set memory limits

.gitignore

@@ -14,4 +14,7 @@ kgnot/config.production.json
 53ll/config.production.json
 
 *.key
-*.pub
+*.pub
+
+.envrc
+.kubeconfig

53ll/values.yaml

@@ -1,53 +0,0 @@
-image:
-  debug: true
-
-ghostBlogTitle: 53rd Parallel Photography
-ghostHost: https://53ll.ca
-ghostUsername: # set through cli args
-existingSecret: ghost-53ll-user-secret
-
-allowEmptyPassword: false
-
-
-readinessProbe:
-  enabled: false
-
-resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
-  requests:
-    cpu: 10m
-    ephemeral-storage: 50Mi
-    memory: 128Mi
-persistence:
-  size: 1Gi
-
-smtpHost: "smtp.sendgrid.net"
-smtpPort: 465
-smtpUser: "apikey"
-smtpService: "SendGrid"
-smtpProtocol: "tls"
-smtpExistingSecret: 53ll-smtp-password
-
-mysql:
-  enabled: false
-externalDatabase:
-  host: mariadb.datastore.svc.cluster.local
-  user: 53ll_ghost
-  database: 53ll_ghost
-  existingSecret: ghost-53ll-db-secret
-   
-updateStrategy:
-  type: Recreate
-
-service:
-  type: ClusterIP    
-ingress:
-  enabled: true
-  hostname: 53ll.ca
-  tls: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-

53ll/values.yaml.gotmpl

@@ -13,14 +13,14 @@ readinessProbe:
   enabled: false
 
 resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
   requests:
     cpu: 10m
     ephemeral-storage: 50Mi
-    memory: 128Mi
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    ephemeral-storage: 2Gi
+    memory: 224Mi
 persistence:
   size: 1Gi
 

gitea/values.yaml

@@ -1,89 +0,0 @@
-gitea:
-  config:
-    server:
-      ROOT_URL: https://git.incngrnt.ca/
-      MINIMUM_KEY_SIZE_CHECK: false
-    service:
-      DISABLE_REGISTRATION: true
-    database:
-      DB_TYPE: postgres
-    indexer:
-      ISSUE_INDEXER_TYPE: bleve
-      REPO_INDEXER_ENABLED: true
-    cron:
-      enabled: true
-    repository:
-      DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
-  additionalConfigFromEnvs:
-    - name: GITEA__DATABASE__HOST
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: host 
-    - name: GITEA__DATABASE__NAME
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: dbname  
-    - name: GITEA__DATABASE__USER
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: user
-    - name: GITEA__DATABASE__PASSWD
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: password
-
-strategy:
-  type: Recreate
-
-ingress:
-  enabled: true
-  hosts:
-    - host: git.incngrnt.ca
-      paths:
-        - path: "/"
-          pathType: Prefix
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-
-service:
-  ssh:
-    type: ClusterIP
-    port: 22
-    clusterIP:
-      
-actions:
-  enabled: true
-  existingSecret: gitea-runner-token
-  existingSecretKey: token
- 
-redis:
-  enabled: true
-redis-cluster:
-  enabled: false
-postgresql:
-  enabled: false
-postgresql-ha:
-  enabled: false
-
-
-extraDeploy:
-- apiVersion: traefik.io/v1alpha1
-  kind: IngressRouteTCP
-  metadata:
-    name: gitea-ssh
-    namespace: gitea
-    labels:
-      app: gitea
-  spec:
-    entryPoints:
-      - ssh
-    routes:
-      - match: HostSNI(`*`)
-        services:
-          - name: gitea-ssh
-            port: 22
-      

grafana/alloy_values.yaml

@@ -1,199 +0,0 @@
-alloy:
-  clustering:
-    enabled: true
-  configMap:
-    content: |-
-      logging {
-      	level  = "info"
-      	format = "logfmt"
-      }
-      
-      discovery.kubernetes "pods" {
-        role = "pod"
-      }
-      discovery.kubernetes "nodes" {
-        role = "node"
-      }
-      
-      discovery.relabel "pods" {
-        targets = discovery.kubernetes.pods.targets
-
-        rule {
-          source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_container_name"]
-          separator     = "/"
-          target_label  = "deployment_name"
-          action        = "replace"
-        }
-      }
-      loki.source.kubernetes "pods" {
-        targets    = discovery.relabel.pods.output
-        forward_to = [loki.process.process.receiver]
-      }
-      loki.process "process" {
-        forward_to = [loki.write.loki.receiver]
-
-        stage.drop {
-          older_than          = "1h"
-          drop_counter_reason = "too old"
-        }
-        stage.match { 
-          selector = "{instance=~\".*\"}"
-          stage.json {
-            expressions = {
-              level = "\"level\"",
-            }
-          }
-          stage.labels {
-            values = { 
-              level = "level",
-            }
-          }
-        }
-        stage.label_drop {
-          values = [ "job", "service_name" ]
-        }
-      }      
-      loki.write "loki" {
-         endpoint {
-           url = "http://grafana-loki-distributor:3100/loki/api/v1/push"
-         }
-       }
-       
-      discovery.relabel "metrics" {
-        targets = discovery.kubernetes.pods.targets
-        rule {
-          source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_port"]
-          target_label  = "__meta_kubernetes_pod_container_port_number"
-          action = "keepequal"
-        }
-        rule {
-          source_labels = ["__meta_kubernetes_pod_container_port_number"]
-          regex = ""
-          action = "drop"
-        }    
-        rule {
-          source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_path",]
-          target_label  = "__metrics_path__"
-          separator = ""
-          action = "replace"
-        }        
-      }
-      prometheus.scrape "metrics" {
-        clustering {
-            enabled = true
-        }
-        targets    = discovery.relabel.metrics.output
-        forward_to = [prometheus.remote_write.metrics.receiver]
-        scrape_interval = "30s"
-      }
-      discovery.relabel "pods_metrics" {
-        targets = discovery.kubernetes.nodes.targets
-        rule {
-          replacement  = "kubernetes.default.svc:443"
-          target_label = "__address__"
-        }
-        rule {
-          regex         = "(.+)"
-          replacement   = "/api/v1/nodes/$1/proxy/metrics/cadvisor"
-          source_labels = ["__meta_kubernetes_node_name"]
-          target_label  = "__metrics_path__"
-        }
-      }
-      prometheus.scrape "pods_metrics" {
-        clustering {
-            enabled = true
-        }
-        targets      = discovery.relabel.pods_metrics.output
-        job_name     = "integrations/kubernetes/kubelet"
-        scheme       = "https"
-        honor_labels = true
-        forward_to = [prometheus.remote_write.metrics.receiver]
-        bearer_token_file = "/run/secrets/kubernetes.io/serviceaccount/token"
-        tls_config {
-          insecure_skip_verify = true
-          server_name          = "kubernetes"
-        }
-        scrape_interval = "30s"
-      }
-      prometheus.exporter.unix "os_metrics" { }
-      prometheus.scrape "os_metrics" {
-        clustering {
-            enabled = true
-        }
-        targets    = prometheus.exporter.unix.os_metrics.targets
-        forward_to = [prometheus.remote_write.metrics.receiver]
-        scrape_interval = "30s"
-      }
-
-      discovery.kubernetes "kube_state_metrics" {
-        role = "endpoints"
-
-        selectors {
-          role = "endpoints"
-          label = "app.kubernetes.io/name=kube-state-metrics"
-        }
-        namespaces {
-          names = ["grafana"]
-        }
-      }
-
-      discovery.relabel "kube_state_metrics" {
-        targets = discovery.kubernetes.kube_state_metrics.targets
-
-        // only keep targets with a matching port name
-        rule {
-          source_labels = ["__meta_kubernetes_endpoint_port_name"]
-          regex = "http"
-          action = "keep"
-        }
-
-        rule {
-          action = "replace"
-          replacement = "kubernetes"
-          target_label = "source"
-        }
-
-      }
-
-      prometheus.scrape "kube_state_metrics" {
-        targets = discovery.relabel.kube_state_metrics.output
-        job_name = "integrations/kubernetes/kube-state-metrics"
-        scrape_interval = "30s"
-        scheme = "http"
-        bearer_token_file = ""
-        tls_config {
-          insecure_skip_verify = true
-        }
-
-        clustering {
-          enabled = true
-        }
-        forward_to = [prometheus.relabel.kube_state_metrics.receiver]
-      }
-
-      prometheus.relabel "kube_state_metrics" {
-        max_cache_size = 100000
-        rule {
-          source_labels = ["__name__"]
-          regex = "up|scrape_samples_scraped|kube_configmap_info|kube_configmap_metadata_resource_version|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_condition|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_access_mode|kube_persistentvolumeclaim_info|kube_persistentvolumeclaim_labels|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_persistentvolumeclaim_status_phase|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_spec_volumes_persistentvolumeclaims_info|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_secret_metadata_resource_version|kube_statefulset.*"
-          action = "keep"
-        }
-
-        forward_to = [prometheus.remote_write.metrics.receiver]
-      }
-
-      prometheus.remote_write "metrics" {
-        endpoint {
-          url = "http://grafana-mimir-nginx/api/v1/push"
-        }
-      }
-
-
-
-  resources:
-    requests:
-      cpu: 1m
-      memory: 5Mi
-    limits:
-      cpu: 1
-      memory: 400Mi

grafana/values.yaml

@@ -1,19 +0,0 @@
-grafana:
-  ingress:
-    enabled: true
-    hosts:
-      - watcher.incngrnt.ca
-    annotations:
-      "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-
-  persistence:
-    enabled: true    
-
-mimir:
-  mimir:
-    structuredConfig:
-      limits:
-        compactor_blocks_retention_period: 2h
-  ingester:
-    persistentVolume:
-      size: 5Gi

helmfile.d/01-infrastructure.lock

@@ -2,15 +2,15 @@ version: 0.170.1
 dependencies:
 - name: rook-ceph
   repository: https://charts.rook.io/release
-  version: v1.18.7
+  version: v1.18.8
 - name: rook-ceph-cluster
   repository: https://charts.rook.io/release
-  version: v1.18.7
+  version: v1.18.8
 - name: tailscale-operator
   repository: https://pkgs.tailscale.com/helmcharts
   version: 1.90.9
 - name: traefik
   repository: https://traefik.github.io/charts
   version: 37.4.0
-digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49
+digest: sha256:66b2e4b590af3ee51f97d61435400977ceb8d70ddfc50d638ccfaeede79e8a6f
-generated: "2025-11-25T20:30:30.565674799-07:00"
+generated: "2025-12-07T13:19:28.002423348-07:00"

helmfile.d/01-infrastructure.yaml

@@ -12,28 +12,20 @@ releases:
     namespace: metallb-system
     createNamespace: true
     chart: ../metallb
+    values:
+      - ../metallb/values.yaml.gotmpl
   - name: traefik
     namespace: traefik
     createNamespace: true
     chart: traefik/traefik
     values:
-      - ../traefik/values.yaml
+      - ../traefik/values.yaml.gotmpl
-    setString:
-      - name: certificatesResolvers.letsencrypt.acme.email
-        value: {{ requiredEnv "ACME_EMAIL" }}
-      - name: extraObjects[0].stringData.password
-        value: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
   - name: tailscale-operator
     namespace: tailscale
     createNamespace: true
     chart: tailscale/tailscale-operator
     values:
-      - ../tailscale/values.yaml
+      - ../tailscale/values.yaml.gotmpl
-    setString:
-      - name: oauth.clientId
-        value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
-      - name: oauth.clientSecret
-        value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}
 
   # storage infrastructure
   - name: rook-ceph
@@ -41,13 +33,13 @@ releases:
     createNamespace: true
     chart: rook-release/rook-ceph
     values:
-      - ../rook-ceph/values.yaml
+      - ../rook-ceph/values.yaml.gotmpl
   - name: rook-ceph-cluster
     namespace: rook-ceph
     createNamespace: true
     chart: rook-release/rook-ceph-cluster
     values:
-      - ../rook-ceph-cluster/values.yaml
+      - ../rook-ceph-cluster/values.yaml.gotmpl
     set:
       - name: operatorNamespace
-        value: rook-ceph 
+        value: rook-ceph 

helmfile.d/02-datastore.lock

@@ -12,5 +12,5 @@ dependencies:
 - name: postgrescluster
   repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
   version: 5.7.4
-digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde
+digest: sha256:cd960bd2adfc6d5bbfadd4d8ba745904717ba888da8dee9cde7c83ba71e5f8a4
-generated: "2025-11-25T20:31:00.986270323-07:00"
+generated: "2025-12-07T13:19:41.655599535-07:00"

helmfile.d/02-datastore.yaml

@@ -13,29 +13,19 @@ releases:
     createNamespace: true
     chart: crunchydata/pgo
     values:
-      - ../postgres/operator-values.yaml
+      - ../postgres/operator-values.yaml.gotmpl
   - name: postgres
     namespace: datastore
     createNamespace: true
     chart: crunchydata/postgrescluster
     values:
-      - ../postgres/values.yaml
+      - ../postgres/values.yaml.gotmpl
-    setString:
-      - name: pgBackRestConfig.global.repo1-s3-key
-        value: '{{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}'
-      - name: pgBackRestConfig.global.repo1-s3-key-secret
-        value: '{{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}'
-      - name: pgBackRestConfig.global.repo1-cipher-pass
-        value: '{{ requiredEnv "PG_BACKREST_PASSWORD" }}'
   - name: mariadb
     namespace: datastore
     createNamespace: true
     chart: bitnami/mariadb
     values:
-      - ../mariadb/values.yaml
+      - ../mariadb/values.yaml.gotmpl
-    setString:
-      - name: auth.rootPassword
-        value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
 
   # backup infrastructure
   - name: k8up
@@ -43,4 +33,4 @@ releases:
     createNamespace: true
     chart: k8up-io/k8up
     values:
-      - ../k8up/values.yaml 
+      - ../k8up/values.yaml.gotmpl 

helmfile.d/03-apps.yaml

@@ -40,7 +40,7 @@ releases:
     createNamespace: true
     chart: static-site/static-site
     values:
-      - ../incngrnt-web/values.yaml
+      - ../incngrnt-web/values.yaml.gotmpl
   # ghost blogs
   - name: kgnot-ghost
     namespace: ghost

helmfile.d/04-monitoring.lock

@@ -1,13 +0,0 @@
-version: 0.170.1
-dependencies:
-- name: alloy
-  repository: https://grafana.github.io/helm-charts
-  version: 1.4.0
-- name: kube-state-metrics
-  repository: https://prometheus-community.github.io/helm-charts
-  version: 6.4.2
-- name: lgtm-distributed
-  repository: https://grafana.github.io/helm-charts
-  version: 3.0.1
-digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b
-generated: "2025-11-25T20:31:47.82049253-07:00"

helmfile.d/04-monitoring.yaml

@@ -1,27 +0,0 @@
-repositories:
-  - name: grafana
-    url: https://grafana.github.io/helm-charts
-  - name: prometheus-community
-    url: https://prometheus-community.github.io/helm-charts
-    
-releases:
-  # monitoring
-  - name: grafana
-    namespace: grafana
-    installed: false
-    createNamespace: true
-    chart: grafana/lgtm-distributed
-    values:
-      - ../grafana/values.yaml
-  - name: alloy
-    namespace: grafana
-    installed: false    
-    createNamespace: true
-    chart: grafana/alloy
-    values:
-      - ../grafana/alloy_values.yaml
-  - name: kube-state-metrics
-    namespace: grafana
-    installed: false    
-    createNamespace: true
-    chart: prometheus-community/kube-state-metrics 

immich/values.yaml.gotmpl

@@ -26,8 +26,10 @@ valkey:
     resources:
       requests:
         cpu: 10m
-      limits: 
+        memory: 64Mi
-          cpu: 1
+      limits:
+        cpu: 1
+        memory: 32Mi
 
 server:
   enabled: true
@@ -39,8 +41,10 @@ server:
           resources:
             requests:
               cpu: 10m
-            limits: 
+              memory: 256Mi
+            limits:
               cpu: 1
+              memory: 512Mi
   ingress:
     main:
       enabled: true
@@ -62,5 +66,7 @@ machine-learning:
           resources:
             requests:
               cpu: 10m
-            limits: 
+              memory: 128Mi
+            limits:
               cpu: 1
+              memory: 384Mi

incngrnt-web/values.yaml.gotmpl

@@ -3,6 +3,14 @@ init:
   wget:
     url: https://git.incngrnt.ca/grant/incngrnt/releases/download/v0.0.8/v0.0.8.tar
 
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    cpu: 500m
+    memory: 32Mi
+
 ingress:
   enabled: true
   annotations:

k8up-backup/values.yaml.gotmpl

@@ -6,3 +6,11 @@ credentials:
   key: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
 
 repoPassword: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
+
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 128Mi

k8up/values.yaml

@@ -1,4 +0,0 @@
-k8up:
-  envVars:
-    - name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
-      values: 1

k8up/values.yaml.gotmpl

@@ -0,0 +1,11 @@
+k8up:
+  envVars:
+    - name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
+      values: 1
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+    limits:
+      cpu: 500m
+      memory: 64Mi

kgnot/values.yaml

@@ -1,54 +0,0 @@
-image:
-  debug: true
-
-ghostBlogTitle: K&G Tie the Kgnot
-ghostHost: https://kgnot.ca
-ghostUsername: # set through cli args
-existingSecret: ghost-kgnot-user-secret
-
-allowEmptyPassword: false
-
-
-readinessProbe:
-  enabled: false
-
-resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
-  requests:
-    cpu: 10m
-    ephemeral-storage: 50Mi
-    memory: 128Mi
-
-persistence:
-  size: 1Gi
-
-smtpHost: "smtp.sendgrid.net"
-smtpPort: 465
-smtpUser: "apikey"
-smtpService: "SendGrid"
-smtpProtocol: "tls"
-smtpExistingSecret: kgnot-smtp-password
-
-mysql:
-  enabled: false
-externalDatabase:
-  host: mariadb.datastore.svc.cluster.local
-  user: kgnot_ghost
-  database: kgnot_ghost
-  existingSecret: ghost-kgnot-db-secret
-   
-updateStrategy:
-  type: Recreate
-
-service:
-  type: ClusterIP
-  
-ingress:
-  enabled: true
-  hostname: kgnot.ca
-  tls: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"

kgnot/values.yaml.gotmpl

@@ -13,14 +13,14 @@ readinessProbe:
   enabled: false
 
 resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
   requests:
     cpu: 10m
     ephemeral-storage: 50Mi
-    memory: 128Mi
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    ephemeral-storage: 2Gi
+    memory: 224Mi
 
 persistence:
   size: 1Gi

mariadb/values.yaml

@@ -1,14 +0,0 @@
-persistent:
-  size: 5Gi
-
-primary:
-  resources:
-        limits:
-          cpu: 375m
-          ephemeral-storage: 2Gi
-          memory: 384Mi
-        requests:
-          cpu: 50m
-          ephemeral-storage: 50Mi
-          memory: 256Mi
-  

mariadb/values.yaml.gotmpl

@@ -0,0 +1,16 @@
+auth:
+  rootPassword: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
+
+persistent:
+  size: 5Gi
+
+primary:
+  resources:
+    requests:
+      cpu: 50m
+      ephemeral-storage: 50Mi
+      memory: 96Mi
+    limits:
+      cpu: 1
+      ephemeral-storage: 2Gi
+      memory: 192Mi

matrix-registration/values.yaml

@@ -1,5 +0,0 @@
-serverLocation: http://goatchat-matrix-synapse:8008
-serverName: goatchat.ca
-serverBaseUrl: /gate
-registrationSharedSecret: # set through cli
-adminApiSharedSecret: # set through cli

matrix-registration/values.yaml.gotmpl

@@ -2,4 +2,12 @@ serverLocation: http://goatchat-matrix-synapse:8008
 serverName: goatchat.ca
 serverBaseUrl: /gate
 registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
-adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }} 
+adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }}
+
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 64Mi 

metallb/values.yaml.gotmpl

@@ -0,0 +1,17 @@
+controller:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+    limits:
+      cpu: 500m
+      memory: 64Mi
+
+speaker:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 48Mi
+    limits:
+      cpu: 500m
+      memory: 96Mi

postgres/operator-values.yaml

@@ -1,2 +0,0 @@
-pgoControllerLeaseName: ''
-replicas: 1

postgres/operator-values.yaml.gotmpl

@@ -0,0 +1,10 @@
+pgoControllerLeaseName: ''
+replicas: 1
+
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 160Mi

postgres/values.yaml.gotmpl

@@ -1,5 +1,21 @@
 instanceSize: 50Gi
-
+instanceMemory: 1Gi
+instanceCPU: 2
+instances:
+  - name: instance1
+    resources:
+      requests:
+        cpu: 100m
+        memory: 192Mi
+      limits:
+        cpu: 2
+        memory: 256Mi
+    dataVolumeClaimSpec:
+      accessModes:
+      - "ReadWriteOnce"
+      resources:
+        requests:
+          storage: 50Gi
 patroni:
   dynamicConfiguration:
     postgresql:
@@ -32,7 +48,10 @@ pgBackRestConfig:
   global:
     repo1-path: /pgbackrest/datastore/postgres/repo1
     repo1-retention-full: "10"
-    repo1-retention-full-type: count    
+    repo1-retention-full-type: count
+    repo1-s3-key: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
+    repo1-s3-key-secret: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
+    repo1-cipher-pass: {{ requiredEnv "PG_BACKREST_PASSWORD" }}
 
   repos:
   - name: repo1

rook-ceph-cluster/values.yaml.gotmpl

@@ -6,6 +6,8 @@ cephClusterSpec:
     useAllNodes: true
     useAllDevices: false
     deviceFilter: "^sda"
+    config:
+      osd_memory_target: "1073741824"  # 1GB per OSD to maintain 70% node capacity
   resources:
     mgr:
       requests:
@@ -13,18 +15,21 @@ cephClusterSpec:
         memory: 256Mi
       limits:
         cpu: "1"
+        memory: 704Mi
     mon:
       requests:
         cpu: 100m
         memory: 256Mi
       limits:
-        cpu: "1"        
+        cpu: "1"
+        memory: 64Mi
     osd:
       requests:
         cpu: 100m
-        memory: 256Mi
+        memory: 896Mi
       limits:
         cpu: "1"
+        memory: 1280Mi
 
 ingress:
   dashboard:
@@ -55,9 +60,10 @@ cephFileSystems:
         resources:
           requests:
             cpu: 50m
-            memory: 256Mi
+            memory: 64Mi
-          limit:
+          limits:
             cpu: "1"
+            memory: 32Mi
     storageClass:
       enabled: true
       isDefault: false

rook-ceph/values.yaml.gotmpl

@@ -2,3 +2,6 @@ resources:
   requests:
     cpu: 100m
     memory: 128Mi
+  limits:
+    cpu: 1
+    memory: 300Mi

synapse/values.yaml

@@ -1,84 +0,0 @@
-serverName: 'goatchat.ca'
-publicServerName: 'goatchat.ca'
-
-wellknown:
-  enabled: true
-  
-signingkey:
-  job:
-    enabled: false
-  existingSecret: goatchatca-signingkey
-  existingSecretKey: signing.key
-
-synapse:
-  strategy:
-    type: Recreate
-  resources:
-    requests:
-      cpu: 10m
-      memory: 160Mi
-    limits:
-      cpu: '1'
-      memory: 320Mi
-
-config:
-  macaroonSecretKey: # set through cli args
-  registrationSharedSecret: # set through cli args
-
-extraConfig:
-  url_preview_enabled: true    
-  url_preview_ip_range_blacklist:
-     - '127.0.0.0/8'
-     - '10.0.0.0/8'
-     - '172.16.0.0/12'
-     - '192.168.0.0/16'
-     - '100.64.0.0/10'
-     - '169.254.0.0/16'
-     - '::1/128'
-     - 'fe80::/64'
-     - 'fc00::/7'
-
-  max_upload_size: 100M
-
-  email:
-    enable_notifs: true
-    smtp_host: "smtp.sendgrid.net"
-    smtp_port: 587
-    smtp_user: "apikey"
-    smtp_pass: # set through cli args
-    require_transport_security: true
-    notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
-    app_name: Goatchat
-    validation_token_lifetime: 1h
-
-
-  user_directory:
-    enabled: true
-    search_all_users: true
-    prefer_local_users: true
-
-  server_notices:
-    system_mxid_localpart: notices
-    system_mxid_display_name: "Screaming Goat"
-    system_mxid_avatar_url: ""
-    room_name: "Goatchat Notices"
-    room_avatar_url: ""
-    room_topic: "Room used by your server admin to notify you of important information"
-    auto_join: true
-  
-
-ingress:
-  traefikPaths: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-
-
-persistence:
-  size: 30Gi    
-
-postgresql:
-  enabled: false    
-externalPostgresql:
-  host: postgres-primary.datastore.svc
-  existingSecret: postgres-pguser-synapse
-  existingSecretPasswordKey: password

synapse/values.yaml.gotmpl

@@ -16,10 +16,10 @@ synapse:
   resources:
     requests:
       cpu: 10m
-      memory: 160Mi
+      memory: 128Mi
     limits:
       cpu: '1'
-      memory: 320Mi
+      memory: 192Mi
 
 config:
   macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}

tailscale/values.yaml

@@ -1,4 +0,0 @@
-operatorConfig:
-  extraEnv:
-    - name: PROXY_PRIORITY_CLASS_NAME
-      value: critical

tailscale/values.yaml.gotmpl

@@ -3,6 +3,14 @@ operatorConfig:
     - name: PROXY_PRIORITY_CLASS_NAME
       value: critical
 
+resources:
+  requests:
+    cpu: 10m
+    memory: 48Mi
+  limits:
+    cpu: 500m
+    memory: 64Mi
+
 oauth:
   clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
   clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }} 

traefik/values.yaml

@@ -1,102 +0,0 @@
-deployment:
-  initContainers:
-    - name: volume-permissions
-      image: busybox:latest
-      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
-      volumeMounts:
-        - name: data
-          mountPath: /data
-
-updateStrategy:
-  type: Recreate
-    
-env:
- - name: HETZNER_API_KEY
-   valueFrom:
-     secretKeyRef:
-       name: hetzner-api-key
-       key: token
-
-additionalArguments:
- - "--api.basePath=/fog/traefik"
-
-persistence:
-  enabled: true
-    
-logs:
-  format: json    
-  access:
-    enabled: true
-    format: json    
-
-service:
-  spec:
-    externalTrafficPolicy: Local
-    
-ingressRoute:
-  dashboard:
-    enabled: true
-    matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
-    entryPoints: ["websecure"]
-    middlewares:
-      - name: traefik-dashboard-auth
-    tls:
-      certResolver: letsencrypt
-
-ports:
-  websecure:
-    middlewares:
-      - traefik-rate-limit@kubernetescrd
-  web:
-    middlewares:
-      - traefik-redirectscheme@kubernetescrd      
-  ssh:
-    port: 2222
-    expose:
-      default: true
-    exposedPort: 2222
-    protocol: TCP
-    
-    
-extraObjects:
-  - apiVersion: v1
-    kind: Secret
-    metadata:
-      name: traefik-dashboard-auth-secret
-    type: kubernetes.io/basic-auth
-    stringData:
-      username: admin
-      password: # set through cli args
-
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: traefik-dashboard-auth
-    spec:
-      basicAuth:
-        secret: traefik-dashboard-auth-secret
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: rate-limit
-    spec:
-      rateLimit:
-        average: 50
-        burst: 100
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: redirectscheme
-    spec:
-      redirectScheme:
-        scheme: https
-        permanent: true
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      dnschallenge:
-        provider: hetzner
-        delaybeforecheck: 30
-      email: # set through cli args
-      storage: /data/acme.json

traefik/values.yaml.gotmpl

@@ -7,6 +7,14 @@ deployment:
         - name: data
           mountPath: /data
 
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 1
+    memory: 128Mi
+
 updateStrategy:
   type: Recreate
     
@@ -99,4 +107,4 @@ certificatesResolvers:
         provider: hetzner
         delaybeforecheck: 30
       email: {{ requiredEnv "ACME_EMAIL" }}
-      storage: /data/acme.json 
+      storage: /data/acme.json