squash all

Mostly copied over from my old repo and modified for app of apps.
Cleaning up the mess from migration

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2025-07-03 08:02:33 -04:00
parent 471f30f0b1
commit 52933116f0
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
104 changed files with 2532 additions and 44 deletions

1
.argocd-ignore Normal file

@ -0,0 +1 @@
.pre-commit-config.yaml

163
.devenv.flake.nix Normal file

@ -0,0 +1,163 @@
{
inputs =
let
version = "1.6.1";
system = "x86_64-linux";
devenv_root = "/home/gwg313/repos/homelab-gitops";
devenv_dotfile = ./.devenv;
devenv_dotfile_string = ".devenv";
container_name = null;
devenv_tmpdir = "/run/user/1000";
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
devenv_istesting = false;
devenv_direnvrc_latest_version = 1;
in {
git-hooks.url = "github:cachix/git-hooks.nix";
git-hooks.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.follows = "git-hooks";
nixpkgs.url = "github:cachix/devenv-nixpkgs/rolling";
devenv.url = "github:cachix/devenv?dir=src/modules";
} // (if builtins.pathExists (devenv_dotfile + "/flake.json")
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/flake.json"))
else { });
outputs = { nixpkgs, ... }@inputs:
let
version = "1.6.1";
system = "x86_64-linux";
devenv_root = "/home/gwg313/repos/homelab-gitops";
devenv_dotfile = ./.devenv;
devenv_dotfile_string = ".devenv";
container_name = null;
devenv_tmpdir = "/run/user/1000";
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
devenv_istesting = false;
devenv_direnvrc_latest_version = 1;
devenv =
if builtins.pathExists (devenv_dotfile + "/devenv.json")
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/devenv.json"))
else { };
getOverlays = inputName: inputAttrs:
map
(overlay:
let
input = inputs.${inputName} or (throw "No such input `${inputName}` while trying to configure overlays.");
in
input.overlays.${overlay} or (throw "Input `${inputName}` has no overlay called `${overlay}`. Supported overlays: ${nixpkgs.lib.concatStringsSep ", " (builtins.attrNames input.overlays)}"))
inputAttrs.overlays or [ ];
overlays = nixpkgs.lib.flatten (nixpkgs.lib.mapAttrsToList getOverlays (devenv.inputs or { }));
pkgs = import nixpkgs {
inherit system;
config = {
allowUnfree = devenv.allowUnfree or false;
allowBroken = devenv.allowBroken or false;
permittedInsecurePackages = devenv.permittedInsecurePackages or [ ];
};
inherit overlays;
};
lib = pkgs.lib;
importModule = path:
if lib.hasPrefix "./" path
then if lib.hasSuffix ".nix" path
then ./. + (builtins.substring 1 255 path)
else ./. + (builtins.substring 1 255 path) + "/devenv.nix"
else if lib.hasPrefix "../" path
then throw "devenv: ../ is not supported for imports"
else
let
paths = lib.splitString "/" path;
name = builtins.head paths;
input = inputs.${name} or (throw "Unknown input ${name}");
subpath = "/${lib.concatStringsSep "/" (builtins.tail paths)}";
devenvpath = "${input}" + subpath;
devenvdefaultpath = devenvpath + "/devenv.nix";
in
if lib.hasSuffix ".nix" devenvpath
then devenvpath
else if builtins.pathExists devenvdefaultpath
then devenvdefaultpath
else throw (devenvdefaultpath + " file does not exist for input ${name}.");
project = pkgs.lib.evalModules {
specialArgs = inputs // { inherit inputs; };
modules = [
({ config, ... }: {
_module.args.pkgs = pkgs.appendOverlays (config.overlays or [ ]);
})
(inputs.devenv.modules + /top-level.nix)
{
devenv.cliVersion = version;
devenv.root = devenv_root;
devenv.dotfile = devenv_root + "/" + devenv_dotfile_string;
}
(pkgs.lib.optionalAttrs (inputs.devenv.isTmpDir or false) {
devenv.tmpdir = devenv_tmpdir;
devenv.runtime = devenv_runtime;
})
(pkgs.lib.optionalAttrs (inputs.devenv.hasIsTesting or false) {
devenv.isTesting = devenv_istesting;
})
(pkgs.lib.optionalAttrs (container_name != null) {
container.isBuilding = pkgs.lib.mkForce true;
containers.${container_name}.isBuilding = true;
})
({ options, ... }: {
config.devenv = pkgs.lib.optionalAttrs (builtins.hasAttr "direnvrcLatestVersion" options.devenv) {
direnvrcLatestVersion = devenv_direnvrc_latest_version;
};
})
] ++ (map importModule (devenv.imports or [ ])) ++ [
(if builtins.pathExists ./devenv.nix then ./devenv.nix else { })
(devenv.devenv or { })
(if builtins.pathExists ./devenv.local.nix then ./devenv.local.nix else { })
(if builtins.pathExists (devenv_dotfile + "/cli-options.nix") then import (devenv_dotfile + "/cli-options.nix") else { })
];
};
config = project.config;
options = pkgs.nixosOptionsDoc {
options = builtins.removeAttrs project.options [ "_module" ];
warningsAreErrors = false;
# Unpack Nix types, e.g. literalExpression, mDoc.
transformOptions =
let isDocType = v: builtins.elem v [ "literalDocBook" "literalExpression" "literalMD" "mdDoc" ];
in lib.attrsets.mapAttrs (_: v:
if v ? _type && isDocType v._type then
v.text
else if v ? _type && v._type == "derivation" then
v.name
else
v
);
};
build = options: config:
lib.concatMapAttrs
(name: option:
if builtins.hasAttr "type" option then
if option.type.name == "output" || option.type.name == "outputOf" then {
${name} = config.${name};
} else { }
else
let v = build option config.${name};
in if v != { } then {
${name} = v;
} else { }
)
options;
systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
in
{
devShell = lib.genAttrs systems (system: config.shell);
packages = lib.genAttrs systems (system: {
optionsJSON = options.optionsJSON;
# deprecated
inherit (config) info procfileScript procfileEnv procfile;
ci = config.ciDerivation;
});
devenv = config;
build = build project.options project.config;
};
}

5
.gitleaks.toml Normal file

@ -0,0 +1,5 @@
[allowlist]
description = "Ignore Kubernetes SealedSecrets"
regexes = [
'''(?s)kind:\s*SealedSecret.*?encryptedData:.*?'''
]
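Review bot: The allowlist regex `'''(?s)kind:\s*SealedSecret.*?encryptedData:.*?'''` is written against a whole document, but gitleaks evaluates allowlist regexes against the detected secret by default (or against one line when `regexTarget = "line"`), and neither contains `kind:`, so the SealedSecret values in this commit are most likely still reported. A narrower exception that actually fires would be a `paths` allowlist for the sealed-secret manifests, or `regexTarget = "line"` with a pattern shaped like the encrypted value (constructed example: `'''^\s*[\w.-]+:\s*Ag[A-Za-z0-9+/]+={0,2}$'''`). A one-line comment saying the exception exists because SealedSecret ciphertext is safe to commit would help the next reader judge it.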

10
.yamllint Normal file

@ -0,0 +1,10 @@
extends: default
rules:
document-start: disable
line-length:
max: 80
allow-non-breakable-words: false
ignore: |
**/*sealed*.yaml


@ -1,20 +1,17 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: istio name: audiobookshelf
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://github.com/gwg313/homelab-gitops repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main targetRevision: main
path: istio path: audiobookshelf
helm:
valueFiles:
- base-values.yaml
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: istio-system namespace: audiobookshelf
syncPolicy: syncPolicy:
automated: automated:
selfHeal: true selfHeal: true
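Review bot: The rewritten Application (istio → audiobookshelf) keeps the old `syncPolicy`, which has `selfHeal: true` but no `prune: true` and no `CreateNamespace=true`, unlike every sibling Application added in this commit (bytestash, forgejo, navidrome, yopass). As written the `audiobookshelf` namespace must already exist before the first sync, and manifests later removed from the `audiobookshelf` path stay in the cluster. If that is deliberate, a comment next to `syncPolicy` would stop the next reader from "fixing" it; otherwise add `prune: true` and `syncOptions:` / `- CreateNamespace=true` as in apps/bytestash.yaml.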

20
apps/bytestash.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bytestash
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: bytestash
destination:
server: https://kubernetes.default.svc
namespace: bytestash
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

18
apps/cert-issuer.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-issuer
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: cluster-issuer
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
selfHeal: true
prune: true
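Review bot: apps/cert-issuer.yaml has no ordering relative to apps/cert-manager.yaml, yet its `cluster-issuer` path presumably holds the ClusterIssuer shown later in this commit, whose CRD only exists once cert-manager is installed, so the first sync of a fresh cluster can fail with an unknown-kind error until a retry. The istio Applications in this commit already use `argocd.argoproj.io/sync-wave` annotations for exactly this case; giving cert-manager a lower wave than cert-issuer, or annotating the ClusterIssuer with `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true`, removes the race. A short comment on the cert-issuer Application naming the dependency would also help.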

24
apps/cert-manager.yaml Normal file

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
spec:
project: default
source:
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.15.0
helm:
releaseName: cert-manager
values: |
installCRDs: true
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true
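Review bot: The inline `values: |` block sets only `installCRDs: true`, while cert-manager/values.yaml added in this same commit also carries `extraArgs` (`--dns01-recursive-nameservers-only`, `--dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53`) that no Application source on this page references, so those DNS-01 flags are never applied. With hosts under `local.gwg313.xyz` resolved by an internal DNS, cert-manager's pre-check may query that resolver and see answers the public resolvers do not; either fold the `extraArgs` into this `values:` block or delete cert-manager/values.yaml so the two cannot drift. A comment stating that the inline values are authoritative would prevent the next maintainer from editing the wrong file.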

20
apps/forgejo.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: forgejo
destination:
server: https://kubernetes.default.svc
namespace: forgejo
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

20
apps/harbor-config.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: harbor-config
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: harbor-config
destination:
server: https://kubernetes.default.svc
namespace: harbor
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

51
apps/harbor.yaml Normal file

@ -0,0 +1,51 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: harbor
namespace: argocd
spec:
project: default
destination:
server: https://kubernetes.default.svc
namespace: harbor
source:
repoURL: https://helm.goharbor.io
chart: harbor
targetRevision: 1.14.2
helm:
releaseName: harbor
values: |
externalURL: https://registry.gwg313.xyz
expose:
type: clusterIP
tls:
enabled: false
certSource: secret
secret:
secretName: harbor-cert-nginx
nginx:
replicas: 0
persistence:
persistentVolumeClaim:
registry:
existingClaim: harbor-registry
jobservice:
existingClaim: harbor-jobservice
trivy:
existingClaim: harbor-trivy
database:
existingClaim: harbor-database
redis:
existingClaim: harbor-redis
core:
existingClaim: harbor-core
ingress:
enabled: false
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
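Review bot: In the inline Harbor values, `expose.tls.enabled: false` makes the `certSource: secret` / `secretName: harbor-cert-nginx` lines inert, and `nginx.replicas: 0` with `ingress.enabled: false` leaves no declared entry point for `externalURL: https://registry.gwg313.xyz`. Presumably TLS terminates at an Istio gateway defined elsewhere; a comment above `expose:` stating that would make the intent reviewable, and since the mesh default on this page is `PERMISSIVE`, registry logins may cross the cluster network in plaintext unless the harbor namespace gets a `STRICT` PeerAuthentication like bytestash has. Dropping the dead `certSource`/`secret` lines would keep the values honest.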


@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-base
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: base
targetRevision: 1.26.0
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

26
apps/istio/istio-cni.yaml Normal file

@ -0,0 +1,26 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-cni
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: cni
targetRevision: 1.26.0
helm:
values: |
cni:
enabled: true
chained: false
logLevel: info
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -0,0 +1,50 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-gateway
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: gateway
targetRevision: 1.26.0
helm:
values: |
replicaCount: 2
autoscaling:
enabled: false
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
proxy:
logLevel: warning
componentLogLevel: "misc:error,config:debug"
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -0,0 +1,43 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-istiod
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: istiod
targetRevision: 1.26.0
helm:
values: |
global:
istioCNI:
enabled: true
sidecarInjectorWebhook:
disableInitContainers: true
pilot:
autoscaleEnabled: false
replicaCount: 2
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -0,0 +1,9 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
annotations:
name: default
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
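Review bot: This PeerAuthentication named `default` in `istio-system` sets the mesh-wide default to `PERMISSIVE`, so every workload accepts plaintext unless its namespace overrides it; on this page only bytestash does so with `STRICT`, while audiobookshelf, forgejo, harbor and minio inherit the permissive default. If this is a migration step, a comment such as `# PERMISSIVE while namespaces are migrated; switch to STRICT once all workloads are injected` would record the plan and give a reviewer something to check against. The empty `annotations:` key under `metadata` carries no value and can be dropped.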

18
apps/metallb-config.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb-config
namespace: argocd
spec:
project: default
source:
path: metallb/config
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: HEAD
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
syncPolicy:
automated:
prune: true
selfHeal: true
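Review bot: `targetRevision: HEAD` here (and in the woodpecker-manifests Application later in this commit) differs from the `main` used by every other in-repo Application on this page. HEAD follows the remote's default branch, so both spellings behave the same today but diverge if the default branch is ever renamed; using one form, e.g. `targetRevision: main`, keeps the app-of-apps uniform.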

22
apps/metallb.yaml Normal file

@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb
namespace: argocd
spec:
project: default
source:
repoURL: https://metallb.github.io/metallb
chart: metallb
targetRevision: 0.14.5
helm:
releaseName: metallb
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
apps/minio-config.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: minio-config
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: minio
destination:
server: https://kubernetes.default.svc
namespace: minio
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

37
apps/minio.yaml Normal file

@ -0,0 +1,37 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: minio
namespace: argocd
spec:
destination:
namespace: minio
server: https://kubernetes.default.svc
project: default
source:
repoURL: https://charts.bitnami.com/bitnami
chart: minio
targetRevision: 17.0.9
helm:
releaseName: minio
values: |
auth:
existingSecret: minio-auth
ingress:
enabled: false
service:
type: ClusterIP
ports:
api: 9000
console: 9001
persistence:
existingClaim: minio-data
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
apps/navidrome.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: navidrome
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: navidrome
destination:
server: https://kubernetes.default.svc
namespace: navidrome
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

33
apps/nfs-subdir.yaml Normal file

@ -0,0 +1,33 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: nfs-subdir-external-provisioner
namespace: argocd
spec:
project: default
source:
repoURL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner
chart: nfs-subdir-external-provisioner
targetRevision: 4.0.18
helm:
releaseName: nfs-subdir-external-provisioner
values: |
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/k8s/nfs-subdir
storageClass:
name: nfs-client
defaultClass: true
accessModes: ["ReadWriteMany"]
reclaimPolicy: Delete
archiveOnDelete: false
destination:
server: https://kubernetes.default.svc
namespace: nfs-subdir-external-provisioner
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
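Review bot: The nfs-subdir values make `nfs-client` the default StorageClass with `reclaimPolicy: Delete` and `archiveOnDelete: false`, so deleting a PVC — including one pruned by an automated sync, since most Applications here set `prune: true` — removes its directory under `/mnt/tank/k8s/nfs-subdir` immediately and irrecoverably. For a homelab that may be intended, but `archiveOnDelete: true` (the provisioner renames instead of deleting) or `reclaimPolicy: Retain` is the safer default while selfHeal and prune are on. At minimum a comment above `reclaimPolicy` stating the choice is deliberate would help.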

24
apps/sealed-secrets.yaml Normal file

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sealed-secrets
namespace: argocd
spec:
project: default
source:
repoURL: https://bitnami-labs.github.io/sealed-secrets
chart: sealed-secrets
targetRevision: 2.15.3
helm:
releaseName: sealed-secrets
values: |
fullnameOverride: sealed-secrets-controller
destination:
server: https://kubernetes.default.svc
namespace: sealed-secrets
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: woodpecker-manifests
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: HEAD
path: woodpecker
destination:
server: https://kubernetes.default.svc
namespace: woodpecker
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

23
apps/woodpecker.yaml Normal file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: woodpecker
namespace: argocd
spec:
project: default
source:
repoURL: https://woodpecker-ci.org/
chart: woodpecker
targetRevision: 3.2.0
helm:
releaseName: woodpecker
values: "server:\n env:\n WOODPECKER_HOST: \"https://ci.gwg313.xyz\"\n extraSecretNamesForEnvFrom:\n - woodpecker-server-secrets\n persistentVolume:\n enabled: true\n existingClaim: woodpecker-server-pvc5\n\nagent:\n enabled: true\n replicaCount: 1\n extraSecretNamesForEnvFrom:\n - woodpecker-agent-secrets\n env:\n WOODPECKER_SERVER: \"woodpecker-server:9000\"\n WOODPECKER_MAX_WORKFLOWS: \"5\"\n persistence:\n enabled: true\n existingClaim: woodpecker-agent-pvc5\n securityContext:\n privileged: true \n"
destination:
server: https://kubernetes.default.svc
namespace: woodpecker
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
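Review bot: `values:` is a single double-quoted string with embedded `\n` escapes, unlike every other Application on this page, which uses a `values: |` block scalar; the escaped form is hard to review and hides a trailing space in `privileged: true \n`. Converting it to a block scalar is a pure formatting change with no behavioural effect. Inside it, `agent.securityContext.privileged: true` gives the CI agent container node-level access; if the agent uses the Kubernetes backend it normally does not need this itself (pipeline step pods do), so a comment explaining why it is required, or dropping it, is worth a look.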

20
apps/yopass.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: yopass
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: yopass
destination:
server: https://kubernetes.default.svc
namespace: yopass
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true


@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: audiobookshelf-cert
namespace: istio-system
spec:
secretName: audiobookshelf-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- audiobooks.gwg313.xyz


@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
replicas: 1
selector:
matchLabels:
app: audiobookshelf
template:
metadata:
labels:
app: audiobookshelf
spec:
containers:
- name: audiobookshelf
image: registry.gwg313.xyz/library/audiobookshelf:latest
ports:
- containerPort: 8080
volumeMounts:
- name: audiobooks-volume
mountPath: /audiobooks
- name: podcasts-volume
mountPath: /podcasts
- name: config-volume
mountPath: /config
- name: metadata-volume
mountPath: /metadata
volumes:
- name: audiobooks-volume
persistentVolumeClaim:
claimName: audiobookshelf-audiobooks
- name: podcasts-volume
persistentVolumeClaim:
claimName: audiobookshelf-podcasts
- name: config-volume
persistentVolumeClaim:
claimName: audiobookshelf-config
- name: metadata-volume
persistentVolumeClaim:
claimName: audiobookshelf-metadata
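Review bot: The container image `registry.gwg313.xyz/library/audiobookshelf:latest` is a floating tag, so with selfHeal on a sync can never say which build is running and a rollback is not reproducible; pin a version tag or an `@sha256:` digest. The pod also has no `securityContext` and no `resources`, unlike the bytestash Deployment in this commit (`runAsNonRoot`, `seccompProfile`, dropped capabilities); copying that baseline, plus `readOnly: true` on the `/audiobooks` and `/podcasts` mounts that back read-only media, would keep the two manifests consistent.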


@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: audiobookshelf-gateway
namespace: audiobookshelf
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: audiobookshelf-cert
hosts:
- audiobooks.gwg313.xyz


@ -0,0 +1,19 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: audiobookshelf-iscsi-auth
namespace: audiobookshelf
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: AgBerGD4HXIRcJDdyknlztVIIfpLYyEnB5jIQV7tHksPPtDp4VxOQcOOnsgn2xcskpGbPP60iQJgTn9eNtHnRVylFhRDBr7ugn7LKWw0KGg/sexYx07Do6Sc7h7+MrzaoxV7kV7hOJrflALtKhSTmsiNLVnskmU+reckgLYFrFjSPOYJsDJlpq7WPXVBVW2nEJ0EMkCyfWAU1ADfpM5rvbtLu3geCAWAz557BASYgdvaBEWOT5sONC2rbl2MaSJeBVZX+Wr5IdzVd3K/VFJRSJ7xE5LAVKbuWGPpt18H86uU7mqXuyYUz7FR7nD21FT8rPvj4/rXKTR0W2U/hrH/53Jn5yFj30+iAcDhq9C4fRA8ZvI9KsESRZXq0dnInPkYpHzPIKdMwtEs/qycIMGwczRO9d6UDj3qJsJTO4E1btvzPQMt1kJ3d2U87/r7TCzcbIpLlMez8VTS0osnwVkD9/4oR074TX/0m9aMqLomsrw4oyXsetJL8O4R1A59NsjtBRvyeG00BmmJMlSrI+DF+wa131/4g/y6BsYP30QwxxxoOHH1clSdXGueHhQpttmc7le8FSJ+pyyPLR8BrFi76GojZG3GZScArJm/072WcUnsvxpitmtwKgihRFGr6V5yPU/vvPLWsV+swQ+zh6IZ1RPNn8QPk4oKqJnoAlDmMkdXhgqLucor322cxU+bNkE0v3RPBeynzEVpGSzrtYzOvw==
node.session.auth.password: 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
node.session.auth.username: AgCjON6B6NWGlbQsJvBLvy1SOgUt7fuIScFKqsnVLZf/AmUH6VJ70qAtjOr+MfoyhvGkpNLAb64LpUsEmxX/AI4pONZnNUVYgWSha+yEizCLsYCp2wL7PHbobg9nkYxL7vRcS/So5iIaHHS+3cHIHJI5O8Dhb6gqOz5kafNgdLu0TJ56n1Axe4QI3mz0m5/XjovzzImM3DiMaqtzJotENGxnnA/X0/zBbNZry94iWuXCTJ115+6cVn+h3SvVw0/rwcJgfNxgIJJW4Rukl6WCyC6MTKTjNnA65Z5R9oW4JviGNF/0PNGTjmkuCoJqSNZ+p5XebhTxn65ultLMxvJXZhVmSHo3es3x8wlmO49UOGhT1a38P+p/9DrrTg3xEdIeDHMmdLaZgOjjEfDh/2OP2S2ZHVEXQnFvG2VnKgmMYWyeylhBGyn4cEkLc1fFhy55g2EMCeF5zXNldTlT3Gh0ca1ipF0BBXgvuJCa9c5tNBK2QS66QVdehOLBOxrnjTnd4VPt05JXKqSQZ6S0ukNecL5hBju2nGHlXdYcVeI94/uZmpkNJC+mqRTJdXGwtUhF9F529Ln+DtkhTcGUAPBcZdP9eEc/lkAjp/lJyzW2jgTynVkqAyBZJsA7etAHAUlsFMgFOw6bG/oKXpJE7wFJ4J929/inpVj8J9rlLC7ruRlQy9gUT8A2uLwAXVmQufpjBTi2AVyS6wACG+eusvOHYg==
template:
metadata:
creationTimestamp: null
name: audiobookshelf-iscsi-auth
namespace: audiobookshelf
type: kubernetes.io/iscsi-chap

57
audiobookshelf/pvcs.yaml Normal file

@ -0,0 +1,57 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-config
namespace: audiobookshelf
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: audiobookshelf-config-pv
storageClassName: audiobookshelf-iscsi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-metadata
namespace: audiobookshelf
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: audiobookshelf-metadata-pv
storageClassName: audiobookshelf-iscsi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-audiobooks
namespace: audiobookshelf
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 100Gi
volumeName: audiobookshelf-audiobooks-pv
storageClassName: audiobookshelf-nfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-podcasts
namespace: audiobookshelf
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 100Gi
volumeName: audiobookshelf-podcasts-pv
storageClassName: audiobookshelf-nfs

73
audiobookshelf/pvs.yaml Normal file

@ -0,0 +1,73 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-config-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: audiobookshelf-iscsi-auth
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-metadata-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata
lun: 1
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: audiobookshelf-iscsi-auth
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-audiobooks-pv
spec:
capacity:
storage: 100Gi
accessModes:
- ReadOnlyMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/media/audiobooks
storageClassName: audiobookshelf-nfs
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-podcasts-pv
spec:
capacity:
storage: 100Gi
accessModes:
- ReadOnlyMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/media/podcasts
storageClassName: audiobookshelf-nfs
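Review bot: `audiobookshelf-audiobooks-pv` and `audiobookshelf-podcasts-pv` declare `accessModes: [ReadOnlyMany]` but leave the NFS mount writable: access modes are a binding/scheduling constraint, not a mount-time enforcement, so a compromised or misbehaving pod can still modify the media share. Adding `readOnly: true` under each `nfs:` block (or on the corresponding volumeMounts in the Deployment) makes the intent real. The iSCSI volumes above already spell out `readOnly: false`, so stating it on the NFS ones keeps the file self-explanatory.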


@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
selector:
app: audiobookshelf
ports:
- port: 80
targetPort: 8080


@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
hosts:
- audiobooks.gwg313.xyz
gateways:
- audiobookshelf-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: audiobookshelf
port:
number: 80


@ -0,0 +1,8 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: strict-mtls
namespace: bytestash
spec:
mtls:
mode: STRICT


@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: bytestash-secret
namespace: bytestash
spec:
encryptedData:
JWT_SECRET_KEY: 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
template:
metadata:
creationTimestamp: null
name: bytestash-secret
namespace: bytestash
type: Opaque


@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bytestash-cert
namespace: istio-system
spec:
secretName: bytestash-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
commonName: bytestash.local.gwg313.xyz
dnsNames:
- bytestash.local.gwg313.xyz

18
bytestash/configmap.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bytestash-config
namespace: bytestash
data:
BASE_PATH: ""
TOKEN_EXPIRY: "24h"
ALLOW_NEW_ACCOUNTS: "true"
DEBUG: "true"
DISABLE_ACCOUNTS: "false"
DISABLE_INTERNAL_ACCOUNTS: "false"
OIDC_ENABLED: "false"
OIDC_DISPLAY_NAME: ""
OIDC_ISSUER_URL: ""
OIDC_CLIENT_ID: ""
OIDC_CLIENT_SECRET: ""
OIDC_SCOPES: ""
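Review bot: `DEBUG: "true"` ships verbose logging into a long-running Deployment, and `ALLOW_NEW_ACCOUNTS: "true"` lets anyone who can reach `bytestash.local.gwg313.xyz` self-register; both are reasonable for first boot but deserve a comment saying when they get flipped. `OIDC_CLIENT_SECRET` is also declared in a ConfigMap, which is plaintext in git and readable by anyone with namespace read access; even while empty, moving that key next to `JWT_SECRET_KEY` in the bytestash SealedSecret avoids it being filled in here later.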

43
bytestash/deployment.yaml Normal file

@ -0,0 +1,43 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bytestash
namespace: bytestash
spec:
replicas: 1
selector:
matchLabels:
app: bytestash
template:
metadata:
labels:
app: bytestash
annotations:
sidecar.istio.io/inject: "true"
spec:
securityContext:
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
containers:
- name: bytestash
image: "ghcr.io/jordan-dalby/bytestash:latest"
ports:
- containerPort: 5000
envFrom:
- configMapRef:
name: bytestash-config
- secretRef:
name: bytestash-secret
volumeMounts:
- name: bytestash-storage
mountPath: /data/snippets
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
capabilities:
drop: ["ALL"]
volumes:
- name: bytestash-storage
persistentVolumeClaim:
claimName: bytestash-pvc
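Review bot: `runAsNonRoot: false` is set explicitly at both the pod and container level, which reads as a deliberate opt-out of the non-root baseline the forgejo Deployment in this commit follows (`runAsUser: 1000`, `fsGroup: 1000`); if the image needs root for `/data/snippets`, a comment saying so would stop the next reviewer from changing it, and otherwise `runAsNonRoot: true` with a `runAsUser` is the safer form alongside the capability drop already present. The image `ghcr.io/jordan-dalby/bytestash:latest` is a floating tag as well, so pinning a version or digest would make rollbacks reproducible.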

18
bytestash/gateway.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bytestash-gateway
namespace: bytestash
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "bytestash.local.gwg313.xyz"
tls:
mode: SIMPLE
credentialName: bytestash-cert

4
bytestash/namespace.yaml Normal file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: bytestash

11
bytestash/service.yaml Normal file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: bytestash
namespace: bytestash
spec:
selector:
app: bytestash
ports:
- port: 80
targetPort: 5000

29
bytestash/storage.yaml Normal file

@ -0,0 +1,29 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: bytestash-pv
spec:
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: manual
nfs:
path: /mnt/tank/docker-volumes/bytestash
server: truenas.local.gwg313.xyz
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bytestash-pvc
namespace: bytestash
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: bytestash-pv


@ -0,0 +1,16 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bytestash
namespace: bytestash
spec:
hosts:
- "bytestash.local.gwg313.xyz"
gateways:
- bytestash/bytestash-gateway
http:
- route:
- destination:
host: bytestash
port:
number: 80

4
cert-manager/values.yaml Normal file

@ -0,0 +1,4 @@
installCRDs: true
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53


@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
spec:
encryptedData:
api-token: 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
template:
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
type: Opaque


@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: gwg313@pm.me
privateKeySecretRef:
name: letsencrypt-dns-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token


@ -4,19 +4,23 @@
config, config,
inputs, inputs,
... ...
}: }: {
{
# https://devenv.sh/basics/ # https://devenv.sh/basics/
env.GREET = "devenv"; env.GREET = "devenv";
env = { env = {
CONTROL_PLANE_IP = "192.168.10.10";
WORKER_1_IP = "192.168.10.11";
WORKER_2_IP = "192.168.10.12";
}; };
# https://devenv.sh/packages/ # https://devenv.sh/packages/
packages = with pkgs; [ talosctl ]; packages = with pkgs; [
kubectl
talosctl
kubeseal
kubeconform
yamllint
shellcheck
gitleaks
yamlfmt
];
# https://devenv.sh/languages/ # https://devenv.sh/languages/
# languages.rust.enable = true; # languages.rust.enable = true;
@ -50,6 +54,42 @@
''; '';
# https://devenv.sh/pre-commit-hooks/ # https://devenv.sh/pre-commit-hooks/
# git-hooks.hooks = {
# check-yaml.enable = true;
# end-of-file-fixer.enable = true;
# trim-trailing-whitespace.enable = true;
# yamlfmt = {
# enable = true;
# entry = "yamlfmt";
# args = ["-in-place"];
# files = "\\.ya?ml$";
# language = "system";
# };
# yamllint.enable = true;
# shellcheck.enable = true;
#
# kubeconform = {
# enable = true;
# entry = "kubeconform";
# args = [
# "-strict"
# "-summary"
# "-ignore-missing-schemas"
# "-schema-location"
# "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
# "-schema-location"
# "default"
# ];
# files = "\\.ya?ml$";
# };
#
# gitleaks = {
# enable = true;
# entry = "gitleaks detect --no-git -v --redact";
# language = "system";
# pass_filenames = false;
# };
# };
# pre-commit.hooks.shellcheck.enable = true; # pre-commit.hooks.shellcheck.enable = true;
# See full reference at https://devenv.sh/reference/options/ # See full reference at https://devenv.sh/reference/options/
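Review bot: The whole `git-hooks.hooks` block (yamllint, kubeconform, gitleaks, shellcheck, yamlfmt) is committed commented out, so although those tools are now in `packages` nothing runs them on commit, and the `.gitleaks.toml` and `.yamllint` files added in this commit are not exercised by any hook. If the block is parked because of the `pre-commit-hooks.follows = "git-hooks"` input migration, a one-line `# TODO: re-enable once the git-hooks input is wired up` above it would explain the state; otherwise uncommenting it is the change that makes the new config files effective. The enclosing attribute set starts and ends outside this hunk.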

14
forgejo/certificate.yaml Normal file

@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: forgejo-cert
namespace: istio-system
spec:
secretName: forgejo-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- git.local.gwg313.xyz
- git.gwg313.xyz
- git.zerotier.gwg313.xyz

48
forgejo/deployment.yaml Normal file

@ -0,0 +1,48 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: forgejo
namespace: forgejo
labels:
app: forgejo
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: forgejo
template:
metadata:
labels:
app: forgejo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
terminationGracePeriodSeconds: 30
containers:
- name: forgejo
image: codeberg.org/forgejo/forgejo:11-rootless
ports:
- containerPort: 3000
- containerPort: 2222
env:
- name: FORGEJO__server__ROOT_URL
value: "https://git.gwg313.xyz/"
- name: FORGEJO__ssh__START_SSH_SERVER
value: "false"
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
value: "ci.gwg313.xyz"
volumeMounts:
- name: forgejo-volume
mountPath: /var/lib/gitea
subPath: data
- name: forgejo-volume
mountPath: /etc/gitea
subPath: config
volumes:
- name: forgejo-volume
persistentVolumeClaim:
claimName: forgejo-pvc
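Review bot: `containerPort: 2222` is exposed while `FORGEJO__ssh__START_SSH_SERVER` is `"false"` and the forgejo Service only maps port 3000, so the SSH port is dead configuration; dropping it, or a comment such as `# reserved for the built-in SSH server if it is re-enabled`, keeps the manifest honest. The image `codeberg.org/forgejo/forgejo:11-rootless` floats across all 11.x releases, which is a reasonable homelab trade-off but differs from the pinned chart versions elsewhere in this commit and is worth a one-line note.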


@ -0,0 +1,12 @@
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: forgejo
namespace: forgejo
spec:
host: forgejo.forgejo.svc.cluster.local
trafficPolicy:
outlierDetection:
consecutive5xxErrors: 1
interval: 5s
baseEjectionTime: 30s

20
forgejo/gateway.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: forgejo-gateway
namespace: forgejo
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: forgejo-cert
hosts:
- git.local.gwg313.xyz
- git.gwg313.xyz
- git.zerotier.gwg313.xyz


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: forgejo-iscsi-auth
namespace: forgejo
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: forgejo-iscsi-auth
namespace: forgejo
type: kubernetes.io/iscsi-chap

13
forgejo/service.yaml Normal file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: forgejo
namespace: forgejo
spec:
selector:
app: forgejo
ports:
- name: http
port: 80
targetPort: 3000
type: ClusterIP

36
forgejo/storage.yaml Normal file

@ -0,0 +1,36 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: forgejo-pv
spec:
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:forgejo
lun: 0
fsType: ext4
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: forgejo-iscsi-auth
claimRef:
namespace: forgejo
name: forgejo-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: forgejo-pvc
namespace: forgejo
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
volumeName: forgejo-pv
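Review bot: `forgejo-pvc` sets `storageClassName: manual` and `volumeName: forgejo-pv`, but the `forgejo-pv` spec above declares no `storageClassName`; as far as I know the PV controller requires the classes to agree even for a pre-bound claim, so this claim would likely stay Pending with a VolumeMismatch event. Either add `storageClassName: manual` under the PV's `spec:` (as navidrome/pv.yaml does) or remove the line from the PVC. The PV's `secretRef:` also omits `namespace:`, unlike the harbor and minio volumes in this commit; I believe the kubelet falls back to the pod's namespace, which is `forgejo` here, but stating `namespace: forgejo` keeps the manifests consistent and avoids relying on that fallback.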


@ -0,0 +1,21 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: forgejo
namespace: forgejo
spec:
hosts:
- git.local.gwg313.xyz
- git.gwg313.xyz
- git.zerotier.gwg313.xyz
gateways:
- forgejo-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: forgejo
port:
number: 80


@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor-cert-nginx
namespace: harbor
spec:
secretName: harbor-cert-nginx
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- harbor.gwg313.xyz


@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor-cert
namespace: istio-system
spec:
secretName: harbor-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- registry.gwg313.xyz


@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: harbor-gateway
namespace: harbor
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- registry.gwg313.xyz
tls:
mode: SIMPLE
credentialName: harbor-cert


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
type: kubernetes.io/iscsi-chap

197
harbor-config/storage.yaml Normal file

@ -0,0 +1,197 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-registry-pv
spec:
capacity:
storage: 200Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-registry
lun: 1
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-registry
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-registry-pv
resources:
requests:
storage: 200Gi
# Harbor: Jobservice
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-jobservice-pv
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-jobservice
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-jobservice
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-jobservice-pv
resources:
requests:
storage: 10Gi
# Harbor: Database
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-database-pv
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-database
lun: 2
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-database
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-database-pv
resources:
requests:
storage: 10Gi
# Harbor: Redis
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-redis-pv
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-redis
lun: 3
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-redis
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-redis-pv
resources:
requests:
storage: 10Gi
# Harbor: Trivy
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-trivy-pv
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-trivy
lun: 4
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-trivy
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-trivy-pv
resources:
requests:
storage: 10Gi


@ -0,0 +1,39 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: harbor
namespace: harbor
spec:
hosts:
- registry.gwg313.xyz
gateways:
- harbor-gateway
http:
- match:
- uri:
prefix: /api/
- uri:
prefix: /service/
- uri:
prefix: /chartrepo
- uri:
prefix: /c/
- uri:
prefix: /v1/
- uri:
prefix: /v2/
route:
- destination:
host: harbor-core
port:
number: 80
- match:
- uri:
prefix: /
name: portal
route:
- destination:
host: harbor-portal
port:
number: 80
timeout: 30s


@ -1,14 +0,0 @@
apiVersion: v2
name: istio
description: Istio base + control plane + ingress gateway
version: 0.1.0
dependencies:
- name: base
version: 1.22.0
repository: https://istio-release.storage.googleapis.com/charts
- name: istiod
version: 1.22.0
repository: https://istio-release.storage.googleapis.com/charts
- name: gateway
version: 1.22.0
repository: https://istio-release.storage.googleapis.com/charts



@ -1,17 +0,0 @@
# Enable Istio base + control plane + ingress gateway
global:
istioNamespace: istio-system
istiod:
enabled: true
meshConfig:
enablePrometheusMerge: true
accessLogFile: /dev/stdout
pilot:
autoscaleEnabled: false
gateway:
enabled: true
name: istio-ingressgateway
service:
type: LoadBalancer

7
metallb/Chart.yaml Normal file

@ -0,0 +1,7 @@
apiVersion: v2
name: metallb
version: 0.1.0
dependencies:
- name: metallb
version: 0.13.12
repository: https://metallb.github.io/metallb


@ -0,0 +1,8 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: default
namespace: metallb-system
spec:
addresses:
- 10.1.10.50-10.1.10.100


@ -0,0 +1,3 @@
resources:
- ipaddresspool.yaml
- l2advertisement.yaml


@ -0,0 +1,5 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: default
namespace: metallb-system

4
metallb/namespace.yaml Normal file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: metallb-system

46
metallb/values.yaml Normal file

@ -0,0 +1,46 @@
metallb:
controller:
enabled: true
speaker:
enabled: true
hostNetwork: true
podAnnotations:
sidecar.istio.io/inject: "false"
tolerations:
- operator: Exists
securityContext:
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop: ["ALL"]
# keep FRR disabled GoBGP mode works fine and avoids NET_ADMIN
frr:
enabled: false
configInline:
peers:
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.3 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.4 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.5 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.6 # Talos node IP (optional but fine)
# router-id optional can omit or make unique per node
address-pools:
- name: default
protocol: bgp
addresses:
- 10.1.10.50-10.1.10.100
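Review bot: The `configInline:` block with BGP `peers:` and `address-pools:` is, I believe, ignored by the chart version pinned in metallb/Chart.yaml (0.13.12): MetalLB 0.13 moved configuration to CRDs, and this commit already adds an IPAddressPool and an L2Advertisement covering the same range, so the cluster would announce in L2 mode while the four peer entries here never apply. If BGP against the OPNsense router is the intent, those peers should become BGPPeer resources plus a BGPAdvertisement and the L2Advertisement should go; otherwise delete `configInline:` so the values file does not describe a mode that is not running. Separately, the speaker `securityContext` drops every capability, and as far as I know the speaker needs NET_RAW for layer-2 announcements, so the safer override is `capabilities: {drop: ["ALL"], add: ["NET_RAW"]}` — confirm against the chart's default speaker values before changing it.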

13
minio/certificate.yaml Normal file

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: minio-cert
namespace: istio-system
spec:
secretName: minio-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- s3.gwg313.xyz
- s3-console.gwg313.xyz

27
minio/gateway.yaml Normal file

@ -0,0 +1,27 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: minio-gateway
namespace: minio
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: minio-api
protocol: HTTPS
hosts:
- s3.gwg313.xyz
tls:
mode: SIMPLE
credentialName: minio-cert
- port:
number: 443
name: minio-console
protocol: HTTPS
hosts:
- s3-console.gwg313.xyz
tls:
mode: SIMPLE
credentialName: minio-cert


@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: minio-auth
namespace: minio
spec:
encryptedData:
root-password: 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
root-user: 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
template:
metadata:
creationTimestamp: null
name: minio-auth
namespace: minio

18
minio/secrets-sealed.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: minio-iscsi-auth
namespace: minio
spec:
encryptedData:
discovery.sendtargets.auth.password: AgBmscqh2S8TPLgLJn+Wigsd0OAgPE4fHB9Me5dX6BTClvssIjg/fJJk0dFa3mxUcf44D6BkLpa6kquFHhYx7Ga7gNDB0SpLpL63jt8UVusEutE2+onTTh4saWGeQAmJHjdKvdWqdRFWSn+P1BWt6KqRAar+pPESCy010ZFC6Do/EJmxlKcwp2R/wlMg3VPOA25aHWwr8xjXgGIiAX3fHp8A5IWa3beqE26OfK1QixlVJUs4kr+VIIPLbyu8SlidcRNk0f7J5t+A6xwQTshjz3+BZiuvqU1vAfeVCbjtm0kTCohLlVTOw+TCCy28hd1rYdjUL1WNDy5+Z8AZdMyvQacwvuoygOZY2gQiuiA4dll51DIx3F+On43lAxg+UEMI2g8/Lk5G74+tHTm0xJ/UPVAg7aaru9j7XEoOtGuj1BvlFoQ04KDBynbMe9SRdkn7bC+ankKvs6tb9vaRGj8XNldd1zxWP3NX7cwEo4t2tvWJNtg9OKFrNRgajFNo/35N7NH0swtpLDLAOCGp4oQTvTEf74zniP5zaV9V7feO3F/t9Ha+N0PA/JdftQ++EHHnlI/eTRhJtH35vRHM1BYeVcNsrQMUIi7G3hx3Vwpu5iXNciMCFs3YDxwyYG6g4wSr1XLWT/zZW4R1jDx4ldYmGajF8f8lEAe5h/dilk44VVMsTAop5BXhlJykfEgCqf77hXIK8SQLpcWUvsgbaqeu/zGT
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: minio-iscsi-auth
namespace: minio
type: kubernetes.io/iscsi-chap

38
minio/storage.yaml Normal file

@ -0,0 +1,38 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: minio-pv
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
storageClassName: minio-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:minio
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: minio-iscsi-auth
namespace: minio
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: minio-data
namespace: minio
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 100Gi
volumeName: minio-pv
storageClassName: minio-iscsi

39
minio/virtualservice.yaml Normal file

@ -0,0 +1,39 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: minio-console
namespace: minio
spec:
hosts:
- s3-console.gwg313.xyz
gateways:
- minio-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: minio-console
port:
number: 9090
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: minio-api
namespace: minio
spec:
hosts:
- s3.gwg313.xyz
gateways:
- minio-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: minio
port:
number: 9000


@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: navidrome-cert
namespace: istio-system
spec:
secretName: navidrome-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
# commonName: music.local.gwg313.xyz
dnsNames:
- music.local.gwg313.xyz
- music.gwg313.xyz
- music.zerotier.gwg313.xyz

11
navidrome/configmap.yaml Normal file

@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: navidrome-config
namespace: navidrome
data:
ND_SCANSCHEDULE: "1h"
ND_LOGLEVEL: "info"
ND_SESSIONTIMEOUT: "24h"
ND_BASEURL: ""
ND_DEVACTIVITYPANEL: "false"

38
navidrome/deployment.yaml Normal file

@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: navidrome
namespace: navidrome
spec:
replicas: 1
selector:
matchLabels:
app: navidrome
template:
metadata:
labels:
app: navidrome
spec:
containers:
- name: navidrome
image: deluan/navidrome:latest
ports:
- containerPort: 4533
envFrom:
- configMapRef:
name: navidrome-config
- secretRef:
name: navidrome-secrets
volumeMounts:
- mountPath: /data
name: navidrome-data
- mountPath: /music
name: navidrome-music
readOnly: true
volumes:
- name: navidrome-data
persistentVolumeClaim:
claimName: navidrome-data
- name: navidrome-music
persistentVolumeClaim:
claimName: navidrome-music
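Review bot: `image: deluan/navidrome:latest` floats, so each rollout pulls whatever was published last and a rollback cannot reproduce the previous state; pin it to a release tag, ideally with an `@sha256:` digest. The pod also has no `securityContext` at all, unlike forgejo/deployment.yaml in the same commit, so unless the image drops privileges itself it runs as root with the full default capability set; the pod- and container-level settings below bring it in line. Resource `requests`/`limits` are absent too, which is worth adding for a workload that periodically rescans a library on `ND_SCANSCHEDULE`.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000   # constructed example — use the uid that owns the data volume
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: navidrome
          image: deluan/navidrome:<VERSION-PLACEHOLDER>
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, envFrom, volumeMounts …
      # … unchanged: volumes …
```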

19
navidrome/gateway.yaml Normal file

@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: music-gateway
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: navidrome-cert
hosts:
- music.local.gwg313.xyz
- music.gwg313.xyz
- music.zerotier.gwg313.xyz
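Review bot: This Gateway has no `namespace:` under `metadata:`, and neither do navidrome/service.yaml nor the navidrome VirtualService further down, while the ConfigMap, Deployment and PVCs in this commit all declare `namespace: navidrome`. Where these three land then depends on the Argo CD Application's destination namespace; if that is not `navidrome`, the VirtualService's bare `host: navidrome` resolves in the wrong namespace while the Gateway selector still matches, so TLS is terminated and the request has no backend. Add `namespace: navidrome` to all three so the manifests are self-describing.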


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: navidrome-iscsi-auth
namespace: navidrome
spec:
encryptedData:
discovery.sendtargets.auth.password: AgCfQP4VjeYYMuHZn5ZOVrs3C9vm+kF0qiWfT1wTixwvvNA5I9mDFA7F2cR/SIT6NvDLpLVMaFku7tf88aJCjlQvhEoEJbeSEurLCfJcXDaQwFKaTeELrz6l1NbyusXlijblpLQYkupxl7ZNraY3mWJSAoBD0OdpQfP56+8NcoOHHEDDdBwYza/VkBdlYOYCFWtPCosbw+wjtLgSIRkiNbrWXEN0MkBAo9OWczvB0GKGyk5divHM8iDFTON34Rk1HMv41o3tvgHa7RvXFC8LJ3GB0NyFeawyrcQF7C3i+8P50zGmzUs3ie1il//8ICzkp+0zJk4hOG+9KBIu9sDInjjVhhwHcCZspvmuKOOqg9F2mjK8a6VGURoKdvxFX2HahqAB/FjFTp5diKKZQY+zfkd7mJ3OnPqhB9fIKmZnxWwtUq8AYI2jcDdERI4FeTrmkbcxAhMCgI7cCYStwDD11dQt4XRqWOeA3trOHubyslPjvjEkIDvoVj2BNHtFIwSNX16gAMs5HsRZnoo1SUc57+IRPH0v/ZaSfJXeE6Lrv2H7ZTSlHEusKkTAvAnVKAQyJmRTYCOMdYPePr169NUEhsAqWVmizjxN34VPiK7Y6kkwgGiQJpXZHHj1QxUQ63P4O4iuvYPEx40gCtR8cXBMesPE6XkH5udxmQ/zAHjjJSyodJgM6v2IO++0gYZb06AZjDPtqgp3sqrHnzlcNRh78oBz
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: navidrome-iscsi-auth
namespace: navidrome
type: kubernetes.io/iscsi-chap


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: navidrome-secrets
namespace: navidrome
spec:
encryptedData:
ND_LASTFM_APIKEY: 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
ND_LASTFM_SECRET: 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
ND_SPOTIFY_ID: 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
ND_SPOTIFY_SECRET: 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
template:
metadata:
creationTimestamp: null
name: navidrome-secrets
namespace: navidrome
type: Opaque

42
navidrome/pv.yaml Normal file

@ -0,0 +1,42 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: navidrome-data-pv
namespace: navidrome
spec:
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: manual
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:navidrome
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: navidrome-iscsi-auth
claimRef:
namespace: navidrome
name: navidrome-data
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: navidrome-music-pv
namespace: navidrome
spec:
capacity:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadOnlyMany
persistentVolumeReclaimPolicy: Retain
storageClassName: manual
nfs:
path: /mnt/tank/music-ro
server: truenas.local.gwg313.xyz
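Review bot: PersistentVolume is a cluster-scoped resource, so the `namespace: navidrome` under `metadata:` on both `navidrome-data-pv` and `navidrome-music-pv` has no effect on the API server and, with Argo CD managing these manifests, may cause spurious diffs or resource-tracking confusion; drop the two `namespace:` lines as forgejo/storage.yaml and the other PVs in this commit do. The intended namespace is already carried by `claimRef.namespace` on the first volume and by the PVCs themselves.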

29
navidrome/pvc.yaml Normal file

@ -0,0 +1,29 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: navidrome-data
namespace: navidrome
spec:
accessModes:
- ReadWriteOnce
storageClassName: manual
volumeMode: Block
volumeName: navidrome-data-pv
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: navidrome-music
namespace: navidrome
spec:
accessModes:
- ReadOnlyMany
storageClassName: manual
volumeMode: Filesystem
volumeName: navidrome-music-pv
resources:
requests:
storage: 10Gi
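Review bot: The `navidrome-data` claim requests `volumeMode: Block` but binds by `volumeName: navidrome-data-pv`, and that PV in navidrome/pv.yaml has no `volumeMode` — so it defaults to Filesystem — plus `fsType: ext4`; volume mode is one of the properties the binder compares, so I expect this claim to stay Pending. navidrome/deployment.yaml also mounts it via `volumeMounts` at `/data`, which needs a filesystem volume, so the fix is `volumeMode: Filesystem` here, matching the `navidrome-music` claim below.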

12
navidrome/service.yaml Normal file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: navidrome
spec:
selector:
app: navidrome
ports:
- name: http
port: 80
targetPort: 4533
type: ClusterIP


@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: navidrome
spec:
hosts:
- music.local.gwg313.xyz
- music.gwg313.xyz
- music.zerotier.gwg313.xyz
gateways:
- music-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: navidrome
port:
number: 80


@ -0,0 +1 @@
fullnameOverride: sealed-secrets-controller


@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: woodpecker-cert
namespace: istio-system
spec:
secretName: woodpecker-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- ci.gwg313.xyz

18
woodpecker/gateway.yaml Normal file

@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: woodpecker-gateway
namespace: woodpecker
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: woodpecker-cert
hosts:
- ci.gwg313.xyz


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-iscsi-auth
namespace: woodpecker
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-iscsi-auth
namespace: woodpecker
type: Opaque
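Review bot: The `template:` here sets `type: Opaque`, while the other iSCSI CHAP SealedSecrets in this commit (forgejo, harbor, minio, navidrome) use `type: kubernetes.io/iscsi-chap`, which is the type the Kubernetes iSCSI examples use for `chapAuthDiscovery`/`chapAuthSession` secrets. I don't believe the kubelet rejects an Opaque secret as long as the four `*.auth.*` keys are present, but the inconsistency means the next reader has to re-check that; change it to `type: kubernetes.io/iscsi-chap`. The template is outside the encrypted payload, so as far as I know this does not require re-sealing — verify against your sealed-secrets controller version.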


@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: woodpecker
labels:
pod-security.kubernetes.io/enforce: privileged
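Review bot: `pod-security.kubernetes.io/enforce: privileged` switches off Pod Security admission for every pod in the `woodpecker` namespace — the server and any pipeline workloads included — presumably because the agent's backend needs privileged pods. If only the agents need that, giving them their own namespace keeps the server under the baseline or restricted profile. At minimum add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` alongside it so pods that would violate the restricted profile still surface in the audit log and as kubectl warnings.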


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-agent-secrets
namespace: woodpecker
spec:
encryptedData:
WOODPECKER_AGENT_SECRET: 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
WOODPECKER_SERVER: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-agent-secrets
namespace: woodpecker
type: Opaque


@ -0,0 +1,22 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-server-secrets
namespace: woodpecker
spec:
encryptedData:
WOODPECKER_ADMIN: 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
WOODPECKER_AGENT_SECRET: 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
WOODPECKER_BACKEND: 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
WOODPECKER_GITEA: 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
WOODPECKER_GITEA_CLIENT: 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
WOODPECKER_GITEA_SECRET: 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
WOODPECKER_GITEA_URL: 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
WOODPECKER_HOST: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-server-secrets
namespace: woodpecker
type: Opaque

11
woodpecker/service.yaml Normal file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: woodpecker
namespace: woodpecker
spec:
selector:
app: woodpecker
ports:
- port: 80
targetPort: 8000
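Review bot: This Service is named `woodpecker` and selects `app: woodpecker`, while woodpecker/virtualservice.yaml routes to `host: woodpecker-server`; unless a chart-managed Service of that name exists, the VirtualService has no backend and this Service is unused — worth confirming which of the two is intended. The port entry also has no `name:`, where the other Services in this commit use `- name: http`; a named port (or `appProtocol: http`) gives Istio an explicit protocol instead of relying on sniffing.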


@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-shared-storage
namespace: woodpecker
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi
storageClassName: nfs-client

114
woodpecker/storage.yaml Normal file

@ -0,0 +1,114 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: woodpecker-agent-pv5
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-agent
lun: 1
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-agent-pvc5
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: woodpecker-agent-pv5
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: woodpecker-server-pv5
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-server
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-server-pvc5
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: woodpecker-server-pv5
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: data-woodpecker-server-0
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-data
lun: 2
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data-woodpecker-server-0
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 10Gi
volumeName: data-woodpecker-server-0
storageClassName: "" # must match PV


@ -0,0 +1,16 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: woodpecker
namespace: woodpecker
spec:
gateways:
- woodpecker-gateway
hosts:
- ci.gwg313.xyz
http:
- route:
- destination:
host: woodpecker-server
port:
number: 80


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: wp-cache-pv1
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: manual-nfs
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/k8s/democratic/woodpecker-cache
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wp-cache-pvc1
namespace: woodpecker
spec:
accessModes:
- ReadWriteMany
storageClassName: manual-nfs
resources:
requests:
storage: 1Gi

13
yopass/certificate.yaml Normal file

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: yopass-cert
namespace: istio-system
spec:
secretName: yopass-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- pastebin.local.gwg313.xyz
- pastebin.gwg313.xyz
