grant/fog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: grant:bbd382c667368a29d86dd058c844ed4599056acf
Branches Tags
grant:main
...
compare: grant:main
Branches Tags
grant:main

17 Commits
bbd382c667 ... main

Author SHA1 Message Date
Grant Hunter
b518b96a6d increase postgres memory 2026-01-01 15:20:33 -07:00
Grant Hunter
dff2f4871e add just command to refresh client cert 2026-01-01 15:20:06 -07:00
Grant Hunter
6117c9d826 simplify helm deploy args 2025-12-23 10:45:11 -07:00
Grant Hunter
d9a9187607 bump versions 2025-12-23 10:45:02 -07:00
Grant Hunter
2eb738325b switch gitea to single valkey instance 2025-12-14 22:35:26 -07:00
Grant Hunter
c28540cd44 update certs 2025-12-14 22:27:45 -07:00
Grant Hunter
e733a2584b bump version add skip-deps for speed 2025-12-14 13:03:49 -07:00
Grant Hunter
149506224f update mem limit 2025-12-08 09:11:54 -07:00
Grant Hunter
708efca878 set memory limits 2025-12-07 15:25:24 -07:00
Grant Hunter
6d604c269d update ceph limits 2025-12-07 14:01:39 -07:00
Grant Hunter
8bdff3bcea remove grafana 2025-12-07 13:46:33 -07:00
Grant Hunter
87a5a3a1ab bump versions 2025-12-07 13:27:28 -07:00
Grant Hunter
6b3eb79f88 remove old values.yaml 2025-12-07 13:16:22 -07:00
Grant Hunter
332f776c4f update to gotmpl 2025-12-07 13:14:48 -07:00
Grant Hunter
6aa777f880 update gitignore 2025-12-07 12:50:24 -07:00
Grant Hunter
2a7521e474 add talos upgrade just command 2025-11-25 22:17:56 -07:00
Grant Hunter
83eedaa96e bump version 2025-11-25 21:48:13 -07:00
41 changed files with 722 additions and 564 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -15,3 +15,6 @@ kgnot/config.production.json
*.key
*.pub
.envrc
.config

31
53ll/values.yaml → 53ll/values.yaml.gotmpl
View File

@@ -3,7 +3,7 @@ image:
ghostBlogTitle: 53rd Parallel Photography
ghostHost: https://53ll.ca
ghostUsername: # set through cli args
ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
existingSecret: ghost-53ll-user-secret
allowEmptyPassword: false
@@ -13,14 +13,14 @@ readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
memory: 64Mi
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 224Mi
persistence:
size: 1Gi
@@ -48,6 +48,21 @@ ingress:
enabled: true
hostname: 53ll.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
extraTls:
- secretName: 53ll-ca-tls
hosts:
- 53ll.ca
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: 53ll-ca
namespace: ghost
spec:
secretName: 53ll-ca-tls
issuerRef:
name: letsencrypt-53ll
kind: ClusterIssuer
dnsNames:
- 53ll.ca

11
cert-manager-hetzner-webhook/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,11 @@
groupName: acme.hetzner.com
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
secretName:
- hetzner-dns-credentials
secrets:
apiToken: {{ requiredEnv "HETZNER_API_KEY" }}

5
cert-manager-issuers/Chart.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: v2
name: cert-manager-issuers
description: cert-manager ClusterIssuers for Let's Encrypt
type: application
version: 0.1.0

88
cert-manager-issuers/templates/clusterissuers.yaml Normal file
View File

@@ -0,0 +1,88 @@
apiVersion: v1
kind: Secret
metadata:
name: hetzner-dns-credentials
namespace: cert-manager
type: Opaque
stringData:
api-key: {{ .Values.hetzner.apiToken }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-incngrnt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-incngrnt-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: incngrnt.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-goatchat
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-goatchat-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: goatchat.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-53ll
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-53ll-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: 53ll.ca
apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-kgnot
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.acme.email }}
privateKeySecretRef:
name: letsencrypt-kgnot-private-key
solvers:
- dns01:
webhook:
groupName: acme.hetzner.com
solverName: hetzner
config:
secretName: hetzner-dns-credentials
zoneName: kgnot.ca
apiUrl: https://dns.hetzner.com/api/v1

5
cert-manager-issuers/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,5 @@
hetzner:
apiToken: {{ requiredEnv "HETZNER_API_KEY" }}
acme:
email: {{ requiredEnv "ACME_EMAIL" }}

27
cert-manager/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,27 @@
installCRDs: true
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1
memory: 128Mi
webhook:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 1
memory: 64Mi
cainjector:
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1
memory: 128Mi

30
gitea/values.yaml → gitea/values.yaml.gotmpl
View File

@@ -35,6 +35,8 @@ gitea:
secretKeyRef:
name: postgres-pguser-gitea
key: password
admin:
password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
strategy:
type: Recreate
@@ -46,8 +48,10 @@ ingress:
paths:
- path: "/"
pathType: Prefix
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
tls:
- secretName: git-incngrnt-ca-tls
hosts:
- git.incngrnt.ca
service:
ssh:
@@ -55,14 +59,9 @@ service:
port: 22
clusterIP:
actions:
valkey:
enabled: true
existingSecret: gitea-runner-token
existingSecretKey: token
redis:
enabled: true
redis-cluster:
valkey-cluster:
enabled: false
postgresql:
enabled: false
@@ -71,6 +70,18 @@ postgresql-ha:
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: git-incngrnt-ca
namespace: gitea
spec:
secretName: git-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- git.incngrnt.ca
- apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
@@ -86,4 +97,3 @@ extraDeploy:
services:
- name: gitea-ssh
port: 22

199
grafana/alloy_values.yaml
View File

@@ -1,199 +0,0 @@
alloy:
clustering:
enabled: true
configMap:
content: |-
logging {
level = "info"
format = "logfmt"
}
discovery.kubernetes "pods" {
role = "pod"
}
discovery.kubernetes "nodes" {
role = "node"
}
discovery.relabel "pods" {
targets = discovery.kubernetes.pods.targets
rule {
source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_container_name"]
separator = "/"
target_label = "deployment_name"
action = "replace"
}
}
loki.source.kubernetes "pods" {
targets = discovery.relabel.pods.output
forward_to = [loki.process.process.receiver]
}
loki.process "process" {
forward_to = [loki.write.loki.receiver]
stage.drop {
older_than = "1h"
drop_counter_reason = "too old"
}
stage.match {
selector = "{instance=~\".*\"}"
stage.json {
expressions = {
level = "\"level\"",
}
}
stage.labels {
values = {
level = "level",
}
}
}
stage.label_drop {
values = [ "job", "service_name" ]
}
}
loki.write "loki" {
endpoint {
url = "http://grafana-loki-distributor:3100/loki/api/v1/push"
}
}
discovery.relabel "metrics" {
targets = discovery.kubernetes.pods.targets
rule {
source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_port"]
target_label = "__meta_kubernetes_pod_container_port_number"
action = "keepequal"
}
rule {
source_labels = ["__meta_kubernetes_pod_container_port_number"]
regex = ""
action = "drop"
}
rule {
source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_path",]
target_label = "__metrics_path__"
separator = ""
action = "replace"
}
}
prometheus.scrape "metrics" {
clustering {
enabled = true
}
targets = discovery.relabel.metrics.output
forward_to = [prometheus.remote_write.metrics.receiver]
scrape_interval = "30s"
}
discovery.relabel "pods_metrics" {
targets = discovery.kubernetes.nodes.targets
rule {
replacement = "kubernetes.default.svc:443"
target_label = "__address__"
}
rule {
regex = "(.+)"
replacement = "/api/v1/nodes/$1/proxy/metrics/cadvisor"
source_labels = ["__meta_kubernetes_node_name"]
target_label = "__metrics_path__"
}
}
prometheus.scrape "pods_metrics" {
clustering {
enabled = true
}
targets = discovery.relabel.pods_metrics.output
job_name = "integrations/kubernetes/kubelet"
scheme = "https"
honor_labels = true
forward_to = [prometheus.remote_write.metrics.receiver]
bearer_token_file = "/run/secrets/kubernetes.io/serviceaccount/token"
tls_config {
insecure_skip_verify = true
server_name = "kubernetes"
}
scrape_interval = "30s"
}
prometheus.exporter.unix "os_metrics" { }
prometheus.scrape "os_metrics" {
clustering {
enabled = true
}
targets = prometheus.exporter.unix.os_metrics.targets
forward_to = [prometheus.remote_write.metrics.receiver]
scrape_interval = "30s"
}
discovery.kubernetes "kube_state_metrics" {
role = "endpoints"
selectors {
role = "endpoints"
label = "app.kubernetes.io/name=kube-state-metrics"
}
namespaces {
names = ["grafana"]
}
}
discovery.relabel "kube_state_metrics" {
targets = discovery.kubernetes.kube_state_metrics.targets
// only keep targets with a matching port name
rule {
source_labels = ["__meta_kubernetes_endpoint_port_name"]
regex = "http"
action = "keep"
}
rule {
action = "replace"
replacement = "kubernetes"
target_label = "source"
}
}
prometheus.scrape "kube_state_metrics" {
targets = discovery.relabel.kube_state_metrics.output
job_name = "integrations/kubernetes/kube-state-metrics"
scrape_interval = "30s"
scheme = "http"
bearer_token_file = ""
tls_config {
insecure_skip_verify = true
}
clustering {
enabled = true
}
forward_to = [prometheus.relabel.kube_state_metrics.receiver]
}
prometheus.relabel "kube_state_metrics" {
max_cache_size = 100000
rule {
source_labels = ["__name__"]
regex = "up|scrape_samples_scraped|kube_configmap_info|kube_configmap_metadata_resource_version|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_condition|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_access_mode|kube_persistentvolumeclaim_info|kube_persistentvolumeclaim_labels|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_persistentvolumeclaim_status_phase|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_spec_volumes_persistentvolumeclaims_info|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_secret_metadata_resource_version|kube_statefulset.*"
action = "keep"
}
forward_to = [prometheus.remote_write.metrics.receiver]
}
prometheus.remote_write "metrics" {
endpoint {
url = "http://grafana-mimir-nginx/api/v1/push"
}
}
resources:
requests:
cpu: 1m
memory: 5Mi
limits:
cpu: 1
memory: 400Mi

19
grafana/values.yaml
View File

@@ -1,19 +0,0 @@
grafana:
ingress:
enabled: true
hosts:
- watcher.incngrnt.ca
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
persistence:
enabled: true
mimir:
mimir:
structuredConfig:
limits:
compactor_blocks_retention_period: 2h
ingester:
persistentVolume:
size: 5Gi

28
helmfile.d/01-infrastructure.lock
View File

@@ -1,16 +1,22 @@
version: 0.170.1
version: 1.2.3
dependencies:
- name: rook-ceph
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.19.2
- name: cert-manager-webhook-hetzner
repository: https://vadimkim.github.io/cert-manager-webhook-hetzner
version: 1.4.2
- name: rook-ceph
repository: https://charts.rook.io/release
version: v1.18.2
- name: rook-ceph-cluster
version: v1.18.8
- name: rook-ceph-cluster
repository: https://charts.rook.io/release
version: v1.18.2
- name: tailscale-operator
version: v1.18.8
- name: tailscale-operator
repository: https://pkgs.tailscale.com/helmcharts
version: 1.86.5
- name: traefik
version: 1.92.4
- name: traefik
repository: https://traefik.github.io/charts
version: 37.1.1
digest: sha256:390b9f11dc9645c5add8f2efdbaa28bbbaf9ad8ab3056ef5b83580a53abdc112
generated: "2025-09-16T10:37:17.844160925-06:00"
version: 38.0.1
digest: sha256:3297bc0c10765abe170881882f7daf441a4dd735ed0ee7d1f4233692e8888c3c
generated: "2025-12-23T10:31:34.409765694-07:00"

43
helmfile.d/01-infrastructure.yaml
View File

@@ -5,35 +5,50 @@ repositories:
url: https://traefik.github.io/charts
- name: tailscale
url: https://pkgs.tailscale.com/helmcharts
- name: jetstack
url: https://charts.jetstack.io
- name: cert-manager-webhook-hetzner
url: https://vadimkim.github.io/cert-manager-webhook-hetzner
lockFilePath: ./helmfile.d/01-infrastructure.lock
releases:
# networking
- name: metallb
namespace: metallb-system
createNamespace: true
chart: ../metallb
values:
- ../metallb/values.yaml.gotmpl
- name: cert-manager
namespace: cert-manager
createNamespace: true
chart: jetstack/cert-manager
values:
- ../cert-manager/values.yaml.gotmpl
- name: cert-manager-webhook-hetzner
namespace: cert-manager
createNamespace: true
chart: cert-manager-webhook-hetzner/cert-manager-webhook-hetzner
values:
- ../cert-manager-hetzner-webhook/values.yaml.gotmpl
- name: cert-manager-issuers
namespace: cert-manager
createNamespace: true
chart: ../cert-manager-issuers
values:
- ../cert-manager-issuers/values.yaml.gotmpl
- name: traefik
namespace: traefik
createNamespace: true
chart: traefik/traefik
values:
- ../traefik/values.yaml
setString:
- name: certificatesResolvers.letsencrypt.acme.email
value: {{ requiredEnv "ACME_EMAIL" }}
- name: extraObjects[0].stringData.password
value: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- ../traefik/values.yaml.gotmpl
- name: tailscale-operator
namespace: tailscale
createNamespace: true
chart: tailscale/tailscale-operator
values:
- ../tailscale/values.yaml
setString:
- name: oauth.clientId
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
- name: oauth.clientSecret
value: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}
- ../tailscale/values.yaml.gotmpl
# storage infrastructure
- name: rook-ceph
@@ -41,13 +56,13 @@ releases:
createNamespace: true
chart: rook-release/rook-ceph
values:
- ../rook-ceph/values.yaml
- ../rook-ceph/values.yaml.gotmpl
- name: rook-ceph-cluster
namespace: rook-ceph
createNamespace: true
chart: rook-release/rook-ceph-cluster
values:
- ../rook-ceph-cluster/values.yaml
- ../rook-ceph-cluster/values.yaml.gotmpl
set:
- name: operatorNamespace
value: rook-ceph

18
helmfile.d/02-datastore.lock
View File

@@ -1,16 +1,16 @@
version: 0.170.1
version: 1.2.3
dependencies:
- name: k8up
- name: k8up
repository: https://k8up-io.github.io/k8up
version: 4.8.5
- name: mariadb
version: 4.8.6
- name: mariadb
repository: https://charts.bitnami.com/bitnami
version: 22.0.0
- name: pgo
version: 24.0.2
- name: pgo
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.8.1
- name: postgrescluster
- name: postgrescluster
repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
version: 5.7.4
digest: sha256:df6cd58e23f8c570ef0f3d57e26720a29685275bee12525ca9abb2e70e28e491
generated: "2025-09-16T10:37:30.538389689-06:00"
digest: sha256:f8989df670b3574b6d87438486b66fdaf44bc1ed379d3a98e00963a27703003a
generated: "2025-12-14T14:14:05.060998516-07:00"

19
helmfile.d/02-datastore.yaml
View File

@@ -6,6 +6,7 @@ repositories:
- name: k8up-io
url: https://k8up-io.github.io/k8up
lockFilePath: ./helmfile.d/02-datastore.lock
releases:
# data storage
- name: pgo
@@ -13,29 +14,19 @@ releases:
createNamespace: true
chart: crunchydata/pgo
values:
- ../postgres/operator-values.yaml
- ../postgres/operator-values.yaml.gotmpl
- name: postgres
namespace: datastore
createNamespace: true
chart: crunchydata/postgrescluster
values:
- ../postgres/values.yaml
setString:
- name: pgBackRestConfig.global.repo1-s3-key
value: '{{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}'
- name: pgBackRestConfig.global.repo1-s3-key-secret
value: '{{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}'
- name: pgBackRestConfig.global.repo1-cipher-pass
value: '{{ requiredEnv "PG_BACKREST_PASSWORD" }}'
- ../postgres/values.yaml.gotmpl
- name: mariadb
namespace: datastore
createNamespace: true
chart: bitnami/mariadb
values:
- ../mariadb/values.yaml
setString:
- name: auth.rootPassword
value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
- ../mariadb/values.yaml.gotmpl
# backup infrastructure
- name: k8up
@@ -43,4 +34,4 @@ releases:
createNamespace: true
chart: k8up-io/k8up
values:
- ../k8up/values.yaml
- ../k8up/values.yaml.gotmpl

33
helmfile.d/03-apps.lock
View File

@@ -1,34 +1,37 @@
version: 0.170.1
version: 1.2.3
dependencies:
- name: ghost
- name: ghost
repository: https://charts.bitnami.com/bitnami
version: 25.0.4
- name: ghost
- name: ghost
repository: https://charts.bitnami.com/bitnami
version: 25.0.4
- name: immich
- name: gitea
repository: https://dl.gitea.io/charts
version: 12.4.0
- name: immich
repository: https://immich-app.github.io/immich-charts
version: 0.9.3
- name: k8up-backup
version: 0.10.3
- name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3
- name: k8up-backup
- name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3
- name: k8up-backup
- name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3
- name: k8up-backup
- name: k8up-backup
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.0.3
- name: matrix-registration
- name: matrix-registration
repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
version: 0.1.0
- name: matrix-synapse
- name: matrix-synapse
repository: https://ananace.gitlab.io/charts
version: 3.12.8
- name: static-site
version: 3.12.17
- name: static-site
repository: git+https://github.com/cfpb/static-site@charts?ref=main
version: 0.1.1
digest: sha256:a7f2ab0e045290264fd7675f2e8979e449ccc60df6518ac20eb4d0c4c007fd96
generated: "2025-09-16T10:37:47.891825732-06:00"
digest: sha256:b44d082b71203ca6bb4fd881d8c6ce71575db556f432bbcc46078a535c8cd9c3
generated: "2025-12-23T10:31:37.404126839-07:00"

15
helmfile.d/03-apps.yaml
View File

@@ -12,6 +12,7 @@ repositories:
- name: incngrnt
url: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
lockFilePath: ./helmfile.d/03-apps.lock
releases:
# goatchat matrix
- name: goatchat
@@ -40,7 +41,7 @@ releases:
createNamespace: true
chart: static-site/static-site
values:
- ../incngrnt-web/values.yaml
- ../incngrnt-web/values.yaml.gotmpl
# ghost blogs
- name: kgnot-ghost
namespace: ghost
@@ -56,12 +57,12 @@ releases:
- ../53ll/values.yaml.gotmpl
# dev tools
# - name: gitea
# namespace: gitea
# createNamespace: true
# chart: gitea/gitea
# values:
# - ../gitea/values.yaml.gotmpl
- name: gitea
namespace: gitea
createNamespace: true
chart: gitea/gitea
values:
- ../gitea/values.yaml.gotmpl
# backups
- name: ghost-backup

13
helmfile.d/04-monitoring.lock
View File

@@ -1,13 +0,0 @@
version: 0.170.1
dependencies:
- name: alloy
repository: https://grafana.github.io/helm-charts
version: 1.2.1
- name: kube-state-metrics
repository: https://prometheus-community.github.io/helm-charts
version: 6.3.0
- name: lgtm-distributed
repository: https://grafana.github.io/helm-charts
version: 2.1.0
digest: sha256:8a06f8a58058fcc5487b01542d48a745189ab4d01a8f9aad6710ffda3cab765a
generated: "2025-09-16T10:38:05.465270419-06:00"

27
helmfile.d/04-monitoring.yaml
View File

@@ -1,27 +0,0 @@
repositories:
- name: grafana
url: https://grafana.github.io/helm-charts
- name: prometheus-community
url: https://prometheus-community.github.io/helm-charts
releases:
# monitoring
- name: grafana
namespace: grafana
installed: false
createNamespace: true
chart: grafana/lgtm-distributed
values:
- ../grafana/values.yaml
- name: alloy
namespace: grafana
installed: false
createNamespace: true
chart: grafana/alloy
values:
- ../grafana/alloy_values.yaml
- name: kube-state-metrics
namespace: grafana
installed: false
createNamespace: true
chart: prometheus-community/kube-state-metrics

52
immich/values.yaml.gotmpl
View File

@@ -1,7 +1,11 @@
image:
tag: v1.142.1
controllers:
main:
containers:
main:
image:
tag: v2.4.1
env:
env:
DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }}
DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }}
@@ -13,7 +17,7 @@ immich:
library:
existingClaim: immich-data
redis:
valkey:
enabled: true
master:
persistence:
@@ -22,31 +26,51 @@ redis:
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1
memory: 32Mi
server:
enabled: true
controllers:
main:
strategy: Recreate
containers:
main:
resources:
requests:
cpu: 10m
memory: 256Mi
limits:
cpu: 1
memory: 700Mi
ingress:
main:
enabled: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
tls:
- secretName: photos-incngrnt-ca-tls
hosts:
- photos.incngrnt.ca
hosts:
- host: photos.incngrnt.ca
paths:
- path: "/"
pathType: Prefix
resources:
requests:
cpu: 10m
limits:
cpu: 1
controller:
strategy: Recreate
service:
identifier: main
machine-learning:
enabled: true
controllers:
main:
containers:
main:
resources:
requests:
cpu: 10m
memory: 128Mi
limits:
cpu: 1
memory: 1Gi

15
incngrnt-web/values.yaml → incngrnt-web/values.yaml.gotmpl
View File

@@ -3,12 +3,23 @@ init:
wget:
url: https://git.incngrnt.ca/grant/incngrnt/releases/download/v0.0.8/v0.0.8.tar
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 500m
memory: 32Mi
ingress:
enabled: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
tls:
- secretName: incngrnt-ca-tls
hosts:
- incngrnt.ca
hosts:
- host: incngrnt.ca
paths:
- path: /
pathType: ImplementationSpecific

26
justfile
View File

@@ -1,11 +1,11 @@
update:
bws run 'helmfile deps'
deploy ARGS='--output simple -i':
bws run 'helmfile apply {{ARGS}}'
deploy ARGS='':
bws run 'helmfile apply --output simple --skip-deps {{ARGS}}'
diff ARGS='':
bws run 'helmfile diff --output dyff {{ARGS}}'
bws run 'helmfile diff --output dyff --skip-deps {{ARGS}}'
cleanuppods:
#!/bin/bash
@@ -23,6 +23,12 @@ cleanupjobs:
pgrestart:
kubectl patch postgrescluster/postgres --type merge --patch '{"spec":{"metadata":{"annotations":{"restarted":"'"$(date)"'"}}}}'
talos-upgrade VERSION NODE:
talosctl upgrade \
--image factory.talos.dev/metal-installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:{{VERSION}} \
-n {{NODE}}
goatchat-register:
bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \
-H "Content-Type: application/json" \
@@ -32,3 +38,17 @@ goatchat-register-review:
bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \
-H "Content-Type: application/json" \
https://goatchat.ca/gate/api/token' | jq
refresh-client-cert:
#!/bin/bash
yq -r .machine.ca.crt controlplane.yaml | base64 -d > ca.crt
yq -r .machine.ca.key controlplane.yaml | base64 -d > ca.key
talosctl gen key --name admin
talosctl gen csr --key admin.key --ip 127.0.0.1
talosctl gen crt --ca ca --csr admin.csr --name admin
yq -i '.contexts.fog.ca = "'"$(base64 -w0 ca.crt)"\
'" | .contexts.fog.crt = "'"$(base64 -w0 admin.crt)"\
'" | .contexts.fog.key = "'"$(base64 -w0 admin.key)"'"' \
.config/talosconfig
talosctl kubeconfig .config/kubeconfig -n 192.168.1.43

8
k8up-backup/values.yaml.gotmpl
View File

@@ -6,3 +6,11 @@ credentials:
key: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
repoPassword: {{ requiredEnv "k8UP_REPO_PASSWORD" }}
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 128Mi

4
k8up/values.yaml
View File

@@ -1,4 +0,0 @@
k8up:
envVars:
- name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
values: 1

11
k8up/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,11 @@
k8up:
envVars:
- name: BACKUP_GLOBAL_CONCURRENT_BACKUP_JOBS_LIMIT
values: 1
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 64Mi

32
kgnot/values.yaml → kgnot/values.yaml.gotmpl
View File

@@ -3,7 +3,7 @@ image:
ghostBlogTitle: K&G Tie the Kgnot
ghostHost: https://kgnot.ca
ghostUsername: # set through cli args
ghostUsername: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
existingSecret: ghost-kgnot-user-secret
allowEmptyPassword: false
@@ -13,14 +13,14 @@ readinessProbe:
enabled: false
resources:
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 250Mi
requests:
cpu: 10m
ephemeral-storage: 50Mi
memory: 128Mi
memory: 64Mi
limits:
cpu: 500m
ephemeral-storage: 2Gi
memory: 350Mi
persistence:
size: 1Gi
@@ -50,5 +50,21 @@ ingress:
enabled: true
hostname: kgnot.ca
tls: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
extraTls:
- secretName: kgnot-ca-tls
hosts:
- kgnot.ca
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kgnot-ca
namespace: ghost
spec:
secretName: kgnot-ca-tls
issuerRef:
name: letsencrypt-kgnot
kind: ClusterIssuer
dnsNames:
- kgnot.ca

14
mariadb/values.yaml
View File

@@ -1,14 +0,0 @@
persistent:
size: 5Gi
primary:
resources:
limits:
cpu: 375m
ephemeral-storage: 2Gi
memory: 384Mi
requests:
cpu: 50m
ephemeral-storage: 50Mi
memory: 256Mi

16
mariadb/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,16 @@
auth:
rootPassword: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
persistent:
size: 5Gi
primary:
resources:
requests:
cpu: 50m
ephemeral-storage: 50Mi
memory: 96Mi
limits:
cpu: 1
ephemeral-storage: 2Gi
memory: 192Mi

5
matrix-registration/values.yaml
View File

@@ -1,5 +0,0 @@
serverLocation: http://goatchat-matrix-synapse:8008
serverName: goatchat.ca
serverBaseUrl: /gate
registrationSharedSecret: # set through cli
adminApiSharedSecret: # set through cli

13
matrix-registration/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,13 @@
serverLocation: http://goatchat-matrix-synapse:8008
serverName: goatchat.ca
serverBaseUrl: /gate
registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }}
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 64Mi

0
metallb/values.yaml
View File

17
metallb/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,17 @@
controller:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 500m
memory: 64Mi
speaker:
resources:
requests:
cpu: 10m
memory: 48Mi
limits:
cpu: 500m
memory: 96Mi

2
postgres/operator-values.yaml
View File

@@ -1,2 +0,0 @@
pgoControllerLeaseName: ''
replicas: 1

10
postgres/operator-values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,10 @@
pgoControllerLeaseName: ''
replicas: 1
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 500m
memory: 160Mi

21
postgres/values.yaml → postgres/values.yaml.gotmpl
View File

@@ -1,5 +1,21 @@
instanceSize: 50Gi
instanceMemory: 1Gi
instanceCPU: 2
instances:
- name: instance1
resources:
requests:
cpu: 100m
memory: 192Mi
limits:
cpu: 2
memory: 1Gi
dataVolumeClaimSpec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 50Gi
patroni:
dynamicConfiguration:
postgresql:
@@ -33,6 +49,9 @@ pgBackRestConfig:
repo1-path: /pgbackrest/datastore/postgres/repo1
repo1-retention-full: "10"
repo1-retention-full-type: count
repo1-s3-key: {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
repo1-s3-key-secret: {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
repo1-cipher-pass: {{ requiredEnv "PG_BACKREST_PASSWORD" }}
repos:
- name: repo1

31
rook-ceph-cluster/values.yaml → rook-ceph-cluster/values.yaml.gotmpl
View File

@@ -6,6 +6,8 @@ cephClusterSpec:
useAllNodes: true
useAllDevices: false
deviceFilter: "^sda"
config:
osd_memory_target: "1073741824" # 1GB per OSD to maintain 70% node capacity
resources:
mgr:
requests:
@@ -13,18 +15,21 @@ cephClusterSpec:
memory: 256Mi
limits:
cpu: "1"
memory: 704Mi
mon:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: "1"
memory: 64Mi
osd:
requests:
cpu: 100m
memory: 256Mi
memory: 896Mi
limits:
cpu: "1"
memory: 1280Mi
ingress:
dashboard:
@@ -32,10 +37,27 @@ ingress:
name: fog.incngrnt.ca
path: /fog/ceph
pathType: Prefix
tls:
- secretName: fog-incngrnt-ca-tls
hosts:
- fog.incngrnt.ca
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
"traefik.ingress.kubernetes.io/router.middlewares": "rook-ceph-ceph-stripprefix@kubernetescrd"
extraDeploy:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fog-ceph-incngrnt-ca
namespace: rook-ceph
spec:
secretName: fog-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- fog.incngrnt.ca
cephFileSystems:
- name: ceph-filesystem
# see https://github.com/rook/rook/blob/master/Documentation/ceph-filesystem-crd.md#filesystem-settings for available configuration
@@ -55,9 +77,10 @@ cephFileSystems:
resources:
requests:
cpu: 50m
memory: 256Mi
limit:
memory: 64Mi
limits:
cpu: "1"
memory: 32Mi
storageClass:
enabled: true
isDefault: false

3
rook-ceph/values.yaml → rook-ceph/values.yaml.gotmpl
View File

@@ -2,3 +2,6 @@ resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1
memory: 300Mi

16
synapse/values.yaml → synapse/values.yaml.gotmpl
View File

@@ -16,14 +16,14 @@ synapse:
resources:
requests:
cpu: 10m
memory: 160Mi
memory: 128Mi
limits:
cpu: '1'
memory: 320Mi
memory: 256Mi
config:
macaroonSecretKey: # set through cli args
registrationSharedSecret: # set through cli args
macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
extraConfig:
url_preview_enabled: true
@@ -45,7 +45,7 @@ extraConfig:
smtp_host: "smtp.sendgrid.net"
smtp_port: 587
smtp_user: "apikey"
smtp_pass: # set through cli args
smtp_pass: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
require_transport_security: true
notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
app_name: Goatchat
@@ -69,8 +69,10 @@ extraConfig:
ingress:
traefikPaths: true
annotations:
"traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
tls:
- secretName: goatchat-ca-tls
hosts:
- goatchat.ca
persistence:

4
tailscale/values.yaml
View File

@@ -1,4 +0,0 @@
operatorConfig:
extraEnv:
- name: PROXY_PRIORITY_CLASS_NAME
value: critical

16
tailscale/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,16 @@
operatorConfig:
extraEnv:
- name: PROXY_PRIORITY_CLASS_NAME
value: critical
resources:
requests:
cpu: 10m
memory: 48Mi
limits:
cpu: 500m
memory: 64Mi
oauth:
clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }}

102
traefik/values.yaml
View File

@@ -1,102 +0,0 @@
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
volumeMounts:
- name: data
mountPath: /data
updateStrategy:
type: Recreate
env:
- name: HETZNER_API_KEY
valueFrom:
secretKeyRef:
name: hetzner-api-key
key: token
additionalArguments:
- "--api.basePath=/fog/traefik"
persistence:
enabled: true
logs:
format: json
access:
enabled: true
format: json
service:
spec:
externalTrafficPolicy: Local
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
entryPoints: ["websecure"]
middlewares:
- name: traefik-dashboard-auth
tls:
certResolver: letsencrypt
ports:
websecure:
middlewares:
- traefik-rate-limit@kubernetescrd
web:
middlewares:
- traefik-redirectscheme@kubernetescrd
ssh:
port: 2222
expose:
default: true
exposedPort: 2222
protocol: TCP
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: # set through cli args
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirectscheme
spec:
redirectScheme:
scheme: https
permanent: true
certificatesResolvers:
letsencrypt:
acme:
dnschallenge:
provider: hetzner
delaybeforecheck: 30
email: # set through cli args
storage: /data/acme.json

158
traefik/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,158 @@
deployment:
replicas: 2
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1
memory: 128Mi
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 1
podDisruptionBudget:
enabled: true
minAvailable: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- traefik
topologyKey: kubernetes.io/hostname
additionalArguments:
- "--api.basePath=/fog/traefik"
persistence:
enabled: false
logs:
format: json
access:
enabled: true
format: json
service:
spec:
externalTrafficPolicy: Local
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
entryPoints: ["websecure"]
middlewares:
- name: traefik-dashboard-auth
tls:
secretName: fog-incngrnt-ca-tls
ports:
websecure:
middlewares:
- traefik-rate-limit@kubernetescrd
web:
middlewares:
- traefik-redirectscheme@kubernetescrd
ssh:
port: 2222
expose:
default: true
exposedPort: 2222
protocol: TCP
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirectscheme
spec:
redirectScheme:
scheme: https
permanent: true
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fog-incngrnt-ca
namespace: traefik
spec:
secretName: fog-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- fog.incngrnt.ca
# other certs
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: goatchat-ca
namespace: goatchat
spec:
secretName: goatchat-ca-tls
issuerRef:
name: letsencrypt-goatchat
kind: ClusterIssuer
dnsNames:
- goatchat.ca
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: incngrnt-ca
namespace: incngrnt-web
spec:
secretName: incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- incngrnt.ca
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: photos-incngrnt-ca
namespace: immich
spec:
secretName: photos-incngrnt-ca-tls
issuerRef:
name: letsencrypt-incngrnt
kind: ClusterIssuer
dnsNames:
- photos.incngrnt.ca