

15 Commits

Grant Hunter
b518b96a6d increase postgres memory 2026-01-01 15:20:33 -07:00
Grant Hunter
dff2f4871e add just command to refresh client cert 2026-01-01 15:20:06 -07:00
Grant Hunter
6117c9d826 simplify helm deploy args 2025-12-23 10:45:11 -07:00
Grant Hunter
d9a9187607 bump versions 2025-12-23 10:45:02 -07:00
Grant Hunter
2eb738325b switch gitea to single valkey instance 2025-12-14 22:35:26 -07:00
Grant Hunter
c28540cd44 update certs 2025-12-14 22:27:45 -07:00
Grant Hunter
e733a2584b bump version add skip-deps for speed 2025-12-14 13:03:49 -07:00
Grant Hunter
149506224f update mem limit 2025-12-08 09:11:54 -07:00
Grant Hunter
708efca878 set memory limits 2025-12-07 15:25:24 -07:00
Grant Hunter
6d604c269d update ceph limits 2025-12-07 14:01:39 -07:00
Grant Hunter
8bdff3bcea remove grafana 2025-12-07 13:46:33 -07:00
Grant Hunter
87a5a3a1ab bump versions 2025-12-07 13:27:28 -07:00
Grant Hunter
6b3eb79f88 remove old values.yaml 2025-12-07 13:16:22 -07:00
Grant Hunter
332f776c4f update to gotmpl 2025-12-07 13:14:48 -07:00
Grant Hunter
6aa777f880 update gitignore 2025-12-07 12:50:24 -07:00
45 changed files with 585 additions and 846 deletions

3
.gitignore vendored

@@ -15,3 +15,6 @@ kgnot/config.production.json
*.key *.key
*.pub *.pub
.envrc
.config
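Review bot: The new `refresh-client-cert` recipe in the justfile writes `ca.crt`, `admin.csr` and `admin.crt` into the repository root alongside the `.key` files, and the patterns visible here cover only `*.key` and `*.pub`; unless an earlier line matches them, those files land as untracked and are one careless `git add` away from being committed. Adding `*.crt` and `*.csr` next to `*.key` closes that gap (ignoring `.config` for the generated talosconfig/kubeconfig is the right call).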


@@ -1,53 +0,0 @@
image:
debug: true
ghostBlogTitle: 53rd Parallel Photography
ghostHost: https://53ll.ca
ghostUsername: # set through cli args
existingSecret: ghost-53ll-user-secret
allowEmptyPassword: false
readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
persistence:
size: 1Gi
smtpHost: "smtp.sendgrid.net"
smtpPort: 465
smtpUser: "apikey"
smtpService: "SendGrid"
smtpProtocol: "tls"
smtpExistingSecret: 53ll-smtp-password
mysql:
enabled: false
externalDatabase:
host: mariadb.datastore.svc.cluster.local
user: 53ll_ghost
database: 53ll_ghost
existingSecret: ghost-53ll-db-secret
updateStrategy:
type: Recreate
service:
type: ClusterIP
ingress:
enabled: true
hostname: 53ll.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"


@@ -13,14 +13,14 @@ readinessProbe:
enabled: false enabled: false
resources: resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests: requests:
cpu: 10m cpu: 10m
ephemeral-storage: 50Mi ephemeral-storage: 50Mi
memory: 128Mi memory: 64Mi
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 224Mi
persistence: persistence:
size: 1Gi size: 1Gi
@@ -48,5 +48,21 @@ ingress:
enabled: true enabled: true
hostname: 53ll.ca hostname: 53ll.ca
tls: true tls: true
annotations: extraTls:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" - secretName: 53ll-ca-tls
hosts:
- 53ll.ca
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: 53ll-ca
namespace: ghost
spec:
secretName: 53ll-ca-tls
issuerRef:
name: letsencrypt-53ll
kind: ClusterIssuer
dnsNames:
- 53ll.ca
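Review bot: The new `extraTls` entry plus the hand-written Certificate in `extraDeploy` reproduce what cert-manager's ingress-shim already does from the ingress: if this chart's ingress uses the bitnami common helper, `tls: true` together with `annotations: cert-manager.io/cluster-issuer: letsencrypt-53ll` makes the chart emit the tls block for `hostname` and cert-manager creates the Certificate and `53ll.ca-tls` secret itself, so the Certificate with its hardcoded `namespace: ghost` can go. As written, `tls: true` on its own is inert (the chart only emits a tls entry for it when a cert-manager annotation or `selfSigned` is set), so either switch to the annotation form or drop `tls: true` and keep `extraTls`. The kgnot values.yaml.gotmpl section has the same shape and the same choice.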


@@ -0,0 +1,11 @@
groupName: acme.hetzner.com
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
secretName:
- hetzner-dns-credentials
secrets:
apiToken: {{ requiredEnv "HETZNER_API_KEY" }}
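Review bot: `apiToken: {{ requiredEnv "HETZNER_API_KEY" }}` renders the token as a plain scalar, so a value containing `#`, `: `, or starting with a YAML indicator either breaks the render or is silently retyped; the old helmfile `setString` form in 02-datastore.yaml was single-quoted (`'{{ requiredEnv ... }}'`) and that protection was lost when the values moved into the gotmpl files. Use `apiToken: {{ requiredEnv "HETZNER_API_KEY" | quote }}` — Sprig `quote` also escapes embedded quotes, which the single-quote wrapper did not. The same applies to the new cert-manager-issuers values (`hetzner.apiToken`, `acme.email`), mariadb `auth.rootPassword`, and the three `repo1-*` pgBackRest keys added to the postgres values.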


@@ -0,0 +1,5 @@
apiVersion: v2
name: cert-manager-issuers
description: cert-manager ClusterIssuers for Let's Encrypt
type: application
version: 0.1.0


@@ -0,0 +1,88 @@
apiVersion: v1
kind: Secret
metadata:
name: hetzner-dns-credentials
namespace: cert-manager
type: Opaque
stringData:
api-key: {{ .Values.hetzner.apiToken }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-incngrnt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-incngrnt-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: incngrnt.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-goatchat
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-goatchat-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: goatchat.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-53ll
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-53ll-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: 53ll.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-kgnot
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-kgnot-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: kgnot.ca
apiUrl: https://dns.hetzner.com/api/v1
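Review bot: `api-key: {{ .Values.hetzner.apiToken }}` in the Secret and the four `email: {{ .Values.acme.email }}` lines render unquoted, so a token or address with `#`, `: ` or a leading special character produces invalid YAML or a retyped value; write them as `api-key: {{ .Values.hetzner.apiToken | quote }}` and `email: {{ .Values.acme.email | quote }}`. The four ClusterIssuer documents differ only in the issuer name and `zoneName`; a `range` over a list in values (an `issuers` key, constructed below) removes the copy-paste and makes adding a zone a one-line change while keeping every solver field identical.
```yaml
# … unchanged: hetzner-dns-credentials Secret (api-key should use | quote) …
{{- range .Values.issuers }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-{{ .name }}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ $.Values.acme.email | quote }}
    privateKeySecretRef:
      name: letsencrypt-{{ .name }}-private-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.hetzner.com
            solverName: hetzner
            config:
              secretName: hetzner-dns-credentials
              zoneName: {{ .zone | quote }}
              apiUrl: https://dns.hetzner.com/api/v1
{{- end }}
# values (constructed): issuers: [{name: incngrnt, zone: incngrnt.ca}, {name: goatchat, zone: goatchat.ca}, ...]
```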


@@ -0,0 +1,5 @@
hetzner:
apiToken: {{ requiredEnv "HETZNER_API_KEY" }}
acme:
email: {{ requiredEnv "ACME_EMAIL" }}


@@ -0,0 +1,27 @@
installCRDs: true
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1
memory: 128Mi
webhook:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 1
memory: 64Mi
cainjector:
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1
memory: 128Mi
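Review bot: `installCRDs: true` is the legacy flag; for the v1.19.2 chart pinned in 01-infrastructure.lock the documented form is `crds: {enabled: true, keep: true}`, which also states explicitly that the CRDs — and with them every Certificate and ClusterIssuer in the cluster — survive a release uninstall. `installCRDs` still works but is marked deprecated, so verify against the chart's values before switching. The resource blocks are otherwise consistent (request ≤ limit on all three components).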


@@ -1,89 +0,0 @@
gitea:
config:
server:
ROOT_URL: https://git.incngrnt.ca/
MINIMUM_KEY_SIZE_CHECK: false
service:
DISABLE_REGISTRATION: true
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
cron:
enabled: true
repository:
DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
additionalConfigFromEnvs:
- name: GITEA__DATABASE__HOST
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: host
- name: GITEA__DATABASE__NAME
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: dbname
- name: GITEA__DATABASE__USER
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: user
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: postgres-pguser-gitea
key: password
strategy:
type: Recreate
ingress:
enabled: true
hosts:
- host: git.incngrnt.ca
paths:
- path: "/"
pathType: Prefix
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
service:
ssh:
type: ClusterIP
port: 22
clusterIP:
actions:
enabled: true
existingSecret: gitea-runner-token
existingSecretKey: token
redis:
enabled: true
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
extraDeploy:
- apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: gitea
labels:
app: gitea
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh
port: 22


@@ -48,8 +48,10 @@ ingress:
paths: paths:
- path: "/" - path: "/"
pathType: Prefix pathType: Prefix
annotations: tls:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" - secretName: git-incngrnt-ca-tls
hosts:
- git.incngrnt.ca
service: service:
ssh: ssh:
@@ -57,18 +59,9 @@ service:
port: 22 port: 22
clusterIP: clusterIP:
actions: valkey:
enabled: true enabled: true
giteaRootURL: https://git.incngrnt.ca valkey-cluster:
existingSecret: gitea-runner-token
existingSecretKey: token
provisioning:
enabled: false
persistence:
enabled: false
redis:
enabled: true
redis-cluster:
enabled: false enabled: false
postgresql: postgresql:
enabled: false enabled: false
@@ -77,6 +70,18 @@ postgresql-ha:
extraDeploy: extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: git-incngrnt-ca
namespace: gitea
spec:
secretName: git-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- git.incngrnt.ca
- apiVersion: traefik.io/v1alpha1 - apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP kind: IngressRouteTCP
metadata: metadata:
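Review bot: The second hunk removes the whole `actions:` block (`enabled: true`, `giteaRootURL`, `existingSecret: gitea-runner-token`, `existingSecretKey: token`) along with the redis→valkey switch, while the commit message only mentions valkey. If Gitea Actions was meant to stay on this is a silent regression and those lines need to come back; if it is intentional, the `gitea-runner-token` secret this referenced presumably still exists in the namespace and can be cleaned up, and the removal deserves a mention in the commit message. The surrounding `service`/`extraDeploy` mappings begin and end outside these hunks.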


@@ -1,199 +0,0 @@
alloy:
clustering:
enabled: true
configMap:
content: |-
logging {
level = "info"
format = "logfmt"
}
discovery.kubernetes "pods" {
role = "pod"
}
discovery.kubernetes "nodes" {
role = "node"
}
discovery.relabel "pods" {
targets = discovery.kubernetes.pods.targets
rule {
source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_container_name"]
separator = "/"
target_label = "deployment_name"
action = "replace"
}
}
loki.source.kubernetes "pods" {
targets = discovery.relabel.pods.output
forward_to = [loki.process.process.receiver]
}
loki.process "process" {
forward_to = [loki.write.loki.receiver]
stage.drop {
older_than = "1h"
drop_counter_reason = "too old"
}
stage.match {
selector = "{instance=~\".*\"}"
stage.json {
expressions = {
level = "\"level\"",
}
}
stage.labels {
values = {
level = "level",
}
}
}
stage.label_drop {
values = [ "job", "service_name" ]
}
}
loki.write "loki" {
endpoint {
url = "http://grafana-loki-distributor:3100/loki/api/v1/push"
}
}
discovery.relabel "metrics" {
targets = discovery.kubernetes.pods.targets
rule {
source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_port"]
target_label = "__meta_kubernetes_pod_container_port_number"
action = "keepequal"
}
rule {
source_labels = ["__meta_kubernetes_pod_container_port_number"]
regex = ""
action = "drop"
}
rule {
source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_path",]
target_label = "__metrics_path__"
separator = ""
action = "replace"
}
}
prometheus.scrape "metrics" {
clustering {
enabled = true
}
targets = discovery.relabel.metrics.output
forward_to = [prometheus.remote_write.metrics.receiver]
scrape_interval = "30s"
}
discovery.relabel "pods_metrics" {
targets = discovery.kubernetes.nodes.targets
rule {
replacement = "kubernetes.default.svc:443"
target_label = "__address__"
}
rule {
regex = "(.+)"
replacement = "/api/v1/nodes/$1/proxy/metrics/cadvisor"
source_labels = ["__meta_kubernetes_node_name"]
target_label = "__metrics_path__"
}
}
prometheus.scrape "pods_metrics" {
clustering {
enabled = true
}
targets = discovery.relabel.pods_metrics.output
job_name = "integrations/kubernetes/kubelet"
scheme = "https"
honor_labels = true
forward_to = [prometheus.remote_write.metrics.receiver]
bearer_token_file = "/run/secrets/kubernetes.io/serviceaccount/token"
tls_config {
insecure_skip_verify = true
server_name = "kubernetes"
}
scrape_interval = "30s"
}
prometheus.exporter.unix "os_metrics" { }
prometheus.scrape "os_metrics" {
clustering {
enabled = true
}
targets = prometheus.exporter.unix.os_metrics.targets
forward_to = [prometheus.remote_write.metrics.receiver]
scrape_interval = "30s"
}
discovery.kubernetes "kube_state_metrics" {
role = "endpoints"
selectors {
role = "endpoints"
label = "app.kubernetes.io/name=kube-state-metrics"
}
namespaces {
names = ["grafana"]
}
}
discovery.relabel "kube_state_metrics" {
targets = discovery.kubernetes.kube_state_metrics.targets
// only keep targets with a matching port name
rule {
source_labels = ["__meta_kubernetes_endpoint_port_name"]
regex = "http"
action = "keep"
}
rule {
action = "replace"
replacement = "kubernetes"
target_label = "source"
}
}
prometheus.scrape "kube_state_metrics" {
targets = discovery.relabel.kube_state_metrics.output
job_name = "integrations/kubernetes/kube-state-metrics"
scrape_interval = "30s"
scheme = "http"
bearer_token_file = ""
tls_config {
insecure_skip_verify = true
}
clustering {
enabled = true
}
forward_to = [prometheus.relabel.kube_state_metrics.receiver]
}
prometheus.relabel "kube_state_metrics" {
max_cache_size = 100000
rule {
source_labels = ["__name__"]
regex = "up|scrape_samples_scraped|kube_configmap_info|kube_configmap_metadata_resource_version|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_condition|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_access_mode|kube_persistentvolumeclaim_info|kube_persistentvolumeclaim_labels|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_persistentvolumeclaim_status_phase|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_spec_volumes_persistentvolumeclaims_info|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_secret_metadata_resource_version|kube_statefulset.*"
action = "keep"
}
forward_to = [prometheus.remote_write.metrics.receiver]
}
prometheus.remote_write "metrics" {
endpoint {
url = "http://grafana-mimir-nginx/api/v1/push"
}
}
resources:
requests:
cpu: 1m
memory: 5Mi
limits:
cpu: 1
memory: 400Mi


@@ -1,19 +0,0 @@
grafana:
ingress:
enabled: true
hosts:
- watcher.incngrnt.ca
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
persistence:
enabled: true
mimir:
mimir:
structuredConfig:
limits:
compactor_blocks_retention_period: 2h
ingester:
persistentVolume:
size: 5Gi


@@ -1,16 +1,22 @@
version: 0.170.1 version: 1.2.3
dependencies: dependencies:
- name: rook-ceph - name: cert-manager
repository: https://charts.rook.io/release repository: https://charts.jetstack.io
version: v1.18.7 version: v1.19.2
- name: rook-ceph-cluster - name: cert-manager-webhook-hetzner
repository: https://charts.rook.io/release repository: https://vadimkim.github.io/cert-manager-webhook-hetzner
version: v1.18.7 version: 1.4.2
- name: tailscale-operator - name: rook-ceph
repository: https://pkgs.tailscale.com/helmcharts repository: https://charts.rook.io/release
version: 1.90.9 version: v1.18.8
- name: traefik - name: rook-ceph-cluster
repository: https://traefik.github.io/charts repository: https://charts.rook.io/release
version: 37.4.0 version: v1.18.8
digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49 - name: tailscale-operator
generated: "2025-11-25T20:30:30.565674799-07:00" repository: https://pkgs.tailscale.com/helmcharts
version: 1.92.4
- name: traefik
repository: https://traefik.github.io/charts
version: 38.0.1
digest: sha256:3297bc0c10765abe170881882f7daf441a4dd735ed0ee7d1f4233692e8888c3c
generated: "2025-12-23T10:31:34.409765694-07:00"


@@ -5,35 +5,50 @@ repositories:
url: https://traefik.github.io/charts url: https://traefik.github.io/charts
- name: tailscale - name: tailscale
url: https://pkgs.tailscale.com/helmcharts url: https://pkgs.tailscale.com/helmcharts
- name: jetstack
url: https://charts.jetstack.io
- name: cert-manager-webhook-hetzner
url: https://vadimkim.github.io/cert-manager-webhook-hetzner
lockFilePath: ./helmfile.d/01-infrastructure.lock
releases: releases:
# networking # networking
- name: metallb - name: metallb
namespace: metallb-system namespace: metallb-system
createNamespace: true createNamespace: true
chart: ../metallb chart: ../metallb
values:
- ../metallb/values.yaml.gotmpl
- name: cert-manager
namespace: cert-manager
createNamespace: true
chart: jetstack/cert-manager
values:
- ../cert-manager/values.yaml.gotmpl
- name: cert-manager-webhook-hetzner
namespace: cert-manager
createNamespace: true
chart: cert-manager-webhook-hetzner/cert-manager-webhook-hetzner
values:
- ../cert-manager-hetzner-webhook/values.yaml.gotmpl
- name: cert-manager-issuers
namespace: cert-manager
createNamespace: true
chart: ../cert-manager-issuers
values:
- ../cert-manager-issuers/values.yaml.gotmpl
- name: traefik - name: traefik
namespace: traefik namespace: traefik
createNamespace: true createNamespace: true
chart: traefik/traefik chart: traefik/traefik
values: values:
- ../traefik/values.yaml - ../traefik/values.yaml.gotmpl
setString:
- name: certificatesResolvers.letsencrypt.acme.email
value: {{ requiredEnv "ACME_EMAIL" }}
- name: extraObjects[0].stringData.password
value: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- name: tailscale-operator - name: tailscale-operator
namespace: tailscale namespace: tailscale
createNamespace: true createNamespace: true
chart: tailscale/tailscale-operator chart: tailscale/tailscale-operator
values: values:
- ../tailscale/values.yaml - ../tailscale/values.yaml.gotmpl
setString:
- name: oauth.clientId
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
- name: oauth.clientSecret
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}
# storage infrastructure # storage infrastructure
- name: rook-ceph - name: rook-ceph
@@ -41,13 +56,13 @@ releases:
createNamespace: true createNamespace: true
chart: rook-release/rook-ceph chart: rook-release/rook-ceph
values: values:
- ../rook-ceph/values.yaml - ../rook-ceph/values.yaml.gotmpl
- name: rook-ceph-cluster - name: rook-ceph-cluster
namespace: rook-ceph namespace: rook-ceph
createNamespace: true createNamespace: true
chart: rook-release/rook-ceph-cluster chart: rook-release/rook-ceph-cluster
values: values:
- ../rook-ceph-cluster/values.yaml - ../rook-ceph-cluster/values.yaml.gotmpl
set: set:
- name: operatorNamespace - name: operatorNamespace
value: rook-ceph value: rook-ceph
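Review bot: The new `cert-manager-issuers` release renders ClusterIssuer objects, which need the cert-manager CRDs and the hetzner webhook to be installed first, but none of the three new releases declares `needs:`; with helmfile's default concurrency (and on a fresh cluster in any case) the apply can fail with an unknown-kind error before cert-manager is up. Add `needs: [cert-manager/cert-manager, cert-manager/cert-manager-webhook-hetzner]` to the cert-manager-issuers release and `needs: [cert-manager/cert-manager]` to the webhook release so helmfile orders them. The Certificate objects added in the 03-apps values files rely on this file being applied first, which the helmfile.d ordering presumably provides.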


@@ -1,16 +1,16 @@
version: 0.170.1 version: 1.2.3
dependencies: dependencies:
- name: k8up - name: k8up
repository: https://k8up-io.github.io/k8up repository: https://k8up-io.github.io/k8up
version: 4.8.6 version: 4.8.6
- name: mariadb - name: mariadb
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
version: 24.0.0 version: 24.0.2
- name: pgo - name: pgo
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.8.1 version: 5.8.1
- name: postgrescluster - name: postgrescluster
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.7.4 version: 5.7.4
digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde digest: sha256:f8989df670b3574b6d87438486b66fdaf44bc1ed379d3a98e00963a27703003a
generated: "2025-11-25T20:31:00.986270323-07:00" generated: "2025-12-14T14:14:05.060998516-07:00"


@@ -6,6 +6,7 @@ repositories:
- name: k8up-io - name: k8up-io
url: https://k8up-io.github.io/k8up url: https://k8up-io.github.io/k8up
lockFilePath: ./helmfile.d/02-datastore.lock
releases: releases:
# data storage # data storage
- name: pgo - name: pgo
@@ -13,29 +14,19 @@ releases:
createNamespace: true createNamespace: true
chart: crunchydata/pgo chart: crunchydata/pgo
values: values:
- ../postgres/operator-values.yaml - ../postgres/operator-values.yaml.gotmpl
- name: postgres - name: postgres
namespace: datastore namespace: datastore
createNamespace: true createNamespace: true
chart: crunchydata/postgrescluster chart: crunchydata/postgrescluster
values: values:
- ../postgres/values.yaml - ../postgres/values.yaml.gotmpl
setString:
- name: pgBackRestConfig.global.repo1-s3-key
value: '{{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}'
- name: pgBackRestConfig.global.repo1-s3-key-secret
value: '{{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}'
- name: pgBackRestConfig.global.repo1-cipher-pass
value: '{{ requiredEnv "PG_BACKREST_PASSWORD" }}'
- name: mariadb - name: mariadb
namespace: datastore namespace: datastore
createNamespace: true createNamespace: true
chart: bitnami/mariadb chart: bitnami/mariadb
values: values:
- ../mariadb/values.yaml - ../mariadb/values.yaml.gotmpl
setString:
- name: auth.rootPassword
value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
# backup infrastructure # backup infrastructure
- name: k8up - name: k8up
@@ -43,4 +34,4 @@ releases:
createNamespace: true createNamespace: true
chart: k8up-io/k8up chart: k8up-io/k8up
values: values:
- ../k8up/values.yaml - ../k8up/values.yaml.gotmpl


@@ -1,34 +1,37 @@
version: 0.170.1 version: 1.2.3
dependencies: dependencies:
- name: ghost - name: ghost
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
version: 25.0.4 version: 25.0.4
- name: ghost - name: ghost
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
version: 25.0.4 version: 25.0.4
- name: immich - name: gitea
repository: https://immich-app.github.io/immich-charts repository: https://dl.gitea.io/charts
version: 0.10.3 version: 12.4.0
- name: k8up-backup - name: immich
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: https://immich-app.github.io/immich-charts
version: 0.0.3 version: 0.10.3
- name: k8up-backup - name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3 version: 0.0.3
- name: k8up-backup - name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3 version: 0.0.3
- name: k8up-backup - name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3 version: 0.0.3
- name: matrix-registration - name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.1.0 version: 0.0.3
- name: matrix-synapse - name: matrix-registration
repository: https://ananace.gitlab.io/charts repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 3.12.16 version: 0.1.0
- name: static-site - name: matrix-synapse
repository: git+https://github.com/cfpb/static-site@charts?ref=main repository: https://ananace.gitlab.io/charts
version: 0.1.1 version: 3.12.17
digest: sha256:59866b3b160d35756885a2db0a3344bba48161e5ba6935350286f9a754b8b219 - name: static-site
generated: "2025-11-25T20:31:24.531424306-07:00" repository: git+https://github.com/cfpb/static-site@charts?ref=main
version: 0.1.1
digest: sha256:b44d082b71203ca6bb4fd881d8c6ce71575db556f432bbcc46078a535c8cd9c3
generated: "2025-12-23T10:31:37.404126839-07:00"


@@ -12,6 +12,7 @@ repositories:
- name: incngrnt - name: incngrnt
url: git+https://git.incngrnt.ca/grant/charts@charts?ref=main url: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
lockFilePath: ./helmfile.d/03-apps.lock
releases: releases:
# goatchat matrix # goatchat matrix
- name: goatchat - name: goatchat
@@ -40,7 +41,7 @@ releases:
createNamespace: true createNamespace: true
chart: static-site/static-site chart: static-site/static-site
values: values:
- ../incngrnt-web/values.yaml - ../incngrnt-web/values.yaml.gotmpl
# ghost blogs # ghost blogs
- name: kgnot-ghost - name: kgnot-ghost
namespace: ghost namespace: ghost
@@ -56,12 +57,12 @@ releases:
- ../53ll/values.yaml.gotmpl - ../53ll/values.yaml.gotmpl
# dev tools # dev tools
# - name: gitea - name: gitea
# namespace: gitea namespace: gitea
# createNamespace: true createNamespace: true
# chart: gitea/gitea chart: gitea/gitea
# values: values:
# - ../gitea/values.yaml.gotmpl - ../gitea/values.yaml.gotmpl
# backups # backups
- name: ghost-backup - name: ghost-backup


@@ -1,13 +0,0 @@
version: 0.170.1
dependencies:
- name: alloy
repository: https://grafana.github.io/helm-charts
version: 1.4.0
- name: kube-state-metrics
repository: https://prometheus-community.github.io/helm-charts
version: 6.4.2
- name: lgtm-distributed
repository: https://grafana.github.io/helm-charts
version: 3.0.1
digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b
generated: "2025-11-25T20:31:47.82049253-07:00"


@@ -1,27 +0,0 @@
repositories:
- name: grafana
url: https://grafana.github.io/helm-charts
- name: prometheus-community
url: https://prometheus-community.github.io/helm-charts
releases:
# monitoring
- name: grafana
namespace: grafana
installed: false
createNamespace: true
chart: grafana/lgtm-distributed
values:
- ../grafana/values.yaml
- name: alloy
namespace: grafana
installed: false
createNamespace: true
chart: grafana/alloy
values:
- ../grafana/alloy_values.yaml
- name: kube-state-metrics
namespace: grafana
installed: false
createNamespace: true
chart: prometheus-community/kube-state-metrics


@@ -3,7 +3,7 @@ controllers:
containers: containers:
main: main:
image: image:
tag: v2.3.1 tag: v2.4.1
env: env:
DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }} DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
@@ -26,8 +26,10 @@ valkey:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 64Mi
limits: limits:
cpu: 1 cpu: 1
memory: 32Mi
server: server:
enabled: true enabled: true
@@ -39,13 +41,17 @@ server:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 256Mi
limits: limits:
cpu: 1 cpu: 1
memory: 700Mi
ingress: ingress:
main: main:
enabled: true enabled: true
annotations: tls:
traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt" - secretName: photos-incngrnt-ca-tls
hosts:
- photos.incngrnt.ca
hosts: hosts:
- host: photos.incngrnt.ca - host: photos.incngrnt.ca
paths: paths:
@@ -62,5 +68,9 @@ machine-learning:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 128Mi
limits: limits:
cpu: 1 cpu: 1
memory: 1Gi
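Review bot: In the valkey block (second hunk) the new `memory: 64Mi` request is larger than the new `memory: 32Mi` limit; Kubernetes rejects a container whose request exceeds its limit, so the pod is never created — presumably the two values are swapped, `requests.memory: 32Mi` / `limits.memory: 64Mi`. The rook-ceph-cluster section has the same inversion on `mon` (`requests.memory: 256Mi`, new `limits.memory: 64Mi`). Separately, the new `tls` entry references `photos-incngrnt-ca-tls` and nothing in this hunk creates that secret; unless a Certificate for it exists elsewhere, TLS on this ingress will not come up (the same question applies to `incngrnt-ca-tls` in the incngrnt-web section).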


@@ -3,12 +3,23 @@ init:
wget: wget:
url: https://git.incngrnt.ca/grant/incngrnt/releases/download/v0.0.8/v0.0.8.tar url: https://git.incngrnt.ca/grant/incngrnt/releases/download/v0.0.8/v0.0.8.tar
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 500m
memory: 32Mi
ingress: ingress:
enabled: true enabled: true
annotations: tls:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" - secretName: incngrnt-ca-tls
hosts:
- incngrnt.ca
hosts: hosts:
- host: incngrnt.ca - host: incngrnt.ca
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific


@@ -1,11 +1,11 @@
update: update:
bws run 'helmfile deps' bws run 'helmfile deps'
deploy ARGS='--output simple -i': deploy ARGS='':
bws run 'helmfile apply {{ARGS}}' bws run 'helmfile apply --output simple --skip-deps {{ARGS}}'
diff ARGS='': diff ARGS='':
bws run 'helmfile diff --output dyff {{ARGS}}' bws run 'helmfile diff --output dyff --skip-deps {{ARGS}}'
cleanuppods: cleanuppods:
#!/bin/bash #!/bin/bash
@@ -38,3 +38,17 @@ goatchat-register-review:
bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \ bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
https://goatchat.ca/gate/api/token' | jq https://goatchat.ca/gate/api/token' | jq
refresh-client-cert:
#!/bin/bash
yq -r .machine.ca.crt controlplane.yaml | base64 -d > ca.crt
yq -r .machine.ca.key controlplane.yaml | base64 -d > ca.key
talosctl gen key --name admin
talosctl gen csr --key admin.key --ip 127.0.0.1
talosctl gen crt --ca ca --csr admin.csr --name admin
yq -i '.contexts.fog.ca = "'"$(base64 -w0 ca.crt)"\
'" | .contexts.fog.crt = "'"$(base64 -w0 admin.crt)"\
'" | .contexts.fog.key = "'"$(base64 -w0 admin.key)"'"' \
.config/talosconfig
talosctl kubeconfig .config/kubeconfig -n 192.168.1.43
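Review bot: `refresh-client-cert` decodes the Talos machine CA private key into `ca.key` in the repository root and leaves it there, together with `admin.key`, `admin.csr`, `admin.crt` and `ca.crt`, after the run; the recipe also runs without `set -e`, so a failed `yq` or `talosctl gen` step still reaches the `yq -i` that writes whatever `base64` produced (possibly empty strings) into `.config/talosconfig`. Work in a `mktemp -d` directory removed by an EXIT trap and fail on the first error, as below. The `192.168.1.43` address and the `fog` context name are hardcoded here; a recipe parameter would keep them in one place if they are used by other recipes.
```shell
refresh-client-cert:
  #!/bin/bash
  set -euo pipefail
  work="$(mktemp -d)"
  trap 'rm -rf "$work"' EXIT
  yq -r .machine.ca.crt controlplane.yaml | base64 -d > "$work/ca.crt"
  yq -r .machine.ca.key controlplane.yaml | base64 -d > "$work/ca.key"
  (
    cd "$work"
    talosctl gen key --name admin
    talosctl gen csr --key admin.key --ip 127.0.0.1
    talosctl gen crt --ca ca --csr admin.csr --name admin
  )
  yq -i '.contexts.fog.ca = "'"$(base64 -w0 "$work/ca.crt")"\
  '" | .contexts.fog.crt = "'"$(base64 -w0 "$work/admin.crt")"\
  '" | .contexts.fog.key = "'"$(base64 -w0 "$work/admin.key")"'"' \
  .config/talosconfig
  # … unchanged: talosctl kubeconfig …
```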


@@ -6,3 +6,11 @@ credentials:
key: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }} key: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
repoPassword: {{ requiredEnv "k8UP_REPO_PASSWORD" }} repoPassword: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 128Mi


@@ -1,4 +0,0 @@
k8up:
envVars:
- name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
values: 1

11
k8up/values.yaml.gotmpl Normal file

@@ -0,0 +1,11 @@
k8up:
envVars:
- name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
values: 1
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 64Mi
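Review bot: `values: 1` under `envVars` is almost certainly meant to be `value: "1"` — a container env entry has `name`/`value`, so `values` is an unknown field that the API server drops with a warning (or rejects under strict field validation), and an env value must be a string rather than the integer 1. The line was carried over from the deleted k8up/values.yaml, so `BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT` has presumably never reached the operator; worth checking on the running pod. This assumes the chart passes `envVars` straight through to the container env list.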


@@ -1,54 +0,0 @@
image:
debug: true
ghostBlogTitle: K&G Tie the Kgnot
ghostHost: https://kgnot.ca
ghostUsername: # set through cli args
existingSecret: ghost-kgnot-user-secret
allowEmptyPassword: false
readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
persistence:
size: 1Gi
smtpHost: "smtp.sendgrid.net"
smtpPort: 465
smtpUser: "apikey"
smtpService: "SendGrid"
smtpProtocol: "tls"
smtpExistingSecret: kgnot-smtp-password
mysql:
enabled: false
externalDatabase:
host: mariadb.datastore.svc.cluster.local
user: kgnot_ghost
database: kgnot_ghost
existingSecret: ghost-kgnot-db-secret
updateStrategy:
type: Recreate
service:
type: ClusterIP
ingress:
enabled: true
hostname: kgnot.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"


@@ -13,14 +13,14 @@ readinessProbe:
enabled: false enabled: false
resources: resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests: requests:
cpu: 10m cpu: 10m
ephemeral-storage: 50Mi ephemeral-storage: 50Mi
memory: 128Mi memory: 64Mi
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 350Mi
persistence: persistence:
size: 1Gi size: 1Gi
@@ -50,5 +50,21 @@ ingress:
enabled: true enabled: true
hostname: kgnot.ca hostname: kgnot.ca
tls: true tls: true
annotations: extraTls:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" - secretName: kgnot-ca-tls
hosts:
- kgnot.ca
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kgnot-ca
namespace: ghost
spec:
secretName: kgnot-ca-tls
issuerRef:
name: letsencrypt-kgnot
kind: ClusterIssuer
dnsNames:
- kgnot.ca


@@ -1,14 +0,0 @@
persistent:
size: 5Gi
primary:
resources:
limits:
cpu: 375m
ephemeral-storage: 2Gi
memory: 384Mi
requests:
cpu: 50m
ephemeral-storage: 50Mi
memory: 256Mi


@@ -0,0 +1,16 @@
auth:
rootPassword: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
persistent:
size: 5Gi
primary:
resources:
requests:
cpu: 50m
ephemeral-storage: 50Mi
memory: 96Mi
limits:
cpu: 1
ephemeral-storage: 2Gi
memory: 192Mi
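Review bot: The top-level `persistent: size: 5Gi` (carried over from the deleted mariadb values.yaml) does not match the bitnami mariadb chart's key, which is `primary.persistence.size`; if that is the chart in use, the PVC is created with the chart default and the 5Gi is silently ignored. Confirm with `helm template` output and, if so, move it to `primary: persistence: size: 5Gi`. The `rootPassword` quoting issue is noted on the cert-manager-hetzner-webhook section.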


@@ -1,5 +0,0 @@
serverLocation: http://goatchat-matrix-synapse:8008
serverName: goatchat.ca
serverBaseUrl: /gate
registrationSharedSecret: # set through cli
adminApiSharedSecret: # set through cli


@@ -3,3 +3,11 @@ serverName: goatchat.ca
serverBaseUrl: /gate serverBaseUrl: /gate
registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }} registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }} adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }}
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 64Mi



@@ -0,0 +1,17 @@
controller:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 500m
memory: 64Mi
speaker:
resources:
requests:
cpu: 10m
memory: 48Mi
limits:
cpu: 500m
memory: 96Mi


@@ -1,2 +0,0 @@
pgoControllerLeaseName: ''
replicas: 1


@@ -0,0 +1,10 @@
pgoControllerLeaseName: ''
replicas: 1
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 160Mi


@@ -1,5 +1,21 @@
instanceSize: 50Gi instanceSize: 50Gi
instanceMemory: 1Gi
instanceCPU: 2
instances:
- name: instance1
resources:
requests:
cpu: 100m
memory: 192Mi
limits:
cpu: 2
memory: 1Gi
dataVolumeClaimSpec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 50Gi
patroni: patroni:
dynamicConfiguration: dynamicConfiguration:
postgresql: postgresql:
@@ -33,6 +49,9 @@ pgBackRestConfig:
repo1-path: /pgbackrest/datastore/postgres/repo1 repo1-path: /pgbackrest/datastore/postgres/repo1
repo1-retention-full: "10" repo1-retention-full: "10"
repo1-retention-full-type: count repo1-retention-full-type: count
repo1-s3-key: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
repo1-s3-key-secret: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
repo1-cipher-pass: {{ requiredEnv "PG_BACKREST_PASSWORD" }}
repos: repos:
- name: repo1 - name: repo1
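Review bot: `instanceSize: 50Gi` is kept on the first line while the new `instances` entry carries its own `dataVolumeClaimSpec.resources.requests.storage: 50Gi`, so the same size now lives in two places. If the chart gives the explicit `instances` list precedence over the single-instance shortcut keys (which dropping `instanceMemory`/`instanceCPU` suggests), `instanceSize` is dead configuration that will silently drift from the real claim; remove it, or keep it with a comment naming which value is authoritative. The memory range is also wide (192Mi request, 1Gi limit) for a database that is OOM-killed at the limit, so the patroni `postgresql` parameters that follow (continuing outside the hunk) should be checked against the 1Gi limit rather than the request.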


@@ -6,6 +6,8 @@ cephClusterSpec:
useAllNodes: true useAllNodes: true
useAllDevices: false useAllDevices: false
deviceFilter: "^sda" deviceFilter: "^sda"
config:
osd_memory_target: "1073741824" # 1GB per OSD to maintain 70% node capacity
resources: resources:
mgr: mgr:
requests: requests:
@@ -13,18 +15,21 @@ cephClusterSpec:
memory: 256Mi memory: 256Mi
limits: limits:
cpu: "1" cpu: "1"
memory: 704Mi
mon: mon:
requests: requests:
cpu: 100m cpu: 100m
memory: 256Mi memory: 256Mi
limits: limits:
cpu: "1" cpu: "1"
memory: 64Mi
osd: osd:
requests: requests:
cpu: 100m cpu: 100m
memory: 256Mi memory: 896Mi
limits: limits:
cpu: "1" cpu: "1"
memory: 1280Mi
ingress: ingress:
dashboard: dashboard:
@@ -32,10 +37,27 @@ ingress:
name: fog.incngrnt.ca name: fog.incngrnt.ca
path: /fog/ceph path: /fog/ceph
pathType: Prefix pathType: Prefix
tls:
- secretName: fog-incngrnt-ca-tls
hosts:
- fog.incngrnt.ca
annotations: annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
"traefik.ingress.kubernetes.io/router.middlewares": "rook-ceph-ceph-stripprefix@kubernetescrd" "traefik.ingress.kubernetes.io/router.middlewares": "rook-ceph-ceph-stripprefix@kubernetescrd"
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fog-ceph-incngrnt-ca
namespace: rook-ceph
spec:
secretName: fog-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- fog.incngrnt.ca
cephFileSystems: cephFileSystems:
- name: ceph-filesystem - name: ceph-filesystem
# see https://github.com/rook/rook/blob/master/Documentation/ceph-filesystem-crd.md#filesystem-settings for available configuration # see https://github.com/rook/rook/blob/master/Documentation/ceph-filesystem-crd.md#filesystem-settings for available configuration
@@ -55,9 +77,10 @@ cephFileSystems:
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
memory: 256Mi memory: 64Mi
limit: limits:
cpu: "1" cpu: "1"
memory: 32Mi
storageClass: storageClass:
enabled: true enabled: true
isDefault: false isDefault: false
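Review bot: The new mon limit `memory: 64Mi` sits under a request of `memory: 256Mi`, and in the last hunk the MDS `limits` block adds `memory: 32Mi` under a request of `memory: 64Mi`; Kubernetes requires a container's limit to be at least its request, so the API server will reject those pod specs and Rook cannot roll out the mon and MDS deployments. Either swap the values if request and limit were transposed, or raise the limits — e.g. mon `memory: 512Mi` and MDS `memory: 128Mi` — keeping limit ≥ request as the other components here already do (mgr 256Mi/704Mi, osd 896Mi/1280Mi). Note that the `limit:` → `limits:` rename in the MDS block is what makes the previously ignored key take effect, so the 32Mi value bites only after this commit. `osd_memory_target` at 1073741824 (~1024Mi) against the 1280Mi osd limit leaves headroom and looks consistent.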


@@ -2,3 +2,6 @@ resources:
requests: requests:
cpu: 100m cpu: 100m
memory: 128Mi memory: 128Mi
limits:
cpu: 1
memory: 300Mi


@@ -1,84 +0,0 @@
serverName: 'goatchat.ca'
publicServerName: 'goatchat.ca'
wellknown:
enabled: true
signingkey:
job:
enabled: false
existingSecret: goatchatca-signingkey
existingSecretKey: signing.key
synapse:
strategy:
type: Recreate
resources:
requests:
cpu: 10m
memory: 160Mi
limits:
cpu: '1'
memory: 320Mi
config:
macaroonSecretKey: # set through cli args
registrationSharedSecret: # set through cli args
extraConfig:
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
max_upload_size: 100M
email:
enable_notifs: true
smtp_host: "smtp.sendgrid.net"
smtp_port: 587
smtp_user: "apikey"
smtp_pass: # set through cli args
require_transport_security: true
notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
app_name: Goatchat
validation_token_lifetime: 1h
user_directory:
enabled: true
search_all_users: true
prefer_local_users: true
server_notices:
system_mxid_localpart: notices
system_mxid_display_name: "Screaming Goat"
system_mxid_avatar_url: ""
room_name: "Goatchat Notices"
room_avatar_url: ""
room_topic: "Room used by your server admin to notify you of important information"
auto_join: true
ingress:
traefikPaths: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
persistence:
size: 30Gi
postgresql:
enabled: false
externalPostgresql:
host: postgres-primary.datastore.svc
existingSecret: postgres-pguser-synapse
existingSecretPasswordKey: password


@@ -16,10 +16,10 @@ synapse:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 160Mi memory: 128Mi
limits: limits:
cpu: '1' cpu: '1'
memory: 320Mi memory: 256Mi
config: config:
macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }} macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
@@ -69,8 +69,10 @@ extraConfig:
ingress: ingress:
traefikPaths: true traefikPaths: true
annotations: tls:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" - secretName: goatchat-ca-tls
hosts:
- goatchat.ca
persistence: persistence:
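Review bot: The ingress now references `secretName: goatchat-ca-tls`, but the Certificate that produces that secret is defined in the traefik release's `extraObjects` (the `goatchat-ca` Certificate in namespace `goatchat`, further down in this compare), not alongside this ingress — unlike the kgnot and rook-ceph changes, which create theirs via `extraDeploy` in their own release. That couples this release to the traefik one for ordering (Traefik typically serves its default certificate while the referenced secret does not exist) and hides the dependency from anyone reading this file. Consider moving the Certificate into this chart's equivalent of `extraDeploy`, or at least add a comment above `tls:` such as `# goatchat-ca-tls is issued by the cert-manager Certificate in the traefik release's extraObjects`. The ingress block continues outside the hunk.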


@@ -1,4 +0,0 @@
operatorConfig:
extraEnv:
- name: PROXY_PRIORITY_CLASS_NAME
value: critical


@@ -3,6 +3,14 @@ operatorConfig:
- name: PROXY_PRIORITY_CLASS_NAME - name: PROXY_PRIORITY_CLASS_NAME
value: critical value: critical
resources:
requests:
cpu: 10m
memory: 48Mi
limits:
cpu: 500m
memory: 64Mi
oauth: oauth:
clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }} clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }} clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}


@@ -1,102 +0,0 @@
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
volumeMounts:
- name: data
mountPath: /data
updateStrategy:
type: Recreate
env:
- name: HETZNER_API_KEY
valueFrom:
secretKeyRef:
name: hetzner-api-key
key: token
additionalArguments:
- "--api.basePath=/fog/traefik"
persistence:
enabled: true
logs:
format: json
access:
enabled: true
format: json
service:
spec:
externalTrafficPolicy: Local
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
entryPoints: ["websecure"]
middlewares:
- name: traefik-dashboard-auth
tls:
certResolver: letsencrypt
ports:
websecure:
middlewares:
- traefik-rate-limit@kubernetescrd
web:
middlewares:
- traefik-redirectscheme@kubernetescrd
ssh:
port: 2222
expose:
default: true
exposedPort: 2222
protocol: TCP
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: # set through cli args
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirectscheme
spec:
redirectScheme:
scheme: https
permanent: true
certificatesResolvers:
letsencrypt:
acme:
dnschallenge:
provider: hetzner
delaybeforecheck: 30
email: # set through cli args
storage: /data/acme.json


@@ -1,27 +1,42 @@
deployment: deployment:
initContainers: replicas: 2
- name: volume-permissions
image: busybox:latest resources:
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] requests:
volumeMounts: cpu: 50m
- name: data memory: 64Mi
mountPath: /data limits:
cpu: 1
memory: 128Mi
updateStrategy: updateStrategy:
type: Recreate type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 1
env: podDisruptionBudget:
- name: HETZNER_API_KEY enabled: true
valueFrom: minAvailable: 1
secretKeyRef:
name: hetzner-api-key affinity:
key: token podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- traefik
topologyKey: kubernetes.io/hostname
additionalArguments: additionalArguments:
- "--api.basePath=/fog/traefik" - "--api.basePath=/fog/traefik"
persistence: persistence:
enabled: true enabled: false
logs: logs:
format: json format: json
@@ -41,7 +56,7 @@ ingressRoute:
middlewares: middlewares:
- name: traefik-dashboard-auth - name: traefik-dashboard-auth
tls: tls:
certResolver: letsencrypt secretName: fog-incngrnt-ca-tls
ports: ports:
websecure: websecure:
@@ -91,12 +106,53 @@ extraObjects:
redirectScheme: redirectScheme:
scheme: https scheme: https
permanent: true permanent: true
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fog-incngrnt-ca
namespace: traefik
spec:
secretName: fog-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- fog.incngrnt.ca
certificatesResolvers: # other certs
letsencrypt: - apiVersion: cert-manager.io/v1
acme: kind: Certificate
dnschallenge: metadata:
provider: hetzner name: goatchat-ca
delaybeforecheck: 30 namespace: goatchat
email: {{ requiredEnv "ACME_EMAIL" }} spec:
storage: /data/acme.json secretName: goatchat-ca-tls
issuerRef:
name: letsencrypt-goatchat
kind: ClusterIssuer
dnsNames:
- goatchat.ca
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: incngrnt-ca
namespace: incngrnt-web
spec:
secretName: incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- incngrnt.ca
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: photos-incngrnt-ca
namespace: immich
spec:
secretName: photos-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- photos.incngrnt.ca