martyn/infra4talos
1
0
Fork 0
Code Issues Pull requests 10 Projects Releases Packages Wiki Activity

Compare commits

base: martyn:1b3e57814a904bc3acb342f8a209134a2f2591e0
Branches Tags
martyn:main
martyn:renovate/cert-manager-1.x
martyn:renovate/codercom-code-server-4.x
martyn:renovate/ghcr.io-haveagitgat-tdarr-2.x
martyn:renovate/longhorn-1.x
martyn:renovate/cilium-1.x
martyn:renovate/ghcr.io-home-assistant-home-assistant-2024.x
martyn:renovate/fallenbagel-jellyseerr-1.x
martyn:renovate/docker.io-bitnami-postgresql-11.x
martyn:renovate/chocobozzz-peertube-5.x
martyn:renovate/postgres-operator-1.x
martyn:martyn-test-notifications
..
compare: martyn:8e5c1eb574a9c27e181f1106363e6245e4f3ff06
Branches Tags
martyn:main
martyn:renovate/cert-manager-1.x
martyn:renovate/codercom-code-server-4.x
martyn:renovate/ghcr.io-haveagitgat-tdarr-2.x
martyn:renovate/longhorn-1.x
martyn:renovate/cilium-1.x
martyn:renovate/ghcr.io-home-assistant-home-assistant-2024.x
martyn:renovate/fallenbagel-jellyseerr-1.x
martyn:renovate/docker.io-bitnami-postgresql-11.x
martyn:renovate/chocobozzz-peertube-5.x
martyn:renovate/postgres-operator-1.x
martyn:martyn-test-notifications

1 commit
1b3e57814a ... 8e5c1eb574

Author SHA1 Message Date
Renovate bot
8e5c1eb574 Update Helm release cilium to v1.17.1 2025-02-28 14:41:37 +00:00
55 changed files with 549 additions and 385 deletions
Show stats Expand all files Collapse all files

2
apps-helm/code-server/values.yaml
View file

@ -6,7 +6,7 @@ replicaCount: 1
image:
repository: codercom/code-server
tag: '4.97.2'
tag: '4.93.1'
pullPolicy: Always
secret:

4
apps-kustomized/1password-connect/deploy.yaml
View file

@ -46,7 +46,7 @@ spec:
value: "8080"
- name: OP_LOG_LEVEL
value: info
image: 1password/connect-api:1.7.3
image: 1password/connect-api:1.7.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
@ -92,7 +92,7 @@ spec:
value: localhost:11220
- name: OP_LOG_LEVEL
value: info
image: 1password/connect-sync:1.7.3
image: 1password/connect-sync:1.7.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

8
apps-kustomized/argocd/kustomization.yaml
View file

@ -24,11 +24,3 @@ patches:
version: v1
kind: ConfigMap
name: argocd-cm
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: --insecure=true
target:
kind: Deployment
name: argocd-server

5
apps-kustomized/bazarr/deploy.yaml
View file

@ -33,6 +33,8 @@ spec:
mountPath: /config
- name: series
mountPath: /series
- name: oldseries
mountPath: /oldseries
- name: films
mountPath: /films
volumes:
@ -42,6 +44,9 @@ spec:
- name: series
persistentVolumeClaim:
claimName: smb-series
- name: oldseries
persistentVolumeClaim:
claimName: smb-oldseries
- name: films
persistentVolumeClaim:
claimName: smb-films

14
apps-kustomized/bazarr/pvc-smb.yaml
View file

@ -12,6 +12,18 @@ spec:
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-oldseries
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-oldseries
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-films
spec:
@ -20,4 +32,4 @@ spec:
resources:
requests:
storage: 1Gi
storageClassName: smb-films
storageClassName: smb-films

2
apps-kustomized/esphome/deploy.yaml
View file

@ -17,7 +17,7 @@ spec:
- env:
- name: ESPHOME_DASHBOARD_USE_PING
value: "true"
image: esphome/esphome:2022.12.8
image: esphome/esphome:2022.12.3
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

12
apps-kustomized/external-dns/deploy.yaml
View file

@ -1,12 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
spec:
template:
spec:
containers:
- name: external-dns
envFrom:
- secretRef:
name: dnsimple-auth

14
apps-kustomized/external-dns/kustomization.yaml
View file

@ -3,16 +3,12 @@ kind: Kustomization
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns
version: 1.15.2
repo: https://charts.bitnami.com/bitnami
version: 6.28.4
releaseName: external-dns
namespace: external-dns
valuesInline:
provider:
name: dnsimple
provider: dnsimple
txtPrefix: armnleg
patches:
- path: deploy.yaml
target:
kind: Deployment
name: external-dns
sources: [service,ingress]
extraEnvVarsSecret: dnsimple-auth

23
apps-kustomized/files-web/ing.yaml
View file

@ -1,23 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
nginx.ingress.kubernetes.io/proxy-body-size: 700m
name: web-s3
spec:
ingressClassName: nginx
rules:
- host: files.martyn.berlin
http:
paths:
- backend:
service:
name: s3-nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- files.martyn.berlin

27
apps-kustomized/files-web/nginx.yaml
View file

@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: s3-nginx
name: s3-nginx
spec:
replicas: 1
selector:
matchLabels:
app: s3-nginx
template:
metadata:
creationTimestamp: null
labels:
app: s3-nginx
spec:
containers:
- image: nginx:1.27.4
name: nginx
volumeMounts:
- mountPath: /usr/share/nginx/html
name: s3
volumes:
- name: s3
persistentVolumeClaim:
claimName: smb-s3

11
apps-kustomized/files-web/pvc.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-s3
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-s3

12
apps-kustomized/files-web/svc.yaml
View file

@ -1,12 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: s3-nginx
name: s3-nginx
spec:
internalTrafficPolicy: Cluster
ports:
- port: 80
selector:
app: s3-nginx

2
apps-kustomized/forgejo/deploy.yaml
View file

@ -19,7 +19,7 @@ spec:
app: forgejo
spec:
containers:
- image: codeberg.org/forgejo/forgejo:10.0.1
- image: codeberg.org/forgejo/forgejo:1.21
env:
- name: FORGEJO__database__DB_TYPE
value: postgres

2
apps-kustomized/jellyfin/deployment.yaml
View file

@ -66,7 +66,7 @@ spec:
dnsPolicy: ClusterFirst
nodeSelector:
intel.feature.node.kubernetes.io/gpu: "true"
kubernetes.io/hostname: talos-e48-wv7
kubernetes.io/hostname: talos-llu-kx3
terminationGracePeriodSeconds: 30
volumes:
- name: jellyfin-config

2
apps-kustomized/kube-prometheus/grafana-deployment.yaml
View file

@ -32,7 +32,7 @@ spec:
automountServiceAccountToken: false
containers:
- env: []
image: grafana/grafana:9.5.21
image: grafana/grafana:9.5.3
name: grafana
ports:
- containerPort: 3000

2
apps-kustomized/lidarr/deploy.yaml
View file

@ -18,7 +18,7 @@ spec:
app: lidarr
spec:
containers:
- image: hotio/lidarr:release-2.9.6.4552
- image: hotio/lidarr:release
name: lidarr
resources:
requests:

12
apps-kustomized/lms/pvc.yaml
View file

@ -12,6 +12,18 @@ spec:
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-oldmusic
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-oldmusic
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: logitech-media-server-config
spec:

30
apps-kustomized/lms/statefulset.yaml
View file

@ -19,7 +19,7 @@ spec:
app.kubernetes.io/name: logitech-media-server
spec:
containers:
- image: lmscommunity/lyrionmusicserver:9.1.0
- image: doliana/logitech-media-server:2021_11_06-8.2.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 10
@ -61,14 +61,27 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /srv/squeezebox
name: config
- mountPath: /smbmusic
name: smbmusic
- mountPath: /smboldmusic
name: smboldmusic
dnsPolicy: ClusterFirst
initContainers:
- command:
- sh
- -c
- mkdir /smbmusic; mkdir -pv /config/playlists /config/config; chown -Rc 1000:1000
/config
image: doliana/logitech-media-server:2023_04_15-8.3.1
imagePullPolicy: IfNotPresent
name: init-config
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /config
name: config
- mountPath: /music
name: smbmusic
- mountPath: /playlist
name: config
subPath: playlist
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
@ -79,6 +92,9 @@ spec:
- name: smbmusic
persistentVolumeClaim:
claimName: smb-music
- name: smboldmusic
persistentVolumeClaim:
claimName: smb-oldmusic
updateStrategy:
rollingUpdate:
partition: 0

2
apps-kustomized/mosquitto/deploy.yaml
View file

@ -21,7 +21,7 @@ spec:
app.kubernetes.io/name: mosquitto
spec:
containers:
- image: eclipse-mosquitto:1.6.15
- image: eclipse-mosquitto:1.6.12
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

2
apps-kustomized/node-feature-discovery/kustomization.yaml
View file

@ -10,7 +10,7 @@ helmCharts:
includeCRDs: true
namespace: node-feature-discovery
releaseName: node-feature-discovery
version: 0.17.2
version: 0.16.6
repo: https://kubernetes-sigs.github.io/node-feature-discovery/charts
valuesInLine:
master:

2
apps-kustomized/nvidiastuff/kustomization.yaml
View file

@ -10,7 +10,7 @@ helmCharts:
includeCRDs: true
namespace: nvidia-device-plugin
releaseName: nvidia-device-plugin
version: 0.17.1
version: 0.17.0
repo: https://nvidia.github.io/k8s-device-plugin
valuesInline:
nodeSelector: "feature.node.kubernetes.io/pci-0300_10de_13c0_1569_13c0.present=true"

62
apps-kustomized/paperless-ngx/kustomization.yaml
View file

@ -1,62 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: paperless-ngx
repo: https://charts.gabe565.com
version: 0.24.1
releaseName: paperless-ngx
namespace: paperless-ngx
valuesInline:
persistence:
data:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
media:
enabled: "true"
size: "8Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
export:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "longhorn-fast"
consume:
enabled: "true"
size: "1Gi"
accessMode: ReadWriteOnce
storageClass: "smb-scans"
service:
main:
type: LoadBalancer
annotations:
external-dns.alpha.kubernetes.io/hostname: "paperless.martyn.berlin"
ports:
http:
port: 8080
postgresql:
enabled: "true"
primary:
persistence:
enabled: "true"
storageClass: "longhorn-fast"
env:
TZ: "Europe/Berlin"
resources:
requests:
cpu: "25m"
memory: "511772986"
patches:
- target:
kind: Service
name: paperless-ngx
patch: |-
- op: replace
path: /spec/ports
value: [{"name":"http","port":80,"targetPort":"http","protocol":"TCP"}]

2
apps-kustomized/prowlarr/deploy.yaml
View file

@ -16,7 +16,7 @@ spec:
app: prowlarr
spec:
containers:
- image: hotio/prowlarr:release-1.31.2.4975
- image: hotio/prowlarr:release-1.26.1.4844
imagePullPolicy: Always
name: prowlarr
ports:

2
apps-kustomized/radarr/deploy.yaml
View file

@ -18,7 +18,7 @@ spec:
app: radarr
spec:
containers:
- image: hotio/radarr:release-5.19.3.9730
- image: hotio/radarr:release-5.18.4.9674
imagePullPolicy: IfNotPresent
name: radarr
ports:

9
apps-kustomized/rook-cluster-ssd/blockpool-ssd.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: replicapool-ssd
namespace: rook-ceph
spec:
failureDomain: host
replicated:
size: 2

47
apps-kustomized/rook-cluster-ssd/cluster-ssd.yaml Normal file
View file

@ -0,0 +1,47 @@
apiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
name: ssd-cluster
namespace: rook-ceph # namespace:cluster
spec:
dataDirHostPath: /var/lib/rook-cluster-ssd
cephVersion:
image: quay.io/ceph/ceph:v18
allowUnsupported: true
mon:
count: 1
allowMultiplePerNode: true
mgr:
count: 1
allowMultiplePerNode: true
dashboard:
enabled: true
crashCollector:
disable: true
storage:
useAllNodes: false
useAllDevices: false
#deviceFilter:
nodes:
- name: "talos-7oq-vur"
devices:
- name: "sda"
config:
osdsPerDevice: "1"
- name: "talos-iqd-ysy"
devices:
- name: "sda"
config:
osdsPerDevice: "1"
monitoring:
enabled: false
healthCheck:
daemonHealth:
mon:
interval: 45s
timeout: 600s
priorityClassNames:
all: system-node-critical
mgr: system-cluster-critical
disruptionManagement:
managePodBudgets: true

13
apps-kustomized/rook-cluster-ssd/configmap.yaml Normal file
View file

@ -0,0 +1,13 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: rook-config-override
namespace: rook-ceph # namespace:cluster
data:
config: |
[global]
osd_pool_default_size = 1
mon_warn_on_pool_no_redundancy = false
bdev_flock_retry = 20
bluefs_buffered_io = false
mon_data_avail_warn = 10

130
apps-kustomized/rook-cluster-ssd/deploy-toolbox.yaml Normal file
View file

@ -0,0 +1,130 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: rook-ceph-tools
namespace: rook-ceph # namespace:cluster
labels:
app: rook-ceph-tools
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-tools
template:
metadata:
labels:
app: rook-ceph-tools
spec:
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: rook-ceph-tools
image: quay.io/ceph/ceph:v17.2.6
command:
- /bin/bash
- -c
- |
# Replicate the script from toolbox.sh inline so the ceph image
# can be run directly, instead of requiring the rook toolbox
CEPH_CONFIG="/etc/ceph/ceph.conf"
MON_CONFIG="/etc/rook/mon-endpoints"
KEYRING_FILE="/etc/ceph/keyring"
# create a ceph config file in its default location so ceph/rados tools can be used
# without specifying any arguments
write_endpoints() {
endpoints=$(cat ${MON_CONFIG})
# filter out the mon names
# external cluster can have numbers or hyphens in mon names, handling them in regex
# shellcheck disable=SC2001
mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g')
DATE=$(date)
echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: ${endpoints}"
cat <<EOF > ${CEPH_CONFIG}
[global]
mon_host = ${mon_endpoints}
[client.admin]
keyring = ${KEYRING_FILE}
EOF
}
# watch the endpoints config file and update if the mon endpoints ever change
watch_endpoints() {
# get the timestamp for the target of the soft link
real_path=$(realpath ${MON_CONFIG})
initial_time=$(stat -c %Z "${real_path}")
while true; do
real_path=$(realpath ${MON_CONFIG})
latest_time=$(stat -c %Z "${real_path}")
if [[ "${latest_time}" != "${initial_time}" ]]; then
write_endpoints
initial_time=${latest_time}
fi
sleep 10
done
}
# read the secret from an env var (for backward compatibility), or from the secret file
ceph_secret=${ROOK_CEPH_SECRET}
if [[ "$ceph_secret" == "" ]]; then
ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring)
fi
# create the keyring file
cat <<EOF > ${KEYRING_FILE}
[${ROOK_CEPH_USERNAME}]
key = ${ceph_secret}
EOF
# write the initial config file
write_endpoints
# continuously update the mon endpoints if they fail over
watch_endpoints
imagePullPolicy: IfNotPresent
tty: true
securityContext:
runAsNonRoot: true
runAsUser: 2016
runAsGroup: 2016
capabilities:
drop: ["ALL"]
env:
- name: ROOK_CEPH_USERNAME
valueFrom:
secretKeyRef:
name: rook-ceph-mon
key: ceph-username
volumeMounts:
- mountPath: /etc/ceph
name: ceph-config
- name: mon-endpoint-volume
mountPath: /etc/rook
- name: ceph-admin-secret
mountPath: /var/lib/rook-ceph-mon
readOnly: true
volumes:
- name: ceph-admin-secret
secret:
secretName: rook-ceph-mon
optional: false
items:
- key: ceph-secret
path: secret.keyring
- name: mon-endpoint-volume
configMap:
name: rook-ceph-mon-endpoints
items:
- key: data
path: mon-endpoints
- name: ceph-config
emptyDir: {}
tolerations:
- key: "node.kubernetes.io/unreachable"
operator: "Exists"
effect: "NoExecute"
tolerationSeconds: 5

17
apps-kustomized/rook-cluster-ssd/fs.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: ssdfs
namespace: rook-ceph
spec:
metadataPool:
replicated:
size: 1
dataPools:
- name: replicated
replicated:
size: 1
preserveFilesystemOnDelete: true
metadataServer:
activeCount: 1
activeStandby: true

24
apps-kustomized/rook-cluster-ssd/storageclass-ssd-fs.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rook-cephfs-ssd
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
clusterID: rook-ceph
fsName: ssdfs
# Ceph pool into which the image shall be created
pool: ssdfs-replicated
# The secrets contain Ceph admin credentials.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
# Delete the rbd volume when a PVC is deleted
reclaimPolicy: Delete

32
apps-kustomized/rook-cluster-ssd/storageclass-ssd.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rook-ceph-block-ssd
annotations:
storageclass.kubernetes.io/is-default-class: true
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
clusterID: rook-ceph
# Ceph pool into which the RBD image shall be created
pool: replicapool-ssd
# RBD image format. Defaults to "2".
imageFormat: "2"
# RBD image features. Available for imageFormat: "2". CSI RBD currently supports only `layering` feature.
imageFeatures: layering
# The secrets contain Ceph admin credentials.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
# Specify the filesystem type of the volume. If not specified, csi-provisioner
# will set default as `ext4`.
csi.storage.k8s.io/fstype: xfs
# Delete the rbd volume when a PVC is deleted
reclaimPolicy: Delete

2
apps-kustomized/ser2net/ser2net-zigbee.yaml
View file

@ -38,7 +38,7 @@ metadata:
annotations:
configmap.reloader.stakater.com/reload: "ser2net"
spec:
replicas: 0
replicas: 1
strategy:
type: Recreate
selector:

2
apps-kustomized/smb-storageclasses/sc-films.yaml
View file

@ -4,7 +4,7 @@ metadata:
name: smb-films
provisioner: smb.csi.k8s.io
parameters:
source: "//172.20.0.70/films"
source: "//172.20.0.125/films"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

4
apps-kustomized/smb-storageclasses/sc-s3.yaml → apps-kustomized/smb-storageclasses/sc-oldseries.yaml
View file

@ -1,10 +1,10 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: smb-s3
name: smb-oldseries
provisioner: smb.csi.k8s.io
parameters:
source: "//172.20.0.69/s3"
source: "//hp40l/disk2/oldseries"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

2
apps-kustomized/smb-storageclasses/sc-series.yaml
View file

@ -4,7 +4,7 @@ metadata:
name: smb-series
provisioner: smb.csi.k8s.io
parameters:
source: "//172.20.0.70/series"
source: "//hp40l/disk2/series"
csi.storage.k8s.io/node-stage-secret-name: smb-creds
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
reclaimPolicy: Retain

13
apps-kustomized/tailscale-proxy/configmap.yaml
View file

@ -1,13 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tailscale-script
data:
script.sh: |
tailscaled --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055 --tun=userspace-networking &
tailscale up --authkey=$TS_AUTHKEY --advertise-tags=tag:k8s --hostname k8s-tailscale-proxy &
sleep 3
echo "Waiting for $COUNTRY to do something"
while ! tailscale exit-node list 2>/dev/null | grep $COUNTRY >/dev/null; do echo -n . ;sleep 5; done
tailscale set --exit-node $(tailscale exit-node list | grep $COUNTRY | cut -f2 -d' ' | shuf | head -n1)
while true; do sleep 1; done

100
apps-kustomized/tailscale-proxy/deploy.yaml
View file

@ -1,100 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: tailscale-proxy
name: tailscale-proxy
spec:
replicas: 1
selector:
matchLabels:
app: tailscale-proxy
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: tailscale-proxy
spec:
containers:
- command:
- /bin/sh
- -c
- 'sh /script/script.sh'
env:
- name: TS_KUBE_SECRET
value: tailscale
- name: COUNTRY
value: Switzerland
- name: TS_AUTHKEY
valueFrom:
secretKeyRef:
key: TS_AUTHKEY
name: tailscale-auth
image: ghcr.io/tailscale/tailscale:v1.80.3
imagePullPolicy: IfNotPresent
startupProbe:
exec:
command:
- /bin/sh
- -c
- tailscale ip | grep ^100 > /dev/null
periodSeconds: 30
failureThreshold: 30
livenessProbe:
exec:
command:
- /bin/sh
- -c
- tailscale ip | grep ^100 > /dev/null
periodSeconds: 30
failureThreshold: 2
readinessProbe:
exec:
command:
- /bin/sh
- -c
- http_proxy=127.0.0.1:1055 wget -O- ifconfig.co/country 2>&1 | grep $COUNTRY > /dev/null
initialDelaySeconds: 60
periodSeconds: 60
failureThreshold: 3
name: tailscale
securityContext:
privileged: true
runAsGroup: 0
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-t4rzn
readOnly: true
- mountPath: /script
name: script
serviceAccount: tailscale
serviceAccountName: tailscale
volumes:
- name: script
configMap:
name: tailscale-script
- name: kube-api-access-t4rzn
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace

4
apps-kustomized/tailscale-proxy/sa.yaml
View file

@ -1,4 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale

15
apps-kustomized/tailscale-proxy/svc.yaml
View file

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: tailscale-proxy
app.kubernetes.io/instance: tailscale-proxy
name: tailscale-proxy
spec:
ports:
- port: 1055
protocol: TCP
targetPort: 1055
selector:
app: tailscale-proxy
type: LoadBalancer

35
apps-kustomized/torrents/deploy.yaml
View file

@ -14,7 +14,6 @@ spec:
labels:
app: qbittorrent
spec:
initContainers:
containers:
- image: qbittorrentofficial/qbittorrent-nox:latest
name: qbittorrent
@ -35,6 +34,40 @@ spec:
value: "/config"
- name: QBT_DOWNLOADS
value: "/downloads"
- env:
- name: TS_KUBE_SECRET
value: tailscale
- name: TS_USERSPACE
value: "false"
- name: TS_OUTBOUND_HTTP_PROXY_LISTEN
value: "localhost:1055"
- name: TS_SOCKS5_SERVER
value: "localhost:1055"
- name: TS_EXTRA_ARGS
value: "--exit-node=100.90.55.121"
- name: TS_AUTHKEY
valueFrom:
secretKeyRef:
key: TS_AUTHKEY
name: tailscale-auth
optional: true
livenessProbe:
exec:
command:
- ping
- -c1
- 100.100.100.100
initialDelaySeconds: 120
periodSeconds: 5
image: ghcr.io/tailscale/tailscale:latest
name: ts-sidecar
securityContext:
runAsGroup: 1000
runAsUser: 1000
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-t4rzn
readOnly: true
preemptionPolicy: PreemptLowerPriority
priority: 0
serviceAccountName: tailscale

2
apps-kustomized/whoogle/deploy.yaml
View file

@ -24,7 +24,7 @@ spec:
value: en
- name: WHOOGLE_CONFIG_SEARCH_LANGUAGE
value: en
image: benbusby/whoogle-search@sha256:5bbb30fc4cf67563b48529c5291813b3d49c290e1e8b9e3aaa5081e9cb6e40c0
image: benbusby/whoogle-search@sha256:ecccdb598f890140bf5564ea0307d3a72871ab3d14fbf22e308b904846e5c590
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3

2
apps-kustomized/zigbee2mqtt2/pvc.yaml
View file

@ -8,4 +8,4 @@ spec:
storageClassName: longhorn-fast
resources:
requests:
storage: 1280Mi
storage: 128Mi

2
everything-app/app-cilium.yaml
View file

@ -11,7 +11,7 @@ spec:
source:
chart: cilium
repoURL: https://helm.cilium.io/
targetRevision: 1.17.2
targetRevision: 1.17.1
helm:
parameters:
- name: ipam.mode

9
everything-app/app-ingress-nginx.yaml
View file

@ -14,10 +14,6 @@ spec:
targetRevision: 4.12.0
helm:
parameters:
- name: controller.ingressClassResource.default
value: "true"
- name: controller.config.annotations-risk-level
value: "Critical"
- name: controller.service.type
value: LoadBalancer
- name: controller.allowSnippetAnnotations
@ -37,11 +33,6 @@ spec:
more_set_headers -a "X-Robots-Tag: anthropic-ai: none";
more_set_headers -a "X-Robots-Tag: CCBot: none";
more_set_headers -a "X-Robots-Tag: semrushbot: none";
more_set_headers -a "X-Robots-Tag: Amazonbot: none";
more_set_headers -a "X-Robots-Tag: dotbot: none";
more_set_headers -a "X-Robots-Tag: AhrefsBot: none";
- name: controller.config.block-user-agents
value: "~*Amazonbot,~*SemrushBot,~*DotBot,~*Ahrefsbot,~*GPT"
syncPolicy:
automated:
selfHeal: true

2
everything-app/app-letsencrypt.yaml
View file

@ -11,7 +11,7 @@ spec:
source:
chart: cert-manager
repoURL: https://charts.jetstack.io
targetRevision: v1.17.1
targetRevision: v1.13.1
helm:
parameters:
- name: installCRDs

2
everything-app/app-secrets-store-csi-driver.yaml
View file

@ -11,7 +11,7 @@ spec:
source:
chart: secrets-store-csi-driver
repoURL: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
targetRevision: 1.4.8
targetRevision: 1.3.4
syncPolicy:
automated:
selfHeal: true

44
everything-app/bikerwitch.yaml Normal file
View file

@ -0,0 +1,44 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bikerwitch
namespace: argocd
spec:
destination:
namespace: bikerwitch
server: https://kubernetes.default.svc
project: default
source:
helm:
parameters:
- name: service.type
value: LoadBalancer
- name: persistence.enabled
value: "true"
- name: persistence.storageClass
value: "longhorn-fast"
- name: image.repository
value: drupal
- name: image.tag
value: 9.4-php8.0-apache
values: |-
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
hosts:
- host: bikerwitch.martyn.berlin
paths:
- /
- host: www.bikerwitch.org.uk
paths:
- /
tls:
- hosts:
- bikerwitch.martyn.berlin
- www.bikerwitch.org.uk
path: apps-helm/drupal
repoURL: https://git.martyn.berlin/martyn/infra4talos.git
targetRevision: HEAD

2
everything-app/csi4samba.yaml
View file

@ -11,7 +11,7 @@ spec:
source:
chart: csi-driver-smb
repoURL: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts
targetRevision: v1.17.0
targetRevision: v1.13.0
syncPolicy:
automated:
selfHeal: true

17
everything-app/files-web.yaml
View file

@ -1,17 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: files-web
namespace: argocd
spec:
destination:
namespace: files-web
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/files-web
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true

65
everything-app/garage.yaml Normal file
View file

@ -0,0 +1,65 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: garage
namespace: argocd
spec:
destination:
namespace: garage
server: https://kubernetes.default.svc
project: infra
source:
helm:
valuesObject:
service:
type: LoadBalancer
persistence:
enabled: "true"
meta:
storageClass: longhorn-fast
data:
storageClass: longhorn-spinny
size: "1Gi"
deployment:
replicaCount: "1"
garage:
replicationMode: "1"
s3:
api:
rootDomain: ".s3.files.martyn.berlin"
web:
rootDomain: ".martyn.berlin"
ingress:
s3:
api:
className: "nginx"
enabled: "true"
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/proxy-body-size: "700m"
tls:
- hosts:
- "s3.files.martyn.berlin"
hosts:
- host: s3.files.martyn.berlin
paths:
- path: /
pathType: Prefix
web:
className: "nginx"
enabled: "true"
annotations:
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
cert-manager.io/cluster-issuer: letsencrypt
tls:
- hosts:
- "files.martyn.berlin"
hosts:
- host: files.martyn.berlin
paths:
- path: /
pathType: Prefix
path: script/helm/garage
repoURL: https://git.deuxfleurs.fr/Deuxfleurs/garage
targetRevision: HEAD

2
everything-app/nodered.yaml
View file

@ -31,7 +31,7 @@ spec:
annotations:
external-dns.alpha.kubernetes.io/hostname: nodered.martyn.berlin
repoURL: https://k8s-at-home.com/charts/
targetRevision: 5.4.0
targetRevision: 5.3.1
syncPolicy:
automated:
selfHeal: true

54
everything-app/paperless-ngx.yaml
View file

@ -9,9 +9,57 @@ spec:
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/paperless-ngx
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
chart: paperless-ngx
helm:
parameters:
- name: service.main.type
value: "LoadBalancer"
- name: persistence.data.enabled
value: "true"
- name: persistence.data.size
value: "1Gi"
- name: persistence.data.accessMode
value: ReadWriteOnce
- name: persistence.data.storageClass
value: "longhorn-fast"
- name: persistence.media.enabled
value: "true"
- name: persistence.media.size
value: "8Gi"
- name: persistence.media.accessMode
value: ReadWriteOnce
- name: persistence.media.storageClass
value: "longhorn-fast"
- name: persistence.export.enabled
value: "true"
- name: persistence.export.size
value: "1Gi"
- name: persistence.export.accessMode
value: ReadWriteOnce
- name: persistence.export.storageClass
value: "longhorn-fast"
- name: persistence.consume.enabled
value: "true"
- name: persistence.consume.size
value: "1Gi"
- name: persistence.consume.accessMode
value: ReadWriteOnce
- name: persistence.consume.storageClass
value: "smb-scans"
- name: postgresql.enabled
value: "true"
- name: postgresql.primary.persistence.enabled
value: "true"
- name: postgresql.primary.persistence.storageClass
value: "longhorn-fast"
- name: env.TZ
value: "Europe/Berlin"
- name: resources.requests.cpu
value: "25m"
- name: resources.requests.memory
value: "511772986"
repoURL: https://charts.gabe565.com
targetRevision: 0.7.8
syncPolicy:
automated:
selfHeal: true

3
everything-app/samba-longhorn-ssd.yaml
View file

@ -44,9 +44,6 @@ spec:
- name: scans
size: 1Gi
storageClass: longhorn-fast
- name: s3
size: 20Gi
storageClass: longhorn-fast
path: apps-helm/samba4
repoURL: https://git.martyn.berlin/martyn/infra4talos.git
targetRevision: HEAD

17
everything-app/tailscale-proxy.yaml
View file

@ -1,17 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tailscale-proxy
namespace: argocd
spec:
destination:
namespace: tailscale-proxy
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/tailscale-proxy
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true

6
renovate.json
View file

@ -2,11 +2,5 @@
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"argocd": {
"fileMatch": ["everything-app/.+\\.yaml$"]
},
"kubernetes": {
"fileMatch": [
"apps-kustomized/.+\\.yaml$",
"apps-helm/.+/tempates/.+\\.yaml"
]
}
}