sync with latest changes

2025-03-25 09:44:40 -04:00
parent dfc22ce440
commit 887250b3e3
20 changed files with 232 additions and 153 deletions


@@ -1,22 +0,0 @@
steps:
dry-run:
when:
- branch:
exclude:
- main
image: bitnami/kubectl
secrets:
- kube_config
commands:
- echo "$KUBE_CONFIG" > ~/.kube/config
- DRU_RUN=true ./deploy.sh
deploy:
when:
- branch:
main
image: bitnami/kubectl
secrets:
- kube_config
commands:
- echo "$KUBE_CONFIG" > ~/.kube/config
- ./deploy.sh


@@ -0,0 +1,44 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: authentik
namespace: authentik
spec:
chart: authentik
targetNamespace: authentik
repo: https://charts.goauthentik.io
# https://artifacthub.io/packages/helm/goauthentik/authentik
version: 2025.2.1
valuesContent: |-
authentik:
secret_key: "0hETw0LhioALQ6vhNTiN5MuW1349KjPlol3Q3D6sC8BV+IlzyhIfZYth/7WapdmOM8ib3qyyGLC5/8Xk"
postgresql:
password: "dead_forest_coast_rain_bones"
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
hosts:
- login.keligrubb.com
tls:
- secretName: authentik-tls
hosts:
- login.keligrubb.com
metrics:
enabled: true
serviceMonitor:
enabled: true
labels:
release: prometheus
postgresql:
enabled: true
auth:
password: "dead_forest_coast_rain_bones"
redis:
enabled: true
#client id: klpuDnVSaQHY5Z5bpjwfKXmy6uGdbbWWxYyROknW
#client secret: UCBNLEAdyy2BmCpuzimPSlZ1RoVdasfAMeCxaFCr7DEeA2c7VS9XGzA7OhM5WS0Bzpb3h00AQUtCGNPd6rEMwoPt7z76gtPvHcoGXaPVGvfrwDcGxjpRnhkWxrxt27Oo
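Review bot: The Authentik `secret_key` and the PostgreSQL `password` (given twice, under `authentik.postgresql` and `postgresql.auth`) are committed in plaintext inside the HelmChart manifest, and the two commented-out "client id" / "client secret" lines at the end of the hunk are credentials as well; once pushed these must be treated as exposed and rotated, and the same applies to the Nextcloud `password` committed twice in the nextcloud section of this commit (L435, L454). The gitea values in this same commit already use the pattern that avoids this, `existingSecret: gitea-admin-secret` (L117), so the equivalent here is to keep these values in a Kubernetes Secret that is not part of the repository and reference it, if the authentik chart exposes an existing-secret value, or to template them in at deploy time. Drop the two commented credential lines rather than keeping them as a note. The `version: 2025.2.1` pin is fine as written, since two dots keep it a string.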


@@ -1,4 +1,4 @@
kind: Namespace
apiVersion: v1
metadata:
name: jellyfin
name: authentik


@@ -10,17 +10,19 @@ spec:
targetNamespace: git
repo: https://dl.gitea.io/charts/
# https://gitea.com/gitea/helm-chart/releases
version: 10.6.0
version: 11.0.0
valuesContent: |-
resources:
limits:
cpu: 200m
memory: 256Mi
cpu: 400m
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
image:
tag: 1.23.4
memory: 512Mi
postgresql:
enabled: false
postgresql-ha:
enabled: false
gitea:
admin:
existingSecret: gitea-admin-secret
@@ -30,11 +32,14 @@ spec:
serviceMonitor:
enabled: true
config:
ui:
DEFAULT_THEME: gitea-dark
picture:
ENABLE_FEDERATED_AVATAR: false
DISABLE_GRAVATAR: true
actions:
ENABLED: true
database:
DB_TYPE: sqlite3
NAME: /data/gitea/gitea.db
actions:
enabled: true
provisioning:
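Review bot: The first hunk of this section appears to drop the pinned `image: tag: 1.23.4` together with the chart bump to `11.0.0` (inferred from the hunk counts, since the rendered view lost the markers), so the deployed Gitea version now follows whatever the chart defaults to; if that is intended, a one-line comment such as `# image tag follows the chart's appVersion` next to `version: 11.0.0` keeps the next reader from re-pinning it, and if not, the tag should come back. With `postgresql.enabled: false` and `postgresql-ha.enabled: false`, the `DB_TYPE: sqlite3` config in the second hunk is the only database path left in the visible values, so the persistence of `/data/gitea` now carries the whole instance state. `actions: ENABLED: true` turns on Gitea Actions, meaning any runner registered against this instance will execute repository workflows, so the runner deployment becomes the trust boundary to review. The `valuesContent` block this belongs to starts outside the hunk.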


@@ -1,4 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: immich


@@ -26,5 +26,8 @@ spec:
memory: 200Mi
extraArgs:
enable-ssl-passthrough: "true"
allowSnippetAnnotations: true
config:
annotations-risk-level: Critical
tcp:
22: git/gitea-ssh:22
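Review bot: `allowSnippetAnnotations: true` combined with `annotations-risk-level: Critical` lets any principal that can create or update an Ingress in any namespace inject raw nginx directives into the shared controller, which holds the TLS secrets for every host it serves; the project ships snippet annotations disabled for exactly that reason. It is evidently enabled here to serve the `nginx.ingress.kubernetes.io/server-snippet` block in the nextcloud values added in this commit (L405). If that snippet is required, record the dependency next to the setting, e.g. `# needed for the server-snippet annotation on the nextcloud ingress; keep Ingress create/update RBAC limited to trusted namespaces`, and revisit whether the rewrites can be expressed through the controller's non-snippet annotations instead. The `valuesContent` block this sits in starts outside the hunk.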


@@ -1,13 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: jellyfin-ingress
namespace: jellyfin
spec:
entryPoints:
- jellyfin
routes:
- services:
- name: jellyfin
port: 8096


@@ -1,29 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin-deployment
labels:
app: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
containers:
- name: jellyfin
image: jellyfin/jellyfin
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 8096
protocol: TCP


@@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: jellyfin
spec:
selector:
app: jellyfin
ports:
- protocol: TCP
port: 8096
targetPort: 8096
type: LoadBalancer


@@ -1,8 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: longhorn-basic-auth-secret
name: basic-auth
namespace: longhorn-system
type: Opaque
stringData:
auth: PNHrc9lt60CW
data:
auth: a2VsaWdydWJiOiRhcHIxJGpUTHdHQkFQJEhOUndKZjFxUmRVUzk5UFZpZlRaNi8K
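Review bot: The new `data.auth` value is only base64, so the htpasswd line it encodes, a `user:$apr1$…` entry (apr1 is the MD5-based htpasswd scheme), is readable by everyone with repository access and is cheap to crack offline; an apr1 hash committed to git should be treated like a leaked password. Prefer to keep this Secret out of the repository (a sealed or externally sourced secret) and, if the controller's crypt() implementation accepts it, generate the entry with `htpasswd -B` (bcrypt) rather than the default apr1. The rename to `basic-auth` is matched by the longhorn `auth-secret` annotation change in this commit, so the reference stays consistent.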


@@ -8,7 +8,7 @@ spec:
targetNamespace: longhorn-system
repo: https://charts.longhorn.io
# https://artifacthub.io/packages/helm/longhorn/longhorn
version: 1.8.0
version: 1.8.1
valuesContent: |-
ingress:
enabled: true
@@ -19,8 +19,8 @@ spec:
nginx.ingress.kubernetes.io/auth-type: basic
# prevent the controller from redirecting (308) to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: 'false'
nginx.ingress.kubernetes.io/auth-secret: longhorn-basic-auth-secret
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
nginx.ingress.kubernetes.io/proxy-body-size: 10000m
tls:
- secretName: longhorn-tls
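Review bot: The `auth-secret` annotation now points at `basic-auth`, but the context line `ssl-redirect: 'false'` just above it (with its comment about avoiding the 308) means that if the controller's plain-HTTP listener is reachable, the basic-auth credentials protecting the Longhorn UI travel base64-encoded in the clear; the commit does not introduce that, but it is the credential this hunk wires up. If HTTP has to stay open for some client, say why next to the annotation, e.g. `# HTTP kept open for <reason>; basic-auth credentials are sent unencrypted on it`; otherwise drop the `ssl-redirect: 'false'` line so the `longhorn-tls` secret below is always used. The values block starts outside the hunk.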


@@ -40,7 +40,7 @@ spec:
mountPath: /var/lib/minetest
containers:
- name: mineclonia
image: ghcr.io/minetest/minetest
image: ghcr.io/luanti-org/luanti
ports:
- containerPort: 30000
protocol: UDP


@@ -0,0 +1,21 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-config
namespace: monitoring # Change if using a different namespace
data:
grafana.ini: |
[auth]
signout_redirect_url = https://authentik.company/application/o/<Slug of the application>/end-session/
oauth_auto_login = true
[auth.generic_oauth]
name = authentik
enabled = true
client_id = "<Client ID from above>"
client_secret = "<Client Secret from above>"
scopes = openid profile email
auth_url = https://authentik.company/application/o/authorize/
token_url = https://authentik.company/application/o/token/
api_url = https://authentik.company/application/o/userinfo/
role_attribute_path = contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
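Review bot: This ConfigMap is a verbatim copy of a provider example: `authentik.company`, `<Slug of the application>`, `<Client ID from above>` and `<Client Secret from above>` are all unfilled placeholders, nothing in this commit mounts `grafana-config`, and the kube-prometheus-stack values later in this commit (L304–L318 and L326–L339) carry two more copies of the same `[auth.generic_oauth]` settings with different values. Keep a single copy, and because `client_secret` is a credential it belongs neither in a ConfigMap nor in a values file; Grafana expands `$__env{NAME}` and `$__file{path}` in grafana.ini, so the secret can be supplied from a Kubernetes Secret through an environment variable, e.g. `client_secret = $__env{GF_OAUTH_CLIENT_SECRET}`. If this file is a scratch note rather than something applied, drop it from the commit.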


@@ -8,8 +8,26 @@ spec:
targetNamespace: monitoring
repo: https://prometheus-community.github.io/helm-charts
# https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack
version: 69.4.1
version: 70.0.2
valuesContent: |-
grafana.ini:
auth:
signout_redirect_url: "https://login.keligrubb.com/application/o/<Slug of the application from above>/end-session/"
oauth_auto_login: true
auth.generic_oauth:
name: authentik
enabled: true
client_id: "<Client ID from above>"
client_secret: "<Client Secret from above>"
scopes: "openid profile email"
auth_url: "https://login.keligrubb.com/application/o/authorize/"
token_url: "https://login.keligrubb.com/application/o/ti needoken/"
api_url: "https://login.keligrubb.com/application/o/userinfo/"
# Optionally map user groups to Grafana roles
role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
grafana:
defaultDashboardsTimezone: "US/Eastern"
ingress:
@@ -32,6 +50,21 @@ spec:
access: proxy
basicAuth: false
url: http://loki-gateway.monitoring.svc.cluster.local
config:
auth:
signout_redirect_url: "https://login.keligrubb.com/application/o/grafana/end-session/"
oauth_auto_login: true
auth.generic_oauth:
name: authentik
enabled: true
client_id: "<Client ID from above>"
client_secret: "<Client Secret from above>"
scopes: "openid profile email"
auth_url: "https://login.keligrubb.com/application/o/authorize/"
token_url: "https://login.keligrubb.com/application/o/token/"
api_url: "https://login.keligrubb.com/application/o/userinfo/"
role_attribute_path: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
kubelet:
serviceMonitor:
metricRelabelings:
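Review bot: `token_url: "https://login.keligrubb.com/application/o/ti needoken/"` in the first hunk is garbled (a stray "ti need" inside `token`); the second copy at L337 has the correct `…/application/o/token/` path. Beyond that, the first hunk's `grafana.ini:` key comes before the `grafana:` key and so cannot be nested under it, while the second hunk nests the same settings under `config:`; the kube-prometheus-stack chart passes Grafana settings to its subchart as `grafana: / grafana.ini:`, so as far as I can tell neither copy is read, and the unfilled `<Client ID from above>` / `<Client Secret from above>` / `<Slug of the application from above>` placeholders would break the OIDC login if one were. Keep one block, under `grafana:` as `grafana.ini:`, with the real values, and source `client_secret` from a Secret via `$__env{…}` rather than the values file. Both hunks lie inside `valuesContent`, which starts outside the hunk.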


@@ -8,7 +8,7 @@ spec:
targetNamespace: monitoring
repo: https://grafana.github.io/helm-charts
# https://artifacthub.io/packages/helm/grafana/loki
version: 6.27.0
version: 6.28.0
valuesContent: |-
loki:
commonConfig:


@@ -1,4 +1,4 @@
kind: Namespace
apiVersion: v1
metadata:
name: git
name: authentik
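Review bot: The print order suggests this Namespace manifest changes from `git` to `authentik`, yet the gitea HelmChart in this commit still uses `targetNamespace: git` (L93) and the ingress-nginx tcp entry still references `git/gitea-ssh:22` (L154), so the `git` namespace would no longer be declared anywhere visible; the earlier section at L83–L88 already turns another Namespace manifest into `authentik`, which would leave two files declaring the same namespace. If the rendered view merely lost the markers and the change runs the other way, disregard this; otherwise keep a single `authentik` Namespace and restore the `git` one.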


@@ -0,0 +1,107 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: nextcloud
namespace: nextcloud
spec:
chart: nextcloud
targetNamespace: nextcloud
repo: https://nextcloud.github.io/helm/
# https://artifacthub.io/packages/helm/nextcloud/nextcloud
version: 6.6.9
valuesContent: |-
# resources:
# requests:
# cpu: 200m
# memory: 200Mi
# limits:
# cpu: 200m
# memory: 200Mi
lifecycle:
postStartCommand: ["/bin/bash", "-c", "apt update -y && apt install ffmpeg -y"]
metrics:
enabled: true
serviceMonitor:
enabled: true
labels:
release: prometheus
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET HEAD POST OPTIONS PUT PATCH DELETE PROPFIND MKCOL REPORT"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/server-snippet: |-
server_tokens off;
proxy_hide_header X-Powered-By;
rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
deny all;
}
tls:
- secretName: nextcloud-tls
hosts:
- cloud.keligrubb.com
nextcloud:
host: cloud.keligrubb.com
password: "east_task_law_fastened"
configs:
proxy.config.php: |-
<?php
$CONFIG = array (
'trusted_proxies' => array(
0 => '127.0.0.1',
1 => '10.0.0.0/8',
),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
'allow_local_remote_servers' => true,
);
internalDatabase:
enabled: false
postgresql:
enabled: true
global:
postgresql:
auth:
password: "east_task_law_fastened"
primary:
persistence:
enabled: true
resources:
requests:
memory: 256Mi
cpu: 200m
limits:
memory: 384Mi
cpu: 300m
externalDatabase:
enabled: true
host: nextcloud-postgresql.nextcloud.svc.cluster.local
persistence:
enabled: true
storageClass: longhorn
size: 512Gi
nextcloudData.size: 512Gi
cronjob:
enabled: true
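Review bot: `'trusted_proxies' => array(... '10.0.0.0/8')` in `proxy.config.php` makes Nextcloud accept `X-Forwarded-For` from anything in that range, which in a cluster is typically every pod, so any workload could spoof the client address that Nextcloud's brute-force protection and audit log key on; narrow it to the ingress controller's pod or service addresses. `'allow_local_remote_servers' => true` switches off the check that stops Nextcloud from fetching private and loopback URLs (federation, external storage), so it deserves a comment naming the internal service that needs it, or should be removed. `nextcloudData.size: 512Gi` is a literal key named `nextcloudData.size`, not the nested `persistence.nextcloudData.size` the chart reads, so write it as `nextcloudData:` followed by an indented `size: 512Gi`. The `postStartCommand` runs `apt update && apt install ffmpeg` on every container start, which requires egress and makes the running image non-reproducible; building ffmpeg into a derived image is the usual fix.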


@@ -1,15 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gitea-ingress
namespace: git
spec:
entryPoints:
- web
routes:
- match: Path(`/`)
kind: Rule
services:
- name: gitea-http
port: 3000


@@ -1,38 +0,0 @@
# helm repo add mojo2600 https://mojo2600.github.io/pihole-kubernetes/
# helm install pihole mojo2600/pihole
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: pihole
namespace: pihole
spec:
chart: pihole
targetNamespace: pihole
repo: https://mojo2600.github.io/pihole-kubernetes/
valuesContent: |-
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1
memory: 512Mi
persistentVolumeClaim:
enabled: true
podDnsConfig:
enabled: true
policy: "None"
nameservers:
- 68.94.156.11
- 68.94.157.11
service:
web:
type: LoadBalancer
loadBalancerIP: 192.168.178.252
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
dns:
type: LoadBalancer
loadBalancerIP: 192.168.178.252
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc