grant/fog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Split helmfile into components

Browse Source
This commit is contained in:
Grant 2025-05-19 14:09:30 -06:00
parent 12bcabf7b2
commit dca9e445c2
20 changed files with 246 additions and 491 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
helmfile.d/01-infrastructure.yaml Normal file
View File

@ -0,0 +1,53 @@
repositories:
- name: rook-release
url: https://charts.rook.io/release
- name: traefik
url: https://traefik.github.io/charts
- name: tailscale
url: https://pkgs.tailscale.com/helmcharts
releases:
# networking
- name: metallb
namespace: metallb-system
createNamespace: true
chart: ../metallb
- name: traefik
namespace: traefik
createNamespace: true
chart: traefik/traefik
values:
- ../traefik/values.yaml
setString:
- name: certificatesResolvers.letsencrypt.acme.email
value: {{ requiredEnv "ACME_EMAIL" }}
- name: extraObjects[0].stringData.password
value: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- name: tailscale-operator
namespace: tailscale
createNamespace: true
chart: tailscale/tailscale-operator
values:
- ../tailscale/values.yaml
setString:
- name: oauth.clientId
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
- name: oauth.clientSecret
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}
# storage infrastructure
- name: rook-ceph
namespace: rook-ceph
createNamespace: true
chart: rook-release/rook-ceph
values:
- ../rook-ceph/values.yaml
- name: rook-ceph-cluster
namespace: rook-ceph
createNamespace: true
chart: rook-release/rook-ceph-cluster
values:
- ../rook-ceph-cluster/values.yaml
set:
- name: operatorNamespace
value: rook-ceph

46
helmfile.d/02-datastore.yaml Normal file
View File

@ -0,0 +1,46 @@
repositories:
- name: crunchydata
url: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: k8up-io
url: https://k8up-io.github.io/k8up
releases:
# data storage
- name: pgo
namespace: postgres-operator
createNamespace: true
chart: crunchydata/pgo
values:
- ../postgres/operator-values.yaml
- name: postgres
namespace: datastore
createNamespace: true
chart: crunchydata/postgrescluster
values:
- ../postgres/values.yaml
setString:
- name: pgBackRestConfig.global.repo1-s3-key
value: '{{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}'
- name: pgBackRestConfig.global.repo1-s3-key-secret
value: '{{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}'
- name: pgBackRestConfig.global.repo1-cipher-pass
value: '{{ requiredEnv "PG_BACKREST_PASSWORD" }}'
- name: mariadb
namespace: datastore
createNamespace: true
chart: bitnami/mariadb
values:
- ../mariadb/values.yaml
setString:
- name: auth.rootPassword
value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
# backup infrastructure
- name: k8up
namespace: k8up
createNamespace: true
chart: k8up-io/k8up
values:
- ../k8up/values.yaml

110
helmfile.d/03-apps.yaml Normal file
View File

@ -0,0 +1,110 @@
repositories:
- name: ananace-charts
url: https://ananace.gitlab.io/charts
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: immich
url: https://immich-app.github.io/immich-charts
- name: gitea
url: https://dl.gitea.io/charts
- name: static-site
url: git+https://github.com/cfpb/static-site@charts?ref=main
- name: incngrnt
url: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
releases:
# goatchat matrix
- name: goatchat
namespace: goatchat
createNamespace: true
chart: ananace-charts/matrix-synapse
values:
- ../synapse/values.yaml
setString:
- name: config.macaroonSecretKey
value: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
- name: config.registrationSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
- name: extraConfig.email.smtp_pass
value: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
- name: gate
namespace: goatchat
createNamespace: true
chart: incngrnt/matrix-registration
values:
- ../matrix-registration/values.yaml
setString:
- name: registrationSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET"}}
- name: adminApiSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET"}}
- name: immich
namespace: immich
createNamespace: true
chart: immich/immich
values:
- ../immich/values.yaml.gotmpl
# website
- name: incngrnt-web
namespace: incngrnt-web
createNamespace: true
chart: static-site/static-site
values:
- ../incngrnt-web/values.yaml
# ghost blogs
- name: kgnot-ghost
namespace: ghost
createNamespace: true
chart: bitnami/ghost
values:
- ../kgnot/values.yaml
setString:
- name: ghostUsername
value: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
- name: ghost-53ll
namespace: ghost
createNamespace: true
chart: bitnami/ghost
values:
- ../53ll/values.yaml
setString:
- name: ghostUsername
value: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
# dev tools
- name: gitea
namespace: gitea
createNamespace: true
chart: gitea/gitea
values:
- ../gitea/values.yaml
setString:
- name: gitea.admin.password
value: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
# backups
- name: ghost-backup
namespace: ghost
chart: incngrnt/k8up-backup
createNamespace: true
values:
- ../k8up-backup/values.yaml.gotmpl
- name: goatchat-backup
namespace: goatchat
chart: incngrnt/k8up-backup
createNamespace: true
values:
- ../k8up-backup/values.yaml.gotmpl
- name: gitea-backup
namespace: gitea
chart: incngrnt/k8up-backup
createNamespace: true
values:
- ../k8up-backup/values.yaml.gotmpl
- name: immich-backup
namespace: immich
chart: incngrnt/k8up-backup
createNamespace: true
values:
- ../k8up-backup/values.yaml.gotmpl

24
helmfile.d/04-monitoring.yaml Normal file
View File

@ -0,0 +1,24 @@
repositories:
- name: grafana
url: https://grafana.github.io/helm-charts
- name: prometheus-community
url: https://prometheus-community.github.io/helm-charts
releases:
# monitoring
- name: grafana
namespace: grafana
createNamespace: true
chart: grafana/lgtm-distributed
values:
- ../grafana/values.yaml
- name: alloy
namespace: grafana
createNamespace: true
chart: grafana/alloy
values:
- ../grafana/alloy_values.yaml
- name: kube-state-metrics
namespace: grafana
createNamespace: true
chart: prometheus-community/kube-state-metrics

251
helmfile.yaml
View File

@ -1,251 +0,0 @@
repositories:
- name: rook-release
url: https://charts.rook.io/release
# - name: metallb
# url: https://metallb.github.io/metallb
- name: traefik
url: https://traefik.github.io/charts
- name: ananace-charts
url: https://ananace.gitlab.io/charts
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: crunchydata
url: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
- name: immich
url: https://immich-app.github.io/immich-charts
- name: k8up-io
url: https://k8up-io.github.io/k8up
- name: tailscale
url: https://pkgs.tailscale.com/helmcharts
- name: gitea
url: https://dl.gitea.io/charts
- name: grafana
url: https://grafana.github.io/helm-charts
- name: prometheus-community
url: https://prometheus-community.github.io/helm-charts
- name: static-site
url: git+https://github.com/cfpb/static-site@charts?ref=main
releases:
# networking
- name: metallb
namespace: metallb-system
createNamespace: true
chart: ./metallb
- name: traefik
namespace: traefik
createNamespace: true
chart: traefik/traefik
values:
- ./traefik/values.yaml
setString:
- name: certificatesResolvers.letsencrypt.acme.email
value: {{ requiredEnv "ACME_EMAIL" }}
- name: extraObjects[0].stringData.password
value: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- name: tailscale-operator
namespace: tailscale
createNamespace: true
chart: tailscale/tailscale-operator
values:
- ./tailscale/values.yaml
setString:
- name: oauth.clientId
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
- name: oauth.clientSecret
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}
# storage infrastructure
- name: rook-ceph
namespace: rook-ceph
createNamespace: true
chart: rook-release/rook-ceph
values:
- ./rook-ceph/values.yaml
- name: rook-ceph-cluster
namespace: rook-ceph
createNamespace: true
chart: rook-release/rook-ceph-cluster
values:
- ./rook-ceph-cluster/values.yaml
set:
- name: operatorNamespace
value: rook-ceph
# data storage
- name: pgo
namespace: postgres-operator
createNamespace: true
chart: crunchydata/pgo
values:
- ./postgres/operator-values.yaml
- name: postgres
namespace: datastore
createNamespace: true
chart: crunchydata/postgrescluster
values:
- postgres/values.yaml
setString:
- name: pgBackRestConfig.global.repo1-s3-key
value: '{{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}'
- name: pgBackRestConfig.global.repo1-s3-key-secret
value: '{{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}'
- name: pgBackRestConfig.global.repo1-cipher-pass
value: '{{ requiredEnv "PG_BACKREST_PASSWORD" }}'
- name: mariadb
namespace: datastore
createNamespace: true
chart: bitnami/mariadb
values:
- mariadb/values.yaml
setString:
- name: auth.rootPassword
value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
# monitoring
- name: grafana
namespace: grafana
createNamespace: true
chart: grafana/lgtm-distributed
values:
- grafana/values.yaml
- name: alloy
namespace: grafana
createNamespace: true
chart: grafana/alloy
values:
- grafana/alloy_values.yaml
- name: kube-state-metrics
namespace: grafana
createNamespace: true
chart: prometheus-community/kube-state-metrics
# goatchat matrix
- name: goatchat
namespace: goatchat
createNamespace: true
chart: ananace-charts/matrix-synapse
values:
- ./synapse/values.yaml
setString:
- name: config.macaroonSecretKey
value: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
- name: config.registrationSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
- name: extraConfig.email.smtp_pass
value: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
- name: gate
namespace: goatchat
createNamespace: true
chart: ./matrix-registration
values:
- ./matrix-registration/values-overrides.yaml
setString:
- name: registrationSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET"}}
- name: adminApiSharedSecret
value: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET"}}
- name: immich
namespace: immich
createNamespace: true
chart: immich/immich
values:
- immich/values.yaml.gotmpl
# website
- name: incngrnt-web
namespace: incngrnt-web
createNamespace: true
chart: static-site/static-site
values:
- incngrnt-web/values.yaml
# ghost blogs
- name: kgnot-ghost
namespace: ghost
createNamespace: true
chart: bitnami/ghost
values:
- ./kgnot/values.yaml
setString:
- name: ghostUsername
value: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
- name: ghost-53ll
namespace: ghost
createNamespace: true
chart: bitnami/ghost
values:
- ./53ll/values.yaml
setString:
- name: ghostUsername
value: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
# dev tools
- name: gitea
namespace: gitea
createNamespace: true
chart: gitea/gitea
values:
- ./gitea/values.yaml
setString:
- name: gitea.admin.password
value: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
# backup
- name: k8up
namespace: k8up
createNamespace: true
chart: k8up-io/k8up
values:
- ./k8up/values.yaml
# backups
- name: ghost-backup
namespace: ghost
chart: ./k8up-backup
createNamespace: true
values:
- ./k8up-backup/values_override.yaml
setString:
- name: credentials.id
value: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
- name: credentials.key
value: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
- name: repoPassword
value: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
- name: goatchat-backup
namespace: goatchat
chart: ./k8up-backup
createNamespace: true
values:
- ./k8up-backup/values_override.yaml
setString:
- name: credentials.id
value: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
- name: credentials.key
value: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
- name: repoPassword
value: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
- name: gitea-backup
namespace: gitea
chart: ./k8up-backup
createNamespace: true
values:
- ./k8up-backup/values_override.yaml
setString:
- name: credentials.id
value: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
- name: credentials.key
value: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
- name: repoPassword
value: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
- name: immich-backup
namespace: immich
chart: ./k8up-backup
createNamespace: true
values:
- ./k8up-backup/values_override.yaml
setString:
- name: credentials.id
value: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
- name: credentials.key
value: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
- name: repoPassword
value: {{ requiredEnv "k8UP_REPO_PASSWORD" }}

6
k8up-backup/Chart.yaml
View File

@ -1,6 +0,0 @@
apiVersion: v2
name: k8up-backup
description: A Helm chart for a k8up backup
type: application
version: 0.0.3

23
k8up-backup/templates/backup.yaml
View File

@ -1,23 +0,0 @@
# {{- if .Values.oneTimeBackup }}
apiVersion: k8up.io/v1
kind: Backup
metadata:
name: {{ .Release.Name }}
spec:
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 2
backend:
repoPasswordSecretRef:
name: "{{ .Release.Name }}-repopassword"
key: password
s3:
endpoint: "{{ .Values.endpoint }}"
bucket: "{{ .Values.bucket }}"
accessKeyIDSecretRef:
name: "{{ .Release.Name }}-credentials"
key: id
secretAccessKeySecretRef:
name: "{{ .Release.Name }}-credentials"
key: key
# {{- end }}

35
k8up-backup/templates/schedule.yaml
View File

@ -1,35 +0,0 @@
# {{- if not .Values.oneTimeBackup }}
apiVersion: k8up.io/v1
kind: Schedule
metadata:
name: "{{ .Release.Name }}-schedule"
spec:
backend:
repoPasswordSecretRef:
name: "{{ .Release.Name }}-repopassword"
key: password
s3:
endpoint: "{{ .Values.endpoint }}"
bucket: "{{ .Values.bucket }}"
accessKeyIDSecretRef:
name: "{{ .Release.Name }}-credentials"
key: id
secretAccessKeySecretRef:
name: "{{ .Release.Name }}-credentials"
key: key
backup:
schedule: '@hourly-random'
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 1
check:
schedule: '@daily-random'
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 1
prune:
schedule: '@weekly-random'
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 1
retention:
keepLast: 5
keep Daily: 14
# {{- end }}

14
k8up-backup/templates/secrets.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: "{{ .Release.Name }}-credentials"
data:
id: "{{ .Values.credentials.id | b64enc}}"
key: "{{ .Values.credentials.key | b64enc}}"
---
apiVersion: v1
kind: Secret
metadata:
name: "{{ .Release.Name }}-repopassword"
data:
password: "{{ .Values.repoPassword | b64enc}}"

8
k8up-backup/values.yaml
View File

@ -1,8 +0,0 @@
# endpoint:
# bucket
# repoPassword:
# credentials:
# id:
# key:
oneTimeBackup: false

8
k8up-backup/values.yaml.gotmpl Normal file
View File

@ -0,0 +1,8 @@
endpoint: hel1.your-objectstorage.com
bucket: fog
credentials:
id: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
key: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
repoPassword: {{ requiredEnv "k8UP_REPO_PASSWORD" }}

3
k8up-backup/values_override.yaml
View File

@ -1,3 +0,0 @@
endpoint: hel1.your-objectstorage.com
bucket: fog

8
matrix-registration/Chart.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v2
name: matrix-registration
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "0.9.1"

52
matrix-registration/templates/config.yaml
View File

@ -1,52 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-matrix-registration" .Release.Name }}
data:
config.yaml: |
server_location: {{ .Values.serverLocation }}
server_name: {{ .Values.serverName }}
registration_shared_secret: {{ .Values.registrationSharedSecret }}
admin_api_shared_secret: {{ .Values.adminApiSharedSecret }}
base_url: {{ .Values.serverBaseUrl }}
client_redirect: 'https://app.element.io/#/login'
client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory
db: 'sqlite:///{cwd}db.sqlite3'
host: '0.0.0.0'
port: 5000
rate_limit: ["100 per day", "10 per minute"]
allow_cors: false
ip_logging: false
logging:
disable_existing_loggers: false
version: 1
root:
level: DEBUG
handlers: [console]
formatters:
brief:
format: '%(name)s - %(levelname)s - %(message)s'
precise:
format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
level: INFO
formatter: brief
stream: ext://sys.stdout
file:
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: m_reg.log
maxBytes: 10485760 # 10MB
backupCount: 3
encoding: utf8
# password requirements
password:
min_length: 8
# username requirements
username:
validation_regex: [] #list of regexes that the selected username must match. Example: '[a-zA-Z]\.[a-zA-Z]'
invalidation_regex: ['(admin|support|password)'] #list of regexes that the selected username must NOT match. Example: '(admin|support)'

44
matrix-registration/templates/deployment.yaml
View File

@ -1,44 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ printf "%s-matrix-registration" .Release.Name }}
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
name: matrix-registration
app: matrix-registration
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
name: matrix-registration
app: matrix-registration
spec:
securityContext: {}
containers:
- image: zeratax/matrix-registration:{{ printf "v%s" .Chart.AppVersion }}
imagePullPolicy: IfNotPresent
name: matrix-registration
args: ["serve"]
ports:
- containerPort: 5000
name: web
protocol: TCP
volumeMounts:
- mountPath: /data/config
name: matrix-registration
restartPolicy: Always
volumes:
- name: matrix-registration
configMap:
name: {{ printf "%s-matrix-registration" .Release.Name }}
- name: data
persistentVolumeClaim:
claimName: {{ printf "%s-matrix-registration" .Release.Name }}

10
matrix-registration/templates/pvc.yaml
View File

@ -1,10 +0,0 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ printf "%s-matrix-registration" .Release.Name }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100M

16
matrix-registration/templates/route.yaml
View File

@ -1,16 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ printf "%s-matrix-registration" .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- match: Host(`goatchat.ca`) && PathPrefix(`/gate/`)
kind: Rule
services:
- kind: Service
name: {{ printf "%s-matrix-registration" .Release.Name }}
port: 5000
tls:
certResolver: letsencrypt

11
matrix-registration/templates/service.yaml
View File

@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-matrix-registration" .Release.Name }}
spec:
selector:
app: matrix-registration
ports:
- name: web
protocol: TCP
port: 5000

5
matrix-registration/values-overrides.yaml
View File

@ -1,5 +0,0 @@
serverLocation: http://goatchat-matrix-synapse:8008
serverName: goatchat.ca
serverBaseUrl: /gate
registrationSharedSecret: # set through cli
adminApiSharedSecret: # set through cli

10
matrix-registration/values.yaml
View File

@ -1,5 +1,5 @@
# serverLocation: serverLocation: http://goatchat-matrix-synapse:8008
# serverName: serverName: goatchat.ca
# serverBaseUrl: serverBaseUrl: /gate
# registrationSharedSecret: registrationSharedSecret: # set through cli
# adminApiSharedSecret: adminApiSharedSecret: # set through cli