grant/fog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: grant:2a7521e474b19da88d061c793250c64941fcd549
Branches Tags
grant:main
..
compare: grant:bbd382c667368a29d86dd058c844ed4599056acf
Branches Tags
grant:main

No commits in common. "2a7521e474b19da88d061c793250c64941fcd549" and "bbd382c667368a29d86dd058c844ed4599056acf" have entirely different histories.
2a7521e474 ... bbd382c667

13 changed files with 43 additions and 462 deletions
Show Stats Expand all files Collapse all files

52
53ll/values.yaml.gotmpl
View File

@ -1,52 +0,0 @@
image:
debug: true
ghostBlogTitle: 53rd Parallel Photography
ghostHost: https://53ll.ca
ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
existingSecret: ghost-53ll-user-secret
allowEmptyPassword: false
readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
persistence:
size: 1Gi
smtpHost: "smtp.sendgrid.net"
smtpPort: 465
smtpUser: "apikey"
smtpService: "SendGrid"
smtpProtocol: "tls"
smtpExistingSecret: 53ll-smtp-password
mysql:
enabled: false
externalDatabase:
host: mariadb.datastore.svc.cluster.local
user: 53ll_ghost
database: 53ll_ghost
existingSecret: ghost-53ll-db-secret
updateStrategy:
type: Recreate
service:
type: ClusterIP
ingress:
enabled: true
hostname: 53ll.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"

94
gitea/values.yaml.gotmpl
View File

@ -1,94 +0,0 @@
gitea:
config:
server:
ROOT_URL: https://git.incngrnt.ca/
MINIMUM_KEY_SIZE_CHECK: false
service:
DISABLE_REGISTRATION: true
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
cron:
enabled: true
repository:
DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
additionalConfigFromEnvs:
- name: GITEA__DATABASE__HOST
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: host
- name: GITEA__DATABASE__NAME
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: dbname
- name: GITEA__DATABASE__USER
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: user
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: password
admin:
password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
strategy:
type: Recreate
ingress:
enabled: true
hosts:
- host: git.incngrnt.ca
paths:
- path: "/"
pathType: Prefix
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
service:
ssh:
type: ClusterIP
port: 22
clusterIP:
actions:
enabled: true
giteaRootURL: https://git.incngrnt.ca
existingSecret: gitea-runner-token
existingSecretKey: token
provisioning:
enabled: false
persistence:
enabled: false
redis:
enabled: true
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
extraDeploy:
- apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: gitea
labels:
app: gitea
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh
port: 22

12
helmfile.d/01-infrastructure.lock
View File

@ -2,15 +2,15 @@ version: 0.170.1
dependencies: dependencies:
- name: rook-ceph - name: rook-ceph
repository: https://charts.rook.io/release repository: https://charts.rook.io/release
version: v1.18.7 version: v1.18.2
- name: rook-ceph-cluster - name: rook-ceph-cluster
repository: https://charts.rook.io/release repository: https://charts.rook.io/release
version: v1.18.7 version: v1.18.2
- name: tailscale-operator - name: tailscale-operator
repository: https://pkgs.tailscale.com/helmcharts repository: https://pkgs.tailscale.com/helmcharts
version: 1.90.9 version: 1.86.5
- name: traefik - name: traefik
repository: https://traefik.github.io/charts repository: https://traefik.github.io/charts
version: 37.4.0 version: 37.1.1
digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49 digest: sha256:390b9f11dc9645c5add8f2efdbaa28bbbaf9ad8ab3056ef5b83580a53abdc112
generated: "2025-11-25T20:30:30.565674799-07:00" generated: "2025-09-16T10:37:17.844160925-06:00"

8
helmfile.d/02-datastore.lock
View File

@ -2,15 +2,15 @@ version: 0.170.1
dependencies: dependencies:
- name: k8up - name: k8up
repository: https://k8up-io.github.io/k8up repository: https://k8up-io.github.io/k8up
version: 4.8.6 version: 4.8.5
- name: mariadb - name: mariadb
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
version: 24.0.0 version: 22.0.0
- name: pgo - name: pgo
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.8.1 version: 5.8.1
- name: postgrescluster - name: postgrescluster
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.7.4 version: 5.7.4
digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde digest: sha256:df6cd58e23f8c570ef0f3d57e26720a29685275bee12525ca9abb2e70e28e491
generated: "2025-11-25T20:31:00.986270323-07:00" generated: "2025-09-16T10:37:30.538389689-06:00"

8
helmfile.d/03-apps.lock
View File

@ -8,7 +8,7 @@ dependencies:
version: 25.0.4 version: 25.0.4
- name: immich - name: immich
repository: https://immich-app.github.io/immich-charts repository: https://immich-app.github.io/immich-charts
version: 0.10.3 version: 0.9.3
- name: k8up-backup - name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3 version: 0.0.3
@ -26,9 +26,9 @@ dependencies:
version: 0.1.0 version: 0.1.0
- name: matrix-synapse - name: matrix-synapse
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
version: 3.12.16 version: 3.12.8
- name: static-site - name: static-site
repository: git+https://github.com/cfpb/static-site@charts?ref=main repository: git+https://github.com/cfpb/static-site@charts?ref=main
version: 0.1.1 version: 0.1.1
digest: sha256:59866b3b160d35756885a2db0a3344bba48161e5ba6935350286f9a754b8b219 digest: sha256:a7f2ab0e045290264fd7675f2e8979e449ccc60df6518ac20eb4d0c4c007fd96
generated: "2025-11-25T20:31:24.531424306-07:00" generated: "2025-09-16T10:37:47.891825732-06:00"

10
helmfile.d/04-monitoring.lock
View File

@ -2,12 +2,12 @@ version: 0.170.1
dependencies: dependencies:
- name: alloy - name: alloy
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts
version: 1.4.0 version: 1.2.1
- name: kube-state-metrics - name: kube-state-metrics
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
version: 6.4.2 version: 6.3.0
- name: lgtm-distributed - name: lgtm-distributed
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts
version: 3.0.1 version: 2.1.0
digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b digest: sha256:8a06f8a58058fcc5487b01542d48a745189ab4d01a8f9aad6710ffda3cab765a
generated: "2025-11-25T20:31:47.82049253-07:00" generated: "2025-09-16T10:38:05.465270419-06:00"

60
immich/values.yaml.gotmpl
View File

@ -1,23 +1,19 @@
controllers: image:
main: tag: v1.142.1
containers:
main:
image:
tag: v2.3.1
env: env:
DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }} DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }} DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }}
DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }} DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }}
DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }} DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }}
DB_VECTOR_EXTENSION: pgvector DB_VECTOR_EXTENSION: pgvector
immich: immich:
persistence: persistence:
library: library:
existingClaim: immich-data existingClaim: immich-data
valkey: redis:
enabled: true enabled: true
master: master:
persistence: persistence:
@ -30,37 +26,27 @@ valkey:
cpu: 1 cpu: 1
server: server:
enabled: true
controllers:
main:
strategy: Recreate
containers:
main:
resources:
requests:
cpu: 10m
limits:
cpu: 1
ingress: ingress:
main: main:
enabled: true enabled: true
annotations: annotations:
traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt" "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
hosts: hosts:
- host: photos.incngrnt.ca - host: photos.incngrnt.ca
paths: paths:
- path: "/" - path: "/"
service: pathType: Prefix
identifier: main resources:
requests:
cpu: 10m
limits:
cpu: 1
controller:
strategy: Recreate
machine-learning: machine-learning:
enabled: true resources:
controllers: requests:
main: cpu: 10m
containers: limits:
main: cpu: 1
resources:
requests:
cpu: 10m
limits:
cpu: 1

6
justfile
View File

@ -23,12 +23,6 @@ cleanupjobs:
pgrestart: pgrestart:
kubectl patch postgrescluster/postgres --type merge --patch '{"spec":{"metadata":{"annotations":{"restarted":"'"$(date)"'"}}}}' kubectl patch postgrescluster/postgres --type merge --patch '{"spec":{"metadata":{"annotations":{"restarted":"'"$(date)"'"}}}}'
talos-upgrade VERSION NODE:
talosctl upgrade \
--image factory.talos.dev/metal-installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:{{VERSION}} \
-n {{NODE}}
goatchat-register: goatchat-register:
bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \ bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \

54
kgnot/values.yaml.gotmpl
View File

@ -1,54 +0,0 @@
image:
debug: true
ghostBlogTitle: K&G Tie the Kgnot
ghostHost: https://kgnot.ca
ghostUsername: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
existingSecret: ghost-kgnot-user-secret
allowEmptyPassword: false
readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
persistence:
size: 1Gi
smtpHost: "smtp.sendgrid.net"
smtpPort: 465
smtpUser: "apikey"
smtpService: "SendGrid"
smtpProtocol: "tls"
smtpExistingSecret: kgnot-smtp-password
mysql:
enabled: false
externalDatabase:
host: mariadb.datastore.svc.cluster.local
user: kgnot_ghost
database: kgnot_ghost
existingSecret: ghost-kgnot-db-secret
updateStrategy:
type: Recreate
service:
type: ClusterIP
ingress:
enabled: true
hostname: kgnot.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"

5
matrix-registration/values.yaml.gotmpl
View File

@ -1,5 +0,0 @@
serverLocation: http://goatchat-matrix-synapse:8008
serverName: goatchat.ca
serverBaseUrl: /gate
registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }}

84
synapse/values.yaml.gotmpl
View File

@ -1,84 +0,0 @@
serverName: 'goatchat.ca'
publicServerName: 'goatchat.ca'
wellknown:
enabled: true
signingkey:
job:
enabled: false
existingSecret: goatchatca-signingkey
existingSecretKey: signing.key
synapse:
strategy:
type: Recreate
resources:
requests:
cpu: 10m
memory: 160Mi
limits:
cpu: '1'
memory: 320Mi
config:
macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
extraConfig:
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
max_upload_size: 100M
email:
enable_notifs: true
smtp_host: "smtp.sendgrid.net"
smtp_port: 587
smtp_user: "apikey"
smtp_pass: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
require_transport_security: true
notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
app_name: Goatchat
validation_token_lifetime: 1h
user_directory:
enabled: true
search_all_users: true
prefer_local_users: true
server_notices:
system_mxid_localpart: notices
system_mxid_display_name: "Screaming Goat"
system_mxid_avatar_url: ""
room_name: "Goatchat Notices"
room_avatar_url: ""
room_topic: "Room used by your server admin to notify you of important information"
auto_join: true
ingress:
traefikPaths: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
persistence:
size: 30Gi
postgresql:
enabled: false
externalPostgresql:
host: postgres-primary.datastore.svc
existingSecret: postgres-pguser-synapse
existingSecretPasswordKey: password

8
tailscale/values.yaml.gotmpl
View File

@ -1,8 +0,0 @@
operatorConfig:
extraEnv:
- name: PROXY_PRIORITY_CLASS_NAME
value: critical
oauth:
clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}

102
traefik/values.yaml.gotmpl
View File

@ -1,102 +0,0 @@
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
volumeMounts:
- name: data
mountPath: /data
updateStrategy:
type: Recreate
env:
- name: HETZNER_API_KEY
valueFrom:
secretKeyRef:
name: hetzner-api-key
key: token
additionalArguments:
- "--api.basePath=/fog/traefik"
persistence:
enabled: true
logs:
format: json
access:
enabled: true
format: json
service:
spec:
externalTrafficPolicy: Local
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
entryPoints: ["websecure"]
middlewares:
- name: traefik-dashboard-auth
tls:
certResolver: letsencrypt
ports:
websecure:
middlewares:
- traefik-rate-limit@kubernetescrd
web:
middlewares:
- traefik-redirectscheme@kubernetescrd
ssh:
port: 2222
expose:
default: true
exposedPort: 2222
protocol: TCP
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirectscheme
spec:
redirectScheme:
scheme: https
permanent: true
certificatesResolvers:
letsencrypt:
acme:
dnschallenge:
provider: hetzner
delaybeforecheck: 30
email: {{ requiredEnv "ACME_EMAIL" }}
storage: /data/acme.json