From 887250b3e3fc1946dd08a10b32a5ec949df91c13 Mon Sep 17 00:00:00 2001 From: Keli Grubb Date: Tue, 25 Mar 2025 09:44:40 -0400 Subject: [PATCH] sync with latest changes --- .woodpecker.yml | 22 ---- namespaces/authentik/authentik-chart.yml | 44 +++++++ .../{jellyfin => authentik}/namespace.yml | 2 +- namespaces/git/gitea-chart.yml | 21 ++-- namespaces/immich/immich-chart.yml | 0 namespaces/immich/namespace.yml | 4 - .../ingress-nginx/ingress-nginx-chart.yml | 3 + namespaces/jellyfin/ingress.yml | 13 --- namespaces/jellyfin/jellyfin-deployment.yml | 29 ----- namespaces/jellyfin/jellyfin-service.yml | 13 --- .../longhorn-basic-auth-secret.yml | 6 +- namespaces/longhorn-system/longhorn-chart.yml | 6 +- .../mineclonia/mineclonia-deployment.yml | 2 +- namespaces/monitoring/grafana-config.yml | 21 ++++ .../kube-prometheus-stack-chart.yml | 35 +++++- namespaces/monitoring/loki-chart.yml | 2 +- .../{pihole => nextcloud}/namespace.yml | 2 +- namespaces/nextcloud/nextcloud-chart.yml | 107 ++++++++++++++++++ namespaces/pihole/ingress.yml | 15 --- namespaces/pihole/pihole-chart.yml | 38 ------- 20 files changed, 232 insertions(+), 153 deletions(-) delete mode 100644 .woodpecker.yml create mode 100644 namespaces/authentik/authentik-chart.yml rename namespaces/{jellyfin => authentik}/namespace.yml (69%) delete mode 100644 namespaces/immich/immich-chart.yml delete mode 100644 namespaces/immich/namespace.yml delete mode 100644 namespaces/jellyfin/ingress.yml delete mode 100644 namespaces/jellyfin/jellyfin-deployment.yml delete mode 100644 namespaces/jellyfin/jellyfin-service.yml create mode 100644 namespaces/monitoring/grafana-config.yml rename namespaces/{pihole => nextcloud}/namespace.yml (69%) create mode 100644 namespaces/nextcloud/nextcloud-chart.yml delete mode 100644 namespaces/pihole/ingress.yml delete mode 100644 namespaces/pihole/pihole-chart.yml diff --git a/.woodpecker.yml b/.woodpecker.yml deleted file mode 100644 index 6d6cd12..0000000 
--- a/.woodpecker.yml +++ /dev/null @@ -1,22 +0,0 @@ -steps: - dry-run: - when: - - branch: - exclude: - - main - image: bitnami/kubectl - secrets: - - kube_config - commands: - - echo "$KUBE_CONFIG" > ~/.kube/config - - DRU_RUN=true ./deploy.sh - deploy: - when: - - branch: - main - image: bitnami/kubectl - secrets: - - kube_config - commands: - - echo "$KUBE_CONFIG" > ~/.kube/config - - ./deploy.sh diff --git a/namespaces/authentik/authentik-chart.yml b/namespaces/authentik/authentik-chart.yml new file mode 100644 index 0000000..2daa9be --- /dev/null +++ b/namespaces/authentik/authentik-chart.yml @@ -0,0 +1,44 @@ +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: authentik + namespace: authentik +spec: + chart: authentik + targetNamespace: authentik + repo: https://charts.goauthentik.io + # https://artifacthub.io/packages/helm/goauthentik/authentik + version: 2025.2.1 + valuesContent: |- + authentik: + secret_key: "0hETw0LhioALQ6vhNTiN5MuW1349KjPlol3Q3D6sC8BV+IlzyhIfZYth/7WapdmOM8ib3qyyGLC5/8Xk" + postgresql: + password: "dead_forest_coast_rain_bones" + server: + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer" + hosts: + - login.keligrubb.com + tls: + - secretName: authentik-tls + hosts: + - login.keligrubb.com + metrics: + enabled: true + serviceMonitor: + enabled: true + labels: + release: prometheus + postgresql: + enabled: true + auth: + password: "dead_forest_coast_rain_bones" + redis: + enabled: true + + +#client id: klpuDnVSaQHY5Z5bpjwfKXmy6uGdbbWWxYyROknW +#client secret: UCBNLEAdyy2BmCpuzimPSlZ1RoVdasfAMeCxaFCr7DEeA2c7VS9XGzA7OhM5WS0Bzpb3h00AQUtCGNPd6rEMwoPt7z76gtPvHcoGXaPVGvfrwDcGxjpRnhkWxrxt27Oo diff --git a/namespaces/jellyfin/namespace.yml b/namespaces/authentik/namespace.yml similarity index 69% rename from namespaces/jellyfin/namespace.yml rename to namespaces/authentik/namespace.yml index b2d7885..df5f9be 100644 --- a/namespaces/jellyfin/namespace.yml 
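Review bot: Live credentials are committed in plain text in this new file — `authentik.secret_key`, `postgresql.password` (repeated as `postgresql.auth.password`) and the OAuth `#client id`/`#client secret` comments at the bottom — and once pushed they stay in Git history, so all of them should be treated as exposed and rotated. Authentik reads these settings from the `AUTHENTIK_SECRET_KEY` and `AUTHENTIK_POSTGRESQL__PASSWORD` environment variables, so the values can be supplied from a Kubernetes Secret through the chart's env hooks (I believe `global.env` accepts `valueFrom.secretKeyRef` entries) rather than inline in `valuesContent`, with the Secret itself kept out of the repo via sealed-secrets, SOPS or an external-secrets operator. The two trailing comments carry no configuration and should simply be deleted. Note also that `version: 2025.2.1` is safe as a plain scalar here, but the chart's own comment line is the only place the source of that version is recorded; quoting it would survive a future reformat.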
+++ b/namespaces/authentik/namespace.yml @@ -1,4 +1,4 @@ kind: Namespace apiVersion: v1 metadata: - name: jellyfin \ No newline at end of file + name: authentik diff --git a/namespaces/git/gitea-chart.yml b/namespaces/git/gitea-chart.yml index f7b343d..e649bac 100644 --- a/namespaces/git/gitea-chart.yml +++ b/namespaces/git/gitea-chart.yml @@ -10,17 +10,19 @@ spec: targetNamespace: git repo: https://dl.gitea.io/charts/ # https://gitea.com/gitea/helm-chart/releases - version: 10.6.0 + version: 11.0.0 valuesContent: |- resources: limits: - cpu: 200m - memory: 256Mi + cpu: 400m + memory: 512Mi requests: cpu: 200m - memory: 256Mi - image: - tag: 1.23.4 + memory: 512Mi + postgresql: + enabled: false + postgresql-ha: + enabled: false gitea: admin: existingSecret: gitea-admin-secret @@ -30,11 +32,14 @@ spec: serviceMonitor: enabled: true config: + ui: + DEFAULT_THEME: gitea-dark picture: ENABLE_FEDERATED_AVATAR: false DISABLE_GRAVATAR: true - actions: - ENABLED: true + database: + DB_TYPE: sqlite3 + NAME: /data/gitea/gitea.db actions: enabled: true provisioning: diff --git a/namespaces/immich/immich-chart.yml b/namespaces/immich/immich-chart.yml deleted file mode 100644 index e69de29..0000000 diff --git a/namespaces/immich/namespace.yml b/namespaces/immich/namespace.yml deleted file mode 100644 index 8c8c726..0000000 --- a/namespaces/immich/namespace.yml +++ /dev/null @@ -1,4 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: immich diff --git a/namespaces/ingress-nginx/ingress-nginx-chart.yml b/namespaces/ingress-nginx/ingress-nginx-chart.yml index 485887c..525bbd2 100644 --- a/namespaces/ingress-nginx/ingress-nginx-chart.yml +++ b/namespaces/ingress-nginx/ingress-nginx-chart.yml @@ -26,5 +26,8 @@ spec: memory: 200Mi extraArgs: enable-ssl-passthrough: "true" + allowSnippetAnnotations: true + config: + annotations-risk-level: Critical tcp: 22: git/gitea-ssh:22 
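Review bot: Switching Gitea to `DB_TYPE: sqlite3` here while the first hunk sets `postgresql.enabled: false` means the release comes up with an empty database unless existing data was migrated outside this repo — if the previous deployment stored anything in the bundled PostgreSQL, users, repository metadata and issues will not carry over, and sqlite also rules out more than one replica. If that is intentional, a comment above `database:` would save the next reader the same question, e.g. `# single-replica sqlite; the file lives on the gitea PVC under /data`. The enclosing `gitea.config` mapping continues outside the hunk.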
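Review bot: `allowSnippetAnnotations: true` combined with `annotations-risk-level: Critical` re-enables raw nginx snippet injection for every Ingress in the cluster; the controller ships with snippets off and a lower default risk level because any identity allowed to create an Ingress can then place arbitrary configuration into the shared controller process, which holds every ingress TLS secret. The only consumer visible in this patch is the `server-snippet` in nextcloud-chart.yml, so please make the dependency explicit, e.g. `# snippets enabled only for the nextcloud server-snippet (well-known/dav rewrites)`, and pair it with RBAC that restricts Ingress create/update to the namespaces that need it. The Apache-based Nextcloud image may already serve the `.well-known` redirects itself; if so these two lines can be dropped and the risk level left at the chart default. The enclosing `controller` mapping continues outside the hunk.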
diff --git a/namespaces/jellyfin/ingress.yml b/namespaces/jellyfin/ingress.yml deleted file mode 100644 index c0e3d68..0000000 --- a/namespaces/jellyfin/ingress.yml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: jellyfin-ingress - namespace: jellyfin - -spec: - entryPoints: - - jellyfin - routes: - - services: - - name: jellyfin - port: 8096 diff --git a/namespaces/jellyfin/jellyfin-deployment.yml b/namespaces/jellyfin/jellyfin-deployment.yml deleted file mode 100644 index c72e887..0000000 --- a/namespaces/jellyfin/jellyfin-deployment.yml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jellyfin-deployment - labels: - app: jellyfin -spec: - replicas: 1 - selector: - matchLabels: - app: jellyfin - template: - metadata: - labels: - app: jellyfin - spec: - containers: - - name: jellyfin - image: jellyfin/jellyfin - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - ports: - - containerPort: 8096 - protocol: TCP diff --git a/namespaces/jellyfin/jellyfin-service.yml b/namespaces/jellyfin/jellyfin-service.yml deleted file mode 100644 index 452fbaa..0000000 --- a/namespaces/jellyfin/jellyfin-service.yml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: jellyfin -spec: - selector: - app: jellyfin - ports: - - protocol: TCP - port: 8096 - targetPort: 8096 - type: LoadBalancer - \ No newline at end of file diff --git a/namespaces/longhorn-system/longhorn-basic-auth-secret.yml b/namespaces/longhorn-system/longhorn-basic-auth-secret.yml index d534833..1c371f1 100644 --- a/namespaces/longhorn-system/longhorn-basic-auth-secret.yml +++ b/namespaces/longhorn-system/longhorn-basic-auth-secret.yml 
@@ -1,8 +1,8 @@ apiVersion: v1 kind: Secret metadata: - name: longhorn-basic-auth-secret + name: basic-auth namespace: longhorn-system type: Opaque -stringData: - auth: PNHrc9lt60CW \ No newline at end of file +data: + auth: a2VsaWdydWJiOiRhcHIxJGpUTHdHQkFQJEhOUndKZjFxUmRVUzk5UFZpZlRaNi8K diff --git a/namespaces/longhorn-system/longhorn-chart.yml b/namespaces/longhorn-system/longhorn-chart.yml index 444ab48..e0a6121 100644 --- a/namespaces/longhorn-system/longhorn-chart.yml +++ b/namespaces/longhorn-system/longhorn-chart.yml @@ -8,7 +8,7 @@ spec: targetNamespace: longhorn-system repo: https://charts.longhorn.io # https://artifacthub.io/packages/helm/longhorn/longhorn - version: 1.8.0 + version: 1.8.1 valuesContent: |- ingress: enabled: true @@ -19,8 +19,8 @@ spec: nginx.ingress.kubernetes.io/auth-type: basic # prevent the controller from redirecting (308) to HTTPS nginx.ingress.kubernetes.io/ssl-redirect: 'false' - nginx.ingress.kubernetes.io/auth-secret: longhorn-basic-auth-secret - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required ' + nginx.ingress.kubernetes.io/auth-secret: basic-auth + nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' nginx.ingress.kubernetes.io/proxy-body-size: 10000m tls: - secretName: longhorn-tls diff --git a/namespaces/mineclonia/mineclonia-deployment.yml b/namespaces/mineclonia/mineclonia-deployment.yml index 6cf2764..ccac635 100644 --- a/namespaces/mineclonia/mineclonia-deployment.yml +++ b/namespaces/mineclonia/mineclonia-deployment.yml @@ -40,7 +40,7 @@ spec: mountPath: /var/lib/minetest containers: - name: mineclonia - image: ghcr.io/minetest/minetest + image: ghcr.io/luanti-org/luanti ports: - containerPort: 30000 protocol: UDP diff --git a/namespaces/monitoring/grafana-config.yml b/namespaces/monitoring/grafana-config.yml new file mode 100644 index 0000000..edb7687 --- /dev/null +++ b/namespaces/monitoring/grafana-config.yml 
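Review bot: The new `data.auth` value is only base64 — it decodes to a `user:$apr1$…` htpasswd entry, i.e. an MD5-based password hash now committed to the repo, and the previous plaintext `stringData.auth` value remains in Git history, so the password should be considered exposed and rotated. Prefer generating this Secret out of band (sealed-secrets, SOPS or external-secrets) and, when regenerating, a stronger scheme such as `htpasswd -nB` (bcrypt) or the `$5$`/`$6$` crypt variants, after checking that the ingress-nginx image's libc accepts it. `type: Opaque` with a single `auth` key matches what the controller's default `auth-secret-type: auth-file` expects, so the rename is consistent with the longhorn-chart side.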
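Review bot: The renamed `auth-secret: basic-auth` still guards an endpoint that the context line `ssl-redirect: 'false'` leaves reachable over plain HTTP, so the basic-auth credentials travel base64-encoded in the clear whenever a client uses `http://`; since `longhorn-tls` is configured a few lines further down, the redirect exception is worth re-checking, or a comment explaining why it must stay. `auth-secret` is resolved in the Ingress's own namespace unless written as `namespace/name`, which works here only because the Secret is also in `longhorn-system` — a comment `# must live in longhorn-system next to this Ingress` would make that coupling visible. The surrounding `ingress.annotations` mapping continues outside the hunk.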
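Review bot: The new image reference `ghcr.io/luanti-org/luanti` carries no tag or digest, so every pod restart pulls whatever the registry currently labels `latest` — an unreviewed upgrade path for a service exposed on UDP 30000. Pin it, e.g. `image: ghcr.io/luanti-org/luanti:<VERSION>` or better `image: ghcr.io/luanti-org/luanti@sha256:<DIGEST>` (placeholders — take the values from the registry), and bump deliberately. The container spec continues outside the hunk.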
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-config + namespace: monitoring # Change if using a different namespace +data: + grafana.ini: | + [auth] + signout_redirect_url = https://authentik.company/application/o//end-session/ + oauth_auto_login = true + + [auth.generic_oauth] + name = authentik + enabled = true + client_id = "" + client_secret = "" + scopes = openid profile email + auth_url = https://authentik.company/application/o/authorize/ + token_url = https://authentik.company/application/o/token/ + api_url = https://authentik.company/application/o/userinfo/ + role_attribute_path = contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' diff --git a/namespaces/monitoring/kube-prometheus-stack-chart.yml b/namespaces/monitoring/kube-prometheus-stack-chart.yml index 4bc8144..318e8ee 100644 --- a/namespaces/monitoring/kube-prometheus-stack-chart.yml +++ b/namespaces/monitoring/kube-prometheus-stack-chart.yml @@ -8,8 +8,26 @@ spec: targetNamespace: monitoring repo: https://prometheus-community.github.io/helm-charts # https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack - version: 69.4.1 + version: 70.0.2 valuesContent: |- + + grafana.ini: + auth: + signout_redirect_url: "https://login.keligrubb.com/application/o//end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + client_id: "" + client_secret: "" + scopes: "openid profile email" + auth_url: "https://login.keligrubb.com/application/o/authorize/" + token_url: "https://login.keligrubb.com/application/o/ti needoken/" + api_url: "https://login.keligrubb.com/application/o/userinfo/" + # Optionally map user groups to Grafana roles + role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' + + grafana: defaultDashboardsTimezone: "US/Eastern" ingress: 
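Review bot: This ConfigMap is not usable as written: every URL points at the documentation placeholder host `authentik.company`, `client_id`/`client_secret` are empty, and `signout_redirect_url` has an empty application slug (`/o//end-session/`). Nothing visible in this patch mounts it into the Grafana pod, and kube-prometheus-stack-chart.yml adds two further copies of the same `[auth.generic_oauth]` block with different hostnames and slugs, so there are now three divergent sources of truth — keep one and delete the rest. When the real secret is filled in it must not land in a ConfigMap in Git; Grafana resolves `$__env{VAR}` and `$__file{path}` inside grafana.ini, so `client_secret = $__env{OAUTH_CLIENT_SECRET}` (constructed example) with the variable fed from a Kubernetes Secret kept out of the repo keeps the value out of version control.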
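Review bot: `token_url: "https://login.keligrubb.com/application/o/ti needoken/"` is garbled (a stray `i need` pasted inside `token`) and would break every authorization-code exchange; it should read `token_url: "https://login.keligrubb.com/application/o/token/"`. Separately, this `grafana.ini:` mapping sits at the top of `valuesContent`, outside the `grafana:` section that follows it, and as far as I know kube-prometheus-stack only forwards Grafana settings nested under `grafana:` (i.e. `grafana.grafana.ini`), so this block — and the `config:` block added in the next hunk, which I also do not recognise as a grafana-chart key — is most likely ignored by Helm. The two copies also disagree on `signout_redirect_url` (`/o//end-session/` here vs `/o/grafana/end-session/` below); consolidate into one block under `grafana:` and, because `oauth_auto_login: true` sends every visitor straight to the provider, keep `enabled: false` until `client_id`/`client_secret` are actually populated from a Secret so the login page is not redirected into a broken flow.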
@@ -32,6 +50,21 @@ spec: access: proxy basicAuth: false url: http://loki-gateway.monitoring.svc.cluster.local + config: + auth: + signout_redirect_url: "https://login.keligrubb.com/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + client_id: "" + client_secret: "" + scopes: "openid profile email" + auth_url: "https://login.keligrubb.com/application/o/authorize/" + token_url: "https://login.keligrubb.com/application/o/token/" + api_url: "https://login.keligrubb.com/application/o/userinfo/" + role_attribute_path: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'" + kubelet: serviceMonitor: metricRelabelings: diff --git a/namespaces/monitoring/loki-chart.yml b/namespaces/monitoring/loki-chart.yml index bf4fd71..eb71c2b 100644 --- a/namespaces/monitoring/loki-chart.yml +++ b/namespaces/monitoring/loki-chart.yml @@ -8,7 +8,7 @@ spec: targetNamespace: monitoring repo: https://grafana.github.io/helm-charts # https://artifacthub.io/packages/helm/grafana/loki - version: 6.27.0 + version: 6.28.0 valuesContent: |- loki: commonConfig: diff --git a/namespaces/pihole/namespace.yml b/namespaces/nextcloud/namespace.yml similarity index 69% rename from namespaces/pihole/namespace.yml rename to namespaces/nextcloud/namespace.yml index b1f2782..df5f9be 100644 --- a/namespaces/pihole/namespace.yml +++ b/namespaces/nextcloud/namespace.yml @@ -1,4 +1,4 @@ kind: Namespace apiVersion: v1 metadata: - name: git \ No newline at end of file + name: authentik diff --git a/namespaces/nextcloud/nextcloud-chart.yml b/namespaces/nextcloud/nextcloud-chart.yml new file mode 100644 index 0000000..a3278e3 --- /dev/null +++ b/namespaces/nextcloud/nextcloud-chart.yml 
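Review bot: The renamed `namespaces/nextcloud/namespace.yml` declares `name: authentik`, not `name: nextcloud`, so applying it only duplicates the Namespace already defined in `namespaces/authentik/namespace.yml` and never creates `nextcloud` — the HelmChart in nextcloud-chart.yml targets `namespace: nextcloud` and will have nowhere to install unless that namespace is created elsewhere. The line should be `  name: nextcloud`. The pre-rename file was equally mismatched (`name: git` under pihole/), so a quick check that each `namespaces/<dir>/namespace.yml` names its own directory is worthwhile.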
@@ -0,0 +1,107 @@ +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: nextcloud + namespace: nextcloud +spec: + chart: nextcloud + targetNamespace: nextcloud + repo: https://nextcloud.github.io/helm/ + # https://artifacthub.io/packages/helm/nextcloud/nextcloud + version: 6.6.9 + valuesContent: |- + # resources: + # requests: + # cpu: 200m + # memory: 200Mi + # limits: + # cpu: 200m + # memory: 200Mi + lifecycle: + postStartCommand: ["/bin/bash", "-c", "apt update -y && apt install ffmpeg -y"] + metrics: + enabled: true + serviceMonitor: + enabled: true + labels: + release: prometheus + ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-methods: "GET HEAD POST OPTIONS PUT PATCH DELETE PROPFIND MKCOL REPORT" + nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/server-snippet: |- + server_tokens off; + proxy_hide_header X-Powered-By; + rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last; + rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last; + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:autotest|occ|issue|indie|db_|console) { + deny all; + } + tls: + - secretName: 
nextcloud-tls + hosts: + - cloud.keligrubb.com + nextcloud: + host: cloud.keligrubb.com + password: "east_task_law_fastened" + configs: + proxy.config.php: |- + array( + 0 => '127.0.0.1', + 1 => '10.0.0.0/8', + ), + 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), + 'allow_local_remote_servers' => true, + ); + internalDatabase: + enabled: false + postgresql: + enabled: true + global: + postgresql: + auth: + password: "east_task_law_fastened" + primary: + persistence: + enabled: true + resources: + requests: + memory: 256Mi + cpu: 200m + limits: + memory: 384Mi + cpu: 300m + externalDatabase: + enabled: true + host: nextcloud-postgresql.nextcloud.svc.cluster.local + persistence: + enabled: true + storageClass: longhorn + size: 512Gi + nextcloudData.size: 512Gi + cronjob: + enabled: true diff --git a/namespaces/pihole/ingress.yml b/namespaces/pihole/ingress.yml deleted file mode 100644 index 327bfe8..0000000 --- a/namespaces/pihole/ingress.yml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: gitea-ingress - namespace: git - -spec: - entryPoints: - - web - routes: - - match: Path(`/`) - kind: Rule - services: - - name: gitea-http - port: 3000 diff --git a/namespaces/pihole/pihole-chart.yml b/namespaces/pihole/pihole-chart.yml deleted file mode 100644 index 0de2148..0000000 --- a/namespaces/pihole/pihole-chart.yml +++ /dev/null 
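Review bot: The Nextcloud admin password and the PostgreSQL password are the same plaintext string committed in `nextcloud.password` and `global.postgresql.auth.password`, so both are now in Git history and should be rotated; the chart supports `nextcloud.existingSecret` and `externalDatabase.existingSecret`, so both values can come from a Secret kept outside the repo. `nextcloudData.size: 512Gi` is a single flat key containing a dot — Helm does not expand dots in values files (only in `--set`) — so the chart's `persistence.nextcloudData.size` is never set; nest it as `nextcloudData:` with `size: 512Gi` beneath it. In `proxy.config.php`, trusting all of `10.0.0.0/8` lets any pod or node in that range spoof `X-Forwarded-For`, which Nextcloud uses for logging and brute-force throttling, so narrow it to the ingress-controller's address range, and `'allow_local_remote_servers' => true` permits URL-fetching features to reach cluster-internal addresses and deserves a comment justifying it. `postStartCommand` runs `apt update && apt install ffmpeg` unpinned and network-dependent on every container start; a derived image with ffmpeg baked in is more reproducible. The PHP block appears truncated in this rendering ahead of `array(`, so I could not check how `$CONFIG` is opened.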
@@ -1,38 +0,0 @@ -# helm repo add mojo2600 https://mojo2600.github.io/pihole-kubernetes/ -# helm install pihole mojo2600/pihole -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: pihole - namespace: pihole -spec: - chart: pihole - targetNamespace: pihole - repo: https://mojo2600.github.io/pihole-kubernetes/ - valuesContent: |- - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 1 - memory: 512Mi - persistentVolumeClaim: - enabled: true - podDnsConfig: - enabled: true - policy: "None" - nameservers: - - 68.94.156.11 - - 68.94.157.11 - service: - web: - type: LoadBalancer - loadBalancerIP: 192.168.178.252 - annotations: - metallb.universe.tf/allow-shared-ip: pihole-svc - dns: - type: LoadBalancer - loadBalancerIP: 192.168.178.252 - annotations: - metallb.universe.tf/allow-shared-ip: pihole-svc