Compare commits


1 Commits

71 changed files with 287 additions and 1841 deletions

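--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1 @@
 *-testing/
-Chart.lock
-charts/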
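Review bot: Removing `charts/` from the ignore list means the dependency archives that `helm dependency update` writes into each chart's `charts/` directory will be picked up by `git add` for every chart in this repository that declares dependencies (authentik and grafana are visible in this commit). Keeping `Chart.lock` tracked is the useful half of the change, since the lock file pins the resolved dependency versions and digest; the fetched archives themselves are better left untracked, so `charts/` should stay on its own line. If vendoring the archives is intended, say so in the file, e.g. `# charts/ is tracked on purpose: vendored Helm dependencies`.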


@@ -1,24 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: flaresolverr
spec:
replicas: 1
selector:
matchLabels:
app: flaresolverr
template:
metadata:
labels:
app: flaresolverr
spec:
containers:
- name: flaresolverr
image: ghcr.io/flaresolverr/flaresolverr:v3.4.1
resources:
limits:
memory: "4Gi"
cpu: "1"
requests:
memory: "2Gi"
cpu: "0.5"


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: flaresolverr
spec:
selector:
app: flaresolverr
ports:
- port: 8191
targetPort: 8191


@@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: prowlarr
spec:
replicas: 1
selector:
matchLabels:
app: prowlarr
template:
metadata:
labels:
app: prowlarr
annotations:
backup.velero.io/backup-volumes: config
spec:
containers:
- name: prowlarr
image: linuxserver/prowlarr:version-2.0.5.5160
volumeMounts:
- name: config
mountPath: /config
resources:
limits:
memory: "1Gi"
cpu: "1"
requests:
memory: "512Mi"
cpu: "0.5"
volumes:
- name: config
persistentVolumeClaim:
claimName: prowlarr-config


@@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prowlarr-config
spec:
resources:
requests:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: prowlarr
spec:
selector:
app: prowlarr
ports:
- port: 9696
targetPort: 9696


@@ -1,45 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
spec:
replicas: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
annotations:
backup.velero.io/backup-volumes: config
spec:
containers:
- name: radarr
image: linuxserver/radarr:version-5.27.5.10198
volumeMounts:
- name: config
mountPath: /config
- name: downloads
mountPath: /mnt/Downloads
- name: movies
mountPath: /mnt/movies
resources:
limits:
memory: "1Gi"
cpu: "1"
requests:
memory: "512Mi"
cpu: "0.5"
volumes:
- name: config
persistentVolumeClaim:
claimName: radarr-config
- name: movies
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/movies
- name: downloads
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/syncthing-downloads


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: radarr
spec:
selector:
app: radarr
ports:
- port: 7878
targetPort: 7878


@@ -1,45 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
spec:
replicas: 1
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
annotations:
backup.velero.io/backup-volumes: config
spec:
containers:
- name: sonarr
image: linuxserver/sonarr:4.0.15
volumeMounts:
- name: config
mountPath: /config
- name: downloads
mountPath: /mnt/Downloads
- name: tv-shows
mountPath: /mnt/tv-shows
resources:
limits:
memory: "1Gi"
cpu: "1"
requests:
memory: "512Mi"
cpu: "0.5"
volumes:
- name: config
persistentVolumeClaim:
claimName: sonarr-config
- name: tv-shows
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/tv-shows
- name: downloads
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/syncthing-downloads


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: sonarr
spec:
selector:
app: sonarr
ports:
- port: 8989
targetPort: 8989


@@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deluge-tunnel
spec:
selector:
matchLabels:
app: deluge-tunnel
template:
metadata:
labels:
app: deluge-tunnel
spec:
containers:
- name: deluge-tunnel
image: kroniak/ssh-client:3.21
command: ["/bin/sh", "-c", "ssh -o StrictHostKeyChecking=no weyma-talos@45.152.211.243 -p 2222 -L 0.0.0.0:58846:127.0.0.1:58846 -L 0.0.0.0:8112:127.0.0.1:8112 -N"]
volumeMounts:
- name: ssh-keys
mountPath: /root/.ssh
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "128Mi"
cpu: "200m"
volumes:
- name: ssh-keys
secret:
defaultMode: 0400
secretName: ssh-keys


@@ -1,28 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: ssh-keys
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: deluge-ssh
metadataPolicy: None
property: private
secretKey: id_ed25519
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: deluge-ssh
metadataPolicy: None
property: public
secretKey: id_ed25519.pub
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: ssh-keys


@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: deluge
spec:
selector:
app: deluge-tunnel
ports:
- port: 58846
targetPort: 58846
name: deluge
- port: 8112
targetPort: 8112
name: web


@@ -24,5 +24,5 @@ appVersion: "1.0"
dependencies: dependencies:
- name: authentik - name: authentik
version: 2025.10.2 version: 2025.4.1
repository: https://charts.goauthentik.io repository: https://charts.goauthentik.io


@@ -25,6 +25,59 @@ authentik:
- name: cert-dubyatp-xyz - name: cert-dubyatp-xyz
secret: secret:
secretName: cert-dubyatp-xyz secretName: cert-dubyatp-xyz
postgresql:
enabled: true
image:
repository: bitnami/postgresql
tag: 15.8.0-debian-12-r18
auth:
username: authentik
database: authentik
existingSecret: "authentik-credentials"
secretKeys:
adminPasswordKey: "admin-password"
userPasswordKey: "user-password"
replicationPasswordKey: "replication-password"
primary:
podAnnotations:
backup.velero.io/backup-volumes: data
extendedConfiguration: |
max_connections = 500
resourcesPreset: "none"
persistence:
enabled: true
storageClass: weyma-shared
accessModes:
- ReadWriteOnce
readReplicas:
resourcesPreset: "none"
backup:
resourcesPreset: "none"
passwordUpdateJob:
resourcesPreset: "none"
volumePermissions:
resourcesPreset: "none"
metrics:
resourcesPreset: "none"
redis:
enabled: true
architecture: standalone
auth:
enabled: false
master:
resourcesPreset: "none"
podAnnotations:
backup.velero.io/backup-volumes: redis-data
replica:
resourcesPreset: "none"
sentinel:
resourcesPreset: "none"
metrics:
resourcesPreset: "none"
volumePermissions:
resourcesPreset: "none"
sysctl:
resourcesPreset: "none"
global: global:
env: env:
- name: AUTHENTIK_SECRET_KEY - name: AUTHENTIK_SECRET_KEY
@@ -32,32 +85,11 @@ authentik:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: authentik-secret-key key: authentik-secret-key
- name: AUTHENTIK_POSTGRESQL__HOST
value: pooler-weyma-rw.cloudnativepg.svc.cluster.local
- name: AUTHENTIK_POSTGRESQL__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__USER
value: authentik
- name: AUTHENTIK_POSTGRESQL__PASSWORD - name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-db-auth
key: password
- name: AUTHENTIK_EMAIL__FROM
value: authentik_dubyatp@em924671.dubyatp.xyz
- name: AUTHENTIK_EMAIL__HOST
value: mail.smtp2go.com
- name: AUTHENTIK_EMAIL__USE_TLS
value: "true"
- name: AUTHENTIK_EMAIL__USERNAME
value: authentik_dubyatp
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: smtp-password key: user-password
- name: AUTHENTIK_EMAIL__TIMEOUT
value: "30"
additionalObjects: additionalObjects:
- apiVersion: networking.k8s.io/v1 - apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
@@ -121,28 +153,3 @@ authentik:
remoteRef: remoteRef:
key: authentik key: authentik
property: user-password property: user-password
- secretKey: smtp-password
remoteRef:
key: authentik
property: smtp-password
- apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-db-auth
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: cloudnativepg
metadataPolicy: None
property: authentik_pw
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: authentik-db-auth
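Review bot: The bundled Redis is configured with `redis.auth.enabled: false`, so any pod that can reach its ClusterIP can read and write authentik's session and task cache without a password, and the embedded PostgreSQL is pointed at `existingSecret: "authentik-credentials"` with three `secretKeys` (`admin-password`, `user-password`, `replication-password`) while the ExternalSecret in the last hunk only visibly maps `user-password`; if the other two keys are not produced by the part of that ExternalSecret outside the hunk, the database pod will fail to find its passwords at start-up. Either enable Redis auth from the same secret or add a NetworkPolicy limiting ingress to the authentik pods, and confirm the ExternalSecret emits all three keys. Every `resourcesPreset: "none"` in the new block also leaves the database and cache pods without requests or limits unless `resources:` is set elsewhere, which gives them BestEffort QoS and makes them the first to be evicted under node pressure; a comment such as `# resources intentionally unset — see cluster sizing notes` or explicit `resources:` would make the intent clear.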


@@ -1,61 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: dispatcharr
spec:
selector:
matchLabels:
app: dispatcharr
template:
metadata:
labels:
app: dispatcharr
annotations:
backup.velero.io/backup-volumes: data
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: extensions.talos.dev/i915
operator: Exists
nodeSelector:
kubernetes.io/hostname: weyma-talos-testw04
containers:
- name: dispatcharr
image: ghcr.io/dispatcharr/dispatcharr:0.8.0-amd64
env:
- name: DISPATCHARR_ENV
value: aio
- name: REDIS_HOST
value: localhost
- name: CELERY_BROKER_URL
value: redis://localhost:6379/0
- name: DISPATCHARR_LOG_LEVEL
value: info
- name: UWSGI_NICE_LEVEL
value: "-5"
- name: CELERY_NICE_LEVEL
value: "-5"
volumeMounts:
- name: dispatcharr-data
mountPath: /data
- name: dev-dri
mountPath: /dev/dri
resources:
limits:
memory: "3Gi"
cpu: "1"
requests:
memory: "256Mi"
cpu: "500m"
securityContext:
privileged: true
volumes:
- name: dispatcharr-data
persistentVolumeClaim:
claimName: dispatcharr
- name: dev-dri
hostPath:
path: /dev/dri


@@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dispatcharr
labels:
app.kubernetes.io/name: dispatcharr
spec:
rules:
- host: dispatcharr.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: dispatcharr-svc
port:
number: 9191


@@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dispatcharr
spec:
resources:
requests:
storage: 20Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: dispatcharr-svc
spec:
selector:
app: dispatcharr
ports:
- port: 9191
targetPort: 9191


@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: cert-dubyatp-xyz
annotations:
replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
data:
tls.crt: ""
tls.key: ""
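Review bot: The `tls.crt: ""` and `tls.key: ""` entries are placeholders that kubernetes-replicator overwrites from `cert-manager/cert-dubyatp-xyz` per the two annotations, but nothing in the manifest says so, and with no `type:` the Secret is created as Opaque rather than `kubernetes.io/tls`; a reader can easily take the empty values for a broken certificate. Add a comment above `data:`, e.g. `# keys intentionally empty: populated by kubernetes-replicator from cert-manager/cert-dubyatp-xyz`. The new `emby/ingress.yaml` references this secret by name under `tls.secretName`, so the manifest presumably has to land in the same namespace as that Ingress — worth stating in the same comment.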

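--- a/emby/deployment.yaml
+++ b/emby/deployment.yaml
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: emby
+spec:
+strategy:
+type: Recreate
+selector:
+matchLabels:
+app: emby
+template:
+metadata:
+annotations:
+backup.velero.io/backup-volumes: emby-config
+labels:
+app: emby
+spec:
+volumes:
+- name: tv-shows
+nfs:
+server: 10.105.15.20
+path: /mnt/hdd-pool/tv-shows
+- name: movies
+nfs:
+server: 10.105.15.20
+path: /mnt/hdd-pool/movies
+- name: emby-config
+persistentVolumeClaim:
+claimName: emby-config
+- name: transcode-temp
+emptyDir:
+sizeLimit: 8Gi
+medium: Memory
+- name: dev-dri
+hostPath:
+path: /dev/dri
+containers:
+- name: emby
+image: emby/embyserver:4.8.11.0
+volumeMounts:
+- name: tv-shows
+mountPath: /mnt/tv-shows
+- name: movies
+mountPath: /mnt/movies
+- name: emby-config
+mountPath: /config
+- name: transcode-temp
+mountPath: /tmp/transcode
+- name: dev-dri
+mountPath: /dev/dri
+env:
+- name: UID
+value: "1000"
+- name: GID
+value: "1000"
+- name: GIDLIST
+value: "100"
+livenessProbe:
+httpGet:
+path: /
+port: http
+securityContext:
+privileged: true
+resources:
+limits:
+memory: 8Gi
+cpu: '1'
+requests:
+memory: 4Gi
+cpu: "500m"
+nodeSelector:
+kubernetes.io/hostname: weyma-talos-testw04
+affinity:
+nodeAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+nodeSelectorTerms:
+- matchExpressions:
+- key: extensions.talos.dev/i915
+operator: Exists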
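Review bot: `livenessProbe.httpGet.port: http` names a container port, but the `emby` container declares no `ports:` list anywhere in this file, so the kubelet cannot resolve `http`, every probe attempt fails, and the container is restarted in a loop once the failure threshold is reached; declare the port on the container, `ports:` / `- name: http` / `containerPort: 8096` (8096 is what `emby/svc.yaml` targets). The container also runs `privileged: true`, apparently only to use the `/dev/dri` hostPath; that grants far more than device access, and a non-privileged pod can usually reach the render device through `supplementalGroups` for the render group or a device plugin, so a comment stating why privileged is required (or dropping it) would be appropriate. Minor: `nodeSelector` on `kubernetes.io/hostname` duplicates the `extensions.talos.dev/i915` node affinity and ties the pod to one node, and quoting is mixed between `cpu: '1'` and `cpu: "500m"` within the same `resources:` block.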

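--- a/emby/ingress.yaml
+++ b/emby/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: emby-ingress
+annotations:
+traefik.ingress.kubernetes.io/router.middlewares: cloudflarewarp@file
+spec:
+rules:
+- host: emby.dubyatp.xyz
+http:
+paths:
+- pathType: Prefix
+path: "/"
+backend:
+service:
+name: emby-http-svc
+port:
+number: 8096
+tls:
+- hosts:
+- emby.dubyatp.xyz
+secretName: cert-dubyatp-xyz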


@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: sonarr-config name: emby-config
spec: spec:
storageClassName: weyma-shared
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
volumeMode: Filesystem volumeMode: Filesystem
accessModes: accessModes:
- ReadWriteMany - ReadWriteOnce


@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: radarr-config name: resilio-pvc
spec: spec:
storageClassName: weyma-shared
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
volumeMode: Filesystem volumeMode: Filesystem
accessModes: accessModes:
- ReadWriteMany - ReadWriteOnce

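--- a/emby/resilio-sync.yaml
+++ b/emby/resilio-sync.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: resilio-sync
+spec:
+selector:
+matchLabels:
+app: resilio-sync
+template:
+metadata:
+labels:
+app: resilio-sync
+spec:
+containers:
+- name: resilio-sync
+image: lscr.io/linuxserver/resilio-sync:3.0.0
+volumeMounts:
+- name: config
+mountPath: /config
+- name: tv-shows
+mountPath: /sync/tv-shows
+- name: movies
+mountPath: /sync/movies
+resources:
+limits:
+memory: "700Mi"
+cpu: "500m"
+volumes:
+- name: config
+persistentVolumeClaim:
+claimName: resilio-pvc
+- name: tv-shows
+nfs:
+server: 10.105.15.20
+path: /mnt/hdd-pool/tv-shows
+- name: movies
+nfs:
+server: 10.105.15.20
+path: /mnt/hdd-pool/movies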
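Review bot: This Deployment mounts `resilio-pvc`, which the same commit switches to `ReadWriteOnce`, yet unlike `emby/deployment.yaml` it keeps the default RollingUpdate strategy; on an update the replacement pod is started while the old one still holds the volume, and if it lands on another node it sits in ContainerCreating until the old pod is gone. Add `strategy:` / `type: Recreate` under `spec:` as the emby deployment does. Only `limits` are given, so `requests` default to the same values — fine, but a one-line comment saying so avoids a later "missing requests" fix. The image is given no `PUID`/`PGID`, so files it writes to the two writable NFS exports under `/sync/*` will carry the image's default ownership; confirm that matches what emby, running with `UID`/`GID` 1000, expects to read.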

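--- a/emby/svc.yaml
+++ b/emby/svc.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: emby-http-svc
+spec:
+type: ClusterIP
+selector:
+app: emby
+ports:
+- port: 8096
+targetPort: 8096
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: emby-https-svc
+spec:
+type: ClusterIP
+selector:
+app: emby
+ports:
+- port: 8920
+targetPort: 8920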


@@ -1,39 +1,33 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
annotations: name: gitea-runner
deployment.kubernetes.io/revision: "4"
labels:
app: act-runner
name: act-runner
namespace: gitea-runner
spec: spec:
progressDeadlineSeconds: 600
replicas: 1 replicas: 1
revisionHistoryLimit: 10 strategy:
type: Recreate
selector: selector:
matchLabels: matchLabels:
app: act-runner app: gitea-runner
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template: template:
metadata: metadata:
creationTimestamp: null
labels: labels:
app: act-runner app: gitea-runner
spec: spec:
restartPolicy: Always
volumes:
- name: docker-certs
emptyDir: {}
- name: runner-data
persistentVolumeClaim:
claimName: gitea-runner-pvc
containers: containers:
- command: - name: runner
- sh image: gitea/act_runner:nightly
- -c command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
- while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
sleep 5; done; /sbin/tini -- run.sh
env: env:
- name: DOCKER_HOST - name: DOCKER_HOST
value: tcp://localhost:2376 value: tcp://127.0.0.1:2376
- name: DOCKER_CERT_PATH - name: DOCKER_CERT_PATH
value: /certs/client value: /certs/client
- name: DOCKER_TLS_VERIFY - name: DOCKER_TLS_VERIFY
@@ -43,37 +37,20 @@ spec:
- name: GITEA_RUNNER_REGISTRATION_TOKEN - name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: token name: gitea-runner-token
name: runner-secret key: registration-token
image: gitea/act_runner:nightly
imagePullPolicy: Always
name: runner
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /certs - name: docker-certs
name: docker-certs mountPath: /certs
- mountPath: /data - name: runner-data
name: runner-data mountPath: /data
- env: - name: daemon
image: docker:23.0.6-dind
env:
- name: DOCKER_TLS_CERTDIR - name: DOCKER_TLS_CERTDIR
value: /certs value: /certs
image: docker:23.0.6-dind
imagePullPolicy: IfNotPresent
name: daemon
securityContext: securityContext:
privileged: true privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /certs - name: docker-certs
name: docker-certs mountPath: /certs
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
volumes:
- name: docker-certs
- name: runner-data
persistentVolumeClaim:
claimName: act-runner-vol
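Review bot: `image: gitea/act_runner:nightly` (first hunk) now runs under the default pull policy, which is `IfNotPresent` for any tag other than `latest`, whereas the old spec carried `imagePullPolicy: Always`; with a mutable `nightly` tag each node keeps whatever build it pulled first, so runners on different nodes silently diverge and a rebuilt tag is never picked up. Pin a release tag instead (`image: gitea/act_runner:<release-tag>`, placeholder) or, if nightly is intended, restore `imagePullPolicy: Always` on the `runner` container — this container executes the workflows of every repository the runner is registered for, so which build it runs matters. The `daemon` sidecar stays `privileged: true` on `docker:23.0.6-dind`, which is inherent to the dind pattern, but a comment above that container stating why privileged is required would help the next reader, and the daemon image tag is worth checking against currently maintained releases. The `runner` container's env list continues outside the first hunk.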


@@ -1,28 +0,0 @@
apiVersion: v2
name: gitea
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: "1.0"
dependencies:
- name: gitea
version: 12.4.0
repository: https://dl.gitea.com/charts/


@@ -1,188 +0,0 @@
gitea:
replicaCount: 3
ingress:
enabled: true
hosts:
- host: git.dubyatp.xyz
paths:
- path: /
tls:
- secretName: cert-dubyatp-xyz
hosts:
- git.dubyatp.xyz
persistence:
enabled: true
create: true
mount: true
claimName: gitea-shared-storage
size: 50Gi
accessModes:
- ReadWriteMany
storageClass: weyma-shared
deployment:
annotations:
backup.velero.io/backup-volumes: data
env:
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
key: password
name: gitea-db-auth
- name: GITEA__mailer__PASSWD
valueFrom:
secretKeyRef:
key: smtp_smtp2go
name: gitea-secrets
- name: GITEA__security__INTERNAL_TOKEN
valueFrom:
secretKeyRef:
key: internal_token
name: gitea-secrets
- name: GITEA__security__SECRET_KEY
valueFrom:
secretKeyRef:
key: secret_key
name: gitea-secrets
- name: GITEA__oauth2__JWT_SECRET
valueFrom:
secretKeyRef:
key: oauth2_jwt
name: gitea-secrets
gitea:
admin:
passwordMode: initialOnlyNoReset
podAnnotations:
backup.velero.io/backup-volumes: data
config:
database:
DB_TYPE: postgres
HOST: pooler-weyma-rw.cloudnativepg.svc.cluster.local
NAME: gitea
USER: gitea
server:
DISABLE_SSH: false
DOMAIN: git.dubyatp.xyz
ENABLE_PPROF: false
ROOT_URL: https://git.dubyatp.xyz
SSH_DOMAIN: git-ssh.dubyatp.xyz
SSH_LISTEN_PORT: 22
SSH_PORT: 22
START_SSH_SERVER: true
OFFLINE_MODE: false
service:
DISABLE_REGISTRATION: false
webhook:
ALLOWED_HOST_LIST: "drone.infra.dubyatp.xyz,argocd.infra.dubyatp.xyz,discord.com,10.0.0.0/8"
mailer:
ENABLED: true
FROM: gitea@em924671.dubyatp.xyz
PROTOCOL: smtps
SMTP_ADDR: mail.smtp2go.com
SMTP_PORT: 465
USER: gitea_dubyatp
security:
INSTALL_LOCK: true
metrics:
enabled: true
serviceMonitor:
enabled: true
extraDeploy:
- apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
spec:
entryPoints:
- gitssh
routes:
- match: HostSNI(`*`)
priority: 1
services:
- name: gitea-ssh
port: 22
- apiVersion: v1
kind: Secret
metadata:
name: cert-dubyatp-xyz
annotations:
replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
data:
tls.crt: ""
tls.key: ""
- apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-db-auth
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: cloudnativepg
metadataPolicy: None
property: gitea_pw
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: gitea-db-auth
- apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-secrets
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: gitea
metadataPolicy: None
property: internal_token
secretKey: internal_token
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: gitea
metadataPolicy: None
property: oauth2_jwt
secretKey: oauth2_jwt
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: gitea
metadataPolicy: None
property: secret_key
secretKey: secret_key
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: gitea
metadataPolicy: None
property: smtp_smtp2go
secretKey: smtp_smtp2go
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: gitea
metadataPolicy: None
property: gitea_admin
secretKey: gitea_admin
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: gitea-secrets
postgresql-ha:
enabled: false
valkey-cluster:
enabled: true
valkey:
resourcesPreset: "small"


@@ -24,5 +24,5 @@ appVersion: "1.0"
dependencies: dependencies:
- name: grafana - name: grafana
version: 10.2.0 version: 9.2.1
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts


@@ -16,6 +16,11 @@ grafana:
defaultCurlOptions: -skf defaultCurlOptions: -skf
deploymentStrategy: deploymentStrategy:
type: Recreate type: Recreate
downloadDashboardsImage:
pullPolicy: IfNotPresent
registry: docker.io
repository: curlimages/curl
tag: 8.9.1
enableServiceLinks: true enableServiceLinks: true
envFromConfigMaps: envFromConfigMaps:
- name: grafana-env - name: grafana-env
@@ -134,6 +139,11 @@ grafana:
secretName: cert-dubyatp-xyz secretName: cert-dubyatp-xyz
initChownData: initChownData:
enabled: true enabled: true
image:
pullPolicy: IfNotPresent
registry: docker.io
repository: library/busybox
tag: 1.37.0
securityContext: securityContext:
capabilities: capabilities:
add: add:
@@ -191,6 +201,6 @@ grafana:
image: image:
registry: docker.io registry: docker.io
repository: bats/bats repository: bats/bats
tag: 1.13.0 tag: 1.12.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
useStatefulSet: false useStatefulSet: false


@@ -13,7 +13,7 @@ spec:
spec: spec:
containers: containers:
- name: immich-ml - name: immich-ml
image: ghcr.io/immich-app/immich-machine-learning:v1.134.0 image: ghcr.io/immich-app/immich-machine-learning:v1.132.3
volumeMounts: volumeMounts:
- name: model-cache - name: model-cache
mountPath: /cache mountPath: /cache
@@ -23,7 +23,7 @@ spec:
mountPath: /dev/dri mountPath: /dev/dri
env: env:
- name: DB_HOSTNAME - name: DB_HOSTNAME
value: "immich-rw.cloudnativepg.svc.cluster.local" value: "weyma-pgsql-rw.cloudnativepg.svc.cluster.local"
- name: DB_DATABASE_NAME - name: DB_DATABASE_NAME
value: "immich" value: "immich"
- name: DB_USERNAME - name: DB_USERNAME


@@ -13,7 +13,7 @@ spec:
spec: spec:
containers: containers:
- name: immich-server - name: immich-server
image: ghcr.io/immich-app/immich-server:v1.134.0 image: ghcr.io/immich-app/immich-server:v1.132.3
volumeMounts: volumeMounts:
- name: library - name: library
mountPath: /usr/src/app/upload mountPath: /usr/src/app/upload
@@ -23,7 +23,7 @@ spec:
mountPath: /dev/dri mountPath: /dev/dri
env: env:
- name: DB_HOSTNAME - name: DB_HOSTNAME
value: "immich-rw.cloudnativepg.svc.cluster.local" value: "weyma-pgsql-rw.cloudnativepg.svc.cluster.local"
- name: DB_DATABASE_NAME - name: DB_DATABASE_NAME
value: "immich" value: "immich"
- name: DB_USERNAME - name: DB_USERNAME


@@ -1,28 +0,0 @@
apiVersion: v2
name: jellyfin
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: "1.0"
dependencies:
- name: jellyfin
version: 2.5.0
repository: https://jellyfin.github.io/jellyfin-helm


@@ -1,33 +0,0 @@
{{- if and (.Values.jellyfin.metrics.enabled) (.Values.jellyfin.ingress.enabled) -}}
---
apiVersion: v1
kind: Service
metadata:
name: dummy-svc
namespace: {{ .Release.Namespace }}
spec:
selector:
app: dummy-svc
ports:
- protocol: TCP
port: 6767
targetPort: 6767
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: block-metrics
namespace: {{ .Release.Namespace }}
spec:
rules:
- host: {{ (index .Values.jellyfin.ingress.hosts 0).host }}
http:
paths:
- pathType: Prefix
path: "/metrics"
backend:
service:
name: dummy-svc
port:
number: 6767
{{- end }}


@@ -1,26 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: emby-redirect
spec:
redirectRegex:
regex: ^https?://emby\.dubyatp\.xyz/(.*)$
replacement: https://jellyfin.dubyatp.xyz/${1}
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: emby-redirect
spec:
entryPoints:
- websecure
- web
routes:
- kind: Rule
match: Host(`emby.dubyatp.xyz`)
middlewares:
- name: emby-redirect
services:
- name: noop@internal
kind: TraefikService


@@ -1,11 +0,0 @@
apiVersion: v1
data:
tls.crt:
tls.key:
kind: Secret
metadata:
annotations:
replicator.v1.mittwald.de/replicate-from: cert-manager/cert-dubyatp-xyz
replicator.v1.mittwald.de/replicated-keys: tls.crt,tls.key
name: cert-dubyatp-xyz
type: Opaque


@@ -1,73 +0,0 @@
jellyfin:
deploymentStrategy:
type: Recreate
ingress:
enabled: true
hosts:
- host: jellyfin.dubyatp.xyz
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: cert-dubyatp.xyz
hosts:
- jellyfin.dubyatp.xyz
persistence:
config:
size: 25Gi
media:
enabled: false
volumes:
- name: tv-shows
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/tv-shows
- name: movies
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/movies
- name: dvr
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/DVR
- name: youtube-vids
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/youtube-vids
- name: transcode-temp
emptyDir:
sizeLimit: 8Gi
medium: Memory
- name: dev-dri
hostPath:
path: /dev/dri
metrics:
enabled: true
serviceMonitor:
enabled: true
volumeMounts:
- name: tv-shows
mountPath: /mnt/tv-shows
- name: movies
mountPath: /mnt/movies
- name: dvr
mountPath: /mnt/dvr
- name: youtube-vids
mountPath: /mnt/youtube-vids
- name: transcode-temp
mountPath: /tmp/transcode
- name: dev-dri
mountPath: /dev/dri
podAnnotations:
backup.velero.io/backup-volumes: config
securityContext:
privileged: true
nodeSelector:
kubernetes.io/hostname: weyma-talos-testw04
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: extensions.talos.dev/i915
operator: Exists


@@ -1,25 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: netmaker-config
data:
SERVER_NAME: netmaker.infra.dubyatp.xyz
SERVER_API_CONN_STRING: api.netmaker.infra.dubyatp.xyz:443
SERVER_HTTP_HOST: api.netmaker.infra.dubyatp.xyz
API_PORT: "8081"
WG_QUICK_USERSPACE_IMPLEMENTATION: wireguard-go
DNS_MODE: "off"
DISPLAY_KEYS: "on"
DATABASE: postgres
SQL_HOST: "pooler-weyma-rw.cloudnativepg.svc.cluster.local"
SQL_PORT: "5432"
SQL_DB: "netmaker"
SQL_USER: "netmaker"
MQ_USERNAME: netmaker
CORS_ALLOWED_ORIGIN: '*'
SERVER_BROKER_ENDPOINT: "ws://mq:1883"
BROKER_ENDPOINT: "wss://broker.netmaker.infra.dubyatp.xyz"
PLATFORM: "Kubernetes"
VERBOSITY: "3"
K8s: "true"
CACHING_ENABLED: "false"


@@ -1,16 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: netmaker-api-ingress
spec:
rules:
- host: api.netmaker.infra.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: netmaker-rest
port:
number: 8081


@@ -1,11 +0,0 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: shared-certs-pvc
spec:
storageClassName: weyma-shared
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi


@@ -1,38 +0,0 @@
apiVersion: v1
data:
mosquitto.conf: |
per_listener_settings false
listener 8883
protocol websockets
allow_anonymous false
listener 1883
protocol websockets
allow_anonymous false
password_file /mosquitto/temp/password.txt
wait.sh: |
#!/bin/ash
encrypt_password() {
echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/temp/password.txt
mosquitto_passwd -U /mosquitto/temp/password.txt
chmod 0700 /mosquitto/temp/password.txt
}
main(){
encrypt_password
echo "Starting MQ..."
# Run the main container command.
/docker-entrypoint.sh
/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
}
main "${@}"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
name: mosquitto-config
namespace: netmaker


@@ -1,83 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mosquitto
spec:
progressDeadlineSeconds: 600
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
spec:
containers:
- image: eclipse-mosquitto:2.0.22-openssl
imagePullPolicy: IfNotPresent
command: ["/mosquitto/config/wait.sh"]
livenessProbe:
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: 8883
timeoutSeconds: 1
name: mosquitto
env:
- name: MQ_USERNAME
value: netmaker
- name: MQ_PASSWORD
valueFrom:
secretKeyRef:
key: mq_password
name: netmaker-secrets
ports:
- containerPort: 1883
name: mqtt
protocol: TCP
- containerPort: 8883
name: mqtt2
protocol: TCP
readinessProbe:
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: 8883
timeoutSeconds: 1
resources: {}
startupProbe:
failureThreshold: 30
periodSeconds: 5
successThreshold: 1
tcpSocket:
port: 8883
timeoutSeconds: 1
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /mosquitto/config
name: mosquitto-config
- mountPath: /mosquitto/certs
name: shared-certs
- mountPath: /mosquitto/temp
name: mosquitto-temp
dnsPolicy: ClusterFirst
restartPolicy: Always
terminationGracePeriodSeconds: 30
volumes:
- configMap:
name: mosquitto-config
defaultMode: 0755
name: mosquitto-config
- name: mosquitto-temp
emptyDir:
- name: shared-certs
persistentVolumeClaim:
claimName: shared-certs-pvc


@@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mosquitto-ingress
labels:
app.kubernetes.io/name: mosquitto-ingress
spec:
rules:
- host: broker.netmaker.infra.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: mq
port:
number: 8883


@@ -1,36 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: mq
namespace: netmaker
spec:
ports:
- name: mqtt
port: 1883
protocol: TCP
targetPort: mqtt
- name: mqtt2
port: 8883
protocol: TCP
targetPort: mqtt2
selector:
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
sessionAffinity: None
---
apiVersion: v1
kind: Service
metadata:
name: 'netmaker-mqtt'
spec:
externalTrafficPolicy: Cluster
type: NodePort
selector:
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
ports:
- port: 31883
nodePort: 31883
protocol: TCP
targetPort: 8883
name: nm-mqtt


@@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: postgres-pw
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: cloudnativepg
metadataPolicy: None
property: netmaker_pw
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: postgres-pw


@@ -1,35 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: netmaker-secrets
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: netmaker
metadataPolicy: None
property: master_key
secretKey: master_key
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: netmaker
metadataPolicy: None
property: mq_password
secretKey: mq_password
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: netmaker
metadataPolicy: None
property: turn_password
secretKey: turn_password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: netmaker-secrets


@@ -1,95 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app: netmaker
name: netmaker
spec:
replicas: 3
serviceName: netmaker-headless
selector:
matchLabels:
app: netmaker
template:
metadata:
labels:
app: netmaker
spec:
initContainers:
- name: init-sysctl
image: busybox
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ["sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.src_valid_mark=1 && sysctl -w net.ipv6.conf.all.disable_ipv6=0 && sysctl -w net.ipv6.conf.all.forwarding=1"]
securityContext:
privileged: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- env:
- name: NODE_ID
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: SQL_PASS
valueFrom:
secretKeyRef:
key: password
name: postgres-pw
- name: MASTER_KEY
valueFrom:
secretKeyRef:
key: master_key
name: netmaker-secrets
- name: MQ_PASSWORD
valueFrom:
secretKeyRef:
key: mq_password
name: netmaker-secrets
- name: TURN_SERVER_PASSWORD
valueFrom:
secretKeyRef:
key: turn_password
name: netmaker-secrets
envFrom:
- configMapRef:
name: netmaker-config
image: gravitl/netmaker:v1.1.0
imagePullPolicy: Always
name: netmaker
ports:
- containerPort: 8081
protocol: TCP
- containerPort: 31821
protocol: UDP
- containerPort: 31822
protocol: UDP
- containerPort: 31823
protocol: UDP
- containerPort: 31824
protocol: UDP
- containerPort: 31825
protocol: UDP
- containerPort: 31826
protocol: UDP
- containerPort: 31827
protocol: UDP
- containerPort: 31828
protocol: UDP
- containerPort: 31829
protocol: UDP
- containerPort: 31830
protocol: UDP
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
volumeMounts:
- mountPath: /etc/netmaker/
name: shared-certs
volumes:
- name: shared-certs
persistentVolumeClaim:
claimName: shared-certs-pvc


@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: 'netmaker-rest'
spec:
ports:
- name: rest
port: 8081
protocol: TCP
targetPort: 8081
selector:
app: 'netmaker'
sessionAffinity: None
type: ClusterIP


@@ -1,21 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: netmaker-ui
spec:
replicas: 2
selector:
matchLabels:
app: netmaker-ui
template:
metadata:
labels:
app: netmaker-ui
spec:
containers:
- name: netmaker-ui
image: gravitl/netmaker-ui:v1.1.0
env:
- name: BACKEND_URL
value: 'https://api.netmaker.infra.dubyatp.xyz'
terminationGracePeriodSeconds: 15


@@ -1,16 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: netmaker-ui-ingress
spec:
rules:
- host: dashboard.netmaker.infra.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: netmaker-ui
port:
number: 80


@@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: 'netmaker-ui'
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: 'netmaker-ui'
sessionAffinity: None
type: 'ClusterIP'


@@ -1,10 +0,0 @@
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: peertube-bucket
namespace: peertube
spec:
generateBucketName: peertube
storageClassName: weyma-s3-bucket
additionalConfig:
maxSize: "100Gi"


@@ -1,35 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: peertube-config
data:
PEERTUBE_INSTANCE_NAME: "dubyatp peertube"
PEERTUBE_INSTANCE_DESCRIPTION: "duby's peertube instance"
POSTGRES_USER: peertube
POSTGRES_DB: peertube
PEERTUBE_DB_USERNAME: peertube
PEERTUBE_DB_HOSTNAME: pooler-weyma-rw.cloudnativepg.svc.cluster.local
PEERTUBE_DB_PORT: "5432"
PEERTUBE_WEBSERVER_HOSTNAME: "tube.dubyatp.xyz"
PEERTUBE_TRUST_PROXY: '["127.0.0.1", "loopback", "172.18.0.0/16"]'
PEERTUBE_SMTP_USERNAME: "peertube_dubyatp"
PEERTUBE_SMTP_HOSTNAME: "mail.smtp2go.com"
PEERTUBE_SMTP_PORT: "465"
PEERTUBE_SMTP_TLS: "true"
PEERTUBE_SMTP_FROM: "peertube@em924671.dubyatp.xyz"
PEERTUBE_ADMIN_EMAIL: "me@williamtpeebles.com"
#PEERTUBE_OBJECT_STORAGE_ENABLED: "true"
#PEERTUBE_OBJECT_STORAGE_ENDPOINT: "https://weyma-s3.infra.dubyatp.xyz"
#PEERTUBE_OBJECT_STORAGE_REGION: ""
#PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
#PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_PREFIX: "streaming/"
#PEERTUBE_OBJECT_STORAGE_WEB_VIDEOS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
#PEERTUBE_OBJECT_STORAGE_WEB_VIDEOS_PREFIX: "videos/"
#PEERTUBE_OBJECT_STORAGE_USER_EXPORTS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
#PEERTUBE_OBJECT_STORAGE_USER_EXPORTS_PREFIX: "exports/"
#PEERTUBE_OBJECT_STORAGE_ORIGINAL_VIDEO_FILES_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
#PEERTUBE_OBJECT_STORAGE_ORIGINAL_VIDEO_FILES_PREFIX: "original-videos/"
#PEERTUBE_OBJECT_STORAGE_CAPTIONS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
#PEERTUBE_OBJECT_STORAGE_CAPTIONS_PREFIX: "captions/"
#PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC: "public-read"
#PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE: "private"


@@ -1,69 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: peertube
labels:
app: peertube
spec:
replicas: 1
selector:
matchLabels:
app: peertube
template:
metadata:
labels:
app: peertube
spec:
containers:
- name: peertube
image: chocobozzz/peertube:v7.2.3-bookworm
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: http
- containerPort: 443
name: https
- containerPort: 9000
name: peertube
- containerPort: 1935
name: rtmp
envFrom:
- secretRef:
name: peertube-secret
- secretRef:
name: peertube-bucket
- configMapRef:
name: peertube-config
env:
- name: PEERTUBE_REDIS_HOSTNAME
value: "localhost"
- name: PEERTUBE_REDIS_AUTH
value: ""
volumeMounts:
- name: peertube-data
mountPath: /data
resources:
requests:
cpu: "0.5"
memory: 1Gi
limits:
cpu: "1"
memory: 2Gi
- name: redis
image: redis:8.2.1-alpine
imagePullPolicy: IfNotPresent
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: "0.2"
memory: 256Mi
limits:
cpu: "0.5"
memory: 1Gi
volumes:
- name: peertube-data
persistentVolumeClaim:
claimName: peertube-data


@@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: peertube
labels:
app.kubernetes.io/name: peertube
spec:
rules:
- host: tube.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: peertube
port:
number: 9000


@@ -1,10 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: peertube-data
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Gi


@@ -1,42 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: peertube-secret
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: peertube
metadataPolicy: None
property: PEERTUBE_SECRET
secretKey: PEERTUBE_SECRET
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: peertube
metadataPolicy: None
property: PEERTUBE_DB_PASSWORD
secretKey: PEERTUBE_DB_PASSWORD
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: peertube
metadataPolicy: None
property: PEERTUBE_SMTP_PASSWORD
secretKey: PEERTUBE_SMTP_PASSWORD
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: peertube
metadataPolicy: None
property: POSTGRES_PASSWORD
secretKey: POSTGRES_PASSWORD
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: peertube-secret


@@ -1,24 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: peertube
spec:
selector:
app: peertube
ports:
- protocol: TCP
port: 80
targetPort: 80
name: http
- protocol: TCP
port: 25
targetPort: 25
name: smtp
- protocol: TCP
port: 9000
targetPort: 9000
name: peertube
- protocol: TCP
name: rtmp
port: 1935
targetPort: 1935


@@ -1,16 +0,0 @@
apiVersion: hyperspike.io/v1
kind: Valkey
metadata:
name: peertube-kv
labels:
app.kubernetes.io/instance: peertube
spec:
anonymousAuth: true
certIssuerType: ClusterIssuer
clusterDomain: cluster.local
clusterPreferredEndpointType: ip
nodes: 1
prometheus: false
replicas: 3
tls: false
volumePermissions: true


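--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,6 +1,3 @@
 {
-"$schema": "https://docs.renovatebot.com/renovate-schema.json",
-"kubernetes": {
-"managerFilePatterns": ["deployment.yaml", "statefulset.yaml", "cron.yaml", "cronjob.yaml"]
-}
+"$schema": "https://docs.renovatebot.com/renovate-schema.json"
 }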
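Review bot: Deleting the whole `kubernetes` block switches Renovate's kubernetes manager off rather than narrowing it, because that manager only runs for files matched by an explicit pattern; the manifests this commit keeps (the Renovate Deployment and the Vaultwarden ConfigMap and ExternalSecret edited further down) will therefore stop receiving image-tag update PRs. If that is the intent, fine; if only the deleted workloads were meant to drop out, keep the block and trim `managerFilePatterns` instead.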


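--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -5,11 +5,5 @@ metadata:
 data:
 config.json: |-
 {
-"repositories": [
-"infrastructure/core-apps",
-"infrastructure/db-operators",
-"infrastructure/weyma-talos",
-"williamp/dubyatp.xyz",
-"williamp/yt-dlp-bot"
-]
+"repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]
 }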
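Review bot: The new `"repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]` collapses the array onto one line with no space after the commas, which is valid JSON but makes the next add or remove show up as a rewrite of the whole line. The previous one-entry-per-line layout diffed as a single line per repository and is worth keeping, with the two removed entries simply dropped. The ConfigMap's metadata lies outside the hunk.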


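--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -27,11 +27,6 @@ spec:
 secretKeyRef:
 key: github-com-pat
 name: renovate-github-com-token
-- name: RENOVATE_GIT_PRIVATE_KEY
-valueFrom:
-secretKeyRef:
-key: ssh-key
-name: renovate-ssh-key
 - name: RENOVATE_AUTODISCOVER
 value: 'false'
 - name: RENOVATE_BASE_DIR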
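Review bot: Removing `RENOVATE_GIT_PRIVATE_KEY` here, together with the deletion of the `renovate-ssh-key` ExternalSecret in a later hunk, drops the references to the SSH key but does not retire the key itself. That ExternalSecret set only `creationPolicy: Owner`; unless its `deletionPolicy` was changed from the ExternalSecret default (Retain), the generated `renovate-ssh-key` Secret stays in the namespace after the ExternalSecret object is gone and needs an explicit delete. The `ssh-key` property under the `renovate` vault entry should also be removed and the key deregistered on the git server, so the unused credential does not linger in two places. The container spec continues outside the hunk.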


@@ -1,17 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: renovate-ssh-key
spec:
refreshInterval: 1h
secretStoreRef:
name: weyma-vault
kind: ClusterSecretStore
target:
name: renovate-ssh-key
creationPolicy: Owner
data:
- secretKey: ssh-key
remoteRef:
key: renovate
property: ssh-key


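--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -6,10 +6,10 @@ data:
 DATA_FOLDER: config
 DOMAIN: https://vaultwarden.dubyatp.xyz
 SIGNUPS_ALLOWED: "false"
-SMTP_FROM: vaultwarden@em924671.dubyatp.xyz
+SMTP_FROM: bitwarden@em3532.williamtpeebles.com
 SMTP_FROM_NAME: Vaultwarden
-SMTP_HOST: mail.smtp2go.com
-SMTP_PORT: "2525"
-SMTP_SECURITY: "off"
+SMTP_HOST: smtp.sendgrid.net
+SMTP_PORT: "587"
+SMTP_SECURITY: starttls
 SMTP_TIMEOUT: "15"
-SMTP_USERNAME: vaultwarden_dubyatp
+SMTP_USERNAME: apikey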
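Review bot: The replaced configuration was `SMTP_SECURITY: "off"` on port 2525, so the old `vaultwarden_dubyatp` login was being sent to the relay without TLS; switching providers stops using it, but that credential should be treated as potentially exposed and revoked on the old account rather than left active. `SMTP_SECURITY: starttls` with `"587"` is the right direction; if implicit TLS is preferred, Vaultwarden also accepts `SMTP_SECURITY: force_tls` with `SMTP_PORT: "465"`. The new `SMTP_FROM` is on a different domain than `DOMAIN`, which is fine for Vaultwarden but means the sender domain must be authenticated at the new provider for mail to be accepted.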


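--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -19,11 +19,7 @@ spec:
 remoteRef:
 key: vaultwarden
 property: hibp_api_key
-- secretKey: SMTP_PASSWORD_OLD
-remoteRef:
-key: vaultwarden
-property: smtp_password
 - secretKey: SMTP_PASSWORD
 remoteRef:
 key: vaultwarden
-property: smtp_password_smtp2go
+property: smtp_password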
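Review bot: `SMTP_PASSWORD` now reads the vault property `smtp_password`, which the removed lines show was the property behind `SMTP_PASSWORD_OLD`; unless that property has been overwritten in the vault with the new provider's API key, the next refresh will hand Vaultwarden a stale credential and SMTP auth will fail silently from the manifest's point of view. A distinct property name for the new key (for example `smtp_password_sendgrid`, mirroring the old `smtp_password_smtp2go` naming) would make the manifest and the vault entry unambiguous about which secret is meant. The now-unreferenced `smtp_password_smtp2go` property should also be removed from the vault entry. The ExternalSecret's `target` and `secretStoreRef` lie outside the hunk.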


@@ -1,44 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: yt-dlp-bot
spec:
replicas: 1
selector:
matchLabels:
app: yt-dlp-bot
template:
metadata:
labels:
app: yt-dlp-bot
spec:
containers:
- name: yt-dlp-bot
image: 'git.dubyatp.xyz/williamp/yt-dlp-bot:1ef217f'
env:
- name: OUT_PATH
value: /data/youtube-vids
- name: TEMP_PATH
value: /tmp/ytdlp-temp
envFrom:
- secretRef:
name: yt-dlp-discord-token
volumeMounts:
- name: youtube-vids
mountPath: /data/youtube-vids
- name: temp
mountPath: /tmp/ytdlp-temp
resources:
limits:
memory: "3Gi"
cpu: "1"
volumes:
- name: youtube-vids
nfs:
server: 10.105.15.20
path: /mnt/hdd-pool/youtube-vids
- name: temp
emptyDir:
medium: Memory
strategy:
type: Recreate


@@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: yt-dlp-discord-token
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: yt-dlp-bot
metadataPolicy: None
property: DISCORD_TOKEN
secretKey: DISCORD_TOKEN
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: weyma-vault
target:
creationPolicy: Owner
deletionPolicy: Retain
name: yt-dlp-discord-token


@@ -1,10 +0,0 @@
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: zap2xml-bucket
namespace: zap2xml
spec:
generateBucketName: zap2xml
storageClassName: weyma-s3-bucket
additionalConfig:
maxSize: "1Gi"


@@ -1,98 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: zap2xml-s3config
data:
.s3cfg: |
[default]
access_key =
access_token =
add_encoding_exts =
add_headers =
bucket_location = US
ca_certs_file =
cache_file =
check_ssl_certificate = True
check_ssl_hostname = True
cloudfront_host = cloudfront.amazonaws.com
connection_max_age = 5
connection_pooling = True
content_disposition =
content_type =
default_mime_type = binary/octet-stream
delay_updates = False
delete_after = False
delete_after_fetch = False
delete_removed = False
dry_run = False
enable_multipart = True
encoding = UTF-8
encrypt = False
expiry_date =
expiry_days =
expiry_prefix =
follow_symlinks = False
force = False
get_continue = False
gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_passphrase =
guess_mime_type = True
host_base = https://weyma-s3.infra.dubyatp.xyz
host_bucket =
human_readable_sizes = False
invalidate_default_index_on_cf = False
invalidate_default_index_root_on_cf = True
invalidate_on_cf = False
keep_dirs = False
kms_key =
limit = -1
limitrate = 0
list_allow_unordered = False
list_md5 = False
log_target_prefix =
long_listing = False
max_delete = -1
max_retries = 5
mime_type =
multipart_chunk_size_mb = 15
multipart_copy_chunk_size_mb = 1024
multipart_max_chunks = 10000
preserve_attrs = True
progress_meter = True
proxy_host =
proxy_port = 0
public_url_use_https = False
put_continue = False
recursive = False
recv_chunk = 65536
reduced_redundancy = False
requester_pays = False
restore_days = 1
restore_priority = Standard
secret_key =
send_chunk = 65536
server_side_encryption = False
signature_v2 = False
signurl_use_https = False
simpledb_host = sdb.amazonaws.com
skip_destination_validation = False
skip_existing = False
socket_timeout = 300
ssl_client_cert_file =
ssl_client_key_file =
stats = False
stop_on_error = False
storage_class =
throttle_max = 100
upload_id =
urlencoding_mode = normal
use_http_expect = False
use_https = True
use_mime_magic = True
verbosity = WARNING
website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
website_error =
website_index = index.html


@@ -1,87 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: zap2xml-dtv-02191
spec:
schedule: "0 */12 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: zap2xml
image: git.dubyatp.xyz/williamp/kube-zap2xml:c075fec
envFrom:
- secretRef:
name: zap2xml-bucket
env:
- name: LINEUP_ID
value: USA-DITV506-X
- name: POSTAL_CODE
value: "02191"
- name: TIMESPAN
value: "120"
- name: OUTPUT_FILE
value: /tmp/xmltv.xml
- name: PUBLIC_FILENAME
value: xmltv-directv-02191.xml
- name: S3_URL
value: s3://zap2xml-c134c9a7-a7a0-4113-997e-78e72ec3f576
volumeMounts:
- name: s3-config
mountPath: /root
- name: temp
mountPath: /tmp
restartPolicy: Never
volumes:
- name: s3-config
configMap:
name: zap2xml-s3config
- name: temp
emptyDir:
sizeLimit: 1Gi
medium: Memory
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: zap2xml-ota-02191
spec:
schedule: "30 */12 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: zap2xml
image: git.dubyatp.xyz/williamp/kube-zap2xml:c075fec
envFrom:
- secretRef:
name: zap2xml-bucket
env:
- name: LINEUP_ID
value: USA-OTA02191
- name: POSTAL_CODE
value: "02191"
- name: TIMESPAN
value: "120"
- name: OUTPUT_FILE
value: /tmp/xmltv.xml
- name: PUBLIC_FILENAME
value: xmltv-ota-02191.xml
- name: S3_URL
value: s3://zap2xml-c134c9a7-a7a0-4113-997e-78e72ec3f576
volumeMounts:
- name: s3-config
mountPath: /root
- name: temp
mountPath: /tmp
restartPolicy: Never
volumes:
- name: s3-config
configMap:
name: zap2xml-s3config
- name: temp
emptyDir:
sizeLimit: 1Gi
medium: Memory