
No commits in common. "main" and "feat/tailscale" have entirely different histories.

78 changed files with 980 additions and 1383 deletions


@ -7,11 +7,11 @@ jobs:
pre-commit:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: https://code.forgejo.org/actions/checkout@v5
- uses: https://code.forgejo.org/actions/setup-python@v6
with:
python-version: '3.10'
- uses: opentofu/setup-opentofu@v2
- uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.7.0
- uses: pre-commit/action@v3.0.1
@ -19,7 +19,7 @@ jobs:
k8s:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: https://code.forgejo.org/actions/checkout@v5
- name: Set up Kubeconform
uses: bmuschko/setup-kubeconform@v1
@ -30,7 +30,7 @@ jobs:
tflint:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: https://code.forgejo.org/actions/checkout@v5
- uses: terraform-linters/setup-tflint@v6
name: Setup TFLint
with:


@ -10,8 +10,8 @@ jobs:
authentik:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: opentofu/setup-opentofu@v2
- uses: https://code.forgejo.org/actions/checkout@v5
- uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.8.1
- name: Deploy
@ -40,8 +40,8 @@ jobs:
adguard:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: opentofu/setup-opentofu@v2
- uses: https://code.forgejo.org/actions/checkout@v5
- uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.7.0
- name: Deploy


@ -1,7 +1,7 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
@ -15,18 +15,18 @@ repos:
- id: trailing-whitespace
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.105.0
rev: v1.92.1
hooks:
- id: terraform_fmt
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.38.0
rev: v1.35.1
hooks:
- id: yamllint
args: [--format, parsable, --strict]
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.11.0.1
rev: v0.10.0.1
hooks:
- id: shellcheck
files: \.sh


@ -0,0 +1,41 @@
---
x-runner-common: &runner-common
image: code.forgejo.org/forgejo/runner:11.3.1
links:
- docker-in-docker
depends_on:
docker-in-docker:
condition: service_started
user: 1001:1001
restart: unless-stopped
command: '/bin/sh -c "sleep 5; forgejo-runner daemon"'
environment:
DOCKER_HOST: tcp://docker-in-docker:2375
networks:
forgejo:
external: false
services:
docker-in-docker:
image: docker:dind
container_name: 'docker_dind'
privileged: true
command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']
restart: 'unless-stopped'
runner:
<<: *runner-common
container_name: 'runner'
volumes:
- ${FORGEJO_RUNNER_DATA:-/mnt/nas1/shared/forgejo-runner/data}:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
runner-2:
<<: *runner-common
container_name: 'runner2'
volumes:
- ${FORGEJO_RUNNER_DATA:-/mnt/nas1/shared/forgejo-runner/data2}:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
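Review bot: The `docker-in-docker` service is `privileged: true` and starts dockerd with `-H tcp://0.0.0.0:2375 --tls=false`, so anything that can reach that port on the compose network, most likely including the job containers the runners start, gets unauthenticated control of a privileged daemon. No port is published, which limits reach to that network, but I would still turn TLS on as sketched below; the image generates certificates when `DOCKER_TLS_CERTDIR` is set, and the client key must be readable by uid 1001. Separately, `docker:dind` carries no version tag while the runner image is pinned to `11.3.1`. Both runners also read the same `FORGEJO_RUNNER_DATA` variable, so setting it points both at one `/data` directory.

```yaml
x-runner-common: &runner-common
  # … unchanged: image, links, depends_on, user, restart, command …
  environment:
    DOCKER_HOST: tcp://docker-in-docker:2376
    DOCKER_TLS_VERIFY: '1'
    DOCKER_CERT_PATH: /certs/client
services:
  docker-in-docker:
    # … unchanged: image, container_name, privileged, restart …
    # no `command` override, so the image entrypoint serves TLS on 2376
    environment:
      DOCKER_TLS_CERTDIR: /certs
    volumes:
      - dind-certs-client:/certs/client  # volume name is a constructed example
  # … runner and runner-2 additionally mount dind-certs-client:/certs/client:ro …
volumes:
  dind-certs-client: {}
```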


@ -2,7 +2,7 @@
services:
ganymede:
container_name: ganymede
image: ghcr.io/zibbp/ganymede:4.16.0
image: ghcr.io/zibbp/ganymede:4.11.3
restart: unless-stopped
environment:
DEBUG: ${GANYMEDE_DEBUG:-false}


@ -0,0 +1,61 @@
FROM nextcloud:32.0.3-apache
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
ffmpeg \
ghostscript \
libmagickcore-7.q16-10-extra \
procps \
smbclient \
supervisor \
libreoffice \
; \
rm -rf /var/lib/apt/lists/*
RUN set -ex; \
\
savedAptMark="$(apt-mark showmanual)"; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
libbz2-dev \
#libc-client-dev \
libkrb5-dev \
libsmbclient-dev \
; \
\
#docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
docker-php-ext-install \
bz2 \
# imap \
; \
pecl install smbclient; \
docker-php-ext-enable smbclient; \
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
apt-mark auto '.*' > /dev/null; \
apt-mark manual $savedAptMark; \
ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
| sort -u \
| xargs -r dpkg-query --search \
| cut -d: -f1 \
| sort -u \
| xargs -rt apt-mark manual; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*
RUN mkdir -p \
/var/log/supervisord \
/var/run/supervisord \
;
COPY supervisord.conf /
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
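Review bot: `pecl install smbclient` in the second RUN takes whatever release PECL serves at build time, while the base image is pinned to `nextcloud:32.0.3-apache`, so two builds of the same tag can ship different extension code. Pin it to the release you have tested, e.g. `pecl install smbclient-<VERSION>;`, and consider pinning the base image by digest as well. A one-line comment above `ENV NEXTCLOUD_UPDATE=1` saying why it is set would help, since the reason is not visible in this file.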


@ -0,0 +1,40 @@
---
services:
imaginary:
image: nextcloud/aio-imaginary:latest
cap_add:
- SYS_NICE
volumes:
- type: tmpfs
target: /tmp:exec
environment:
- TZ=Europe/Madrid
restart: unless-stopped
networks:
- nextcloud
nextcloud:
image: git.roboces.dev/catalin/fukuops:nextcloud-32.0.3
volumes:
- /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data
- /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
- /mnt/nas1/legacy-storage/cloud/cloud/custom_apps:/var/www/html/custom_apps
- /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps
- type: tmpfs
target: /tmp:exec
- supervisorlog:/var/log/supervisor:z
- supervisorpid:/var/run/supervisord/:z
environment:
PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M}
NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
restart: unless-stopped
ports:
- '8080:80'
networks:
- nextcloud
networks:
nextcloud: {}
volumes:
supervisorlog: {}
supervisorpid: {}
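Review bot: `target: /tmp:exec` under `type: tmpfs` (in both services) mixes a short-syntax mount option into the long form, where `target` is a plain container path, so this will probably either be rejected or mount at a path literally named `/tmp:exec`. If an executable tmpfs is needed, the service-level key accepts the option: `tmpfs: ['/tmp:exec']`. `nextcloud/aio-imaginary:latest` is also the only unpinned image in this file and it is the image-processing helper, so I would pin it to a tag or digest like the `nextcloud-32.0.3` image next to it.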


@ -0,0 +1,22 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:apache2]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apache2-foreground
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh
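Review bot: The log and pid paths here use `/var/log/supervisord` and `/var/run/supervisord`, but the compose file in this change mounts the `supervisorlog` volume at `/var/log/supervisor`, so supervisord's own log lands in the container layer rather than in the volume; one of the two paths should be changed to match. Neither `[program:...]` block sets `user=`, so whether `apache2-foreground` and `/cron.sh` drop privileges depends on those commands themselves, which deserves a short comment in this file.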


@ -14,7 +14,7 @@ services:
webserver:
image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
image: ghcr.io/paperless-ngx/paperless-ngx:2.20.5
restart: unless-stopped
ports:
- 8002:8000


@ -1,8 +1,7 @@
---
services:
rustical:
image: ghcr.io/lennart-k/rustical:0.12.12
restart: unless-stopped
image: ghcr.io/lennart-k/rustical:0.12.3
ports:
- '4000:4000'
volumes:


@ -1,7 +1,7 @@
---
services:
tailscale:
image: tailscale/tailscale:v1.96.5
image: tailscale/tailscale:v1.92.4
hostname: tailscale
environment:
TS_AUTHKEY: ${TS_AUTHKEY}


@ -0,0 +1,21 @@
---
services:
web_recipes:
restart: always
image: vabene1111/recipes:2.3.6
volumes:
- ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
- ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
environment:
SECRET_KEY: ${TANDOOR_SECRET_KEY}
TZ: ${TANDOOR_TZ:-Europe/Madrid}
ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
ports:
- "8081:80"
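Review bot: `SECRET_KEY: ${TANDOOR_SECRET_KEY}` and `POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}` have neither a default nor a required-check, so a missing `.env` entry starts the container with an empty value and only a compose warning. Use the error form so `docker compose up` fails instead, e.g. `SECRET_KEY: ${TANDOOR_SECRET_KEY:?set TANDOOR_SECRET_KEY}`, and do the same for the password and `POSTGRES_USER`. Port `8081:80` is published on all host interfaces; if only a reverse proxy needs it, bind it to that address.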

11
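--- /dev/null
+++ b/docker/tandoor/sample.env
@@ -0,0 +1,11 @@
+TANDOOR_STATICFILES=
+TANDOOR_MEDIAFILES=
+TANDOOR_SECRET_KEY=
+TANDOOR_TZ=Europe/Madrid
+TANDOOR_ALLOWED_HOSTS=
+TANDOOR_SOCIALACCOUNT_PROVIDERS=
+TANDOOR_POSTGRES_HOST=
+TANDOOR_POSTGRES_DB=
+TANDOOR_POSTGRES_PORT=
+TANDOOR_POSTGRES_USER=
+TANDOOR_POSTGRES_PASSWORD=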


@ -1,7 +1,7 @@
---
services:
vaultwarden:
image: vaultwarden/server:1.36.0-alpine
image: vaultwarden/server:1.35.2-alpine
restart: unless-stopped
environment:
DATABASE_URL: ${DATABASE_URL}


@ -12,7 +12,7 @@ spec:
sources:
- chart: authentik
repoURL: https://charts.goauthentik.io/
targetRevision: 2026.2.*
targetRevision: 2025.12.*
helm:
valuesObject:
authentik:
@ -26,7 +26,7 @@ spec:
timeout: 30
from: auth@fukurokuju.dev
postgresql:
host: 192.168.1.3
host: psql15-postgres.apps-fuku.svc.cluster.local
port: 5432
name: auth
user: file:///authentik-creds/pg_username


@ -0,0 +1,46 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: elastic
namespace: argocd
spec:
destination:
name: ''
namespace: apps-fuku
server: https://kubernetes.default.svc
sources:
- chart: elasticsearch
repoURL: registry-1.docker.io/bitnamicharts
targetRevision: 22.1.6
helm:
valuesObject:
service:
type: LoadBalancer
master:
persistence:
enabled: true
storageClass: truenas-nfs-csi
accessModes:
- ReadWriteMany
size: 50Gi
ingress:
enabled: true
hostname: elastic.fuku
tls: true
selfSigned: true
ingressClassName: traefik
data:
persistence:
enabled: true
storageClass: truenas-nfs-csi
accessModes:
- ReadWriteMany
size: 50Gi
autoscaling:
enabled: true
maxReplicas: 3
minReplicas: 1
project: fuku
syncPolicy:
automated: {}
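Review bot: `service.type: LoadBalancer` plus an enabled ingress expose Elasticsearch outside the cluster, and nothing in these values turns on authentication, so unless the chart defaults do, the index is readable and writable by anyone who can reach the address. The only consumer visible in this change is Forgejo, which connects over the in-cluster name `elastic-elasticsearch.apps-fuku.svc.cluster.local:9200`, so `type: ClusterIP` with the ingress disabled would cover it; otherwise enable the chart's security settings and give Forgejo credentials. The same LoadBalancer exposure is in the new psql15, redis and pulse Applications (k8s/argo-apps/psql.yaml, redis.yaml, pulse.yaml), and psql15 sets no credential source in its visible values.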


@ -14,10 +14,10 @@ spec:
sources:
- chart: forgejo
repoURL: code.forgejo.org/forgejo-helm
targetRevision: 17.0.1
targetRevision: 16.0.1
helm:
valuesObject:
replicaCount: 1
replicaCount: 2
service:
http:
type: LoadBalancer
@ -49,8 +49,15 @@ spec:
serviceMonitor:
enabled: true
config:
indexer:
ISSUE_INDEXER_CONN_STR: http://elastic-elasticsearch.apps-fuku.svc.cluster.local:9200
ISSUE_INDEXER_ENABLED: true
ISSUE_INDEXER_TYPE: elasticsearch
REPO_INDEXER_ENABLED: false
REPO_INDEXER_TYPE: elasticsearch
actions:
ENABLED: false
ENABLED: true
DEFAULT_ACTIONS_URL: https://github.com
picture:
DISABLE_GRAVATAR: false
ENABLE_FEDERATED_AVATAR: true
@ -99,6 +106,9 @@ spec:
enabled: false
redis-cluster:
enabled: false
- path: k8s/services/forgejo
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
project: roboces
syncPolicy:
automated: {}
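Review bot: In the `config` hunk, `actions.ENABLED: true` together with `DEFAULT_ACTIONS_URL: https://github.com` means a workflow step written as `uses: owner/repo@tag` is fetched from GitHub at a mutable tag and executed by the runners; the workflows in this change do that for `opentofu/setup-opentofu@v1` and `pre-commit/action@v3.0.1`. Pinning those `uses:` references to full commit SHAs keeps a retagged action from changing what the deploy jobs run. `ISSUE_INDEXER_CONN_STR` also reaches Elasticsearch over plain `http://` with no credentials, which only holds up if that service stays cluster-internal.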


@ -0,0 +1,38 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubetail
namespace: argocd
spec:
destination:
name: ''
namespace: apps-fuku
server: https://kubernetes.default.svc
sources:
- chart: kubetail
repoURL: https://kubetail-org.github.io/helm-charts/
targetRevision: 0.17.0
helm:
valuesObject:
kubetail:
dashboard:
ingress:
enabled: true
className: traefik
tls: []
rules:
- host: logs.fuku
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubetail-dashboard
port:
number: 8080
project: fuku
syncPolicy:
automated: {}
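Review bot: The dashboard ingress for `logs.fuku` has `tls: []` and no authentication is configured in these values, so unless Traefik enforces TLS and auth elsewhere, cluster logs, which often carry tokens and request data, are served over plain HTTP to anyone who can reach the ingress. Add a TLS entry and put the route behind an authenticating middleware (the Authentik instance deployed from this repository is one option), or leave the ingress disabled and use a port-forward. The pulse Application (k8s/argo-apps/pulse.yaml) has the same `tls: []` on `pulse.fukurokuju.dev`.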


@ -13,7 +13,7 @@ spec:
source:
chart: kured
repoURL: https://kubereboot.github.io/charts
targetRevision: 5.11.*
targetRevision: 5.10.*
helm:
valuesObject:
configuration.rebootDays:


@ -18,13 +18,13 @@ spec:
targetRevision: main
- chart: meilisearch
repoURL: https://meilisearch.github.io/meilisearch-kubernetes
targetRevision: 0.32.*
targetRevision: 0.17.*
helm:
valuesObject:
environment:
MEILI_ENV: production
auth:
existingMasterKeySecret: meili
existingMasterKeySecret: meilisearch-master-key
service:
type: NodePort
port: 7700


@ -2,84 +2,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: miniflux
namespace: argocd
name: miniflux
namespace: argocd
spec:
destination:
name: ''
namespace: apps-roboces
server: https://kubernetes.default.svc
sources:
- path: k8s/charts/miniflux
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
helm:
valuesObject:
replicaCount: 3
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 10000
runAsGroup: 10000
capabilities:
drop:
- all
service:
type: LoadBalancer
ingress:
enabled: true
className: "traefik"
hosts:
- host: feeds.roboces.dev
paths:
- path: /
pathType: Prefix
resources:
requests:
cpu: 300m
memory: 300Mi
ephemeral-storage: 2Gi
limits:
cpu: 400m
memory: 500Mi
ephemeral-storage: 4Gi
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
podDisruptionBudget:
enabled: true
maxUnavailable: 1
env:
RUN_MIGRATIONS: "1"
CREATE_ADMIN: "1"
OAUTH2_PROVIDER: oidc
OAUTH2_REDIRECT_URL: https://feeds.roboces.dev/oauth2/oidc/callback
OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://auth.fukurokuju.dev/application/o/miniflux/
OAUTH2_USER_CREATION: "1"
FETCH_YOUTUBE_WATCH_TIME: "1"
WORKER_POOL_SIZE: "1"
POLLING_FREQUENCY: "120"
BATCH_SIZE: "25"
METRICS_COLLECTOR: "1"
METRICS_ALLOWED_NETWORKS: 10.42.1.0/16
secret:
existingSecretName: miniflux
project: roboces
syncPolicy:
automated:
prune: true
selfHeal: true
destination:
name: ''
namespace: apps-roboces
server: https://kubernetes.default.svc
source:
path: k8s/services/miniflux
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
sources: []
project: roboces
syncPolicy:
automated: {}
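Review bot: The new spec sets `source:` and also `sources: []`; the empty list adds nothing and reads as if multi-source were intended, so I would drop the `sources: []` line. The inline values this replaces carried the container `securityContext` (no privilege escalation, read-only root filesystem, dropped capabilities) and `METRICS_ALLOWED_NETWORKS`; k8s/services/miniflux is not shown here, so confirm those settings exist in the manifests the Application now points at. `automated: {}` also no longer sets `prune` or `selfHeal`, which is worth a comment if intentional.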


@ -1,54 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: oxicloud
namespace: argocd
spec:
destination:
name: ''
namespace: apps-roboces
server: https://kubernetes.default.svc
sources:
- path: k8s/charts/oxicloud
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
helm:
valuesObject:
image:
repository: diocrafts/oxicloud
pullPolicy: Always
tag: "0.5.6"
persistence:
enabled: true
storageClass: "truenas-nfs-csi"
accessMode: ReadWriteMany
size: 50Gi
service:
type: LoadBalancer
config:
server:
port: 8086
host: "0.0.0.0"
baseUrl: "https://cloud.roboces.dev"
features:
enableAuth: "true"
enableSharing: "true"
mimalloc:
purgeDelay: "0"
allowLargeOsPages: "0"
secrets:
existingSecret: oxicloud
wopi:
enabled: false
ingress:
className: "traefik"
hosts:
- host: cloud.roboces.dev
paths:
- path: /
pathType: ImplementationSpecific
tls: []
project: roboces
syncPolicy:
automated: {}


@ -15,7 +15,7 @@ spec:
sources:
- repoURL: https://portainer.github.io/k8s/
chart: portainer
targetRevision: 239.1.*
targetRevision: 2.33.*
helm:
valuesObject:
service:

26
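--- /dev/null
+++ b/k8s/argo-apps/psql.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: psql15
+namespace: argocd
+spec:
+destination:
+namespace: apps-fuku
+server: 'https://kubernetes.default.svc'
+sources:
+- chart: postgres
+targetRevision: 1.3.6
+repoURL: https://groundhog2k.github.io/helm-charts/
+helm:
+valuesObject:
+service:
+type: LoadBalancer
+storage:
+accessModes:
+- ReadWriteMany
+className: truenas-nfs-csi
+requestedSize: 150Gi
+project: fuku
+syncPolicy:
+automated: {}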

43
k8s/argo-apps/pulse.yaml Normal file

@ -0,0 +1,43 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: pulse
namespace: argocd
spec:
destination:
name: ''
namespace: apps-fuku
server: https://kubernetes.default.svc
project: fuku
syncPolicy:
automated: {}
sources:
- repoURL: https://rcourtman.github.io/Pulse
chart: pulse
targetRevision: v5.0.*
helm:
valuesObject:
persistence:
enabled: true
size: 10Gi
storageClass: truenas-nfs-csi
accessModes:
- ReadWriteMany
service:
type: LoadBalancer
ingress:
enabled: true
hosts:
- host: pulse.fukurokuju.dev
paths:
- path: /
pathType: Prefix
tls: []
monitoring:
serviceMonitor:
enabled: true
- path: k8s/services/pulse
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main

32
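--- /dev/null
+++ b/k8s/argo-apps/redis.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: redis
+namespace: argocd
+spec:
+destination:
+name: ''
+namespace: apps-fuku
+server: https://kubernetes.default.svc
+sources:
+- chart: redis
+repoURL: registry-1.docker.io/cloudpirates
+targetRevision: "0.9.*"
+helm:
+valuesObject:
+auth:
+existingSecret: secrets-redis
+existingSecretPasswordKey: redis-password
+persistence:
+storageClass: truenas-nfs-csi
+size: 10Gi
+accessMode: ReadWriteMany
+service:
+type: LoadBalancer
+- repoURL: https://git.roboces.dev/catalin/fukuops.git
+path: k8s/services/redis
+targetRevision: main
+project: fuku
+syncPolicy:
+automated: {}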


@ -13,7 +13,7 @@ spec:
sources:
- chart: renovate
repoURL: https://docs.renovatebot.com/helm-charts
targetRevision: 46.142.*
targetRevision: 45.86.*
helm:
valuesObject:
renovate:


@ -1,64 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault-sm
namespace: argocd
spec:
destination:
name: ''
namespace: apps-fuku
server: https://kubernetes.default.svc
sources:
- chart: vaultwarden-kubernetes-secrets
repoURL: ghcr.io/antoniolago/charts
targetRevision: 1.4.01
helm:
valuesObject:
api:
enabled: true
service:
type: LoadBalancer
persistence:
storageClass: truenas-nfs-csi
dashboard:
enabled: true
service:
type: LoadBalancer
ingress:
enabled: true
className: traefik
hosts:
- host: vault-secrets.fuku
paths:
- path: /
pathType: Prefix
backend: dashboard
port: 80
- path: /api
pathType: Prefix
backend: api
port: 8080
env:
config:
VAULTWARDEN__SERVERURL: "https://vault.roboces.dev"
secrets:
BW_CLIENTID:
secretName: "vaultwarden-kubernetes-secrets"
secretKey: "BW_CLIENTID"
BW_CLIENTSECRET:
secretName: "vaultwarden-kubernetes-secrets"
secretKey: "BW_CLIENTSECRET"
VAULTWARDEN__MASTERPASSWORD:
secretName: "vaultwarden-kubernetes-secrets"
secretKey: "VAULTWARDEN__MASTERPASSWORD"
- path: k8s/services/vaultwarden-kubernetes-secrets
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
project: fuku
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true


@ -1,57 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: woodpecker
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: Force=true,Replace=true
spec:
destination:
name: ''
namespace: apps-roboces
server: https://kubernetes.default.svc
sources:
- chart: woodpecker
repoURL: ghcr.io/woodpecker-ci/helm
targetRevision: 3.5.1
helm:
valuesObject:
agent:
persistence:
storageClass: truenas-nfs-csi
accessModes:
- ReadWriteMany
server:
env:
WOODPECKER_ADMIN: 'woodpecker,admin,catalin'
WOODPECKER_HOST: 'https://ci.roboces.dev'
WOODPECKER_FORGEJO: "true"
WOODPECKER_FORGEJO_URL: "https://git.roboces.dev"
WOODPECKER_FORGEJO_CLIENT:
valueFrom:
secretKeyRef:
name: woodpecker
key: WOODPECKER_FORGEJO_CLIENT
WOODPECKER_FORGEJO_SECRET:
valueFrom:
secretKeyRef:
name: woodpecker
key: WOODPECKER_FORGEJO_SECRET
persistentVolume:
storageClass: truenas-nfs-csi
accessModes:
- ReadWriteMany
service:
type: LoadBalancer
ingress:
enabled: true
ingressClassName: traefik
hosts:
- host: ci.roboces.dev
paths:
- path: /
tls: []
project: roboces
syncPolicy:
automated: {}


@ -1,6 +0,0 @@
apiVersion: v2
name: miniflux
description: A Helm chart for Miniflux RSS reader
type: application
version: 0.1.0
appVersion: "2.2.18"


@ -1,62 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "miniflux.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "miniflux.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "miniflux.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "miniflux.labels" -}}
helm.sh/chart: {{ include "miniflux.chart" . }}
{{ include "miniflux.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "miniflux.selectorLabels" -}}
app.kubernetes.io/name: {{ include "miniflux.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "miniflux.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "miniflux.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -1,73 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
annotations:
kube-score/ignore: pod-networkpolicy,deployment-has-host-podantiaffinity
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "miniflux.selectorLabels" . | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: 50%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "miniflux.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ .Values.secret.existingSecretName | default (include "miniflux.fullname" .) }}
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Always
automountServiceAccountToken: false


@ -1,45 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "miniflux.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}


@ -1,18 +0,0 @@
{{- if .Values.podDisruptionBudget.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "miniflux.selectorLabels" . | nindent 6 }}
{{- end }}


@ -1,13 +0,0 @@
{{- if and .Values.secret.enabled (not .Values.secret.existingSecretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
type: Opaque
stringData:
{{- range $key, $value := .Values.secret.data }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}


@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort }}
protocol: TCP
name: http
selector:
{{- include "miniflux.selectorLabels" . | nindent 4 }}


@ -1,42 +0,0 @@
# Configuration is managed in k8s/argo-apps/miniflux.yaml
replicaCount: 1
image:
repository: miniflux/miniflux
pullPolicy: Always
tag: ""
imagePullSecrets: []
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
service:
type: ClusterIP
port: 8888
targetPort: 8080
ingress:
enabled: false
resources: {}
livenessProbe: {}
readinessProbe: {}
autoscaling:
enabled: false
nodeSelector: {}
tolerations: []
affinity: {}
podDisruptionBudget:
enabled: false
env: {}
secret:
enabled: false
existingSecretName: ""
data: {}


@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -1,8 +0,0 @@
---
apiVersion: v2
name: oxicloud
description: |
Ultra-fast, secure & lightweight self-hosted cloud storage — your files, photos, calendars & contacts, all in one place. Built in Rust.
type: application
version: 0.1.0
appVersion: "0.5.2"


@ -1,32 +0,0 @@
{{/* Expand the name of the chart. */}}
{{- define "oxicloud.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/* Create a default fully qualified app name. */}}
{{- define "oxicloud.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/* Common labels */}}
{{- define "oxicloud.labels" -}}
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{ include "oxicloud.selectorLabels" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/* Selector labels */}}
{{- define "oxicloud.selectorLabels" -}}
app.kubernetes.io/name: {{ include "oxicloud.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@ -1,22 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "oxicloud.fullname" . }}-config
data:
OXICLOUD_SERVER_PORT: {{ .Values.config.server.port | quote }}
OXICLOUD_SERVER_HOST: {{ .Values.config.server.host | quote }}
{{- if .Values.config.server.baseUrl }}
OXICLOUD_BASE_URL: {{ .Values.config.server.baseUrl | quote }}
{{- end }}
OXICLOUD_ENABLE_AUTH: {{ .Values.config.features.enableAuth | quote }}
OXICLOUD_ENABLE_FILE_SHARING: {{ .Values.config.features.enableSharing | quote }}
MIMALLOC_PURGE_DELAY: {{ .Values.config.mimalloc.purgeDelay | quote }}
MIMALLOC_ALLOW_LARGE_OS_PAGES: {{ .Values.config.mimalloc.allowLargeOsPages | quote }}
{{- if .Values.wopi.enabled }}
OXICLOUD_WOPI_ENABLED: "true"
OXICLOUD_WOPI_DISCOVERY_URL: "{{ .Values.config.server.baseUrl }}/hosting/discovery"
{{- else }}
OXICLOUD_WOPI_ENABLED: "false"
{{- end }}


@ -1,64 +0,0 @@
---
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "oxicloud.fullname" . }}
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ (index .Values.ingress.hosts 0).host | quote }}
http:
paths:
{{- if .Values.wopi.enabled }}
# Route Collabora traffic to the WOPI pod
- path: /browser
pathType: Prefix
backend:
service:
name: {{ include "oxicloud.fullname" $ }}-wopi
port:
number: {{ .Values.wopi.collabora.service.port }}
- path: /hosting
pathType: Prefix
backend:
service:
name: {{ include "oxicloud.fullname" $ }}-wopi
port:
number: {{ .Values.wopi.collabora.service.port }}
- path: /cool
pathType: Prefix
backend:
service:
name: {{ include "oxicloud.fullname" $ }}-wopi
port:
number: {{ .Values.wopi.collabora.service.port }}
{{- end }}
# Default Catch-All: Route everything else to OxiCloud
- path: /
pathType: Prefix
backend:
service:
name: {{ include "oxicloud.fullname" $ }}
port:
number: {{ $.Values.service.port }}
{{- end }}


@ -1,19 +0,0 @@
---
{{- if not .Values.secrets.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "oxicloud.fullname" . }}-secret
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.secrets.jwtSecret }}
OXICLOUD_JWT_SECRET: {{ .Values.secrets.jwtSecret | b64enc | quote }}
{{- end }}
DB_PASSWORD: {{ .Values.database.password | b64enc | quote }}
{{- if .Values.wopi.enabled }}
WOPI_ADMIN_USERNAME: {{ .Values.wopi.collabora.admin.username | b64enc | quote }}
WOPI_ADMIN_PASSWORD: {{ .Values.wopi.collabora.admin.password | b64enc | quote }}
{{- end }}
{{- end }}


@ -1,32 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "oxicloud.fullname" . }}
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "oxicloud.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "oxicloud.fullname" . }}-headless
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
spec:
clusterIP: None
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "oxicloud.selectorLabels" . | nindent 4 }}


@ -1,53 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "oxicloud.fullname" . }}
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
spec:
serviceName: {{ include "oxicloud.fullname" . }}-headless
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "oxicloud.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "oxicloud.selectorLabels" . | nindent 8 }}
spec:
containers:
- name: oxicloud
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 8086
protocol: TCP
envFrom:
- configMapRef:
name: {{ include "oxicloud.fullname" . }}-config
- secretRef:
name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
volumeMounts:
- name: storage-data
mountPath: /app/storage
{{- if not .Values.persistence.enabled }}
volumes:
- name: storage-data
emptyDir: {}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: storage-data
spec:
accessModes:
- {{ .Values.persistence.accessMode }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- end }}


@ -1,58 +0,0 @@
---
{{- if .Values.wopi.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "oxicloud.fullname" . }}-wopi
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
app.kubernetes.io/component: wopi
spec:
replicas: 1
selector:
matchLabels:
{{- include "oxicloud.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: wopi
template:
metadata:
labels:
{{- include "oxicloud.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: wopi
spec:
containers:
- name: collabora
image: "{{ .Values.wopi.collabora.image.repository }}:{{ .Values.wopi.collabora.image.tag }}"
imagePullPolicy: {{ .Values.wopi.collabora.image.pullPolicy }}
# Required for Collabora to build chroot jails
securityContext:
capabilities:
add:
- MKNOD
ports:
- name: wopi
containerPort: 9980
protocol: TCP
env:
- name: aliasgroup1
value: "http://{{ .Values.wopi.collabora.domain }}"
- name: server_name
value: {{ .Values.wopi.collabora.domain | quote }}
- name: extra_params
value: {{ .Values.wopi.collabora.extraParams | quote }}
- name: username
valueFrom:
secretKeyRef:
name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
key: WOPI_ADMIN_USERNAME
- name: password
valueFrom:
secretKeyRef:
name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
key: WOPI_ADMIN_PASSWORD
readinessProbe:
httpGet:
path: /hosting/discovery
port: wopi
initialDelaySeconds: 10
periodSeconds: 10
{{- end }}


@ -1,20 +0,0 @@
---
{{- if .Values.wopi.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "oxicloud.fullname" . }}-wopi
labels:
{{- include "oxicloud.labels" . | nindent 4 }}
app.kubernetes.io/component: wopi
spec:
type: ClusterIP
ports:
- port: {{ .Values.wopi.collabora.service.port }}
targetPort: wopi
protocol: TCP
name: wopi
selector:
{{- include "oxicloud.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: wopi
{{- end }}


@ -1,67 +0,0 @@
---
replicaCount: 1
image:
repository: oxicloud
pullPolicy: IfNotPresent
tag: "latest"
database:
host: "postgres.example.com"
port: 5432
username: "postgres"
password: "change_me_in_production"
name: "oxicloud"
config:
server:
port: 8086
host: "0.0.0.0"
baseUrl: "https://cloud.example.com"
features:
enableAuth: "true"
enableSharing: "true"
mimalloc:
purgeDelay: "0"
allowLargeOsPages: "0"
persistence:
enabled: true
storageClass: ""
accessMode: ReadWriteOnce
size: 50Gi
wopi:
enabled: true
collabora:
url: "cloud.example.com"
image:
repository: collabora/code
tag: latest
pullPolicy: IfNotPresent
service:
port: 9980
admin:
username: admin
password: "wopi_admin_password"
extraParams: "--o:ssl.enable=false --o:ssl.termination=false --o:net.frame_ancestors=http://* https://*"
secrets:
existingSecret: ""
jwtSecret: ""
oidcClientSecret: ""
service:
type: ClusterIP
port: 8086
ingress:
enabled: true
className: "traefik"
annotations: {}
hosts:
- host: cloud.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls: []


@ -3,7 +3,7 @@ image:
# -- Docker repository to use
repository: mbround18/valheim
# -- Docker tag to use - use "latest" for most current version
tag: "3.6"
tag: "3.4"
# -- Image pull policy
pullPolicy: Always


@ -25,6 +25,7 @@ spec:
- https://charts.crystalnet.org
- https://portainer.github.io/k8s/
- https://docs.renovatebot.com/helm-charts
- registry-1.docker.io/bitnamicharts
- https://meilisearch.github.io/meilisearch-kubernetes
- https://kubetail-org.github.io/helm-charts/
- https://groundhog2k.github.io/helm-charts/
@ -32,5 +33,3 @@ spec:
- https://vmware-tanzu.github.io/helm-charts/
- https://helm.runix.net
- https://rcourtman.github.io/Pulse
- ghcr.io/antoniolago/charts
- https://helm.elastic.co


@ -8,11 +8,8 @@ spec:
destinations:
- namespace: apps-roboces
server: https://kubernetes.default.svc
- namespace: woodpecker
server: https://kubernetes.default.svc
sourceRepos:
- https://git.roboces.dev/catalin/fukuops.git
- code.forgejo.org/forgejo-helm
- https://git.roboces.dev/catalin/huesoporro.git
- https://gitlab.com/api/v4/projects/64552889/packages/helm/release
- ghcr.io/woodpecker-ci/helm


@ -0,0 +1,18 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp:
name: secrets-factorio
namespace: apps-fuku
spec:
encryptedData:
game_password: AgCmUZilQTlqof5so2DyvjbCh3J8OAkz4lSQv++z+9XUz4/+KjwgEjP5SI9nf2WVfIHt7WiJN8oaPlYnm2XIdbBUrvKlTEuMAy2XeI8DE2+wKHXdbmLg7t3oZR/8kw3py9W3o4dlXp5XY2G4S3cG8TX0fkN58ni61mYv+zSvc6stcT/iveJqO5E+hXPcDSexzxQ/8DybS4D5g8W3N2OMhRoU0wwhYfXAuxN90BzFKgD6X/9Xy1c7pPQQkEidpA6l1uP5qIG/vChmIpqsOmQWbibGQn53el5ulPvaybx1wRu33eJJcSPRS+XthZv9dtwduFlboMT6QPWcVL5gSQ0ceCBidQIHGLRLxcHYPZz83miCeVYFY1xFegrwPBsXYEdfar5mufxgSQGtSHGzwEV0Ry+tcmjz9JqWpQBQVg10Bs0GYwvy/XGHi1BLCouAXXL//eVbGp1s9cl4uyN9Ymzt5zNrf/SvUweFsaCYrC6xVFA2CCsLbsyu/YbmKkO+cd1IwAle4luGmJHnZgrXKMwQFYoMTGsgEGYt87Itz7eOSmHEm/ZJwZ3oL6n0LGgHpJu1gb4Op0ZA9p44DKeg2fy5Go9rWeMOP0RIw8/SApE6QmT0Bw8QccddnTHhwuCLet2PoiUodKhFffTfGN6PGPeIcyQJpiEDxUI7nquWSNGTcMJDsR3LbzU6A8MpDQrrg5Az6YzyZOo7NLEMbitKLrqt9lfH5g7g # yamllint disable rule:line-length
password: AgCTY4hn/wTGipH9oX7SgS44PE6wEe34AB2Pz9IeB5KcISZVGgWAUMtcffexV31jcNwz5TrztNam22Ys7qYbsZZVNOWm27/KZP3U04Jrq1cIPhY+xE1xF3vMqCd54r+kaeMO4hlDhBlE7Hs6BHdURTpPz8ocqihT2bft+Q8p2Myf3vPHXcDwoUyQj/AFYJdJJhyVfD5NDdacFhOmPTB/tUE4AW1Rz9oND6sy0x7NaP44vswVbhREpMA9wkltJRugRKUwXdfC6kOrfKa1R88aNOwkqc22F1U1PhcqUSAMYQxOA+zz3xMjrP8o70V1/FBKxnTBYVIpdHuwl2RpvC/TewJYVEu1xzp3texfgkTn6XXMp9InxfA6y1wpSVpMPYK5zPRCnmuyPTdSd+DrD6C6y2rstrHvvHxnLPtqo5REVjkfTGkEilmQ1+SllPMPk/6hKivahdmORixoI2MtOz4k4d+7rdPrrsRscMHAheyJTNdKC3wGoKFqbm+0zFV3GFaxM65K0USlYhPwyKG3FlHGj0t8HmXOr+M2cQKd4vqIrq8betRp08YPGMOT0Ea1KIvoP3z4yiJg2Z64d8d0Brof/h4fFd4kKgfMYm/CvkNh5zjFzEYi+K/6G/G99RBxwl7kK3eMB6CiuOnLITCw/Ok/LiRcdnIcAe7yobHG6FWHas4KPL5t4dPTxo12catoWtuJG7L20AIl3171+gO3jS0e4zAvZ+7S # yamllint disable rule:line-length
token: AgByS4w6xSn0/FzWkgNazh7hyZjKTTmg9WtQ3oyKQUVF6FYg+qvPYYLuNu7rTwQOa4LGw3Cvf/yYT0+WU93BjfNCSVMfes1lE2dQzukK4+zEeDhZ4MSpBOBgYYwHJkrFyHpvVSAQkaPi40T0M8iJmFv+Oq1s8zRWmx84LMllaJuRGH/t9jMfmR3rF6JBcSmEmkmB7N8cD+ytPPtZKXGJXaWE0qvuNKNveqirLRt7E+B7z7yvhroaEHahHEseOQnJ6dKY83KzH1riHBTUNOVcI62hSkiYEbbZXAzxznxMKDs04w/BpOksTeg3OWD/RzwuRdX5M2zb3wrrqbF9r9yoLUbWBMS2bdUbUyLiqvfzKUWKAd8eZsS4+P8N5fbPrLgXmB+xRz5xiCQ+r/ZL4Nj9pfuSZMDKytIglldB6BT5gtnodiaCgAPrtLz2OMtBvvojpWOaaBbYWxbrnMhCG2YYU7Kd4UFXEttL/MVs7YkZow12AIngKqzz7vXo3K2iwRYoi2CjOwv3NeXSWk9LdTrTxs00iO8RT55wbAcg9HiNkYZFtrI+6sygvnHhDmNhYG0z7yHCpx13KIjoFEtVEcx2F9bbMftxBmZoOFaGtBhFSgH323CLGoFecdhv41cH9F5HHzpc13Pc5dShm6ZPgWrWG88w0Q4WIT6hiXlriSnd9xw0At4kl7wRBqusZgwDVTBCFbtKS6Gg9msBZnZzADI/aeljY3QXGg2YT/2Ra2c3quY= # yamllint disable rule:line-length
template: # yamllint disable rule:line-length
metadata:
creationTimestamp:
name: secrets-factorio
namespace: apps-fuku
type: Opaque
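Review bot: The yamllint directive is written as a trailing `# yamllint disable rule:line-length` on each ciphertext line and again on `template:`, whereas the other SealedSecret manifests added in this change set put one `# yamllint disable rule:line-length` line above `---`. The line-scoped form of that directive is `disable-line`, so the repeated inline `disable` reads as if it were scoped to a line when it is not. `creationTimestamp:` is also left as a bare empty value here, both under `metadata` and under `template.metadata`, where the sibling files write `creationTimestamp: null`. Matching the sibling files on both points keeps the generated secrets uniform.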


@ -102,15 +102,17 @@ spec:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: gitea-ini-redis
namespace: apps-roboces
spec:
encryptedData:
cache: AgBfhhRVgy0VonwvXF+qqhh1x9+Z1e0o/OJCI11srR6XLVCf+SIBejOSYyoYChS8HYgBdIuqKNS7Un5bdws5NF1HC0gbf8/XRCfivocceoXVta2MugJxz7Y0+9Ro3RH9uEKi6KVqAyHcev1oOW0eqmkNqHust06+VKa5Bw8F4NHa/3a1Rl9b9xaMwrJLxVMKZMyAIl2/WISUovKFPTjPU1HK9ftEaXwzj5HG/s2jm/MjrrvcoA5z1OGUm02xjqyooUNM6gsuNy8LTXDQybeav+PxlQztcOfNaqipTUkHLjmGWiste/Yl6ik05Dkh7BKmL2czY0KPhxtNGcUq4e2oE+b6DKGcJpbuSVxZLSqTKhg6Jing1GwNyembfRE3nwsvYgj9nzit1SZoQXWnIuBjxlfWGjGJeaj6PmcG1YK4wvwFFqBKIhUGH6fhWjxDl7y1FPsxxGvFg9Fnvcjex34K4J6UmnGO3G2Dts/V4pgJTGx5lp6wpvYVtr7U9ENRTym8GM5oVZ3DT0lONKcfZXRH4EDcMHKMfJ/nDnpQWJC+lihcTRVeSznxu8I073hk6MMAZ8Ho5/28rOCOdJc2HI807ipe39BzTn4U+ows34uFG55GgaTdfbbeFwLjrcVc9ht1WaApkdj8Bnt9inmFPsI14Zwb4Ap/gSSO+ztwhnwrA2rWD7fko53INLJLUb4/49H1xRpMeqEkjoUb76zpdnazuF0ksqs1zhPOUTpnQniduotkwZZrtdU2WPRxVzHXTaZD6/1oTrmFBoBOLnkBPz1CXY/rxMoxHrFoS3zdUtLYWXKqVZy5
queue: AgC1CxaTdBFeP3M4x8TMJKK2QsWydXC/eAslML9T1yzl4ZStKioMh8QJKbhj6oY3KTLyqBHpLZSGFuhtX/y9Z4JvkFhihfsKtlYL8OrNvO3kxjzku5l3vR6tJ5vCQfIi27hUjVKHN4L/6DGsegbgBGIidCsN5kHRv4C5ToAw/EvxgbHIRILIo+KOBALT1kqKIF+Zdd4fQGbIExwclhFl5SgzumXPh+/j1NUZ1peYYFRnvr5G9aeKPpgJ2wK4eMPQ3ZyaAcRCtxdEhZUF1DF0ESBQ++Nr/gU4GMoron/wSr5cUFmNjSoUTJA3xJeEROyoSGaaH45mLDYH5QZdeA/av8e6vaiMIuWr/UgV7wONFKsJLf0q9Fcr726maJwGiMmIjeCwLq4k+ZI+N6S8/xNe2sTrRUmwjWtbL82ZmafvoUwv0lmxxXpmFqZmG/Zy/KCx9QSDaBJBCStoCgMZZ04HdnxnxFdFj2DMXyshVxH3wqEFAKY0oDfrnIBxzngOEXxu0APp7rlMvFq++HMJ7+JC+JBLG6zfNSfpQyuXEwfSkvowA1i9uhAQVb3D7nSS39xKF7oK8aYDVK4j9QL3w9qxOkYW7bHVd4zDgtiidKDAFWoloMnjPYQDwJojc/dc52+SxJGH8qpYJ8cn7BOy80cvmkwQ2ITGGPo9FXyvMttD0hUmFRouNb4t4PHdmKauuml6hcfF3dqLqrvBhJ0H7tKRJMCK+rHehIQt8VNPhp2JN7n5/KKt5vtMFDUDpc/BbHiDqg3qnICTMESzWZD752tOucW7TJAA89JU
session: AgA+o9DsObwNhAaDpkgh7ZJ9Vx+xzjex+JG2k4yfv1EbLFDpdrSnKOl5BzEZyvydxoWG7Jtlhf/QoWKPUMBMgoRS+cMAH4R3C1FHxFbiEzh/olQBH2DyGnK5d+hAy3RmTC+Kgwgh4sdePWJ3KxwbaAa18tsju9fThQOBD+TOw5khZi2YUehDiviqCV3VGH+caJgDxAmXtut1mHaFLB4QXLzX9vPoULGmxGMARiMSrEqMruTRff17dZ3s0VPeu/s/Lau5yP7oPeMjhNw8P9W8QP/KnW28y0QETtXZyvmNQGCwxyVp7sHfDgo1slxWsgjDpep/jXiyfVeV8KL2AWE2pekGD0CVaCWPOV/MOrU+pe8xBrEcaXQMpWLT5d4/Unu8TLZ7RdEdgrOI8bOVrl9TO51itw0V7EorfeaKxB6j/flRMd8vU0i29+/UOTbEeRtxuHoyH4zy+v7h49b5ODN88z7f6uEp7diuS3WEHs30EHYtXRSMA6V6+H1aaUMEM0lWG6CXtccgAToqlw3k/+Mod8kVagPNQnJ6YB7BFqu74nHo/3lGKHT6+jRfLWUhbJ5teG0pLTutNN0jIqEUY4NfeLVtKhab5Nkxr6UFSUltQwO/dwVD2mqC80yXjf1Bhq07YGIV/M5DYf7oV1+z6UWoQwALcjCdZNgPkbyGqznfGsBpafJwv3MCmZwt50r8FH4ksb8P8lo28Eqepcf+vVL6C+tJGwm3F0CbawhU9mTLb0ksiYXrY3VYmYzUZVWHsosWI05bhQgN2g+B4+ANYX0SXtEc0/YbD8HusQvnoXWbj3CkQd0=
cache: AgAd4e8faLRBWaHzBxEF8VQbPQ1Kg6d4jfSwesrdJVijhmvE+ruGfbiwL0FXhn0XLfVAB1f99+Wvus93fOwfeh3RA95L1AZK/7+QntNHQe6LP2+ydZaPQfAOdkQBf+7ZQG04QiTqr3Ckkh3eNIvAyFMIrmaYf9qY5BwVMYrjg8iNi0jRgfgSBm5w3Dd3V0G3ry3yI4aawQN7pj9PuhA3pSqq3ynK4qXdf/6nEqvA5+7m/Ys0xWSOJwAgWHUVT2KLQ7rvI4y1TiCciWEpFvhIbwtE+bc+lOARJBBUCmRcDKOD5N3qXYX4846XUTTm3W8LhO7e9cIE0saPsPkS/qKkMgW51hh2r70hgTKi9/174I6tVYU4t208UScrNlF3AkGqHzXsisI8Yw28OApLrwxkFbh/y9zbci/KmQGpw2RZYdFeXuS1RGzGDDaiCwZIUONChchAPxb0PGpDZpGrW/MOAdJFj700YW+Abzihr0GV0bSnKHf/uYdXn+3+Oz2Uk35B+Vwc+tqKCHpSzoa4SRNlwGlQ71ysEKx6zUmcPEalqKnNHMmVOocRuQuxGnRasj62tNwZmg9hC/1IriMEJJkdEcymlo7pQqQ8YXmkKAUu3w69S5v9LKBG/DGzhxUagqhErM8KSMOjXmfoNIZEVE3ey9sUDtRZTnLgDj2rl9avAAnGo7+qF6etPNuKGFknK+xTegy3DwyzBEjXzgNaKhkBqvDS+Iggko+CEspBdUqerjIydU2dXwdiY2t+wm5gztDAimROvgouW5GqwUFK50s4tcSJjvsiw4OsOBZp6r/61lejlggk
queue: AgC2LtW2jJPhh062ezMvWLLIAlyUNYO084VrSHsJ/K9UvZNVhFc6CnUrgcrvT/AIQflMYTm4RHKJgt4P5slzmKzHT/hc8RqB3L5FIhBsnmy/w55bXkrsohwcwzmw867a7bmnbAlyUglsAkKraMSpasTW4rOiMoCwXYKVtGcsDn1JLUj9Hp62BPXkQJ1Cr36lK/6Z4dHUwStVmq+wYAnm9sp1axnlwAqPgZ3mfqndKh9qZYjI2CIMuQ46HFDiwZGUSgspaVezMb7nkCk9CaoUTi1zHxsbCBMVv/abdvTPmZjqgXzR88EsAGTZMSpljc2ZB8zU9zwkkEBA5TPV4kVUNHTpDJirFvlofc7gST7CkCeoBhQ6P+vgokPa2AhcWeXVgR0PUoecpqpIqdFkAOluS7Gcu3GNu43IRzR6+9oHgbL/SHebQvK/hzVVq3yGAKaGmIXTLJS1wMm4k2KBqqaT1MpWFwO4YowRuKrOMXf634WzPsU3zOpkSbHEke6vvU2glDEdSwOGs1zPbO6Xzhqj5kTtDIiCs70mnxk1Zwve/1kYhBE/JZTi6QcQbG1uEDq8bsygj1qJZbGQMekUHQzIIfGTeOuXfoBch77MEMHu4h/2F+IC5O487FiPrQ64uBZ4I6gRM1PsiPxWnvmtNEXtLt+mMNp+l8Uuk5mvET5i0RpIH62/JYinhheDNgxwubXVEFuUClSzXomNt3GWy0KNAWsxouZEh0CQDfxmw4lTnjPcGegcZtrIqncDpe6/6gTIblOs7L41LEkOyOmBSHROQBeA11fVvE4Y
session: AgAwlEuCZq+5T0AXDJ8PXllX5lzaiBK0nlZsMlvJQKl+FNgGhuZkqZhQQSPq53W9KlJbVkRr5KFAkLY0p0CznGoI2xPaxbZ3z6c/kVU1mBqmTOF8HJ2oKBhjRKaZhlwFARpbgrqYkZRS5syb6SwtNT48NPuTKwRgzu3xxwUBkfuyHxZX4IP7/9GtEAWK1nqYXU3rxLYbRq/utSuQYnOd3Uu3ZYjQZz0din0R8VTHp01STMHgGzbX08PEwz2JH/C4Q6CUC/GcXSgSajg0PJECbibGoGEJXTVT1HWucWH7B0CQSAMYzosqPZV3JwTN+4HESZ2H9YBRHbGWpp5KGBicT+rleQ36+jva6qWmwfcXXZgsYDUCx+kb8e+b7cBZhPHDf9w9ZEzXe2OUUoKZQBt5LbjTSRtt//PhWQy16mxi0996zGAWUwshVefWsbdSFZiKOI+lL/i0yVZUn3R/olmP7de9b4iapZ7TUzvovm7ZTFU+5SgCLRk125NJNoUXdrh7Y1Hym8xlMSnajHGDjuMxrwtAU/Nq7JN9WQr5XFSEdiuP38sLdQzHdXaht4lXJn5KUf8H55ie0JNVvspwtZ2fQGo/dJXBf9EMa6s6qW/Lf9O2JVU/0sSCAl/jz2tMI9VZ4scHzOlpscmKyBFcoGFb7JtYzkPTCQn7Hz7RlgUeLLir6D6+q3vLXrz+oMbwNChlENlBS1M1Ho1BKwZgBRj75nog3k5EOEi3ym6B/g3xc2YWnlZkL+ZM0TFuTFy2y36RMKb90744tAVXNXHaVz0i85ATJJ8Vs/OogMDN8yKHBPaqlZQ=
template:
metadata:
creationTimestamp: null
name: gitea-ini-redis
namespace: apps-roboces
type: Opaque
@ -118,13 +120,15 @@ spec:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: secrets-forgejo-db
namespace: apps-roboces
spec:
encryptedData:
database: AgBouV3XhCd3Z66sDHDz0nbqbvAfip94yr9R90stLz2H/vJFGyx4xumE/9xe3b5GUd9aYQbTonhzHFl+zP3yoeTsGIGAbuvpeDimDKUIdnI6MJ2oGVHSn08QY/eu2vuj4nUODCeWPE7W5EFqxCxCq1YxZZpoBLzE3zBuIf8R48KAxs7aau8k4WPPSBxHgXuIeUWR/fNtQrA032f1wS5p6bae8403ro4aithq7J6DiOz69MXIQWwqufay+krsEEqIoE8CioQP993w+AUH1q2tk6O7WQLuzKt4T0mZm6F3cWyNbpCV9GT7q5LtejFn1NAwsmM4UG2toZfuWe9NgiSwyqNNUW7IjzfW/+CF3UfAtkgDfn7IAFu1Wg0yzufsnJuazFy2FiVDYNiHYS3Rq1iboKQl84svuq6oYdgvK6kf4IUfU2j02TgCyYc79/sLFqlbLOsZI07fAg/tDIzRkWQyG5P1HreIiDYZdgm50BgAzyEsvLjguKqPUl/c0LLwS6IxleN6RgcxfczCnaf3lezPXol37qCcyTqCqyiYlpI0i0Y45RTpLmTlyATVpzXCiir3IM0yEbK0ff2y2c7czTdoQSaIowAguUD3SamNY5y3530ZQDbZAXF0U4nDq7Pn59tfrlvvlsA8cSGjgyjwGJobGJUCsGWfOtKSbTNV0zd6EFHlqN5ilf15BSaWXU+6g/UbJKxjgk5aNpXH8LHuAQBVAxpRQR6CNlaz6kp87b5CEnLtPCE9nlQGYBXA9sqdvABGSTGdJzf5k57w7Q5LiTLwA6h8x8TCbkRgArl4r5RGEdtfBr3ZBCzKL+EHJGYGHas=
database: AgCPUgtry8Pctkfr+pQvJ8TQpj2YJ9TwUBaRXo7JP4MMsWOXazfVxd8A7sqnNicpmXJ5hx3OMwfxTFg3KcyGWGbTxTGkwJj0Lxwo92sDxhd59NORadlqQYOx19z8foQ+3HSdkhPAEAHzNq2IBgUcTPRZTKuAXyIsrSVbgaAEwWz8fCkwP/CEJvgC7xztQA0MzrPagH2hlbD4MZ0E7mBhrpo9YTQfvSEDQo0dNKsh/4xvXQoriayDtxoRq2mF8jc3f4f6wmbNWrGsdOv84KAXgLm7bzmffTwqCM1dTbuOCLtxvt1M5r39HQTAsBp1H5yWCFsx4paWyhdVh9t3sjDzEYZNYSLrga/bLJ2+CaQWaLpLJBC9u8r4ANHs+KqwdiMyo1RXqlJsfg1gn/udBpXelzpwtWIWIMtsvNrWxOBhOFsWCFnVvxJWwdcxLoe5wmH75OhbP6Ewl7SddL/4kyXqgZfQi1DsbK5VftWdo7aDEVrwTa4Jq4WF7TbTX9GwIxUQ6ahuBzq4De+vZ/jCV0rE7WtGBvxLHIXb6pX7sNsJFwGYvy63SIhWnQXadeTjLNdy3Tq9aK/HeQJsqXPOAAm/oc2udBkygWs2D77NM0wEcH0YU8i0wPS5ig6HxLQTrf0qLew3E8KOjNyetar1QHVl3iTqGQ0C4U5TgIke54eh8/X1Vgd11dgZBpRx8JsUWMe7Itm+819FB+0tMwWJqrmoFyCEBL7rLl+VAS+oabIXD/ruHJFc/blgtLRqatLtOTARqDsfVK9Bm0YpcsDjEbqAiRGHmOaK8Qp9ywle9sh+iVUG4ODFun2goVfgwYcsD62B7CUMb80ZYiY04dTmXjcIzYww+zGkjhqaIPmB/OHovw==
template:
metadata:
creationTimestamp: null
name: secrets-forgejo-db
namespace: apps-roboces
type: Opaque


@ -0,0 +1,16 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: meilisearch-master-key
namespace: apps-fuku
spec:
encryptedData:
MEILI_MASTER_KEY: AgBcQDv79lsUJF09YTd+zsuC9Ufhgs74mk5sxIrgaAQW/5yBupPgIsZw+g33qDqejuG+hfdhvkTOFHYetNuEDjnPWEpySjMLiB6N/HXMSuPimbOSjhHP3d7jgnWnIluUPs3RsvxDzaHCygVsS2a5ul7+qJGbiQTlmcV/rMVkqiw95mxwswkZhWi1Da1QYPgjRkazbCV0JAVhYYoo7VBnxceyGOS7Um5BsdyDMmXCn0qegU2FDlXTcBBur48hlyRqie/DxyZi3Yx/yiOnVH7g7H41H6hLJpKhQTMQbnohAqUC2UZZJlwrc8b/3kisFw/pxBP7S47hn9iseQcw18mXs6SzlXbhWm+CyNsKEvuXJAMVlaCrOCqs8Kf8ZlraCJYYq8mx+zoA7yAHnRdC4uByR5SGwnXJgq4WJD3wx90NuVbTcJfpQ+bNMPpRS8W+66S9j+rBVk6YcqCqL62JPSf0I9ZKCrNJrtbx5WyxbcVAgZdd2oxxXq6fG4I/wvqn/LN7nAqDwaCjU0395R+vM89o24h8pMTNOUhY1Dqxh0rKQOnTACc12kmhwQucdtjwkFzM7PJxW8d8GGdvgPoIxe27sguUMvn6IFo8h0JmGrbAyDEeR113s/gwQm9ozM9KJXXyImfiRJCcDSlny0rTNWZaGonXuSezFuhcSazepd0v85ofHgIflQQjMfLUNz1b9+ci4SbnpoJwzlrY2d6SyJSIA7Bz223j9UcRgDvRvIz3
template:
metadata:
creationTimestamp: null
name: meilisearch-master-key
namespace: apps-fuku


@ -0,0 +1,96 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: miniflux-deployment
namespace: apps-roboces
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/managed-by: argo
app.kubernetes.io/version: 2.2.13
annotations:
kube-score/ignore: pod-networkpolicy,deployment-has-host-podantiaffinity
spec:
selector:
matchLabels:
app.kubernetes.io/name: miniflux
replicas: 3
strategy:
rollingUpdate:
maxSurge: 50%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/version: 2.2.13
spec:
containers:
- name: miniflux
image: miniflux/miniflux:2.2.13
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 10000
runAsGroup: 10000
capabilities:
drop:
- all
resources:
requests:
cpu: 300m
memory: 300Mi
ephemeral-storage: 2Gi
limits:
cpu: 400m
memory: 500Mi
ephemeral-storage: 4Gi
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
envFrom:
- secretRef:
name: miniflux
env:
- name: RUN_MIGRATIONS
value: '1'
- name: CREATE_ADMIN
value: '1'
- name: OAUTH2_PROVIDER
value: oidc
- name: OAUTH2_REDIRECT_URL
value: https://feeds.roboces.dev/oauth2/oidc/callback
- name: OAUTH2_OIDC_DISCOVERY_ENDPOINT
value: https://auth.fukurokuju.dev/application/o/miniflux/
- name: OAUTH2_USER_CREATION
value: '1'
- name: FETCH_YOUTUBE_WATCH_TIME
value: '1'
- name: WORKER_POOL_SIZE
value: '1'
- name: POLLING_FREQUENCY
value: '120'
- name: BATCH_SIZE
value: '25'
- name: METRICS_COLLECTOR
value: '1'
- name: METRICS_ALLOWED_NETWORKS
value: 10.42.1.0/16
restartPolicy: Always
automountServiceAccountToken: false
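Review bot: `METRICS_ALLOWED_NETWORKS` is set to `10.42.1.0/16`, which has host bits set; if the value is parsed as an ordinary CIDR the effective range is all of `10.42.0.0/16`, so the metrics endpoint enabled by `METRICS_COLLECTOR` would be readable from every address in that block rather than from one subnet. With the `kube-score/ignore: pod-networkpolicy` annotation at the top of the manifest, nothing in this file narrows who can scrape it. If only the scraper's subnet should have access, write the intended prefix explicitly, for example `value: 10.42.1.0/24` (constructed example; confirm the real scraper range). Separately, `capabilities.drop` lists `all` in lower case, while the restricted Pod Security Standard expects the literal `ALL`.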


@ -0,0 +1,21 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: miniflux
namespace: apps-roboces
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: traefik
rules:
- host: feeds.roboces.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: miniflux-service
port:
number: 8888
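Review bot: The `nginx.ingress.kubernetes.io/rewrite-target: /` annotation does not match `ingressClassName: traefik`; annotations under the ingress-nginx prefix are not read by Traefik, so this is dead configuration that suggests a rewrite which does not happen. The rule for `feeds.roboces.dev` also has no `tls:` block, so whether the host is served over HTTPS depends on entrypoint defaults this file does not show, while the deployment's `OAUTH2_REDIRECT_URL` assumes `https://`. I would drop the annotation and add an explicit `tls:` entry listing `feeds.roboces.dev` with the certificate secret used in this cluster (`secretName: <tls-secret-placeholder>`).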


@ -0,0 +1,11 @@
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: miniflux-pdb
namespace: apps-roboces
spec:
selector:
matchLabels:
app.kubernetes.io/name: miniflux
maxUnavailable: 1


@ -0,0 +1,20 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: miniflux
namespace: apps-roboces
spec:
encryptedData:
ADMIN_PASSWORD: AgBbFquTKFmBFHnsexbzAFrfPtr0ipW7Hs/2aBFdITZJG87rHmvDo5l/sW//fPjW24kVgbey1YEwdPMcwyhd9AX6dkxXxlrAwshMk3mZc7ZefBne2dT/cGBBvY1EhTaIhtvJwEzsOJ0LEV6Lr5NtZeFMxqpgwd5ap93qGS5F/pZPkYwHHZZ7pv8pjXwVMqOlFFhgG+Lo8915Q1SSo7gvkMOz26gFel/FaYAAuA0Rj+NTAlBbgXaDraabhWX71J5fzyLt8vxqlEvpaXzLFJBqlvvo0HLI6ODS9XDuAfEsng70qT+zoSXwcb/zKuTjQ7nlC9Bsri73NBY4wqzxFTE6a4kb7XTmHDFMjetSraAqewJP7kjI/4/hlKO3ioawnQD9GCnfMEGlcdW0Cf9ENaoiJro+3Bi/ya0x3Zuf20fPY7ALh0TcIV5FvUh40gMkcY2mqGabkerPcXozCpY+RV00N3CjDpqLvux69LL7gFKAN+mZJ7+V2XxHTgtCMww+VhCG3BvRqC8zLGaU+QYN0VIsqb6f82J19Ok12hyn6w3quh+SgSQRenhO205cg579pUA//QneiFLYOKx8C+4rUobj2J8Q594xYR8Qu6/6yJzuzO1vCDDsVuaWewcOB31rsZhRIKu+0eogCSK0AOenYLqFmNcMYXJzbvfsuw5+yK24jW3Vhux4lTQ4qbUuaz3O/8AZJTrC5raEzerm7heElYAqig==
ADMIN_USERNAME: AgCDJJHFCX0GiNN92fsmuDXk+p/jqyovj48PbrP9SDBoA1W3ehq8GBbcI+ZkOJ5ogHK/LHDQ+Dr9+Ral341nJ1G64oZimUYarJQHpqJNmnTnFx5qPGXayf06bE9xXZdLBxv/f/AuB9dgDHLJO/M0p0XSjsVjAtTAcGb5hdb281gvOIgf3PsOHyRL8qx8W+KkQ9Q7AufvvAzmszRY7VLaOzdW6X+34sgMeclsuPJ41uArod0qYt2MEZt/ssBDsr94EiAnITX/n3qb29xwhPUJV7UIEtTtM/Z0W4bjbG5YMVGnyIlNNdl8/B9gmFX2TLH8TEu4ynC8cxVvZytnk+N8AUHrK/d2BwpAHPeUPETkfCa9TGdtuMP9xtf5pPDsaAKFKxkKFFcjn497K78yMyCtm8VJn21L+e2bylfE6Nrry6L5Mc8LUCViqoR+CHF9vk590uFKM9FhIZEQ7Jb5DYiftyE0stYt3b1vLeBSZCt1VFaQBBKkth3N4EIEY48tTrE4pDmuesz/phgQtZO7ulp/t+Hq+wej8P1xbh1HjQ5Sq8xc8oysCMvdQy6bYckFHd73Ctn2VeMEZYH81x6GhlYp1Q8lgHl6fUwbWWDFvlDD2oyfjAD9hQEmt3qF4b73So4h+pNiG32o9Nv4t8yKj7ACPD3wJZi5RSLPeaDonX/SnX0ocV0uitR+LlzaI81gwzpgIe4jYpqNpQ==
DATABASE_URL: AgApgzFV2gNZtppBMCo1WtPVS+WrNly+6JvrZQAiv1FHQuqQYPmaZvFJ9VHXZ7cOFVH+8gSVBYgDSUdPfhjkVaK4frFrxAPLdNjqjqXNRQngI+yF5YtlZr74TP6mLlmY3wqRKS5w2M8mEX+7ME+E5XxIalweUoFecRri6ZsJ8ubNnJUA3afGFvHugnLCrMzmIlur1x3rz5HTv7crxWajECvHpjYvb5hIjdbIWDV6OiKMYpUIjGJFFylP5X6O14PJpQXtN5vAIz5Kvf/1zLuAG9lxsR+P0Ab7wCLIqIQG6utoZMIpNP3PvscD2D4DJnRsH3soUdHSUe+8RIpR0os3nl7Q+YKD5cuP1dS7NJdb7ER6l/RagFUCDMbrFpP13QInIPI3oiMyW6hPNkVs9kCM9efL9POG/O2PMaE0SlJzK0i1HKUT/DDiyTnXFdjVk5UY1Ltt0t7i67/nBoq0GZwZjJBVCyCOz68icISW/kZprI1/7XssukQyaRw8Nwk68jYHg3iXazBz3NR+RPTl8JcKimv+GhSewEToSHemAGO4kWAZXunVP3Pnn/D9+4Ng7wTypE7xUReXlkwJMIEoMad3Scdx/DdIwbbmhOONjgl9Sd5twl7Bj6UWPDf6/awL+fVhz/brr51jV0dF/+2uty6CATxhPvf7CdKP4rsXIE3iLzqiLtaHD2hQN/b43/ipuhULu3ymqA1RJPsOQfSu7exR5pabWUxQ7rDZAS05h1+NumGxCmPUudRHGid3Djj3S8Eq730TlOBW9LDoVPml33icLp1HEV3pa2yTN0t5oU0=
OAUTH2_CLIENT_ID: AgCEyqsIU2Q6PCXzmQDyl/aIZBtUSuWmkgr8MWVmWTrwnTKxTKq60wQzbjpA42x5QI7761xftvFjPx0UYwv+06PdvG8eJDhCYEjimrq9oSuuTq/SwBhxT3NwcwUJ9H/N+pe1K4qwARwgfAowoXiWQ8d1PHKTQ2NleOlXNGuIy83e9KDGWjMDnIbQr3NqFn5Kdv4V1A5eFZyDkm6FmpXl0JbuWNVBzC/kQDhsgZzRKDBYMqXAlp1CymvT2KsGa+PEDXZsYAGnf//JfIx30Qtqc8urmDzWIedHGBtDhNQPI+1P4mZCJ5ue5XmvlZr35C1w6EMsBzK/B+a0MRSqO5l2zyWdSTFXLWR7XjqvtCYt4XTSAqJNnVd8H4y/V9AD3hyQGnTPHFhqfTyO0JXdFdHWPt99Xk7yRENnRrnCPs/2IWympqsi7dYF/hrXUeQO3bTW5qMttDWblDDzPvOaz9egRjDfVk7HDiFTC3q0v8d4zlVpDcWPkduVNbI9OaKSzIW/9kSrF2aI8KtG8QYMoKWQMAKBNEyy3u53pmZ1JNGVFweRvOjUPj69aqOAjI+4T81TPDlbitujVyaFr5qKAcNVMNJhUCkJJtVyVPlUbShAh1OKpIclpK8QaB/a3BS8OPZQYTg2G++7wrPbDlP4BszjhGdJZuAJ4X/TRRra+IfjTYS0QVxWCq1x8uj3jhT1XBpoSNCuQNcBQHjlKFFXKW7oXbAa077CCtI550QOJKblnBIicsQLcySyZVjd
OAUTH2_CLIENT_SECRET: AgBX99LPH02S5NgguyWm9cj7NDgafTzygg5qkv1GG2Z23fe7ebuH9AQmvV0LQKZx6NosZsH/mG5d3etrc+zQXfsuzGfp5ubzlSwJOfFjUQDBc+h91IKJLmTgLSCYWkt5hrxMp2sAqzDQ+uFQr7VF7hA1G79HTKSd4NzLFLas967ft0Rgqm7hOSnPbE8lqoWOy+WezjzdmHfNqqFFdyYy8X5G18gEglaBta/cYzorSwESv/oZhuQK+RaNeyb8bShWrbw5NVudAYidWTouuZxp21bv4wYYzqFi4Lzwn57bYLFf5L/1JhVklWsF7cWLSVRQch86kgScV8gp9DK5OI+g7xKI9fwM4v7D8JkujC3pp0ONtLku0Wv/498J4yqWf43ZNyqBi7HiX/4jl4Rwy2J3IDN2Uj18GR1FxS8TgWI4NChugIzmuYKywk7fKd+2NxulOe9X8dtflLLiSuwOWkIzWMB8MYOtR+RqJVLyEA2GZaKRtskiRGfzPYcacj/FHRHwWuO2uuXQhHSZetcW+YjOCmwm+q7WKbH0wRpMoMOIeMwQJ9Tew0NgOepOrtwkx0mj0qdNu5O0HvQU3tCxt7wKLN9hk6zt50iWFnoloQCjK1CmTVr01JoIhKh+LUH+sHVt5dtW0LVR1+757uh35/DYqdTK4KcHQEGf8Cf08yfAv5ZyfTluBxp35iORsVCm63Py7txVaBwoJO1qg5Hmpvj0G7woBPC2V/0DOJJ0+QAGqtrFvbNTcRORS3G6mmKwJObA1WsqWifdBLArrF52Z+9vncLxHw/ty2/++R4ljISrkAMQilrfNc9xqNeG+KE+PSRfQFS1Kc/lcotJLgbbpUjr/bOwB+8TuG1EHXBRINgcWXFcXw==
template:
metadata:
creationTimestamp: null
name: miniflux
namespace: apps-roboces


@ -0,0 +1,19 @@
---
apiVersion: v1
kind: Service
metadata:
name: miniflux-service
namespace: apps-roboces
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/managed-by: argo
app.kubernetes.io/version: 2.2.13
spec:
selector:
app.kubernetes.io/name: miniflux
type: LoadBalancer
ports:
- name: miniflux-service
protocol: TCP
port: 8888
targetPort: 8080
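Review bot: `type: LoadBalancer` gives miniflux its own externally reachable address on port 8888 in addition to the Ingress for `feeds.roboces.dev`, so traffic can reach the pods without passing through the ingress controller and whatever TLS or middleware is configured there. The Ingress only needs a cluster-internal backend, so `type: ClusterIP` would be enough unless direct access is intended. If the LoadBalancer is deliberate, a comment saying so plus `loadBalancerSourceRanges` limiting who may connect would make that explicit.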

105
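--- a/k8s/services/pulse/ds.yaml
+++ b/k8s/services/pulse/ds.yaml
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: pulse-agent
+namespace: apps-fuku
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: pulse-agent-read
+rules:
+- apiGroups: [""]
+resources: ["nodes", "pods"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+resources: ["deployments"]
+verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: pulse-agent-read
+subjects:
+- kind: ServiceAccount
+name: pulse-agent
+namespace: apps-fuku
+roleRef:
+kind: ClusterRole
+name: pulse-agent-read
+apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: pulse-agent
+namespace: apps-fuku
+spec:
+selector:
+matchLabels:
+app: pulse-agent
+template:
+metadata:
+labels:
+app: pulse-agent
+spec:
+serviceAccountName: pulse-agent
+containers:
+- name: pulse-agent
+image: rcourtman/pulse:v5.0.17
+command: ["/opt/pulse/bin/pulse-agent-linux-amd64"]
+args:
+- --enable-kubernetes
+env:
+- name: PULSE_URL
+value: "https://pulse.fukurokuju.dev"
+- name: PULSE_TOKEN
+valueFrom:
+secretKeyRef:
+name: pulse-agent-secrets
+key: PULSE_TOKEN
+- name: PULSE_AGENT_ID
+value: "k8s-cluster"
+- name: PULSE_ENABLE_HOST
+value: "true"
+- name: HOST_PROC
+value: "/host/proc"
+- name: HOST_SYS
+value: "/host/sys"
+- name: HOST_ETC
+value: "/host/etc"
+- name: PULSE_KUBE_INCLUDE_ALL_PODS
+value: "true"
+- name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS
+value: "true"
+securityContext:
+privileged: true
+resources:
+requests:
+cpu: 50m
+memory: 128Mi
+limits:
+memory: 512Mi
+volumeMounts:
+- name: host-proc
+mountPath: /host/proc
+readOnly: true
+- name: host-sys
+mountPath: /host/sys
+readOnly: true
+- name: host-root
+mountPath: /host/root
+readOnly: true
+volumes:
+- name: host-proc
+hostPath:
+path: /proc
+- name: host-sys
+hostPath:
+path: /sys
+- name: host-root
+hostPath:
+path: /
+tolerations:
+- operator: Exists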
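Review bot: The `pulse-agent` container runs with `privileged: true` while mounting the host's `/`, `/proc` and `/sys`, and the blanket `tolerations: - operator: Exists` schedules it onto tainted nodes as well; a privileged container is not meaningfully constrained by the `readOnly: true` flags on those mounts, so a compromise of this image amounts to root on every node it runs on. If the agent only reads host metrics, try it without `privileged`, with `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]`, adding back only what it demonstrably needs, and pin `rcourtman/pulse:v5.0.17` by digest. Also, `HOST_ETC` points at `/host/etc` but no volume is mounted there (the host root is at `/host/root`), so either the variable or the mount path looks wrong.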


@ -0,0 +1,17 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: pulse-agent-secrets
namespace: apps-fuku
spec:
encryptedData:
PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL
template:
metadata:
creationTimestamp: null
name: pulse-agent-secrets
namespace: apps-fuku
type: Opaque


@ -0,0 +1,17 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: secrets-redis
namespace: apps-fuku
spec:
encryptedData:
redis-password: AgBqJ2pqIbdtOtbGnmalrdzSEZYBDhkyhZNv3fEsgLmvZ55ehXreELEZGKcOCqgVKCQZnfLTA7X4vyR6oZVhSdvcJeULmHrmO7ynItoyowvmY5njE7jTWTsSKypCXJXS0u81TD8+sF0DCRrALo4fzCfyxHWg2x7qyVOllOfhaWpggFsqqn7fMLUdhumnW2C5bEj2x/8PkW4aLI86osjKlwDiMXTE6nULQ4Fx76zzjuhCDLN0RGG4xTqVzDcbt+F7cpULyTJ9Kvq53UPMMaCq0huIkU/JYmAHMUcXF2Q1HUdh/K/R0KYqhlEN7t9JPJgsi7s7IKpp0EFRHOfvkZAm5bAqG34q0p/1Hce+0ifOZsQYp4nmj/1uEGshXhWETSI7mAw/sEdG+uJvLP6Sz7KkaLXhV8tGHfyXqwNyo+jV6JqIsynOY5UZc8zN170nQXwM5KzQyIsNz1yjDFGBIC4y/gjwaDXioaMGVg+PRxFEUAahssdPPZ8ug3M8EaqqgPlHTye+LwHDVDJZAWmnYJ6ajYWGqeCx7pKw2+vhr8V4ToSyG3hsPEbREwVSO50fKOL/MelRC24Rrzv8uthtHjHniLt1DJzPkXJUAnMaV4UsJ21Ge5PQo7Op0G/RNSnka2LAt3I6CVbUb0UoBhSNPmDVD5/0pn5oM/PSd0oqszUsFdxoIOpCIt3ReZUD6eHOlcuK8H65nwsb7Cbyde8a8GTD9q7SoDo2IQ==
template:
metadata:
creationTimestamp: null
name: secrets-redis
namespace: apps-fuku
type: Opaque


@ -0,0 +1,16 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: valheim-secrets
namespace: apps-fuku
spec:
encryptedData:
server-password: AgBsm7Qg9ej7FtFh5twb4ALyL0I/fzVukURvFg17aweeDX7bM/9p/Yq7S2XG8gbqOYbC1GxknGMHQUnTXqXC9YZ4tZVUAptTCrAsPZHhHiet8bM39KCo2tGa5mCyC7lcmxae26cHuKj8Df6iMQCHL9ZH58A2SU8OIaszkonjwvSnbk6u7/HLCE8UyqP1JjXBMd4wx4BFDrhbauZr10f51tI55ksY+x44QQNrz84QEXmQ/dgwdzGAWqcPQTf57BebSI+ZKtUIvrMpNtz1ioqGnH3vWlb7QnqyqcyAYri3W3j8DB03EpfI2QjYi5Rs1NaJoO8L5HFdHW5p+rmttuwRxiEUPmURftH25o6Mgv/EcWGsB1TpyyFXM8JNU01lWJ+Wty316YF1BV3zHqdQeKu82R/wSv+iVm1dYKTfSOLe3YJr+aFnhYX3hCpBup1cB2KeOe/X9wTo2ETdvKhcIJPz8x7TRcXaCerVmVBw6LagmmdtMsCL4AIXw2gdkBeGONQmOzR1hDyTBAmpTv59WYzAJcCPZRE6gGxCPqH32G36E7WGEI4UOsjvT3GkVDnYx4FUDppzSP0ebnHZOwwAPFtXojHUaHg7ZTjZiuXDQa9Hkqt4mIOKa0i1HI0MyPu8eZJjoRXNS4j1yLfDCP2eSuhGjtVNbbyQthaITolitZ0VeUU8St1iKB7rvAGHqhBoPSw9TOBVSsBcHgIAV64oRqto4kM8
template:
metadata:
creationTimestamp: null
name: valheim-secrets
namespace: apps-fuku


@ -1,17 +0,0 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: vaultwarden-kubernetes-secrets
namespace: apps-fuku
spec:
encryptedData:
BW_CLIENTID: AgB6UpzjiBqifwHwm4YfevKVQLTt/2JxrTdJ0O29i416TrvPvYlrofG6ihWQDIr7zAROq5RE1YI1mFdczzcHTccMV+/rPPBTY04rdkoypc17/+P5eVLO03dcSldhbcgiMJQYgji+U59SFebPxxPI9gn6GmOss368Wqgdffu/d7V6RtvBNN+qgIu1FjS26FYxKRKi/mEjPmF6GCkkWRHkkpimdjKalVkuQXiu04cwDTSRYNmgePv5ihem/5tP7ZqgQCFpYafpia6CnQwhHNoPP4Dq+cV5VVPw7AfVdm28HgFLiZhiUWXoGiiFvTZcDwViG4T80gqxtfN/2ur94V7zc/PTGXSsVWBJYM93/jf3zcK7h5wag0nXeYm7nD+NT1JM/2NZguqLVl3iX4qE+f0C83dPTUrBv8+9H3aw0YLI/zgnT8Fdg6VAdbGrXMXrTEqm2IChRZ65/WIgwaRWIH+ETsWPFqUj3mH9Cx8NkNNSRfTqmZS28VEfcCzutSgTJ4zs2VwTYDBBD1QQSMrhUSLrCihWLK3ZTjVTEwAaoUObnaFrYpNBGVZQne9zzWO38/y4NQ2D1Q1YTx0cBP8qcKit9v1GFmOcNDsVG1WCFkZh0qz4j37SOBH0J00sG1lwGvkb05pOjcGVUexjzvHloUjSauFypW+2XQqnVshMbNgKgZYZmZmWbHf8nyq7+wssivbjB5qX5foiCN/Qp2WtIG92k08ZU1+hTq/w/GX8DI/UsbSLU7p/0vpAKMDBuw==
BW_CLIENTSECRET: AgBfsr/ECO+lxSojrp1Ailv7SOYMqtGzmQCmXI3g7+K0W+RT7dOHuZOk7VlvYG5l4qVjriXhMo1xGcGYf8WeAebx+OWTs9Y9sRQ7eGnQW/KD7ihV3vCy2+jEdWZas9wEN1coUUt7Lbg09jz+nrt8Di2xFigJWSjuWejyAwmnRC0O0gLSudidf2x1aTeclid1tFvubbKbYUrLbTCLPW1bDuDs8BseRX6sF8/CVR1ZKWbcADUYvP7Amygc4WMElRREMQJjKBiPYNA4OuepvpQDlNVz/wq499XJAnFMDP8BhKxYalwOqTYzWQT0DA4mwBokMnpRE0VJ3erAAKQwzDHqO8pFE5bqhgzjwTWryH0ZmRF96JVLxx5IMetb8jYEPAHA/ymz9GmSUyVDXDRoeyH2xM4vuD/6A2JXc6kgcpfRx+5UJUybajO7urvHBCS/5X5cEiEOyEtqPMqkRdv2LgN1wXMEU88eK2NqpVX7zhLIJgoMusdHtkDmSlS+pFIb3GwGQRmn5khj5xkyQKweMoPvC5Pq+T/F5/2NziJGRj56HYvaiOPfyfzetaw7Zh3I+umMfZ6mtKD7ntYB1EYaqIMhTlAQv8DxS98t19LOke3h5QKcX6SdKeAqAvlqxuYZ5rweNtZsDevtnaFdmDzbve6xbZrtNwAurpZMYC/7tetyH+jFHrcFjDCuMMLdD5t4d8NW50nks71Pofe6KO/8lkzNOjiQwBIUfG+8Y6bAmPiBBr0=
VAULTWARDEN__MASTERPASSWORD: AgBlRRDUcWw8Kq8IJ/dBk1RQwA6jg4VtpDTzU9eRtkdZfBoEI+KnQt2QHtGv7ZMmyCHztRAoJcEWyoN25RMdG4dQQN40IOPBiv7D8e036nQv7rQqZWE7mPPs9veskS+8sE+h3HFlwIEytn4721nHw4DNl2Uwbtgo1rTRRyJ3Px2UoCfnCU1xVtimWhj7uLjf2kPkSvWRUFZFfzSkuMWtiAPDxspk7q8CTktdiUHV6ZsuuIcZfJ1mHkuredVGYpOcrKLJcwGE7Auzn382lILNwkSuiZjt0T+O5A0c406SPVGU/ovofbRgdUQmmIbS+q6y17HMDkwLutdmIyJgqMEPJXR0KfebjzdtaNdSbmL68QsdECqCbQm6Az3uMEOJ8TVm9rH5yfZZoXLMVjzHgwtQbV9vBb0ubMUKdqJahD0zUQ/1FqDtYHt9OBv8bLh8SXiTKNxz2GByHjcGFUNZhZac1eTqmtYxxUhk4KNFsqx7FvJNUi0VTfINvHAd9Tjlrd0vQbST3VgdiIEHcuxW5HShdSnl8o5WXKmEtlecMqB3Y/C6IIPF+CZ6HoMgfE59G2dchnNccSwdZRa0n6OWt3BWJi7fuhrBXvTBpa5Zxrqh6o1VX3k5wXDgBRN7a8pZawhuCXbcBcrhcs+wDm7YlK3Gj3F01dIOGc7qMpdMWUHcUxCikC9Wlnp5b+OKB2huiHWr2p8v0IeOu8MfC65GEkx/dInxW1CkitHsGVA=
template:
metadata:
name: vaultwarden-kubernetes-secrets
namespace: apps-fuku
type: Opaque


@ -1,162 +0,0 @@
#!/usr/bin/env bash
usage() {
cat <<EOF
Usage: $(basename "$0") REPLICAS [RESOURCE...] [OPTIONS]
Scale up or down one or several deployments/statefulsets.
Arguments:
REPLICAS Number of replicas to scale to
RESOURCE Resource to scale in "namespace/name" format, or just "name"
(uses current context namespace). Can be specified multiple times.
Commands:
--all Scale all deployments and statefulsets in the namespace
--all-namespaces
Scale all deployments and statefulsets across all namespaces
Options:
-h, --help Show this help message
-n, --namespace NAMESPACE
Namespace to use (default: current context namespace)
--dry-run Print what would be scaled without making changes
-v Pass -v to kubectl (minimal output)
-vv Pass -vv to kubectl (more output)
-vvv Pass -vvv to kubectl (debug output)
Examples:
$(basename "$0") 1 mynamespace/mydeployment
$(basename "$0") 1 mynamespace/mydeployment mydeployment2
$(basename "$0") 1 --all
$(basename "$0") 1 --all --namespace mynamespace
$(basename "$0") 0 --all-namespaces --dry-run
EOF
}
KUBECTL_V=""
NAMESPACE=""
DRY_RUN=false
REPLICAS=""
RESOURCES=()
ALL=false
ALL_NAMESPACES=false
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help)
usage
exit 0
;;
-n|--namespace)
NAMESPACE="$2"
shift 2
;;
--dry-run)
DRY_RUN=true
shift
;;
-v|-vv|-vvv)
KUBECTL_V="$1"
shift
;;
--all)
ALL=true
shift
;;
--all-namespaces)
ALL_NAMESPACES=true
shift
;;
-*)
echo "Error: Unknown option: $1" >&2
usage >&2
exit 1
;;
*)
if [[ -z "$REPLICAS" ]]; then
REPLICAS="$1"
else
RESOURCES+=("$1")
fi
shift
;;
esac
done
if [[ -z "$REPLICAS" ]]; then
echo "Error: REPLICAS is required" >&2
usage >&2
exit 1
fi
if [[ "$ALL" == false && "$ALL_NAMESPACES" == false && ${#RESOURCES[@]} -eq 0 ]]; then
echo "Error: Must specify --all, --all-namespaces, or at least one RESOURCE" >&2
usage >&2
exit 1
fi
NAMESPACE_ARG=()
if [[ -n "$NAMESPACE" ]]; then
NAMESPACE_ARG=("-n" "$NAMESPACE")
fi
DRY_RUN_ARG=()
if [[ "$DRY_RUN" == true ]]; then
DRY_RUN_ARG=("--dry-run=client")
fi
KUBECTL_BASE=(kubectl)
if [[ -n "$KUBECTL_V" ]]; then
KUBECTL_BASE+=( "$KUBECTL_V" )
fi
KUBECTL_BASE+=( "${NAMESPACE_ARG[@]}" )
KUBECTL_BASE+=( "${DRY_RUN_ARG[@]}" )
scale_resource() {
local resource="$1"
local ns name
if [[ "$resource" == */* ]]; then
ns="${resource%%/*}"
name="${resource#*/}"
else
ns="${NAMESPACE:-$(kubectl "${NAMESPACE_ARG[@]}" config view --minify --output jsonpath='{.contexts[0].context.namespace}' 2>/dev/null || echo "default")}"
name="$resource"
fi
for kind in deployment statefulset; do
if "${KUBECTL_BASE[@]}" get "$kind" "$name" -n "$ns" &>/dev/null; then
echo "Scaling $kind/$ns/$name to $REPLICAS replicas${DRY_RUN:+ (dry-run)}"
"${KUBECTL_BASE[@]}" scale "$kind" "$name" -n "$ns" --replicas="$REPLICAS"
return 0
fi
done
echo "Error: Resource '$resource' not found as deployment or statefulset" >&2
return 1
}
get_resources() {
local ns_flag=()
if [[ "$ALL_NAMESPACES" == true ]]; then
ns_flag=("--all-namespaces")
elif [[ -n "$NAMESPACE" ]]; then
ns_flag=("-n" "$NAMESPACE")
fi
"${KUBECTL_BASE[@]}" get "${ns_flag[@]}" deployment,statefulset -o jsonpath='{range .items[*]}{.metadata.namespace}/{.kind}/{.metadata.name}{"\n"}{end}' 2>/dev/null | while IFS=/ read -r ns kind name; do
echo "$ns/$name"
done
}
if [[ "$ALL" == true || "$ALL_NAMESPACES" == true ]]; then
while IFS= read -r resource; do
[[ -n "$resource" ]] && scale_resource "$resource"
done < <(get_resources)
else
for resource in "${RESOURCES[@]}"; do
scale_resource "$resource"
done
fi

0
scripts/proxmox-power.sh Executable file → Normal file


@ -1,129 +0,0 @@
#!/usr/bin/env bash
check_kubectl() {
if ! command -v kubectl &>/dev/null; then
echo "Error: kubectl is not installed or not in PATH" >&2
exit 1
fi
log_info "kubectl found at $(command -v kubectl)"
}
VERBOSE=0
log_debug() { [[ $VERBOSE -ge 3 ]] && echo "[DEBUG] $*" || true; }
log_verbose() { [[ $VERBOSE -ge 2 ]] && echo "[VERBOSE] $*" || true; }
log_info() { [[ $VERBOSE -ge 1 ]] && echo "[INFO] $*" || true; }
log_error() { echo "[ERROR] $*" >&2; }
usage() {
cat <<EOF
Usage: $(basename "$0") [OPTIONS] [VERSION]
Upgrade ArgoCD to a new version. Requires an existing ArgoCD installation.
Examples:
$(basename "$0") # queries the current argo version and tries to update to the immediate newest version
$(basename "$0") v4.3.0 # incrementally update to target version
Options:
-h, --help Show this help message
--dry-run Show what would be done without making changes
-v Verbose output (info level)
-vv More verbose output (info + verbose level)
-vvv Debug output (all log levels)
EOF
}
DRY_RUN=false
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help)
usage
exit 0
;;
--dry-run)
DRY_RUN=true
shift
;;
-v|-vv|-vvv)
case "$1" in
-v) VERBOSE=1 ;;
-vv) VERBOSE=2 ;;
-vvv) VERBOSE=3 ;;
esac
shift
;;
-*)
echo "Error: Unknown option: $1" >&2
usage >&2
exit 1
;;
*)
TARGET_VERSION="$1"
shift
;;
esac
done
log_debug "Script started with target version: ${TARGET_VERSION:-auto}"
check_kubectl
log_info "Checking current kubectl context"
CURRENT_CONTEXT=$(kubectl config current-context 2>/dev/null)
log_verbose "Current context: $CURRENT_CONTEXT"
log_info "Checking for ArgoCD installation"
if ! kubectl get ns argocd &>/dev/null; then
log_error "ArgoCD namespace not found. This script only upgrades existing installations."
exit 1
fi
log_verbose "ArgoCD namespace found"
log_info "Checking current ArgoCD version"
CURRENT_VERSION=$(kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null)
if [[ -n "$CURRENT_VERSION" ]]; then
CURRENT_VERSION=$(echo "$CURRENT_VERSION" | sed 's/.*argocd:v\?//' | tr -d ' \n')
if [[ -n "$CURRENT_VERSION" ]]; then
CURRENT_VERSION="${CURRENT_VERSION#v}"
log_verbose "Current ArgoCD version: $CURRENT_VERSION"
else
log_error "Could not extract ArgoCD version from image: $CURRENT_VERSION"
exit 1
fi
fi
if [[ -z "$TARGET_VERSION" ]]; then
log_info "No target version specified, querying for latest version"
log_verbose "Fetching latest release from GitHub"
LATEST_VERSION=$(curl -s https://api.github.com/repos/argoproj/argo-cd/releases/latest | grep -oP '"tag_name":\s*"\K[^"]+' | sed 's/^v//')
if [[ -n "$LATEST_VERSION" ]]; then
log_verbose "Latest version available: $LATEST_VERSION"
TARGET_VERSION="$LATEST_VERSION"
else
echo "Error: Could not fetch latest version" >&2
exit 1
fi
fi
log_info "Target version: $TARGET_VERSION"
log_debug "Determining update path from $CURRENT_VERSION to $TARGET_VERSION"
log_info "Applying ArgoCD manifests"
log_verbose "Downloading manifest from https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
curl -sLO "https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
log_debug "Applying manifest with kubectl"
if [[ "$DRY_RUN" == true ]]; then
log_verbose "Dry-run mode: would apply manifest"
kubectl apply -n argocd -f install.yaml --dry-run=client
else
kubectl apply -n argocd -f install.yaml
fi
log_verbose "Cleaning up downloaded manifest"
rm -f install.yaml
log_info "Update to ArgoCD $TARGET_VERSION initiated"


@ -2,35 +2,37 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/gmichels/adguard" {
version = "1.7.0"
constraints = "1.7.0"
version = "1.6.2"
constraints = "1.6.2"
hashes = [
"h1:1vvJ6KcLUR8U2BHNtj7tMsgEsGXzTKMIFsHfcZYEVyc=",
"h1:5BDrsrU/Sdain/+KkhbNzxVL81rh69wG4iKOIBf9qys=",
"h1:70gWtux/jVZQgsDjr8+j0aRHKkGZqRWCmzoX9ddC7f4=",
"h1:Qdqipgukxph9vqXiEKVzFSgXfEmGiGw1JrrQvwJOtco=",
"h1:QveIrziFNxu+Go7pl7qjH5tqPOb8pgzfTdunVgsJ3vg=",
"h1:UrJdOlCLAWC7/I2Co02RtOKT3tSGb8TwOgJ7s0sOtCo=",
"h1:W6nZfQzWb3Ds1JRytBqzsZoNBa6x4OOe9J87f1nyCRA=",
"h1:c3RK8fSEr2yfPySC0WemOC/CR3608Ra4vFwGhvdrswg=",
"h1:jizPinVWDQUN6rKwiBgRm7PcgUJe4AWlCWghgH0v7xI=",
"h1:lb9gv3IiUZDA4P/kpuvOqZmidWMIbpG+sUecM1QclNo=",
"h1:sRIMccvZq71/CxTknprnRozCChEZSq4Nmt+M+DOjTq8=",
"h1:uOdtIfvNVEHheucpt51bSCYtX2W1LKELlOkBTbjBm6o=",
"h1:woGvhSgZDFj5+yH5uHonXSIn6AaeZekb3t9oXMZB/DQ=",
"zh:0b83aa1ade1a6f7c9b1af0488dad43bf00e733d1517463d4bee51c17612546da",
"zh:15d784c16545efaf6c368b642995bb0d0ef61b6961e67b072430d445ef6c02fc",
"zh:1c4da4d20c98795fee1ac0cd9ffd880a68f06992d6fe849342c4b19f79c8aff9",
"zh:41afcdcc5236fa40a0b7ec614cb830ef03d45f8f1b8988d24d80ec999ef34b9b",
"zh:4c8e832a5a842420b5163eb5eb2bd7d460ece524efc618bdba64e4f4a2d403b5",
"zh:58e19d2f9e4bd9f2a13b631c3213157ea80ef3aa7b3b8edcd8fb341f9c06c5e5",
"zh:7380ca4d053255f787ded10c26b19ebd23d3563ddbb36d0be66bb2cef293d27d",
"zh:7b21589bb31084bb68b2deb96bd4130b8b13c1c71614704d13d4cbdfc583f3c7",
"zh:82aee49172286676cdccbc97b809b84acf3edeb164ae77cafa837118ee3769a6",
"zh:95431a266520cce112474616c27c80f0017625ef7d80aaf69118360222d7974b",
"zh:a6dc4b60beafc471d049b856df4bf793838b1e8b2079efe4a12ebf6fbd482098",
"zh:d9c5c35be3ae54a52fb444b61e442445e74df6a4ab5bc4884b0f5d55eacc4ced",
"zh:f6bd2db5d9a178c9b5b020e505affc245a0ceaa8e662f37ad9743d65e1153322",
"h1:4rfmv0e8MoRPw+CTZBxTlPZbOSvPnIIt8kwVIIRIqbc=",
"h1:FUOYxkRfDHxiAlTKpvfZpNpRdCkq7Gs9JcZjLWo+guM=",
"h1:FewdC+pt/Z8XC1M5M49D74MYnMzVjwVoAcnonmbxhwA=",
"h1:RAXQ/T7oF42hDSuXH7hH85uj8QmHRS+ArP5pO4ILslc=",
"h1:a5SEI5KSX0cENGjd+IrxMj4l0Cr5GWvTP8Ng3cJaLTg=",
"h1:gNdYW6qM5jJTA2M9BHzVtuCTSmY2Fi/r08A/duZR8Yg=",
"h1:gnBusJUhlOSxn2JG5V0N3aHWAcTtMLcSjRSMKm8+6S4=",
"h1:hwB3SSfBITtOIggACNkdTnA8hG2AzYaFgG3WJny3290=",
"h1:iGjswHan6q6vYBTxR+WFBCUwCN7jmg7mAvFnv4P3/m8=",
"h1:mBxI5srrplxBHZLuXfEVZzwph3mCl9SQv0e9nR2GhQ4=",
"h1:o3CYF1B/kMBktAn1cWJuqW84VqZkM5K3A1BPw6v5fnA=",
"h1:sX4l50R6dzuHdQJFBfGDY6lZc4bCGKjxkKRtoKmx/1g=",
"h1:shVeqrDxxOvnsD//ryu7IoxwPsGb+6FeLmum3szd/mU=",
"h1:wY3pI9C3lEZ9nZRIqky5cqfwLm+u7Wi/9HBVCo4o9/M=",
"zh:0337224a2b6418ba38cedf7f2cef9b154f51db4791b03d6b5745cb26f60614d2",
"zh:09addda402962c46cd236ae1703ba9632f377897e8d321678cf0e4428a5071f7",
"zh:1f7b511933d6ca8fbdcd5bb50bba910e88b73fee57ae2922e01f18470350929e",
"zh:2bd2a45c4cddd19b2a55d6d658184df25f002e0b7a929da48b5086922ae846d6",
"zh:30ed44fd468132273029302fc16de4e76a1f10b816862e2e5dfca545e5b67f70",
"zh:3f73e37f6410509f7811db77b53f6e332c24344ad800a1d56bcf6af2a706d998",
"zh:5215dbeb6edbe0e7fae238580bb649745824d3744cc0d3b407244383ddeefd96",
"zh:543a6b4d814607884791306ae661a1d3475af90785712fb6c94e2b616f75afba",
"zh:8402d7a2d501ff0c9fe2216bf80f6bc133f0277cc3f184d3d37f4628b778f18b",
"zh:894ac1fce4fd92c66684d64d41356d5d02ebcf3a68e4ae1150314732f9ac384f",
"zh:ad547c8c8413de6886cf563129b117a0aab79b9841e7486e58a639c74eeacc12",
"zh:b9d69a6f99256cbd741ddc881f8665eec6e51ee1a4b99918ae8e9bdcf73cf31d",
"zh:d254d2dae145dbe5435be32b821198d9d5dca81fb67e06499eb8a8bd78a34ba5",
"zh:df327c22ba4437fa5e879ae70ce8330363a4e6f320711e7bd2ac249db3a3a551",
"zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
]
}


@ -9,7 +9,7 @@ terraform {
required_providers {
adguard = {
source = "gmichels/adguard"
version = "1.7.0"
version = "1.6.2"
}
}
}


@ -2,34 +2,36 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2026.2.0"
constraints = "2026.2.0"
version = "2025.12.0"
constraints = "2025.12.0"
hashes = [
"h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
"h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
"h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
"h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
"h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
"h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
"h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
"h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
"h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
"h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
"h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
"h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
"h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
"zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
"zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
"zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
"zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
"zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
"zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
"zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
"zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
"zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
"zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
"zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
"zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
"zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
"h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=",
"h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=",
"h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=",
"h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=",
"h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=",
"h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=",
"h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=",
"h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=",
"h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=",
"h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=",
"h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=",
"h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=",
"h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=",
"h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=",
"zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a",
"zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649",
"zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1",
"zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7",
"zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b",
"zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8",
"zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05",
"zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87",
"zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456",
"zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66",
"zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da",
"zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f",
"zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176",
"zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690",
]
}


@ -8,7 +8,7 @@ terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.2.0"
version = "2025.12.0"
}
}
}
@ -37,11 +37,22 @@ resource "authentik_group" "arrs" {
is_superuser = false
}
resource "authentik_group" "cloud" {
name = "cloud"
resource "authentik_group" "vpn" {
name = "vpn"
is_superuser = false
}
resource "authentik_group" "ftp" {
name = "ftp"
is_superuser = false
}
resource "authentik_group" "mediamanager" {
name = "mediamanager"
is_superuser = false
}
module "gitea" {
source = "../modules/authentik-oidc"
app_name = "Gitea"
@ -170,6 +181,30 @@ module "prowlarr" {
internal_host_ssl_validation = false
}
module "sftpgo" {
source = "../modules/authentik-oidc"
app_name = "SFTPGo"
app_slug = "SFTPGo"
client_id = var.sftpgo_client_id
client_secret = var.sftpgo_client_secret
client_type = "confidential"
app_access_group_id = authentik_group.ftp.id
redirect_uris = [
{
matching_mode = "regex",
url = "https://ftp.fukurokuju.dev/.*"
}
]
extra_property_mappings = [
]
app_icon = "https://ftp.fukurokuju.dev/static/img/logo.png"
access_token_validity = "days=10"
app_url = "https://ftp.fukurokuju.dev"
app_description = "SFTPGo"
sub_mode = "user_username"
}
module "rustical" {
source = "../modules/authentik-oidc"
app_name = "rustical"
@ -192,6 +227,17 @@ module "jellyfin" {
app_access_group_id = authentik_group.arrs.id
}
module "tandoor" {
source = "../modules/authentik-oidc"
app_name = "Tandoor"
app_slug = "tandoor"
app_access_group_id = ""
app_url = "https://recipes.roboces.dev"
redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
app_icon = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png"
client_id = var.tandoor_client_id
client_secret = var.tandoor_client_secret
}
module "ganymede" {
source = "../modules/authentik-oidc"
@ -215,16 +261,14 @@ module "jellyseerr" {
app_access_group_id = authentik_group.arrs.id
}
module "cloud" {
source = "../modules/authentik-oidc"
app_name = "Cloud"
app_slug = "cloud"
app_url = "https://cloud.roboces.dev"
client_id = var.oxicloud_client_id
client_secret = var.oxicloud_client_secret
app_icon = "https://cloud.roboces.dev/themes/opencloud/assets/favicon.svg"
redirect_uris = [{
matching_mode = "strict", url = "https://cloud.roboces.dev/api/auth/oidc/callback"
}]
app_access_group_id = authentik_group.cloud.id
module "pulse" {
source = "../modules/authentik-oidc"
app_name = "Pulse"
app_slug = "pulse"
app_url = "https://pulse.fukurokuju.dev"
client_id = var.pulse_client_id
client_secret = var.pulse_client_secret
app_icon = "https://pulse.fukurokuju.dev/logo.svg"
redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
app_access_group_id = authentik_group.admins.id
}
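Review bot: The `sftpgo` module registers its redirect URI with `matching_mode = "regex"` and `url = "https://ftp.fukurokuju.dev/.*"`, which is much looser than the `strict` callbacks that `tandoor` and `pulse` use in the same file. The dots in the host are unescaped, so each matches any character, and `/.*` accepts every path on the host, which weakens the redirect-URI allow-list that keeps authorization codes going only to the intended callback. I would pin it to the single callback SFTPGo uses, `redirect_uris = [{ matching_mode = "strict", url = "https://ftp.fukurokuju.dev/<oidc-callback-path>" }]` (placeholder path, to be taken from the SFTPGo OIDC settings), or at minimum escape the host as `ftp\\.fukurokuju\\.dev`. Separately, `tandoor` passes `app_access_group_id = ""`, and `access_token_validity = "days=10"` on `sftpgo` is long for an access token. The `authentik-oidc` module is not shown here, so whether an empty group id means "no group restriction" should be confirmed.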


@ -8,9 +8,13 @@ TF_VAR_portainer_client_id=
TF_VAR_portainer_client_secret=
TF_VAR_paperless_client_id=
TF_VAR_paperless_client_secret=
TF_VAR_sftpgo_client_id=
TF_VAR_sftpgo_client_secret=
TF_VAR_rustical_client_id=
TF_VAR_rustical_client_secret=
TF_VAR_tandoor_client_id=
TF_VAR_tandoor_client_secret=
TF_VAR_ganymede_client_id=
TF_VAR_ganymede_client_secret=
TF_VAR_oxicloud_client_id=aef61f77326b813cf8d8ba71d1ac994b5642685ca37e4710ab0079e91d87702d55fd9775d473b05aff45603bf08e78dba26850af3a815f3c3ac171d163368aa0
TF_VAR_oxicloud_client_secret=a4038df17c9fd06f86372aeaaae8f3fd1374d8978983af7b398d948ef15d1efe522a1faa2fc7652bc410c516d96cd2e4211dad4e05ba6297bdd8d9090460d5fc
TF_VAR_pulse_client_id=
TF_VAR_pulse_client_secret=
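Review bot: `TF_VAR_oxicloud_client_id` and `TF_VAR_oxicloud_client_secret` on the old side of this hunk carry long hex values while every other entry is blank, which suggests real credentials were committed to what is otherwise a template. Dropping the two lines does not remove the values from repository history or from the branch that still has them, so the client secret should be treated as exposed and regenerated in authentik rather than reused. The new `TF_VAR_sftpgo_*`, `TF_VAR_tandoor_*` and `TF_VAR_pulse_*` entries are correctly left empty. A header comment such as `# Template only: keep values blank and supply them from the CI secret store` would make that expectation explicit; the top of the file is outside this hunk, so it may already have one.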


@ -39,6 +39,15 @@ variable "paperless_client_secret" {
type = string
}
variable "sftpgo_client_id" {
description = "SFTPGo client ID"
type = string
}
variable "sftpgo_client_secret" {
description = "SFTPGo client secret"
type = string
}
variable "rustical_client_id" {
description = "Rustical client ID"
@ -50,6 +59,15 @@ variable "rustical_client_secret" {
type = string
}
variable "tandoor_client_id" {
description = "Tandoor client ID"
type = string
}
variable "tandoor_client_secret" {
description = "Tandoor client secret"
type = string
}
variable "ganymede_client_id" {
description = "Ganymede client ID"
@ -61,12 +79,12 @@ variable "ganymede_client_secret" {
type = string
}
variable "oxicloud_client_id" {
description = "Oxicloud client ID"
variable "pulse_client_id" {
description = "Pulse client ID"
type = string
}
variable "oxicloud_client_secret" {
description = "Oxicloud client secret"
variable "pulse_client_secret" {
description = "Pulse client secret"
type = string
}
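Review bot: The new `sftpgo_client_secret`, `tandoor_client_secret` and `pulse_client_secret` variables are declared with only `description` and `type = string`, so nothing stops their values from appearing in plan or apply output, including any CI log that runs the deploy. Add `sensitive = true` to each secret variable block. The context lines suggest the existing `*_client_secret` variables have the same shape, so the same one-line addition probably applies to them as well, but their full declarations are outside these hunks.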


@ -3,7 +3,7 @@ terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.2.0"
version = "2025.12.0"
}
}
}


@ -2,34 +2,36 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2026.2.0"
constraints = "2026.2.0"
version = "2025.12.0"
constraints = "2025.12.0"
hashes = [
"h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
"h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
"h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
"h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
"h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
"h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
"h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
"h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
"h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
"h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
"h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
"h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
"h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
"zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
"zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
"zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
"zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
"zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
"zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
"zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
"zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
"zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
"zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
"zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
"zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
"zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
"h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=",
"h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=",
"h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=",
"h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=",
"h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=",
"h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=",
"h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=",
"h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=",
"h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=",
"h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=",
"h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=",
"h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=",
"h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=",
"h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=",
"zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a",
"zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649",
"zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1",
"zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7",
"zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b",
"zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8",
"zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05",
"zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87",
"zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456",
"zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66",
"zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da",
"zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f",
"zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176",
"zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690",
]
}


@ -3,7 +3,7 @@ terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.2.0"
version = "2025.12.0"
}
}
}


@ -3,7 +3,7 @@ terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.2.0"
version = "2025.12.0"
}
}
}


@ -3,7 +3,7 @@ terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.2.0"
version = "2025.12.0"
}
}
}