Merge branch 'main' into renovate/1password-connect-api-1.x

This commit is contained in:
Martyn 2025-03-13 10:41:47 +00:00
commit 832299c24a
41 changed files with 371 additions and 269 deletions

View file

@ -24,3 +24,11 @@ patches:
version: v1
kind: ConfigMap
name: argocd-cm
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: --insecure=true
target:
kind: Deployment
name: argocd-server

View file

@ -33,8 +33,6 @@ spec:
mountPath: /config
- name: series
mountPath: /series
- name: oldseries
mountPath: /oldseries
- name: films
mountPath: /films
volumes:
@ -44,9 +42,6 @@ spec:
- name: series
persistentVolumeClaim:
claimName: smb-series
- name: oldseries
persistentVolumeClaim:
claimName: smb-oldseries
- name: films
persistentVolumeClaim:
claimName: smb-films

View file

@ -12,18 +12,6 @@ spec:
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-oldseries
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-oldseries
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-films
spec:
@ -32,4 +20,4 @@ spec:
resources:
requests:
storage: 1Gi
storageClassName: smb-films
storageClassName: smb-films

View file

@ -17,7 +17,7 @@ spec:
- env:
- name: ESPHOME_DASHBOARD_USE_PING
value: "true"
image: esphome/esphome:2022.12.3
image: esphome/esphome:2022.12.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

View file

@ -0,0 +1,12 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
spec:
template:
spec:
containers:
- name: external-dns
envFrom:
- secretRef:
name: dnsimple-auth

View file

@ -3,12 +3,16 @@ kind: Kustomization
helmCharts:
- name: external-dns
repo: https://charts.bitnami.com/bitnami
version: 6.28.4
repo: https://kubernetes-sigs.github.io/external-dns
version: 1.15.2
releaseName: external-dns
namespace: external-dns
valuesInline:
provider: dnsimple
provider:
name: dnsimple
txtPrefix: armnleg
sources: [service,ingress]
extraEnvVarsSecret: dnsimple-auth
patches:
- path: deploy.yaml
target:
kind: Deployment
name: external-dns

View file

@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
nginx.ingress.kubernetes.io/proxy-body-size: 700m
name: web-s3
spec:
ingressClassName: nginx
rules:
- host: files.martyn.berlin
http:
paths:
- backend:
service:
name: s3-nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- files.martyn.berlin

View file

@ -0,0 +1,27 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: s3-nginx
name: s3-nginx
spec:
replicas: 1
selector:
matchLabels:
app: s3-nginx
template:
metadata:
creationTimestamp: null
labels:
app: s3-nginx
spec:
containers:
- image: nginx:1.27.4
name: nginx
volumeMounts:
- mountPath: /usr/share/nginx/html
name: s3
volumes:
- name: s3
persistentVolumeClaim:
claimName: smb-s3

View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-s3
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-s3

View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: s3-nginx
name: s3-nginx
spec:
internalTrafficPolicy: Cluster
ports:
- port: 80
selector:
app: s3-nginx

View file

@ -19,7 +19,7 @@ spec:
app: forgejo
spec:
containers:
- image: codeberg.org/forgejo/forgejo:1.21
- image: codeberg.org/forgejo/forgejo:10.0.1
env:
- name: FORGEJO__database__DB_TYPE
value: postgres

View file

@ -66,7 +66,7 @@ spec:
dnsPolicy: ClusterFirst
nodeSelector:
intel.feature.node.kubernetes.io/gpu: "true"
kubernetes.io/hostname: talos-llu-kx3
kubernetes.io/hostname: talos-e48-wv7
terminationGracePeriodSeconds: 30
volumes:
- name: jellyfin-config

View file

@ -32,7 +32,7 @@ spec:
automountServiceAccountToken: false
containers:
- env: []
image: grafana/grafana:9.5.3
image: grafana/grafana:9.5.21
name: grafana
ports:
- containerPort: 3000

View file

@ -18,7 +18,7 @@ spec:
app: lidarr
spec:
containers:
- image: hotio/lidarr:release
- image: hotio/lidarr:release-2.9.6.4552
name: lidarr
resources:
requests:

View file

@ -12,18 +12,6 @@ spec:
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-oldmusic
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-oldmusic
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: logitech-media-server-config
spec:

View file

@ -61,27 +61,14 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /srv/squeezebox
name: config
- mountPath: /smbmusic
name: smbmusic
- mountPath: /smboldmusic
name: smboldmusic
dnsPolicy: ClusterFirst
initContainers:
- command:
- sh
- -c
- mkdir /smbmusic; mkdir -pv /config/playlists /config/config; chown -Rc 1000:1000
/config
image: doliana/logitech-media-server:2023_04_15-8.3.1
imagePullPolicy: IfNotPresent
name: init-config
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /config
name: config
- mountPath: /music
name: smbmusic
- mountPath: /playlist
name: config
subPath: playlist
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
@ -92,9 +79,6 @@ spec:
- name: smbmusic
persistentVolumeClaim:
claimName: smb-music
- name: smboldmusic
persistentVolumeClaim:
claimName: smb-oldmusic
updateStrategy:
rollingUpdate:
partition: 0

View file

@ -21,7 +21,7 @@ spec:
app.kubernetes.io/name: mosquitto
spec:
containers:
- image: eclipse-mosquitto:1.6.12
- image: eclipse-mosquitto:1.6.15
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

View file

@ -0,0 +1,62 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: paperless-ngx
repo: https://charts.gabe565.com
version: 0.24.1
releaseName: paperless-ngx
namespace: paperless-ngx
valuesInline:
persistence:
data:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
media:
enabled: "true"
size: "8Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
export:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
consume:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "smb-scans"
service:
main:
type: LoadBalancer
annotations:
external-dns.alpha.kubernetes.io/hostname: "paperless.martyn.berlin"
ports:
http:
port: 8080
postgresql:
enabled: "true"
primary:
persistence:
enabled: "true"
storageClass: "longhorn-fast"
env:
TZ: "Europe/Berlin"
resources:
requests:
cpu: "25m"
memory: "511772986"
patches:
- target:
kind: Service
name: paperless-ngx
patch: |-
- op: replace
path: /spec/ports
value: [{"name":"http","port":80,"targetPort":"http","protocol":"TCP"}]

View file

@ -16,7 +16,7 @@ spec:
app: prowlarr
spec:
containers:
- image: hotio/prowlarr:release-1.26.1.4844
- image: hotio/prowlarr:release-1.31.2.4975
imagePullPolicy: Always
name: prowlarr
ports:

View file

@ -18,7 +18,7 @@ spec:
app: radarr
spec:
containers:
- image: hotio/radarr:release-5.18.4.9674
- image: hotio/radarr:release-5.19.3.9730
imagePullPolicy: IfNotPresent
name: radarr
ports:

View file

@ -38,7 +38,7 @@ metadata:
annotations:
configmap.reloader.stakater.com/reload: "ser2net"
spec:
replicas: 1
replicas: 0
strategy:
type: Recreate
selector:

View file

@ -4,7 +4,7 @@ metadata:
name: smb-films
provisioner: smb.csi.k8s.io
parameters:
source: "//172.20.0.125/films"
source: "//172.20.0.70/films"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

View file

@ -1,10 +1,10 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: smb-oldseries
name: smb-s3
provisioner: smb.csi.k8s.io
parameters:
source: "//hp40l/disk2/oldseries"
source: "//172.20.0.69/s3"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

View file

@ -4,7 +4,7 @@ metadata:
name: smb-series
provisioner: smb.csi.k8s.io
parameters:
source: "//hp40l/disk2/series"
source: "//172.20.0.70/series"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tailscale-script
data:
script.sh: |
tailscaled --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055 --tun=userspace-networking &
tailscale up --authkey=$TS_AUTHKEY --advertise-tags=tag:k8s --hostname k8s-tailscale-proxy &
sleep 3
echo "Waiting for $COUNTRY to do something"
while ! tailscale exit-node list 2>/dev/null | grep $COUNTRY >/dev/null; do echo -n . ;sleep 5; done
tailscale set --exit-node $(tailscale exit-node list | grep $COUNTRY | cut -f2 -d' ' | shuf | head -n1)
while true; do sleep 1; done

View file

@ -0,0 +1,100 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: tailscale-proxy
name: tailscale-proxy
spec:
replicas: 1
selector:
matchLabels:
app: tailscale-proxy
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: tailscale-proxy
spec:
containers:
- command:
- /bin/sh
- -c
- 'sh /script/script.sh'
env:
- name: TS_KUBE_SECRET
value: tailscale
- name: COUNTRY
value: Switzerland
- name: TS_AUTHKEY
valueFrom:
secretKeyRef:
key: TS_AUTHKEY
name: tailscale-auth
image: ghcr.io/tailscale/tailscale:v1.80.3
imagePullPolicy: IfNotPresent
startupProbe:
exec:
command:
- /bin/sh
- -c
- tailscale ip | grep ^100 > /dev/null
periodSeconds: 30
failureThreshold: 30
livenessProbe:
exec:
command:
- /bin/sh
- -c
- tailscale ip | grep ^100 > /dev/null
periodSeconds: 30
failureThreshold: 2
readinessProbe:
exec:
command:
- /bin/sh
- -c
- http_proxy=127.0.0.1:1055 wget -O- ifconfig.co/country 2>&1 | grep $COUNTRY > /dev/null
initialDelaySeconds: 60
periodSeconds: 60
failureThreshold: 3
name: tailscale
securityContext:
privileged: true
runAsGroup: 0
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-t4rzn
readOnly: true
- mountPath: /script
name: script
serviceAccount: tailscale
serviceAccountName: tailscale
volumes:
- name: script
configMap:
name: tailscale-script
- name: kube-api-access-t4rzn
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale

View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: tailscale-proxy
app.kubernetes.io/instance: tailscale-proxy
name: tailscale-proxy
spec:
ports:
- port: 1055
protocol: TCP
targetPort: 1055
selector:
app: tailscale-proxy
type: LoadBalancer

View file

@ -14,6 +14,7 @@ spec:
labels:
app: qbittorrent
spec:
initContainers:
containers:
- image: qbittorrentofficial/qbittorrent-nox:latest
name: qbittorrent
@ -34,40 +35,6 @@ spec:
value: "/config"
- name: QBT_DOWNLOADS
value: "/downloads"
- env:
- name: TS_KUBE_SECRET
value: tailscale
- name: TS_USERSPACE
value: "false"
- name: TS_OUTBOUND_HTTP_PROXY_LISTEN
value: "localhost:1055"
- name: TS_SOCKS5_SERVER
value: "localhost:1055"
- name: TS_EXTRA_ARGS
value: "--exit-node=100.90.55.121"
- name: TS_AUTHKEY
valueFrom:
secretKeyRef:
key: TS_AUTHKEY
name: tailscale-auth
optional: true
livenessProbe:
exec:
command:
- ping
- -c1
- 100.100.100.100
initialDelaySeconds: 120
periodSeconds: 5
image: ghcr.io/tailscale/tailscale:latest
name: ts-sidecar
securityContext:
runAsGroup: 1000
runAsUser: 1000
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-t4rzn
readOnly: true
preemptionPolicy: PreemptLowerPriority
priority: 0
serviceAccountName: tailscale

View file

@ -24,7 +24,7 @@ spec:
value: en
- name: WHOOGLE_CONFIG_SEARCH_LANGUAGE
value: en
image: benbusby/whoogle-search@sha256:ecccdb598f890140bf5564ea0307d3a72871ab3d14fbf22e308b904846e5c590
image: benbusby/whoogle-search@sha256:5bbb30fc4cf67563b48529c5291813b3d49c290e1e8b9e3aaa5081e9cb6e40c0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

View file

@ -8,4 +8,4 @@ spec:
storageClassName: longhorn-fast
resources:
requests:
storage: 128Mi
storage: 1280Mi

View file

@ -14,6 +14,10 @@ spec:
targetRevision: 4.12.0
helm:
parameters:
- name: controller.ingressClassResource.default
value: "true"
- name: controller.config.annotations-risk-level
value: "Critical"
- name: controller.service.type
value: LoadBalancer
- name: controller.allowSnippetAnnotations
@ -33,6 +37,11 @@ spec:
more_set_headers -a "X-Robots-Tag: anthropic-ai: none";
more_set_headers -a "X-Robots-Tag: CCBot: none";
more_set_headers -a "X-Robots-Tag: semrushbot: none";
more_set_headers -a "X-Robots-Tag: Amazonbot: none";
more_set_headers -a "X-Robots-Tag: dotbot: none";
more_set_headers -a "X-Robots-Tag: AhrefsBot: none";
- name: controller.config.block-user-agents
value: "~*Amazonbot,~*SemrushBot,~*DotBot,~*Ahrefsbot,~*GPT"
syncPolicy:
automated:
selfHeal: true

View file

@ -11,7 +11,7 @@ spec:
source:
chart: secrets-store-csi-driver
repoURL: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
targetRevision: 1.3.4
targetRevision: 1.4.8
syncPolicy:
automated:
selfHeal: true

View file

@ -1,44 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bikerwitch
namespace: argocd
spec:
destination:
namespace: bikerwitch
server: https://kubernetes.default.svc
project: default
source:
helm:
parameters:
- name: service.type
value: LoadBalancer
- name: persistence.enabled
value: "true"
- name: persistence.storageClass
value: "longhorn-fast"
- name: image.repository
value: drupal
- name: image.tag
value: 9.4-php8.0-apache
values: |-
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
hosts:
- host: bikerwitch.martyn.berlin
paths:
- /
- host: www.bikerwitch.org.uk
paths:
- /
tls:
- hosts:
- bikerwitch.martyn.berlin
- www.bikerwitch.org.uk
path: apps-helm/drupal
repoURL: https://git.martyn.berlin/martyn/infra4talos.git
targetRevision: HEAD

View file

@ -11,7 +11,7 @@ spec:
source:
chart: csi-driver-smb
repoURL: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts
targetRevision: v1.13.0
targetRevision: v1.17.0
syncPolicy:
automated:
selfHeal: true

View file

@ -0,0 +1,17 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: files-web
namespace: argocd
spec:
destination:
namespace: files-web
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/files-web
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true

View file

@ -1,65 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: garage
namespace: argocd
spec:
destination:
namespace: garage
server: https://kubernetes.default.svc
project: infra
source:
helm:
valuesObject:
service:
type: LoadBalancer
persistence:
enabled: "true"
meta:
storageClass: longhorn-fast
data:
storageClass: longhorn-spinny
size: "1Gi"
deployment:
replicaCount: "1"
garage:
replicationMode: "1"
s3:
api:
rootDomain: ".s3.files.martyn.berlin"
web:
rootDomain: ".martyn.berlin"
ingress:
s3:
api:
className: "nginx"
enabled: "true"
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/proxy-body-size: "700m"
tls:
- hosts:
- "s3.files.martyn.berlin"
hosts:
- host: s3.files.martyn.berlin
paths:
- path: /
pathType: Prefix
web:
className: "nginx"
enabled: "true"
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
cert-manager.io/cluster-issuer: letsencrypt
tls:
- hosts:
- "files.martyn.berlin"
hosts:
- host: files.martyn.berlin
paths:
- path: /
pathType: Prefix
path: script/helm/garage
repoURL: https://git.deuxfleurs.fr/Deuxfleurs/garage
targetRevision: HEAD

View file

@ -31,7 +31,7 @@ spec:
annotations:
external-dns.alpha.kubernetes.io/hostname: nodered.martyn.berlin
repoURL: https://k8s-at-home.com/charts/
targetRevision: 5.3.1
targetRevision: 5.4.0
syncPolicy:
automated:
selfHeal: true

View file

@ -9,57 +9,9 @@ spec:
server: https://kubernetes.default.svc
project: apps
source:
chart: paperless-ngx
helm:
parameters:
- name: service.main.type
value: "LoadBalancer"
- name: persistence.data.enabled
value: "true"
- name: persistence.data.size
value: "1Gi"
- name: persistence.data.accessMode
value: ReadWriteOnce
- name: persistence.data.storageClass
value: "longhorn-fast"
- name: persistence.media.enabled
value: "true"
- name: persistence.media.size
value: "8Gi"
- name: persistence.media.accessMode
value: ReadWriteOnce
- name: persistence.media.storageClass
value: "longhorn-fast"
- name: persistence.export.enabled
value: "true"
- name: persistence.export.size
value: "1Gi"
- name: persistence.export.accessMode
value: ReadWriteOnce
- name: persistence.export.storageClass
value: "longhorn-fast"
- name: persistence.consume.enabled
value: "true"
- name: persistence.consume.size
value: "1Gi"
- name: persistence.consume.accessMode
value: ReadWriteOnce
- name: persistence.consume.storageClass
value: "smb-scans"
- name: postgresql.enabled
value: "true"
- name: postgresql.primary.persistence.enabled
value: "true"
- name: postgresql.primary.persistence.storageClass
value: "longhorn-fast"
- name: env.TZ
value: "Europe/Berlin"
- name: resources.requests.cpu
value: "25m"
- name: resources.requests.memory
value: "511772986"
repoURL: https://charts.gabe565.com
targetRevision: 0.7.8
path: apps-kustomized/paperless-ngx
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true

View file

@ -44,6 +44,9 @@ spec:
- name: scans
size: 1Gi
storageClass: longhorn-fast
- name: s3
size: 20Gi
storageClass: longhorn-fast
path: apps-helm/samba4
repoURL: https://git.martyn.berlin/martyn/infra4talos.git
targetRevision: HEAD

View file

@ -0,0 +1,17 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tailscale-proxy
namespace: argocd
spec:
destination:
namespace: tailscale-proxy
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/tailscale-proxy
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true