infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

Compare commits

base: infra:updatebot/music-assistant
Branches Tags
infra:master infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets
..
compare: infra:d67afa59828c7def64044cfd8b0a31678955a886
Branches Tags
infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:master infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets

1 Commits
updatebot/ ... d67afa5982

Author SHA1 Message Date
bot
d67afa5982 firefly-iii: Update to 6.4.2 2025-10-11 11:32:12 +00:00
42 changed files with 49 additions and 955 deletions
Expand all files Collapse all files

3
authelia/configuration.yml
View File

@@ -108,7 +108,7 @@ identity_providers:
- phone
authorization_policy: one_factor
pre_configured_consent_duration: 8h
token_endpoint_auth_method: client_secret_basic
token_endpoint_auth_method: client_secret_post
- client_id: kubernetes
client_name: Kubernetes
public: true
@@ -116,7 +116,6 @@ identity_providers:
redirect_uris:
- http://localhost:8000
- http://localhost:18000
- https://headlamp.pyrocufflink.blue/oidc-callback
authorization_policy: one_factor
pre_configured_consent_duration: 8h
- client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420

2
authelia/kustomization.yaml
View File

@@ -58,4 +58,4 @@ patches:
name: dch-root-ca
images:
- name: ghcr.io/authelia/authelia
newTag: 4.39.15
newTag: 4.39.9

55
crio-clean.sh
View File

@@ -1,55 +0,0 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
usage() {
printf 'usage: %s node\n' "${0##*/}"
}
drain_node() {
kubectl drain \
--ignore-daemonsets \
--delete-emptydir-data \
"$1"
}
stop_node() {
ssh "$1" doas sh <<EOF # lang: bash
echo 'Stopping kubelet' >&2
systemctl stop kubelet
echo 'Stopping all containers' >&2
crictl ps -aq | xargs crictl stop
echo 'Stopping CRI-O' >&2
systemctl stop crio
EOF
}
wipe_crio() {
echo 'Wiping container storage'
ssh "$1" doas crio wipe -f
}
start_node() {
echo 'Starting Kubelet/CRI-O'
ssh "$1" doas systemctl start crio kubelet
}
uncordon_node() {
kubectl uncordon "$1"
}
main() {
local node=$1
if [ -z "${node}" ]; then
usage >&2
exit 2
fi
drain_node "${node}" || exit
stop_node "${node}" || exit
wipe_crio "${node}" || exit
start_node "${node}" || exit
uncordon_node "${node}" || exit
}
main "$@"

2
firefly-iii/firefly-iii.env
View File

@@ -32,5 +32,3 @@ MAIL_PORT=25
MAIL_ENCRYPTION=null
MAIL_FROM=firefly-iii@pyrocufflink.net
SEND_ERROR_MESSAGE=false
ALLOW_WEBHOOKS=true

5
firefly-iii/kustomization.yaml
View File

@@ -16,12 +16,13 @@ resources:
- importer.yaml
- importer-ingress.yaml
- ../dch-root-ca
- network-policy.yaml
configMapGenerator:
- name: firefly-iii
envs:
- firefly-iii.env
options:
disableNameSuffixHash: true
- name: firefly-iii-importer
envs:
- firefly-iii-importer.env
@@ -64,4 +65,4 @@ patches:
defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.4.9
newTag: version-6.4.2

61
firefly-iii/network-policy.yaml
View File

@@ -1,61 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: firefly-iii
labels:
app.kubernetes.io/name: firefly-iii
app.kubernetes.io/component: firefly-iii
spec:
egress:
# Allow access to other components of the Firefly III ecosystem
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: firefly-iii
# Allow access Kubernetes cluster DNS
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow access to the PostgreSQL database server
- to:
- ipBlock:
cidr: 172.30.0.0/26
ports:
- port: 5432
protocol: TCP
# Allow access to SMTP on mail.pyrocufflink.blue
- to:
- ipBlock:
cidr: 172.30.0.12/32
ports:
- port: 25
# Allow access dch-webhooks
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: default
podSelector:
matchLabels:
app.kubernetes.io/name: dch-webhooks
# Allow access ntfy
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ntfy
podSelector:
matchLabels:
app.kubernetes.io/name: ntfy
podSelector:
matchLabels:
app.kubernetes.io/component: firefly-iii
policyTypes:
- Egress

87
fluent-bit/fluent-bit.yaml
View File

@@ -1,87 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fluent-bit
labels: &labels
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: fluent-bit
image: cr.fluentbit.io/fluent/fluent-bit
imagePullPolicy: IfNotPresent
args:
- -c
- /etc/fluent-bit/fluent-bit.yml
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- CAP_DAC_READ_SEARCH
volumeMounts:
- mountPath: /etc/fluent-bit
name: fluent-bit-config
readOnly: true
- mountPath: /etc/machine-id
name: machine-id
readOnly: true
- mountPath: /etc/pki/ca-trust/source/anchors
name: dch-ca
readOnly: true
- mountPath: /run/log
name: run-log
readOnly: true
- mountPath: /var/lib/fluent-bit
name: fluent-bit-data
- mountPath: /var/log
name: var-log
readOnly: true
dnsPolicy: ClusterFirstWithHostNet
securityContext:
seLinuxOptions:
type: spc_t
serviceAccountName: fluent-bit
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: dch-ca
configMap:
name: dch-root-ca
items:
- key: dch-root-ca.crt
path: dch-root-ca-r2.crt
- name: fluent-bit-config
configMap:
name: fluent-bit
- name: fluent-bit-data
hostPath:
path: /var/lib/fluent-bit
type: DirectoryOrCreate
- name: machine-id
hostPath:
path: /etc/machine-id
type: File
- name: run-log
hostPath:
path: /run/log
type: Directory
- name: var-log
hostPath:
path: /var/log
type: Directory

25
fluent-bit/kustomization.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: fluent-bit
labels:
- pairs:
app.kubernetes.io/instance: fluent-bit
includeTemplates: false
includeSelectors: true
- pairs:
app.kubernetes.io/part-of: fluent-bit
includeTemplates: true
includeSelectors: false
resources:
- namespace.yaml
- rbac.yaml
- fluent-bit.yaml
#- network-policy.yaml
- ../dch-root-ca
images:
- name: cr.fluentbit.io/fluent/fluent-bit
newTag: 3.2.8

6
fluent-bit/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit

42
fluent-bit/rbac.yaml
View File

@@ -1,42 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
rules:
- apiGroups:
- ''
resources:
- namespaces
- pods
- nodes
- nodes/proxy
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: fluent-bit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluent-bit
subjects:
- kind: ServiceAccount
name: fluent-bit
namespace: fluent-bit

1
grafana/grafana.yaml
View File

@@ -60,7 +60,6 @@ spec:
port: http
path: /api/health
periodSeconds: 60
timeoutSeconds: 5
startupProbe:
<<: *probe
periodSeconds: 1

3
headlamp/headlamp.env
View File

@@ -1,3 +0,0 @@
HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
HEADLAMP_CONFIG_OIDC_USE_PKCE=true
HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue

23
headlamp/ingress.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: headlamp
labels:
app.kubernetes.io/name: headlamp
app.kubernetes.io/component: headlamp
app.kubernetes.io/part-of: headlamp
spec:
tls:
- hosts:
- headlamp.pyrocufflink.blue
rules:
- host: headlamp.pyrocufflink.blue
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: headlamp
port:
number: 80

44
headlamp/kustomization.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: headlamp
labels:
- pairs:
app.kubernetes.io/instance: headlamp
app.kubernetes.io/part-of: headlamp
resources:
- namespace.yaml
- https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
- ingress.yaml
configMapGenerator:
- name: headlamp-env
envs:
- headlamp.env
options:
labels:
app.kubernetes.io/name: headlamp-env
app.kubernetes.io/componet: headlamp
patches:
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: headlamp
namespace: kube-system
spec:
template:
spec:
containers:
- name: headlamp
envFrom:
- configMapRef:
name: headlamp-env
optional: true
securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101

6
headlamp/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: headlamp
labels:
app.kubernetes.io/name: headlamp

4
home-assistant/configuration.yaml
View File

@@ -91,8 +91,8 @@ notify:
- platform: group
name: mobile_apps_group
services:
- service: mobile_app_pixel_8a
- service: mobile_app_pixel_9a
- service: mobile_app_pixel_8
- service: mobile_app_pixel_6a_tab_jan_2024
- name: ntfy
platform: rest
method: POST_JSON

10
home-assistant/kustomization.yaml
View File

@@ -152,14 +152,14 @@ patches:
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2025.11.3
newTag: 2025.9.2
- name: docker.io/rhasspy/wyoming-whisper
newTag: 3.0.2
newTag: 2.5.0
- name: docker.io/rhasspy/wyoming-piper
newTag: 2.1.2
newTag: 1.6.3
- name: ghcr.io/koenkk/zigbee2mqtt
newTag: 2.6.3
newTag: 2.6.1
- name: ghcr.io/zwave-js/zwave-js-ui
newTag: 11.8.1
newTag: 11.2.1
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.22

2
home-assistant/secrets.yaml
View File

@@ -7,7 +7,7 @@ metadata:
namespace: home-assistant
spec:
encryptedData:
passwd: AgAtHK4uabM+TDpKukHpZ7c7RnlmAMBoJQnS1cozg0gFEXgmAdDJKWHymifmgbeJrYdVPNYTVn6lCjsllx+zzHYNrQrFShAhrDZwzel2ElYtUjp7u2M1tnqgmaGk3E1pSBdH0pwzMcB7yPDBXI9hadeurL1+dk5OmqAoQfpjlYmkT7wqAp21qH3Y7fTehpXZZ3XojrM60fwyaCKBWwQCjablR/20BuoJMmXXVN35L8Q2OH4HWDY8WRteTZaa+zL/lozrR/BW2/T45X5o6oCmukk30OSGbb16aeIIasB8tBKjYm7L/EtWY42QLPyV6LZDKFtH/1XD737nYzoYYi2GfiYboQJqfYZlP5ElhxMP+azFHr2eD1Ild7yxSNiGMtnbsd9VSCUywtbKqDvNEA4C5FXrvNlfcoq6LCyrKhFFLDPuv9BkN6NlB/eYGsSkVTwEgai3j7FvxFIgEAY1Hzr9Tn9/g+lMoEgHKgjiRBMRkn3HcB3K16U9QN1gSaQpLdlW7uG7o4UoerFQ5p1NW5pyja+kOFPb2YBv/2O1C6izSCt+i99zy3iwJGXEHMEGkA4Ag1Ti/sRxRZj7QsBhYcoxgB1GLhvB9TldQqOExCo/B08/t32EwuSQaHgjWGIeJjrY+g1w0C75ya6me1GQ7K8yIWcHmyo34LyOMkwdH9URgFgldNn0u4CEDyZR9ujhf1UEUxkgG6Pj5SUA7Exn1cIM/H472NU3G/uyCPWGLEeahFAutLkniagGA4t+Rb/IF3ZEqm/arpEGcjlaW9otOEBVJzal5OPpjDgfSbt4rUeHm8z2xLwvV6kYmLZRAH5SHZruS7mk92SjKZKD4BroZ7nJKYDksWmidpDVpmVcfBNHfL/Zs859I623aYVXj4mrU3LWaZ6DkG94hQRPsp+7zHEvx78+prHoIld/Zf8YOqFli0G0Cb5LtZVHIOVT6g81uvYjoodNdX742H0exfHci1UCpU6PIqBBSeBjppoUIoHjjFSUWWm6+bZsRTciaBrkt3YvzBTE3cdCfxfF2Y7A6wY98lVKpOEBGhtXNi+pXq3x5OhQBl2EZ1iBJBP2DN+qv6ymdnZlQ333+E1R3mn+NgrxVyHFSVRe+q63vETfGWmQN48LD73dl0ck6ER/bLxV3vl7UfWf2h1tG2lY3FHKdmMOpXoYJPEd8XDyDkSjf4ZruFyloD9QOMf0jXphrlYOHqhqNHAV86OcA+ggvJXkKuIw0ZZPsj7gux7xsiZ5rDtZUbnRLkss4e+XStBqHc80cnw0kKiVqCpJjZ+9BG6ntPqfACXnAEOL1dcPkicsB8lzfeTfK2JcZ1U+VAQm2rnsT49Er5GaU1wPBWoNJIYedfWpkwkXYRAWPkOdAoWEvFRNrwJx/O9vsMKTMcGCno3keMYSc/gzv/F9ADE7IQ7WFr+RZGKMVnoYyztFLSH0E5qhmP3DpnMZDizZaxwZhEyFhNdaWsxNC4vX3Hw/R1wkx0dZYGpqxECRpEkHuBwSrOTrJMKjSX/jOHdeO+n910Eigb731ivEiDpUH1RtYFK8XiqhxgowZaFCIuSMdMIYzg/PyxGWInRBnzhvr8Z9UNM+gXbo/3i2J9s718AnIbTacFHz+GEW/yAupWsZcyh7mwl+X3EMPMR23moXHOKLljxWeZs4NTpvr+htY9NgGicLFitpu0OHXM+e9V4UfeCTtDD1Kf4/SQDB9n3Qu/T5wv2VHbzxn4fYW3pxFThAA+DPb2UTVUSfbKlRi2hbdlBHQ2FJMQCdIFxkHjSLHDZBtuYGsPux6ekEsKck3AzorHXkBMsWtY0QUO1l4OXPoqnAOSatcxzKThvPIftK/4up/9ncyH2PQ++OlPiDbDkI5k5tWbWc4KAFEkCEmowcx4PcwYGbMMnsITDhNVL+/mf2nbLeQXZgBGKgexbYoj9EBa76YF1yXSv+awx1jXj3y3Ut5axlE5pONJRegmYeP7R5OLSPtb0baUFbHLtXmKc2ITOihSI9dTTh842l5mEJq9wo6LigQI0sRiF0ERidC5fiXcJly481R8LM3K52C9h7uQg0CnkBAJ8bgPQzDk3sMhWoLZaqBPm6G0HyoYl/uv89ikrquluPA6qRlDJu93k5IwRosM7hGReEIuSHMfV3n8DBMNC/SN0xgEkASK/9lbeURWC596kpcarHLekSpcgcmBAJfKbtI1IGGD2OcLO6qq0rlS65DS66dwbhIyE0VsTeG4VcJbDOujtQVXP6xps1RY6j3hcWu+QlWFlmZa2qx1zMl0eWoh0gs2QC4uBTKQubAt4oT/o/djf8SH3scytMl+qEwXzY/5UOz7gAkj7f5QlPygmJijqh0GvWhaZeftocaIiQmbjPqAznJkGaavbgO6H2QlUy60N9Vu+PXmP86X/tGKWS/TiDm9fSAITFbKIql18DqvpyNXgDSm8M9BKEgBTj7CMeynmFurbjcbv3+SrxQRiX0xaDVmnKyMT3m+vNRvIK0UmSi3856Q==
passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
template:
metadata:
creationTimestamp: null

38
jenkins/kustomization.yaml
View File

@@ -11,18 +11,6 @@ resources:
- iscsi.yaml
- ssh-host-keys
- workspace-volume.yaml
- updatecheck.yaml
configMapGenerator:
- name: updatecheck
namespace: jenkins
files:
- config.toml=updatecheck.toml
options:
disableNameSuffixHash: true
labels:
app.kubernetes.io/name: updatecheck
app.kubernetes.io/component: updatecheck
patches:
- patch: |
@@ -34,29 +22,3 @@ patches:
spec:
volumeName: jenkins
storageClassName: ''
- patch: |-
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatecheck
namespace: jenkins
spec:
jobTemplate:
spec:
template:
spec:
nodeSelector:
network.du5t1n.me/storage: 'true'
- patch: |
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: updatecheck
namespace: jenkins
spec:
storageClassName: synology-iscsi
images:
- name: docker.io/jenkins/jenkins
newTag: 2.528.2-lts

38
jenkins/secrets.yaml
View File

@@ -73,41 +73,3 @@ spec:
name: rpm-gpg-key-passphrase
namespace: jenkins
type: Opaque
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: kmod-signing-cert
namespace: jenkins
spec:
encryptedData:
data: AgCWHnNGTMP9xpyjvYHCNZhmhBY5NhA6hGm+VDaEKUTTUsoHFYwNoL8Z6PwKqDMyo3NfZ/QR74+zpuGxidGLKfSWKXAR6vkHeTD5wGmZLetwzmFRPL/AjUJU4bBYBKfbfUHJDBUhgcGu5CKROW1ChNjf+EvaevrI9yTNe3Pgu1/Cqv+jiBkSCH1PMFiwNZIuYC1eFTs+NGUEyCU0bbkBW4wvrCm/RXiw5OAun8rxVfMa79HmyIXzM6gvnZxArcL4oHhmAOo3wzqOqgBgJ1VLVPcppVHzr3bawSRZ7kkcuV+CLBaT2/76/Gmsu6o8bAWIpgKIs8d0+ZE3y3cUjqYpVS9qHcgLlF5HG8nus68HpSRUd2rSDBWeLcKq1WfNcbFWIk0/lniI1zs6UjbSbbwblHy1g/eHYU7FOzi7L1S8tgwwUn0i2o4+yXrw+o4PuLukDGxZid5fTI5/bfsrdcYvf7WGC3WNMs5F35UGTtUmPrVs+n8V0Hcjb4w/SWhdsaMG/FQunO3nIDuC7YUaPYlv2Em4Eetwwuon46weHAPcPkdIJge0+f7BMZGsxz5MRdrxGgsmdPB/JDNs2DvuGyFKiyPjsRNDuS5JDapEiqsvyvzOpmoO3bkpHw7iPHC6ocqA3cBiwYypk4tHPG74UgrchpADI30QFTYj9PAyoEng0Gcy+7tFUva2Jum46NjMFLxyDTm6GRf+PBt3oQKauHcWitEo2fl1qk22tP0DXtG4ylcI1ZM8SpBGZRVeOsg+x+sjbAAcXGyY3XXlhiqjGRiiPiphhYq8qpbsiklIxJ+D/IJyz3wIIuAqukIxI54RnPRpKrxL4FfZacpffnQdXu8tkyHE5ZVxbHGtHE0f/ZN7DuNVgm4xCNyww5bQExArkhtJNYDUf9MlzyvXFAVQQsXcamWOUquJ+Z5fnR61pHFCSJmy4hZ+8aaosu0fgqyebOa/JQDbKs3GeZ/dg3P10Sa/AVj0Ry9IiGkPznv2W+m2Qaepoa5sVsH4/WWE4gns5Js3KewdFdLO8E9IkWJoAOixtRL8dWNW9qLt/SwprwhNeTE4cX/PCnYqAFqZyBWHjsNHOockLGJOfOoADdh9Jm9Ap5BGlWqkfpacO6cWohw2DMMP+ut1zjD5GoEPTX5Y2yota7FR9q6eFlzKysizRA+3Tzvb1AYu1FORdMebgBflpw9efhbShRHBpaRz2GJ6Wh307gF3SCcu9sgyk29zUBNKLR06e5mIHYXVFPVgOboI96gDrYuBSPuPJhs09GLdt0qwMBPbgL0SzPcOvHTmXqr6FpsJj68TffcbjAuKdYEOYRQ1DbOeWfK1c8+NACKBPjSfNCB4EdkRIQhZ2SrY4wtbnUDkdPdHv3zl52aIbj/gmMit+wx7Ej0LrzftWnmF+4v06zL6ZtZx4gLU4FNN7QLKOUzEgE64Y20yRiTKDRPLV0O0UsunJU9QPQvfJkR2PAlLBt1cJdl3vJp2pNYGqyF6UPfryoNkBCvwaoa2cnU7jFKK4/985fS6N6eB9q5cYdusVWIz6O5ENgn9ipF4w9tFk3oJrebkcvssWAsHMEu3G8XvdgLFG14enP/JeKSRrAHoYq3QPOlZq8QyYzEVr0FeHVEGSszc+HwuRzwkOffJdE9iGySsGHOBigonSiWfAB+Dy4/3Tt7lD53uN98QZVXlJRiffvvPIn5F2VMMq9/wB5q5Gy+m2TZiQ/4xRaZAGnm8W2ultZ6AIrMnb6rFgShbElYBJuK25w2EXzY/nR5OIdsFEkJ5bxeHJ/O4942U3WxnyZ8Zcy7KVrtEG6MNBmT/TneA49MwkYlyLpm7xPxMnhRZhx0/izwjtbWZRp+2L7r2i36Ag5sLuT0K8bUc8UCzBiYVSlo2lQ8Z2JmpK7IJQkuDSr0hHJ259r+FL4PVc+cM4kINctWvh6JduhF0wx0ltBuOdlfKq1m6K3vmO3R2N8NybzkmK4IOAqcjUAiQBtICzhVfYmJXCKvFa21uF37Izbx2ty+KJyR/vr8/qyqcuO8QHheFm0wajuhKdPX+tlhkF6sn1k0CV2vub7Tcl5JHws3GM38resQsIlm+/rr5Bd/hpzUPQFC5KQsyXYl96lI2+p4h0lomOpZFMPHGIAlSOUeOpv3uU+7uqONdNr9KasiICv8WUOi/r4iLMmFb/SxGgQIYIU3hm4C0g6Mwn1Zmi09kJ98bhlTxbIedjw/pyc/TirLDaKsH9/yNRyt5rRYPWKVObhYrZWERHn98uc7/T8hDQqbn1EqIeocdAyFcNsv8UUopyC7LSCQnQ1fZnUVV5+YI3rnZ0gh5K/lwvD1MmnbxEUNFGFudwy3O3i8tSp7G+KL+pZxHLk8pyZNX8949vAyaE5lgrI9DLnJllocjlh5EzdXKaH7yrEQHK4ldU/BR6jLPlpLhM3GJ1tCfHPlqtz7D88xW8/cV44hobw7NBn9jO7B+myY4rygt6nj5wPWMbcQDtPldS41IFcEpd0XZa6kO/tOdBZ3sXmNilJhQhj57ZFqm9bL8oGWqMXjevfdL3HKUpOiza98GPk55kUzMSbhfdCJsYC1o3QN66aLpf1PaES0NENwYX1IycN3aJYqJOUicyg4oPAXXK+DYBnknfj8NCak2zSELimOVTeIlQmCczx4mBgn/5eGxXytXIdjHYfNj/1raCqkaEhC0X1Q21asNrIP3DYFM3KFIvOCZt7TCMeG8q5L4estYCncr1HAgu9CMFrq4vEDW1llPvAyr5dwFR52VnMPffwYEBpRG6xN7QSn8HYBkx4XIBLlKQH0GZtRjT4bpBmeKPH0fai5e36uCy+OLraqB05lUCJwHw+ej3ymWIe8osi+uRMZHCTBo6DNbbOTIcRfScRKJMcNlXu3v5+wZq5UT52TTaqUkHV/eEX2kFYuqbkfdtwizbN/JMomTClbAKpjpYk2zR1Jjj/f/2H8nlLYZprkiLGQcI/4dk/r0MASN3d3jiSPR+Y1FVxnedSh0qhxqDKq6rQG5jSd9muZJaZL23E7qeQ+24QhmAtWQtnp3z+iX79T6IIaDBeM7sTRr0jaJ6k2Id8EZ0QVI80aSoYaYLQO15gXY0DldqbuGy/J+Ugh3GPMVUtJdUm+JnRmxDKTdeK9RPdNtEE3Bcl9ERu46+kIhaK1K2HVQqlHoIKplVxj/Avncv9MeOsIZIpP0jDDlTAd49d8HJ1uQWi0A5HzM2jVgqvvVtWHtjwtUDhd4YdSDUPlkx8xqunkcPakj/QZtEc4JfioriyZWG2v29pRxrxSaiGe9AquCJMtncChRVXWm1A80DvEKoFByFbyS5P6T41oTE6zysxAt1JGBRpimQHE3rRzYyqLXsCQUP9TN+3Y/84zZXZKeOgK4KoHXxTRLZL/CDXDE4lvbbtTzPcQ8UpgGb3tBgp0ui40qBWREo/TU4zelqSNVNROO5VbPakx+aaZ2tuajmxkp8CmyrBzM8wuY2m6AokRp1TN+rsSHk+UuAqSNM9lgVleWuKoEoBF0wT3YlqN/hxc2zWmyb/oCHh5hexiO8fbZUwkbyprIpZ3s5IdxbrtDYEPFzIdmuAQVN/GQ1tu86Cc4g4rHZqJ3w614/NzgRj+0RPAFrp1NC1zZzuc36TfsazzyDPZ1r8rwyJ2HWjO/cemTPrPQYdFY5SrAklBs6Otc89IdbKn5eSVKIyTQbqSP7lYAKEHLQdUoCAVRv7ghVaXCyprNfpr9bpUJ/mGoikNi3m0o83E8R7yp5/nbgG6rgEyza0LQHVF1mEOqwi2LKB6u5F0KjsGhqr4OLegf8GxYX8bPNfdD3XCpG/nqNYA5eJgA68qViJdU15FnR4kzLrWlJfVB8TwMIb1pAq8itgzveVKXUJS/ZS6kkFdH18LMHbw16tHBmTDewtzdbv+vBfXuZQz3Ay8nMAe/jWeAaujlVfTFKJ0L03kXvr59DIxnEODdvAtPhPXRyqfLbN9ffj3Jtn5ermKUnBMNNqeSJV8GFyIZXkemwX9CkXsrJvV1EreheRWaW6UD7104rJY/EQ1jg6BaCaZ1R34DIO8VHG33GkqvgzK8QJgrvSGuUDxHtOyzm/hwh6odPqqSRFdEMgU2GUNNLmO6xoHh2Q6GnE2PaYjKEw+Spm0iAoSgA349ElDOToGgPyOusMKroHKTbxGVqC8A4iVaNiNnEHm066bJCs1TlMxXQ5ob+gzN+1KJyxzwp47HHVeFQqTIwcsE+4WVUY7116oUHzyzHUxwsuGfS22I/JSrnelcx7vHPNRC5slAoe6aQ929q9f+kknr8EyifD9Fxbw1f+GpCvrujW+AoyQhBcD5F+KdvECRZ9WA7JNebmb5Mq0Qst4a5c4UKyk6OqNhj1UY0FWl7N1yO5jvX37rSbtcX2loTIBYksIJ/dYK2FJjO0Vs6/xBeJALMR+Sh3pVuVf+Ez5WlCvVrUT51g2LO2NVocBoAF1S9aQw7x6ex3tAYatgRC5JUWAOjpC6F7I=
template:
metadata:
name: kmod-signing-cert
namespace: jenkins
annotations:
jenkins.io/credentials-description: Kernel modules signing certificate
labels:
jenkins.io/credentials-type: secretFile
data:
filename: signing_key.pem
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: webhook-trigger
namespace: jenkins
spec:
encryptedData:
text: AgA6vfZFOXBx/5bBP1K3GyOq3XQVIVMQ7j48jgJdwm5c4dEKl1HJgoNFiE2NWiX+ALx4ebmGj5FovCajkJ2YIzqNbI+wZeEoH1gIO0WmQcVlEg0zparSTkll/D+eguoPB6YtSr2T+g30FZFnzWQWMetxydWHX/pqx7e/6L3M+50IYfjQ8Vcx/QGe9KAiMHapEdxAEmoxdrrtsKlGo5Bh4JNoFWYf9ZcvTrYmrUtR+PYfZcxTulP0Cn6q3yNG4DC19WK0OXI1lmuZ36aUYJJrvu+rT+SB6JntMMmCLiBkcbhjxA2fTuNcYoAAXqwZjrFjXRBxuww75Wm/v+BqxGkkaJrZdhIv/maqZggLb1sHE9HyulSQ536R8f0FEt0FXX0hn1VuckWLZvDEOpcude8EEJ7DE+/Qya6fdx7ZLtKCefViTj/R8xDPoicbmgToJaZ1qnH3QFkzPXtHhzFFM4rks+i1Nz14A5kg2APiw1QQsOTp/wp2S2LXnU3gR/LQa1uEpM82KrKQfJ4TATp1oip2wemwm+burgv1DGoRBYNYM6huaS6g5u76/Vo0PTrQAEe8uIus9RnZhZ4Wp5NtLUlGM0B5oL2O4ySeBGjpM5w1UGswqjFBcP6MNQPuJEBsKhbqSUR/E1pgH9pm065XJo8SWpWqiYdNsY+s2fhb9SMiQxFStAF0Mm8lvN3hnXdfGjoyufJMcKtodLzC5sPwJHNJLkod2qIA+OY+c/gHplCPhcvPOg==
template:
metadata:
name: webhook-trigger
namespace: jenkins
annotations:
jenkins.io/credentials-description: Generic Webhook Trigger token
labels:
jenkins.io/credentials-type: secretText

13
jenkins/updatecheck.toml
View File

@@ -1,13 +0,0 @@
[storage]
dir = "/var/lib/updatecheck"
[[watch]]
packages = "kernel"
[watch.on_update]
url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke"
coalesce = true
[[watch.on_update.headers]]
name = 'Token'
value_file = '/run/secrets/updatecheck/token'

74
jenkins/updatecheck.yaml
View File

@@ -1,74 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: updatecheck
namespace: jenkins
labels:
app.kubernetes.io/name: updatecheck
app.kubernetes.io/component: updatecheck
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 300Mi
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatecheck
namespace: jenkins
labels: &labels
app.kubernetes.io/name: updatecheck
app.kubernetes.io/component: updatecheck
spec:
schedule: >-
22 */4 * * *
concurrencyPolicy: Forbid
jobTemplate:
metadata:
labels: *labels
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatecheck
image: git.pyrocufflink.net/infra/updatecheck
args:
- /etc/updatecheck/config.toml
env:
- name: RUST_LOG
value: updatecheck=debug,info
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/updatecheck
name: config
- mountPath: /run/secrets/updatecheck
name: secrets
readOnly: true
- mountPath: /var/lib/updatecheck
name: data
securityContext:
runAsUser: 21470
runAsGroup: 21470
fsGroup: 21470
runAsNonRoot: true
volumes:
- name: config
configMap:
name: updatecheck
- name: data
persistentVolumeClaim:
claimName: updatecheck
- name: secrets
secret:
secretName: webhook-trigger
items:
- key: text
path: token
mode: 0440

4
jenkins/workspace-volume.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: jenkins
spec:
accessModes:

36
k8s-reboot-coordinator/jenkins.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
rules:
- apiGroups:
- apps
resources:
- daemonsets
resourceNames:
- k8s-reboot-coordinator
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins.k8s-reboot-coordinator
subjects:
- kind: ServiceAccount
name: default
namespace: jenkins-jobs

37
k8s-reboot-coordinator/kustomization.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
labels:
- pairs:
app.kubernetes.io/instance: k8s-reboot-coordinator
includeSelectors: true
resources:
- https://git.pyrocufflink.net/dustin/k8s-reboot-coordinator//kubernetes?ref=master
- service.yaml
- jenkins.yaml
images:
- name: k8s-reboot-coordinator
newName: git.pyrocufflink.net/packages/k8s-reboot-coordinator
newTag: latest
patches:
- patch: |-
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: k8s-reboot-coordinator
spec:
template:
spec:
containers:
- name: k8s-reboot-coordinator
imagePullPolicy: Always
env:
- name: RUST_LOG
value: k8s_reboot_coordinator=debug,info
imagePullSecrets:
- name: imagepull-gitea

14
k8s-reboot-coordinator/service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: &name k8s-reboot-coordinator
labels: &labels
app.kubernetes.io/name: *name
app.kubernetes.io/component: *name
app.kubernetes.io/part-of: *name
spec:
selector: *labels
ports:
- port: 8000
targetPort: http
name: http

18
keepalived/keepalived.conf
View File

@@ -20,11 +20,6 @@ vrrp_track_process rabbitmq {
weight 90
}
vrrp_track_process hbbs {
process hbbs
weight 90
}
vrrp_instance ingress-nginx {
state BACKUP
priority 100
@@ -63,16 +58,3 @@ vrrp_instance rabbitmq {
rabbitmq
}
}
vrrp_instance hbbs {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 54
virtual_ipaddress {
172.30.0.150/28
}
track_process {
hbbs
}
}

4
keepalived/keepalived.yaml
View File

@@ -18,7 +18,7 @@ spec:
command:
- sh
- -c
- | # bash
- |
printf '$INTERFACE=%s\n' \
$(ip route | awk '/^default via/{print $5}') \
> /run/keepalived.interface
@@ -28,7 +28,7 @@ spec:
subPath: run
containers:
- name: keepalived
image: git.pyrocufflink.net/containerimages/keepalived
image: git.pyrocufflink.net/containerimages/keepalived:dev
imagePullPolicy: Always
command:
- keepalived

2
music-assistant/kustomization.yaml
View File

@@ -18,4 +18,4 @@ resources:
images:
- name: ghcr.io/music-assistant/server
newTag: 2.6.3
newTag: 2.6.0b18

2
ntfy/kustomization.yaml
View File

@@ -20,4 +20,4 @@ configMapGenerator:
images:
- name: docker.io/binwiederhier/ntfy
newTag: v2.15.0
newTag: v2.14.0

6
paperless-ngx/kustomization.yaml
View File

@@ -45,8 +45,8 @@ patches:
images:
- name: ghcr.io/paperless-ngx/paperless-ngx
newTag: 2.20.0
newTag: 2.18.4
- name: docker.io/gotenberg/gotenberg
newTag: 8.25.0
newTag: 8.23.0
- name: docker.io/apache/tika
newTag: 3.2.3.0
newTag: 3.2.2.0

30
policy/README.md
View File

@@ -1,30 +0,0 @@
# Cluster Policies
## Validating Admission Policy
To enable (prior to Kubernetes v1.30):
1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
of the `kubeadm-config` ConfigMap:
```yaml
feature-gates: ValidatingAdmissionPolicy=true
runtime-config: admissionregistration.k8s.io/v1beta1=true
```
2. Redeploy the API servers using `kubeadm`:
```sh
doas kubeadm upgrade apply v1.29.15 --yes
```
### disallow-hostnetwork
This policy prevents pods from running in the host's network namespace. This is
especially important because most nodes are connected to the storage network
VLAN, so allowing pods to use the host network namespace would give them access
to the iSCSI LUNs and NFS shares on the NAS.
If a trusted pod needs to run in the host's network namespace, its Kubernetes
namespace can be listed in the exclusion list of the
`disallow-hostnetwork-binding` policy binding resource.

43
policy/disallow-hostnetwork.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: disallow-hostnetwork
spec:
matchConstraints:
resourceRules:
- apiGroups:
- ''
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
validations:
- expression: >-
!has(object.spec.hostNetwork) || !object.spec.hostNetwork
message: >-
Pods must not use hostNetwork: true
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: disallow-hostnetwork-binding
spec:
policyName: disallow-hostnetwork
validationActions:
- Deny
matchResources:
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- calico-system
- democratic-csi
- keepalived
- kube-system
- music-assistant
- tigera-operator

5
policy/kustomization.yaml
View File

@@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- disallow-hostnetwork.yaml

36
rustdesk/kustomization.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rustdesk
labels:
- pairs:
app.kubernetes.io/instance: rustdesk
resources:
- namespace.yaml
- rustdesk.yaml
- network-policy.yaml
patches:
- patch: |-
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: rustdesk
spec:
storageClassName: synology-iscsi
- patch: |-
apiVersion: v1
kind: Service
metadata:
name: rustdesk
spec:
externalIPs:
- 172.30.0.150
externalTrafficPolicy: Local
images:
- name: docker.io/rustdesk/rustdesk-server
newTag: 1.1.14

8
rustdesk/namespace.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: rustdesk
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
app.kubernetes.io/part-of: rustdesk

30
rustdesk/network-policy.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: rustdesk
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
spec:
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/part-of: rustdesk
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: rustdesk
policyTypes:
- Egress

122
rustdesk/rustdesk.yaml
View File

@@ -1,122 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: rustdesk
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
app.kubernetes.io/part-of: rustdesk
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: rustdesk
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
app.kubernetes.io/part-of: rustdesk
spec:
selector:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
ports:
- port: 21115
name: nat-t
- port: 21116
name: hbbs-tcp
protocol: TCP
- port: 21116
name: hbbs-udp
protocol: UDP
- port: 21118
name: hbbs-web
- port: 21117
name: hbbr
- port: 21119
name: hbbr-web
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: rustdesk
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
app.kubernetes.io/part-of: rustdesk
spec:
selector:
matchLabels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
serviceName: rustdesk
template:
metadata:
labels:
app.kubernetes.io/name: rustdesk
app.kubernetes.io/component: rustdesk
app.kubernetes.io/part-of: rustdesk
spec:
containers:
- name: hbbs
image: docker.io/rustdesk/rustdesk-server
imagePullPolicy: IfNotPresent
args:
- hbbs
env: &env
- name: XDG_CONFIG_HOME
value: /etc
- name: XDG_DATA_HOME
value: /var/lib/rustdesk
workingDir: &dir /var/lib/rustdesk
ports:
- containerPort: 21115
name: nat-t
- containerPort: 21116
name: hbbs-tcp
protocol: TCP
- containerPort: 21116
name: hbbs-udp
protocol: UDP
- containerPort: 21118
name: hbbs-web
securityContext:
readOnlyRootFilesystem: true
volumeMounts: &mounts
- mountPath: /etc/rustdesk
name: rustdesk-data
subPath: config
- mountPath: /var/lib/rustdesk
name: rustdesk-data
subPath: data
- name: hbbr
image: docker.io/rustdesk/rustdesk-server
imagePullPolicy: IfNotPresent
env: *env
workingDir: *dir
args:
- hbbr
ports:
- containerPort: 21117
name: hbbr
- containerPort: 21119
name: hbbr-web
securityContext:
readOnlyRootFilesystem: true
volumeMounts: *mounts
securityContext:
runAsNonRoot: true
runAsUser: 21115
runAsGroup: 21115
fsGroup: 21115
volumes:
- name: rustdesk-data
persistentVolumeClaim:
claimName: rustdesk

3
ssh-host-keys/ssh_known_hosts
View File

@@ -10,9 +10,6 @@ git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbml
git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
pikvm-nvr2.mgmt.pyrocufflink.black ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs34lxHkZMeKsbVaDLE9iFiUxsqmvwIRNv7z7BX1bDLtTH7yihHxnKkjc+q0JueNyvw+0KzsbQbns+6A6RqOuA=
pikvm-nvr2.mgmt.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6X4q2X9OL2SPHn7pF1yUTz0W2L3pyUNAqY+JBLckes
pikvm-nvr2.mgmt.pyrocufflink.black ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC10WLu1UCK0DbxqdeSSj5T2bKEeBuGAKLTdGbD2QDQ3hhfz3Tz+NK9wgQftl/Kr346eJ4toZTE4lis/XNLFjjmp2v40Ge4Ban1k2JXdXwFdPUesSDvQVUJxdGPIqEuXmnLpHkDxy+Blw9Y/Z31ujAqmPw2+X/tx19ZiJZS7SPvDB5lOsjapTap/srWDZA+xHALXVfnZAOubJxfi9Zfa0J9i3/HxVpLE0z7dC4hhIIe3imllxc6XiSNuIiUNTZBNwrD30P/+9c5aHELsAGJGMQ/TAZDExmnzPQO+dEIhus8jbVqRkzcl3ayhMIXmaz1ctZZgH8DqZ/gzbuHdkEBy3zOusEsP1fKUkjMlJYLhUgX59/xAVhNk6gVNptRDBRlp8mbYO4GjXOMhLipBBpewwH8fEcGsXCLY5Z51A72hNABbSy/vnXav9UxqIjX7y955lVilnWmjX+UaQMGMpQFoAfcZryqrRUWLcGLZsAxEFhsSxa3Dc6IqT6I8vbDmrLetZk=
serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=

10
updatebot/config.yml
View File

@@ -107,13 +107,3 @@ projects:
kind: github
organization: dani-garcia
repo: vaultwarden
- name: music-assistant
kind: kustomize
images:
- name: music-assistant
image: ghcr.io/music-assistant/server
source:
kind: github
organization: music-assistant
repo: server

49
victoria-metrics/scrape.yml
View File

@@ -196,8 +196,7 @@ scrape_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: >-
%{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
replacement: %{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
- target_label: __metrics_path__
source_labels:
- __meta_kubernetes_node_name
@@ -259,6 +258,32 @@ scrape_configs:
- source_labels: [__address__]
target_label: instance
- job_name: promtail
static_configs:
- targets:
- nvr2.pyrocufflink.blue
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- promtail
selectors:
- role: pod
label: app.kubernetes.io/name=promtail
relabel_configs:
- source_labels: [__meta_kubernetes_node_name]
regex: .*\.compute\.internal$
action: drop
- source_labels: [__address__]
target_label: instance
- source_labels: [__meta_kubernetes_pod_node_name]
regex: '(.+)'
target_label: instance
- source_labels: [__address__]
target_label: __address__
regex: '([^:]+)'
replacement: '$1:9080'
- job_name: argocd
static_configs:
- targets:
@@ -513,23 +538,3 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115
- job_name: pikvm
scheme: https
metrics_path: /api/export/prometheus/metrics
tls_config:
ca_file: /run/dch-ca/dch-root-ca.crt
dns_sd_configs:
- names:
- pikvm-nvr2.mgmt.pyrocufflink.black
type: A
port: 443
basic_auth:
username: prometheus
password_file: /run/secrets/vmagent/pikvm.password
relabel_configs:
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
separator: ':'
target_label: __address__
- source_labels: [__meta_dns_name]
target_label: instance

1
victoria-metrics/secrets.yaml
View File

@@ -9,7 +9,6 @@ spec:
encryptedData:
graylog.token: AgAhkcueTYekWV1i71xu97dP8WkDczpuSaQzP/HBDLvAIOs+n15aS8vk/6iLKcovSdf7tBTpj2ft1zf1oLqYL6q2jpakF6HYCIRSMDGOTkp6hBJyTup+bafqaNgzY2D9i7D/KMdCahVPnrriyNVAgCl2zlrMny5C882IvGNwS4fhaHFdLm+waTRHdZZJJzObvXI4nWDO7fOqIEEzoOF6pBwuTXU6t38bK72RxUWHQjOx9XP+MJbfB64kPHul8w+kS94LMLq/6LxofMs54YtSOLavPUo+OZhcW53XQROHKKJqAm23FE9HOVdnggGMHnXIDnhSBu4rOGt0OMn/7X9MaKO25Ey+jx/+K3tj17tu6OlvUJ49x3u03cmvC2BXokl2Dnj9+at6gC5Zuj4bGvquxsF8/uPAfZSasFFWr5p5HVfPUOqriSbMZ8tmn7ZAnWhaJrxc91Vv0raHeXMjJTu36r3QJtNpt2UNoY23pxH7QS6KxSB/3QXOZb2l1I3S7EoHddiu8MuZxAhWkmsqZDHWZPWsYPO0bA7NZlM+7XwhU2vqloH79tLTLdIlzubFXGW70VrsDm2bJOrftlcxkHG8j5NqNbOHuYGMZ+7m9cIpzB5ilmuv6k5Et9P0Vo++Awt5534VDpw6+vm2a5O/YwZjjP3VOtrp59Y8HFI3V/MQYpO3CpaYTOQGELt3tWpfIKKHnfqmYI8hFVdOj9kR76OFxOBXoyFagM9Th12NGHUkNZTbAhu/BFxVl5wC2ObGgjlcwQSvRo5m
homeassistant.token: AgB23TUFBNpyu0RmdYkUZEYWy3+cMcffZFKVjAlvbkGOWs3f5NwWbJEZ7wBP5+s9NHNYzGx5VtGRQKSg/MjUs47gtaRN4uHLzdH7ziWrRurG4GIl36mCYeivqdf7Z+PCi/E/O+0ShCmaF9u8rYcb/ECWJDWIMt1m5+QBWLXdPJgKpw4bbS8AlIzsSvjwZs4axeZvMp4gpzjPhtl4XziKiptQ25miXtX5GtNOqmI9QwMcOmXVLXg6ZC93AqToUWiiiGKvFSob6VUvQlEJaJZNhaDwN52fjglwus6B4pnrOnck21T56IviD5Lh6LI5EKltTAJ7TwPjIySbhASp/dGOna1wanSspQZ9ZhAUMiSxrBLlv5fB+Sg70k++5jftbqqNi+X+m36UEcwQBISZNaGgQlutzJ/ghDEwXfPZOsImVT5qPz62wV8bfxJ5G2CRw1S5BfFXjJ0AyzulKLE5GGucUk03R0MUYLz0oS2mX4xsHG3qlc5WvzHNc/YsOm8bKVd/Wa/wGt3U/4bNX8BF5IUznuc22+4oxdvEeOidMB4LjLaYpYzBwpRRMLupb9sSiqKCaGUfb6kQGDHkcwZDpCVf492IUIbeihc50J2w3J9eQfbyJMmc0v0GblpzNG0OVGmMy5Z+ThZnTm/Rfmrsh18zYQGr4sBZFjXJZA2gETQY1gSTsS1z2KkhvzQwrZEiMp4ZgIzDxUwGPLH0BqnXHz7KfxJW7V1BUsk2fkD2UA51CVf52VUlGGY0CYQRf8Sgq/qqAHtz6MpQ7Gc4Z1RzXlALLTK8hii7Uv6aGNFj8iIpbRLG7d9R6y+Rlp8JUd1PC6a+uFLASx2M/q036/bBNbUDgxs3qHJmq1SaHEObFur7dpIbd9XP2FWWmk8x67gQs1Nqb73KVHbWJ1kdGMmfJr42aO6+ZPVZvlJ3l1RL4a1lrAk7Y0FlWjMvOg0r
pikvm.password: AgB3fQePD14jVc0FRaesCrx7jSuy5u9U+nvirvAS9JQAKL9COz/jKLuojeFsnd62/547QciAcC8ui9YRhkwSJOrmHB/IXvRw2+fr6K8aKfeH8aT1Gn1GuKyJvBzXs2ZUlkOZdyPDTpcwRQG3fDoQveSOU0YLln2VKp3KTRXSmBIPuJ9OG4PMTC2Rwg2NGgYaBxC9mAEWXfhaCpx0gLBvQNF2QURZUqk1wfRYPhmO1btZWYnFrUnMs1S+0WSb8qEcNLrRpKQilHwuZKxKyDR0qig/V0FIVAL17z4B+7li3NKv+iJafHIek1FVjPEPD4spk41GqfMkw/0Il4rHdUvYb2UL5dCBNKIe5xmOiNihREinanmTtz8TGjpbOCdz6vInCUbPHQWgqIvRwX89rYr17hk4FHUpYRw/KtWak2lUK3HZi+ZzYWGu1QDU8QGTxYHrASoTY5pHEgp6gsoA+KzkGyyHalghHhRUSyKMoc74uJGM/iUx6CWiqw1VLpOw0s5/yyIIkd6cneyl7q3mdRbFvYLcrDEZ26tDlKxcxY7lsXV6nTKU10DHWCGYwtOLATX7ZkX2coAmLTAEHidCz9wP/1c8pUpU6O1+bFRw/hxghAG4SAucPH61uwjqtM6I96ot1BzsXjvrJxgFls0ive1QvmhEf9aZ9IMHz0KL+MMwxcZ3p7rGjilIY7z8P67M4hQrP/xMoQkBdEvJo955f067fqNwZfaFDpimKrp4DvpCb74+ag==
template:
metadata:
name: vmagent