diff --git a/53ll/values.yaml.gotmpl b/53ll/values.yaml.gotmpl new file mode 100644 index 0000000..fad7603 --- /dev/null +++ b/53ll/values.yaml.gotmpl @@ -0,0 +1,52 @@ +image: + debug: true + +ghostBlogTitle: 53rd Parallel Photography +ghostHost: https://53ll.ca +ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }} +existingSecret: ghost-53ll-user-secret + +allowEmptyPassword: false + + +readinessProbe: + enabled: false + +resources: + limits: + cpu: 500m + ephemeral-storage: 2Gi + memory: 250Mi + requests: + cpu: 10m + ephemeral-storage: 50Mi + memory: 128Mi +persistence: + size: 1Gi + +smtpHost: "smtp.sendgrid.net" +smtpPort: 465 +smtpUser: "apikey" +smtpService: "SendGrid" +smtpProtocol: "tls" +smtpExistingSecret: 53ll-smtp-password + +mysql: + enabled: false +externalDatabase: + host: mariadb.datastore.svc.cluster.local + user: 53ll_ghost + database: 53ll_ghost + existingSecret: ghost-53ll-db-secret + +updateStrategy: + type: Recreate + +service: + type: ClusterIP +ingress: + enabled: true + hostname: 53ll.ca + tls: true + annotations: + "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" \ No newline at end of file diff --git a/gitea/values.yaml.gotmpl b/gitea/values.yaml.gotmpl new file mode 100644 index 0000000..e26e185 --- /dev/null +++ b/gitea/values.yaml.gotmpl 
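Review bot: `ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }}` is rendered as a plain scalar, so a value containing `: ` or ` #`, or one that looks like a number or boolean, is mis-parsed or silently truncated before Ghost ever sees it; the same pattern is used for every `requiredEnv` substitution in this commit (gitea `admin.password`, kgnot `ghostUsername`, both matrix-registration secrets, the synapse `macaroonSecretKey`/`registrationSharedSecret`/`smtp_pass`, the tailscale OAuth pair and the traefik `password`/`email`), and it matters most for the secret values. Quote them at render time, `ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" | quote }}`, which also handles embedded quotes. `readinessProbe.enabled: false` and `image.debug: true` are both set without explanation; the first lets the Service route to the pod before Ghost answers, and the second presumably turns on verbose logging in the image, so each deserves a one-line comment stating why it is on in a public site, e.g. `# readiness probe disabled because: <reason — fill in>`.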
@@ -0,0 +1,94 @@ +gitea: + config: + server: + ROOT_URL: https://git.incngrnt.ca/ + MINIMUM_KEY_SIZE_CHECK: false + service: + DISABLE_REGISTRATION: true + database: + DB_TYPE: postgres + indexer: + ISSUE_INDEXER_TYPE: bleve + REPO_INDEXER_ENABLED: true + cron: + enabled: true + repository: + DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true + additionalConfigFromEnvs: + - name: GITEA__DATABASE__HOST + valueFrom: + secretKeyRef: + name: postgres-pguser-gitea + key: host + - name: GITEA__DATABASE__NAME + valueFrom: + secretKeyRef: + name: postgres-pguser-gitea + key: dbname + - name: GITEA__DATABASE__USER + valueFrom: + secretKeyRef: + name: postgres-pguser-gitea + key: user + - name: GITEA__DATABASE__PASSWD + valueFrom: + secretKeyRef: + name: postgres-pguser-gitea + key: password + admin: + password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }} + +strategy: + type: Recreate + +ingress: + enabled: true + hosts: + - host: git.incngrnt.ca + paths: + - path: "/" + pathType: Prefix + annotations: + "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" + +service: + ssh: + type: ClusterIP + port: 22 + clusterIP: + +actions: + enabled: true + giteaRootURL: https://git.incngrnt.ca + existingSecret: gitea-runner-token + existingSecretKey: token + provisioning: + enabled: false + persistence: + enabled: false +redis: + enabled: true +redis-cluster: + enabled: false +postgresql: + enabled: false +postgresql-ha: + enabled: false + + +extraDeploy: +- apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: gitea-ssh + namespace: gitea + labels: + app: gitea + spec: + entryPoints: + - ssh + routes: + - match: HostSNI(`*`) + services: + - name: gitea-ssh + port: 22 \ No newline at end of file diff --git a/helmfile.d/01-infrastructure.lock b/helmfile.d/01-infrastructure.lock index bfa57fc..744a1fa 100644 --- a/helmfile.d/01-infrastructure.lock +++ b/helmfile.d/01-infrastructure.lock 
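Review bot: `MINIMUM_KEY_SIZE_CHECK: false` under `gitea.config.server` switches off Gitea's minimum SSH key size enforcement, so users can register keys shorter than the sizes Gitea would otherwise reject; if that is deliberate, add a comment stating why (`# short-key check disabled because: <reason — fill in>`), otherwise drop the line. `admin.password` is passed as a rendered value while every database credential in the same hunk is wired through `secretKeyRef`; the chart's `gitea.admin.existingSecret` (confirm it is supported by the pinned chart version) would keep the admin password out of the rendered values and the Helm release record, matching the pattern already used for the database. `service.ssh.clusterIP:` is a bare empty value, which YAML reads as null; write `clusterIP: null` explicitly, with a comment, so the intent to override the chart default is visible rather than looking like an unfinished line.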
@@ -2,15 +2,15 @@ version: 0.170.1 dependencies: - name: rook-ceph repository: https://charts.rook.io/release - version: v1.18.2 + version: v1.18.7 - name: rook-ceph-cluster repository: https://charts.rook.io/release - version: v1.18.2 + version: v1.18.7 - name: tailscale-operator repository: https://pkgs.tailscale.com/helmcharts - version: 1.86.5 + version: 1.90.9 - name: traefik repository: https://traefik.github.io/charts - version: 37.1.1 -digest: sha256:390b9f11dc9645c5add8f2efdbaa28bbbaf9ad8ab3056ef5b83580a53abdc112 -generated: "2025-09-16T10:37:17.844160925-06:00" + version: 37.4.0 +digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49 +generated: "2025-11-25T20:30:30.565674799-07:00" diff --git a/helmfile.d/02-datastore.lock b/helmfile.d/02-datastore.lock index 34124a6..11b26ba 100644 --- a/helmfile.d/02-datastore.lock +++ b/helmfile.d/02-datastore.lock @@ -2,15 +2,15 @@ version: 0.170.1 dependencies: - name: k8up repository: https://k8up-io.github.io/k8up - version: 4.8.5 + version: 4.8.6 - name: mariadb repository: https://charts.bitnami.com/bitnami - version: 22.0.0 + version: 24.0.0 - name: pgo repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main version: 5.8.1 - name: postgrescluster repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main version: 5.7.4 -digest: sha256:df6cd58e23f8c570ef0f3d57e26720a29685275bee12525ca9abb2e70e28e491 -generated: "2025-09-16T10:37:30.538389689-06:00" +digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde +generated: "2025-11-25T20:31:00.986270323-07:00" diff --git a/helmfile.d/03-apps.lock b/helmfile.d/03-apps.lock index 8a07db9..285eb70 100644 --- a/helmfile.d/03-apps.lock +++ b/helmfile.d/03-apps.lock 
@@ -8,7 +8,7 @@ dependencies: version: 25.0.4 - name: immich repository: https://immich-app.github.io/immich-charts - version: 0.9.3 + version: 0.10.3 - name: k8up-backup repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main version: 0.0.3 @@ -26,9 +26,9 @@ dependencies: version: 0.1.0 - name: matrix-synapse repository: https://ananace.gitlab.io/charts - version: 3.12.8 + version: 3.12.16 - name: static-site repository: git+https://github.com/cfpb/static-site@charts?ref=main version: 0.1.1 -digest: sha256:a7f2ab0e045290264fd7675f2e8979e449ccc60df6518ac20eb4d0c4c007fd96 -generated: "2025-09-16T10:37:47.891825732-06:00" +digest: sha256:59866b3b160d35756885a2db0a3344bba48161e5ba6935350286f9a754b8b219 +generated: "2025-11-25T20:31:24.531424306-07:00" diff --git a/helmfile.d/04-monitoring.lock b/helmfile.d/04-monitoring.lock index 8b54d8b..5c16983 100644 --- a/helmfile.d/04-monitoring.lock +++ b/helmfile.d/04-monitoring.lock @@ -2,12 +2,12 @@ version: 0.170.1 dependencies: - name: alloy repository: https://grafana.github.io/helm-charts - version: 1.2.1 + version: 1.4.0 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts - version: 6.3.0 + version: 6.4.2 - name: lgtm-distributed repository: https://grafana.github.io/helm-charts - version: 2.1.0 -digest: sha256:8a06f8a58058fcc5487b01542d48a745189ab4d01a8f9aad6710ffda3cab765a -generated: "2025-09-16T10:38:05.465270419-06:00" + version: 3.0.1 +digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b +generated: "2025-11-25T20:31:47.82049253-07:00" diff --git a/immich/values.yaml.gotmpl b/immich/values.yaml.gotmpl index 604d53c..d1e1b3c 100644 --- a/immich/values.yaml.gotmpl +++ b/immich/values.yaml.gotmpl 
@@ -1,19 +1,23 @@ -image: - tag: v1.142.1 - -env: - DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }} - DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }} - DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }} - DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }} - DB_VECTOR_EXTENSION: pgvector +controllers: + main: + containers: + main: + image: + tag: v2.3.1 + + env: + DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }} + DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }} + DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }} + DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }} + DB_VECTOR_EXTENSION: pgvector immich: persistence: library: existingClaim: immich-data -redis: +valkey: enabled: true master: persistence: 
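Review bot: `DB_PASSWORD` (and the other `DB_*` entries) under `controllers.main.containers.main.env` is resolved at render time through `exec "kubectl" ... get secrets postgres-pguser-immich` and written into the values as a literal, so the database password ends up in plain text in the rendered values and the Helm release record, and rendering this file requires kubectl read access to the `immich` namespace's Secrets. The gitea hunk in this commit references the same kind of Secret with `valueFrom.secretKeyRef`; if this chart's env block accepts Kubernetes EnvVar objects (charts built on the bjw-s common library do — confirm for immich-charts 0.10.3), the same form here keeps the password inside the Secret and removes the render-time dependency.

```yaml
controllers:
  main:
    containers:
      main:
        # … unchanged: image …
        env:
          # DB_HOSTNAME / DB_USERNAME / DB_DATABASE_NAME: same valueFrom form, keys host / user / dbname
          DB_PASSWORD:
            valueFrom:
              secretKeyRef:
                name: postgres-pguser-immich
                key: password
          DB_VECTOR_EXTENSION: pgvector
```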
@@ -26,27 +30,37 @@ redis: cpu: 1 server: + enabled: true + controllers: + main: + strategy: Recreate + containers: + main: + resources: + requests: + cpu: 10m + limits: + cpu: 1 ingress: main: enabled: true annotations: - "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" + traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt" hosts: - host: photos.incngrnt.ca paths: - path: "/" - pathType: Prefix - resources: - requests: - cpu: 10m - limits: - cpu: 1 - controller: - strategy: Recreate + service: + identifier: main machine-learning: - resources: - requests: - cpu: 10m - limits: - cpu: 1 + enabled: true + controllers: + main: + containers: + main: + resources: + requests: + cpu: 10m + limits: + cpu: 1 diff --git a/kgnot/values.yaml.gotmpl b/kgnot/values.yaml.gotmpl new file mode 100644 index 0000000..465ba07 --- /dev/null +++ b/kgnot/values.yaml.gotmpl @@ -0,0 +1,54 @@ +image: + debug: true + +ghostBlogTitle: K&G Tie the Kgnot +ghostHost: https://kgnot.ca +ghostUsername: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }} +existingSecret: ghost-kgnot-user-secret + +allowEmptyPassword: false + + +readinessProbe: + enabled: false + +resources: + limits: + cpu: 500m + ephemeral-storage: 2Gi + memory: 250Mi + requests: + cpu: 10m + ephemeral-storage: 50Mi + memory: 128Mi + +persistence: + size: 1Gi + +smtpHost: "smtp.sendgrid.net" +smtpPort: 465 +smtpUser: "apikey" +smtpService: "SendGrid" +smtpProtocol: "tls" +smtpExistingSecret: kgnot-smtp-password + +mysql: + enabled: false +externalDatabase: + host: mariadb.datastore.svc.cluster.local + user: kgnot_ghost + database: kgnot_ghost + existingSecret: ghost-kgnot-db-secret + +updateStrategy: + type: Recreate + +service: + type: ClusterIP + +ingress: + enabled: true + hostname: kgnot.ca + tls: true + annotations: + "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" \ No newline at end of file 
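Review bot: `smtpPort: 465` combined with `smtpProtocol: "tls"` looks inconsistent: 465 is conventionally the implicit-TLS (SMTPS) port, whereas `tls` in the Bitnami Ghost chart's `smtpProtocol` (documented values `ssl`/`tls`) selects STARTTLS as I read the chart; either use `smtpProtocol: "ssl"` with 465 or `smtpPort: 587` with `tls`, and confirm against the chart README. The same pair appears in the 53ll hunk. Apart from the site names and secret references this file duplicates 53ll/values.yaml.gotmpl line for line; a shared base values file with per-site overrides would keep the two from drifting, which matters for the probe and SMTP settings above.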
diff --git a/matrix-registration/values.yaml.gotmpl b/matrix-registration/values.yaml.gotmpl new file mode 100644 index 0000000..c58388b --- /dev/null +++ b/matrix-registration/values.yaml.gotmpl @@ -0,0 +1,5 @@ +serverLocation: http://goatchat-matrix-synapse:8008 +serverName: goatchat.ca +serverBaseUrl: /gate +registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }} +adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }} \ No newline at end of file diff --git a/synapse/values.yaml.gotmpl b/synapse/values.yaml.gotmpl new file mode 100644 index 0000000..d4c15bc --- /dev/null +++ b/synapse/values.yaml.gotmpl 
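Review bot: `adminApiSharedSecret` reads `GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET` while the line above reads `GOATCHAT_REGISTRATION_SHARED_SECRET`; the `SHARE_` vs `SHARED_` spelling looks like a typo, and because `requiredEnv` aborts rendering on a missing variable it would only surface at deploy time. If the variable really is named that way, a comment marking it intentional would save the next reader a check. `registrationSharedSecret` has to equal the value synapse is configured with; both files draw from `GOATCHAT_REGISTRATION_SHARED_SECRET`, which is right and is worth stating in a comment, e.g. `# must match config.registrationSharedSecret in synapse/values.yaml.gotmpl`.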
@@ -0,0 +1,84 @@ +serverName: 'goatchat.ca' +publicServerName: 'goatchat.ca' + +wellknown: + enabled: true + +signingkey: + job: + enabled: false + existingSecret: goatchatca-signingkey + existingSecretKey: signing.key + +synapse: + strategy: + type: Recreate + resources: + requests: + cpu: 10m + memory: 160Mi + limits: + cpu: '1' + memory: 320Mi + +config: + macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }} + registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }} + +extraConfig: + url_preview_enabled: true + url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + + max_upload_size: 100M + + email: + enable_notifs: true + smtp_host: "smtp.sendgrid.net" + smtp_port: 587 + smtp_user: "apikey" + smtp_pass: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }} + require_transport_security: true + notif_from: "Your Friendly %(app)s homeserver " + app_name: Goatchat + validation_token_lifetime: 1h + + + user_directory: + enabled: true + search_all_users: true + prefer_local_users: true + + server_notices: + system_mxid_localpart: notices + system_mxid_display_name: "Screaming Goat" + system_mxid_avatar_url: "" + room_name: "Goatchat Notices" + room_avatar_url: "" + room_topic: "Room used by your server admin to notify you of important information" + auto_join: true + + +ingress: + traefikPaths: true + annotations: + "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" + + +persistence: + size: 30Gi + +postgresql: + enabled: false +externalPostgresql: + host: postgres-primary.datastore.svc + existingSecret: postgres-pguser-synapse + existingSecretPasswordKey: password \ No newline at end of file diff --git a/tailscale/values.yaml.gotmpl b/tailscale/values.yaml.gotmpl new file mode 100644 index 0000000..796c043 --- /dev/null +++ b/tailscale/values.yaml.gotmpl 
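Review bot: `url_preview_ip_range_blacklist` is narrower than the list Synapse's configuration guide gives as the starting point when `url_preview_enabled: true`, and as far as I recall setting the option replaces the built-in default rather than extending it: `fe80::/64` covers only part of link-local `fe80::/10`, and `192.0.0.0/24`, `192.88.99.0/24`, `198.18.0.0/15`, `192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`, `224.0.0.0/4`, `2001:db8::/32`, `ff00::/8` and `fec0::/10` are absent, so the preview fetcher is allowed to reach those ranges. The cluster's pod and service CIDRs also need to sit inside the listed ranges for in-cluster services such as the postgres host below to be shielded; confirm that and note it in a comment. `notif_from: "Your Friendly %(app)s homeserver "` ends in a space with no sender address after it; Synapse uses this as the From header, so confirm the address was not lost (an angle-bracketed address may have been dropped in extraction).

```yaml
  url_preview_ip_range_blacklist:
    - '127.0.0.0/8'
    - '10.0.0.0/8'
    - '172.16.0.0/12'
    - '192.168.0.0/16'
    - '100.64.0.0/10'
    - '192.0.0.0/24'
    - '169.254.0.0/16'
    - '192.88.99.0/24'
    - '198.18.0.0/15'
    - '192.0.2.0/24'
    - '198.51.100.0/24'
    - '203.0.113.0/24'
    - '224.0.0.0/4'
    - '::1/128'
    - 'fe80::/10'
    - 'fc00::/7'
    - '2001:db8::/32'
    - 'ff00::/8'
    - 'fec0::/10'
```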
@@ -0,0 +1,8 @@ +operatorConfig: + extraEnv: + - name: PROXY_PRIORITY_CLASS_NAME + value: critical + +oauth: + clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }} + clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }} \ No newline at end of file diff --git a/traefik/values.yaml.gotmpl b/traefik/values.yaml.gotmpl new file mode 100644 index 0000000..922fa4f --- /dev/null +++ b/traefik/values.yaml.gotmpl 
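Review bot: `oauth.clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}` places the OAuth client secret directly into the rendered values and hence the Helm release record; the operator chart can instead reference a pre-created Secret through `oauthSecretVolume` in the chart versions I know — confirm the pinned 1.90.9 chart supports it before switching. `PROXY_PRIORITY_CLASS_NAME: critical` assumes a PriorityClass named `critical` exists in the cluster, and nothing in this commit creates it; a comment naming where it is defined would help, e.g. `# PriorityClass "critical" is defined in <manifest — fill in>`.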
@@ -0,0 +1,102 @@ +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + volumeMounts: + - name: data + mountPath: /data + +updateStrategy: + type: Recreate + +env: + - name: HETZNER_API_KEY + valueFrom: + secretKeyRef: + name: hetzner-api-key + key: token + +additionalArguments: + - "--api.basePath=/fog/traefik" + +persistence: + enabled: true + +logs: + format: json + access: + enabled: true + format: json + +service: + spec: + externalTrafficPolicy: Local + +ingressRoute: + dashboard: + enabled: true + matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`)) + entryPoints: ["websecure"] + middlewares: + - name: traefik-dashboard-auth + tls: + certResolver: letsencrypt + +ports: + websecure: + middlewares: + - traefik-rate-limit@kubernetescrd + web: + middlewares: + - traefik-redirectscheme@kubernetescrd + ssh: + port: 2222 + expose: + default: true + exposedPort: 2222 + protocol: TCP + + +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: traefik-dashboard-auth-secret + type: kubernetes.io/basic-auth + stringData: + username: admin + password: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }} + + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + spec: + basicAuth: + secret: traefik-dashboard-auth-secret + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: rate-limit + spec: + rateLimit: + average: 50 + burst: 100 + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: redirectscheme + spec: + redirectScheme: + scheme: https + permanent: true + +certificatesResolvers: + letsencrypt: + acme: + dnschallenge: + provider: hetzner + delaybeforecheck: 30 + email: {{ requiredEnv "ACME_EMAIL" }} + storage: /data/acme.json \ No newline at end of file
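Review bot: The `volume-permissions` init container uses `image: busybox:latest`, an unpinned mutable tag, so every pod restart may pull a different image into a container that runs a shell with write access to the ACME storage volume; pin it to a specific version (ideally a digest), e.g. `image: busybox:<pinned version — fill in>`. The `traefik-dashboard-auth-secret` Secret is created with `type: kubernetes.io/basic-auth` and a `password` taken straight from `TRAEFIK_ADMIN_PASSWORD`; Traefik's basicAuth middleware compares against htpasswd-style hashed entries, so as far as I know that variable must hold a hash rather than the plaintext — confirm, and add `# value must be an htpasswd hash (bcrypt/MD5/SHA), not the plaintext password` above it. The middlewares referenced as `traefik-rate-limit@kubernetescrd` and `traefik-redirectscheme@kubernetescrd` resolve only if the extraObjects land in a namespace named `traefik`; the objects carry no `namespace`, so that relies on the release namespace and is worth a comment.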