /dev/null
-kubectl wait --for condition=established crd/volumes.longhorn.io > /dev/null
-kubectl wait --for condition=established crd/certificates.cert-manager.io > /dev/null
-echo "done"

deploy/01-infra/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - ../../namespaces/cert-manager/
-  - ../../namespaces/homelab/
-  - ../../namespaces/longhorn/
-  - ../../namespaces/traefik/

deploy/10-apps/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - ../../namespaces/

justfile

@@ -1,43 +0,0 @@
-set export := true
-verbose := "false"
-diff := "kubectl diff -k"
-apply := "kubectl apply -k"
-redirect := if verbose == "true" { "" } else { "> /dev/null" }
-
-default:
-    @just --list
-
-infisical_bootstrap_secret recreate="":
-    @echo "-- Adding Infisical Bootstrap secret --"
-    @./deploy/00-infisical.sh {{ recreate }}
-
-_diff_infisical:
-    @echo "-- Diffing Infisical resources --"
-    @{{ diff }} deploy/00-infisical || [ $? -eq 1 ]
-_diff_infra:
-    @echo "-- Diffing Infra resources --"
-    @{{ diff }} deploy/01-infra || [ $? -eq 1 ]
-_diff_apps:
-    @echo "-- Diffing Apps --"
-    @{{ diff }} deploy/10-apps || [ $? -eq 1 ]
-    # @./deploy/10-apps.sh
-
-_apply_infisical:
-    @echo "-- Applying Infisical resources --"
-    @{{ apply }} deploy/00-infisical {{ redirect }}
-_apply_infra:
-    @echo "-- Applying Infra resources --"
-    @{{ apply }} deploy/01-infra {{ redirect }}
-    @./deploy/01-infra.sh
-_apply_apps:
-    @echo "-- Applying Apps --"
-    @{{ apply }} deploy/10-apps {{ redirect }}
-
-_apply_post: _apply_infra _apply_apps
-
-diff: _diff_infisical _diff_infra _diff_apps
-apply: _apply_infisical _apply_post
-_deploy recreate="": _apply_infisical (infisical_bootstrap_secret recreate) _apply_post
-deploy: _deploy
-
-redeploy: (_deploy "--recreate")

namespaces/ai/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - ollama/
-  - tabby/
-  - openwebui/

namespaces/ai/openwebui/patches/chart.yaml

@@ -59,7 +59,7 @@ spec:
       - name: RAG_OLLAMA_BASE_URL
         value: "https://ollama.leechpepin.com:11434"
       - name: TIKA_SERVER_URL
-        value: "http://tika-svc.core.svc.cluster.local:9998"
+        value: "http://tika.apps.svc.cluster.local:9998"
       - name: WEBUI_URL
         value: "https://owui.leechpepin.com"
       - name: ENABLE_RAG_WEB_SEARCH

namespaces/apps/atuin/patches/deployment.yaml

@@ -25,8 +25,7 @@ spec:
           envFrom:
             - configMapRef:
                 name: atuin-config
-          image: ghcr.io/atuinsh/atuin:18.4.0
-          imagePullPolicy: IfNotPresent
+          image: ghcr.io/atuinsh/atuin:latest
           name: atuin
           ports:
             - containerPort: 8888

namespaces/apps/gotenburg/kustomization.yaml

@@ -7,7 +7,7 @@ transformers:
     kind: NamespaceTransformer
     metadata:
       name: notImportantHere
-      namespace: core
+      namespace: apps
     unsetOnly: true
 
 namePrefix: gotenburg-
@@ -45,4 +45,4 @@ labels:
     pairs:
       app.kubernetes.io/appName: gotenburg
   - pairs:
-      app.kubernetes.io/appNamespace: core
+      app.kubernetes.io/appNamespace: apps

namespaces/apps/kustomization.yaml

@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - smtp-secrets.yaml
-  - atuin/
-  - dolibarr/
-  - forgejo/
-  - linkwarden/
-  - mealie/
-  - paperless/
-  - vaultwarden/

namespaces/apps/paperless/kustomization.yaml

@@ -96,8 +96,8 @@ configMapGenerator:
       - PAPERLESS_DBUSER=paperless
       - PAPERLESS_DBNAME=paperlessdb
       - PAPERLESS_TIKA_ENABLED="1"
-      - PAPERLESS_TIKA_ENDPOINT="http://tika-svc.core:9998"
-      - PAPERLESS_TIKA_GOTENBURG_ENDPOINT="http://gotenburg-svc.core:3000"
+      - PAPERLESS_TIKA_ENDPOINT="http://tika-svc.apps:9998"
+      - PAPERLESS_TIKA_GOTENBURG_ENDPOINT="http://gotenburg-svc.apps:3000"
       - PAPERLESS_USE_X_FORWARD_HOST="1"
       - PAPERLESS_TIME_ZONE="America/New_York"
       - PAPERLESS_URL="https://paperless.leechpepin.com"

namespaces/apps/paperless/patches/deployment.yaml

@@ -17,8 +17,7 @@ spec:
                       - arthur
       containers:
         - name: paperless
-          image: ghcr.io/paperless-ngx/paperless-ngx:2.14.7
-          imagePullPolicy: IfNotPresent
+          image: ghcr.io/paperless-ngx/paperless-ngx:latest
           volumeMounts:
             - name: consume-volume
               mountPath: /usr/src/paperless/consume

namespaces/apps/smtp-secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: smtp-secrets-apps
+  name: smtp-secrets
   namespace: infisical
   labels:
     label-to-be-passed-to-managed-secret: homelab

namespaces/apps/tika/kustomization.yaml

@@ -7,7 +7,7 @@ transformers:
     kind: NamespaceTransformer
     metadata:
       name: notImportantHere
-      namespace: core
+      namespace: apps
     unsetOnly: true
 
 namePrefix: tika-
@@ -45,4 +45,4 @@ labels:
     pairs:
       app.kubernetes.io/appName: tika
   - pairs:
-      app.kubernetes.io/appNamespace: core
+      app.kubernetes.io/appNamespace: apps

namespaces/apps/tika/patches/deployment.yaml

@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
         - name: tika
-          image: docker.io/apache/tika:3.1.0.0
+          image: docker.io/apache/tika:latest
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9998

namespaces/auth/authentik/kustomization.yaml

@@ -1,112 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-transformers:
-  - |-
-    apiVersion: builtin
-    kind: NamespaceTransformer
-    metadata:
-      name: notImportantHere
-      namespace: auth
-    unsetOnly: true
-
-namePrefix: authentik-
-resources:
-  - ../../../kustomize/helmchart
-
-patches:
-  - path: patches/chart.yaml
-    target:
-      kind: HelmChart
-      name: chart
-  # - path: patches/httproute.yaml
-  #   target:
-  #     kind: HTTPRoute
-
-labels:
-  - includeSelectors: true
-    pairs:
-      app.kubernetes.io/appName: authentik
-  - pairs:
-      app.kubernetes.io/appNamespace: auth
-  - pairs:
-      app.kubernetes.io/chartServiceName: authentik-chart-server
-  - pairs:
-      app.kubernetes.io/routePrefix: auth
-
-replacements:
-  # Update secrets
-  - source:
-      kind: HelmChart
-      name: chart
-      fieldPath: metadata.labels.[app.kubernetes.io/appName]
-    targets:
-      - select:
-          kind: InfisicalSecret
-        options:
-          create: true
-          delimiter: "-"
-          index: 0
-        fieldPaths:
-          - spec.managedSecretReference.secretName
-      - select:
-          kind: InfisicalSecret
-        options:
-          create: true
-          delimiter: "/"
-          index: 2
-        fieldPaths:
-          - spec.authentication.universalAuth.secretsScope.secretsPath
-  - source:
-      kind: HelmChart
-      name: chart
-      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
-    targets:
-      - select:
-          kind: InfisicalSecret
-        options:
-          create: true
-          delimiter: "/"
-          index: 1
-        fieldPaths:
-          - spec.authentication.universalAuth.secretsScope.secretsPath
-      - select:
-          kind: InfisicalSecret
-        fieldPaths:
-          - spec.managedSecretReference.secretNamespace
-  # HTTPRoute
-  - source:
-      kind: HelmChart
-      name: chart
-      fieldPath: metadata.labels.[app.kubernetes.io/appName]
-    targets:
-      - select:
-          kind: HTTPRoute
-        options:
-          create: true
-          delimiter: "."
-          index: 0
-        fieldPaths:
-          - spec.hostnames.0
-  - source:
-      kind: HelmChart
-      name: chart
-      fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
-    targets:
-      - select:
-          kind: HTTPRoute
-        fieldPaths:
-          - spec.rules.0.backendRefs.0.name
-  - source:
-      kind: HTTPRoute
-      name: http
-      fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
-    targets:
-      - select:
-          kind: HTTPRoute
-        options:
-          create: true
-          delimiter: "."
-          index: 0
-        fieldPaths:
-          - spec.hostnames.0

namespaces/auth/authentik/patches/chart.yaml

@@ -1,66 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
-  name: chart
-spec:
-  chart: authentik
-  repo: https://charts.goauthentik.io
-  targetNamespace: auth
-  createNamespace: true
-  valuesContent: |-
-    authentik:
-      secret_key: "file:///auth-secrets/SECRET-KEY"
-      postgresql:
-        host: postgres-svc.core.svc.cluster.local
-        port: 5432
-        user: authentik  # Using default directly
-        password: file:///auth-secrets/DB-PASSWORD
-        database: authentik
-      redis:
-        host: redis-svc.core.svc.cluster.local
-        db: 15
-      email:
-        from: homelab@leechpepin.com
-        host: blizzard.mxrouting.net
-        port: 465
-        use_ssl: true
-        username: homelab@leechpepin.com
-        password: file:///smtp-secrets/SMTP_PASSWORD
-
-    postgresql:
-      enabled: false
-    redis:
-      enabled: false
-
-    server:
-      service:
-        type: NodePort
-      volumes:
-        - name: auth-secrets
-          secret:
-            secretName: authentik-secrets
-        - name: smtp-secrets
-          secret:
-            secretName: smtp-secrets
-      volumeMounts:
-        - name: auth-secrets
-          mountPath: /auth-secrets
-          readOnly: true
-        - name: smtp-secrets
-          mountPath: /smtp-secrets
-          readOnly: true
-    worker:
-      volumes:
-        - name: auth-secrets
-          secret:
-            secretName: authentik-secrets
-        - name: smtp-secrets
-          secret:
-            secretName: smtp-secrets
-      volumeMounts:
-        - name: auth-secrets
-          mountPath: /auth-secrets
-          readOnly: true
-        - name: smtp-secrets
-          mountPath: /smtp-secrets
-          readOnly: true

namespaces/auth/authentik/patches/httproute.yaml

@@ -1,16 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http
-spec:
-  rules:
-    - backendRefs:
-        - name: authentik-chart-server
-          port: 80
-          namespace: auth
-      filters:
-        - requestHeaderModifier:
-            set:
-              - name: X-Forwarded-Proto
-                value: https
-          type: RequestHeaderModifier

namespaces/auth/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - smtp-secrets.yaml
-  - authentik/

namespaces/auth/namespace.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    homelab-access: "true"
-  name: auth

namespaces/auth/smtp-secrets.yaml

@@ -1,28 +0,0 @@
----
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  name: smtp-secrets-auth
-  namespace: infisical
-  labels:
-    label-to-be-passed-to-managed-secret: homelab
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
-spec:
-  hostAPI: https://app.infisical.com/api
-  resyncInterval: 10
-  authentication:
-    # Universal Auth
-    universalAuth:
-      secretsScope:
-        projectSlug: homelab-n-f-yj
-        envSlug: prod
-        secretsPath: "/" # Root is "/"
-        recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
-      credentialsRef:
-        secretName: universal-auth-credentials
-        secretNamespace: infisical
-  managedSecretReference:
-    secretName: smtp-secrets
-    secretNamespace: auth
-    creationPolicy: "Orphan" ## Owner | Orphan

namespaces/cert-manager/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - cert-manager/

namespaces/cert-manager/post-crd/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - cluster-issuer.yaml
-  - consultjlpdotcom-cert.yaml
-  - jlptechdotconsulting-cert.yaml
-  - leechpepindotcom-cert.yaml

namespaces/charts/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - gpu-runtime.yaml

namespaces/core/kustomization.yaml

@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - postgres/
-  - redis/
-  - tika/
-  - gotenburg/

namespaces/core/syncthing.yaml

@@ -17,7 +17,7 @@ spec:
       restartPolicy: Always
       containers:
         - name: syncthing
-          image: syncthing/syncthing:1.29
+          image: syncthing/syncthing:latest
           ports:
             - name: http
               containerPort: 8384

namespaces/homelab/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - gateway.yaml

namespaces/infisical/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - infisical/

namespaces/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - cert-manager/post-crd
-  - ai/
-  - apps/
-  - auth/
-  - core/
-  - charts/
-  - monitoring/
-  - public/

namespaces/longhorn/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - longhorn/

namespaces/monitoring/diun/patches/deployment.yaml

@@ -23,8 +23,8 @@ spec:
       serviceAccountName: diun
       containers:
         - name: diun
-          image: crazymax/diun:4.29.0
-          imagePullPolicy: IfNotPresent
+          image: crazymax/diun:latest
+          imagePullPolicy: Always
           args: ["serve"]
           envFrom:
             - configMapRef:

namespaces/monitoring/healthchecks/patches/deployment.yaml

@@ -22,8 +22,7 @@ spec:
                       - "true"
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:v3.9
-          imagePullPolicy: IfNotPresent
+          image: healthchecks/healthchecks:latest
           envFrom:
             - configMapRef:
                 name: healthchecks-config

namespaces/monitoring/kustomization.yaml

@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - smtp-secrets.yaml
-  - umami/
-  - ntfy/
-  - diun/
-  - healthchecks/

namespaces/monitoring/smtp-secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: smtp-secrets-monitoring
+  name: smtp-secrets
   namespace: infisical
   labels:
     label-to-be-passed-to-managed-secret: homelab

namespaces/monitoring/uptime-kuma/kustomization.yaml

@@ -13,7 +13,7 @@ transformers:
 namePrefix: uptime-kuma-
 resources:
   - ../../../kustomize/deployment/
-  # - extra/middleware-auth.yaml
+  - extra/middleware-auth.yaml
 
 replacements:
   - source:

namespaces/monitoring/uptime-kuma/patches/httproute.yaml

@@ -2,13 +2,13 @@ apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: http
-# spec:
-#   rules:
-#     - backendRefs:
-#         - port: 80
-#       filters:
-#         - type: ExtensionRef
-#           extensionRef:
-#             group: traefik.io
-#             kind: Middleware
-#             name: authentik-forward-auth
+spec:
+  rules:
+    - backendRefs:
+        - port: 80
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: authentik-forward-auth

namespaces/public/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml

namespaces/traefik/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - traefik/