Merge pull request 'add ingress pvc, helmRepo and helmRelease for pulse' (#27) from add-pulse into main

Reviewed-on: #27

.gitea/workflows/kubeconform.yml

@@ -1,6 +1,11 @@
 name: Validate Kubernetes Manifests
 
-on: pull_request
+on:
+  push:
+    paths:
+      - '**.yml'
+      - '**.yaml'
+      - '!.gitea/workflows/**'
 
 jobs:
   kubeconform:
@@ -19,6 +24,7 @@ jobs:
         with:
           files: |
             **.yml
+            **.yaml
             !.gitea/workflows/**
             !clusters/default/system-upgrade/crd.yml
 

clusters/ipv6/arr-stack/bazarr/bazarr.yml

@@ -39,10 +39,10 @@ spec:
           claimName: bazarr-longhorn
       - name: tv
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/series
       - name: movies
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/movies
 

clusters/ipv6/arr-stack/qbittorrent/qbittorrent.yml

@@ -59,5 +59,5 @@ spec:
           claimName: qbittorrent-longhorn
       - name: downloads
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/downloads

clusters/ipv6/arr-stack/radarr/radarr.yml

@@ -38,11 +38,11 @@ spec:
       volumes:
       - name: movies
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/movies
       - name: downloads
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/downloads
       - name: config
         persistentVolumeClaim:

clusters/ipv6/arr-stack/sabnzbd/sabnzbd.yml

@@ -36,5 +36,5 @@ spec:
           claimName: sabnzbd-longhorn
       - name: downloads
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/downloads

clusters/ipv6/arr-stack/sonarr/sonarr.yml

@@ -41,9 +41,9 @@ spec:
           claimName: sonarr-longhorn
       - name: downloads
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/downloads
       - name: tv
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge/series

clusters/ipv6/external-dns/cloudflare-secret-sealed.yml

@@ -1,14 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: cloudflare-api-token
-  namespace: external-dns
-spec:
-  encryptedData:
-    CF_API_TOKEN: AgBGXS4yStjaLKfFq7svTArF6Y9wr/RvwQcV3P/aj/QzH8R3z9UimgGlrY61zTapCszTRRR4NJ55XpYQAU+9ugkfhDXfpmyi63oh7WWGENonHZFii9iAuC1xKMVP0B43I9Jm+YSFFCxpVE3iTiXFVbyhiSrbPfYX8KP3ED58D4T1s0OjCFWI6Uk63C5Qvc3zzjYRAvy/eHq4DEfNXifkFw7hJ03OouUmZMkvZXieNvPa3lvtnXHzE55eu3gs8C0xr/zGa3r2StfsVwLdLYaya+hHNtgp3cIiB+p8ncoBIEbyGzWQwT5jbl7zn7lqSfafe6KVYNxzKMGicVhCCOQfGyCUrrGkbBC3eXRPSgcPoHaJxLwjzPR1rVniKDsdVpRun2wskGXScRvzBEmt6gucLTUQTapc2R3R7MO8rxX0+dOR4uj7/hJdOJqNb6b7G74Jf9Y8nFfY1QEIys2i04d2HHKRIomQfAcnU2IsbWO2lEw4wzToPOGI4kQQqpLR7dIFOQnRrWJRj/5x3titG/th3vIyTRVHigGSwH9DUEh3TgVBSQbWuJMbh9HRZ/3z06kfgiGAnydzltLUOGw3w3JRE09+vS7kGKDr78jcokVoPcm8riRc1eJQImZsodMA1SF8PH1u+y0kUEbJpRuRG0e3m1yC014laokpa3Lrl8BAJkqOyAjufAOmSFPvXNROxw3WB1tED8RjZSADSocZPVoKfPNxInGxFntojEoYQw+P32d4sBdj9tJqHuCy
-  template:
-    metadata:
-      name: cloudflare-api-token
-      namespace: external-dns
-    type: Opaque

clusters/ipv6/external-dns/external-dns/external-dns-rbac.yml

@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
-  namespace: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-rules:
-- apiGroups: [""]
-  resources: ["services", "endpoints", "pods"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["networking.k8s.io"]
-  resources: ["ingresses"]
-  verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: external-dns
-

clusters/ipv6/external-dns/external-dns/external-dns.yml

@@ -1,37 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-  namespace: external-dns
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.20.0
-        args:
-          - --source=ingress
-          - --provider=cloudflare
-          - --domain-filter=akshun-lab.cc
-          - --policy=sync
-          - --registry=txt
-          - --txt-owner-id=k3s
-          - --log-level=info
-          - --interval=60s
-          - --cloudflare-proxied
-          - --exclude-record-types=A
-        env:
-        - name: CF_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: cloudflare-api-token
-              key: CF_API_TOKEN
-

clusters/ipv6/external-dns/namespace.yml

@@ -1,8 +0,0 @@
----
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: external-dns
-  labels:
-    name: external-dns
-

clusters/ipv6/flux-system/gotk-sync.yaml

@@ -11,7 +11,7 @@ spec:
     branch: main
   secretRef:
     name: flux-system
-  url: ssh://git@192.168.1.12:222/aggarwalakshun/ipv6-k3s
+  url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/ipv6-k3s
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization

clusters/ipv6/git-ops/gitea/gitea-ingress-route.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: git-ops
+spec:
+  entryPoints:
+    - ssh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-int-service
+          port: 22

clusters/ipv6/git-ops/gitea/gitea-svc.yml

@@ -1,18 +1,3 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: gitea-app
-  namespace: git-ops
-spec:
-  type: LoadBalancer
-  selector:
-    app: gitea-app
-  ports:
-  - port: 222
-    targetPort: 22
-    name: ssh
-
 ---
 apiVersion: v1
 kind: Service
@@ -26,6 +11,11 @@ spec:
     - protocol: TCP
       port: 3000
       targetPort: 3000
+      name: http
+    - protocol: TCP
+      port: 22
+      targetPort: 22
+      name: ssh
 
 ---
 apiVersion: v1

clusters/ipv6/kube-system/traefik/traefik-release.yml

@@ -0,0 +1,69 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  chart:
+    spec:
+      chart: traefik
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+      version: '38.0.1'
+  install:
+    crds: Create
+  interval: 6h
+  releaseName: traefik
+  upgrade:
+    crds: CreateReplace
+  values:
+    deployment:
+      enabled: true
+      kind: DaemonSet
+    updateStrategy:
+      type: OnDelete
+
+    hostNetwork: true
+    dnsPolicy: ClusterFirstWithHostNet
+
+    service:
+      enabled: false
+
+    securityContext:
+      capabilities:
+        add:
+          - NET_BIND_SERVICE
+      readOnlyRootFilesystem: true
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      fsGroup: 0
+
+    ports:
+      web:
+        port: 80
+        exposedPort: 80
+        protocol: TCP
+        expose:
+          default: true
+
+      websecure:
+        port: 443
+        exposedPort: 443
+        protocol: TCP
+        expose:
+          default: true
+
+      ssh:
+        port: 22
+        exposedPort: 22
+        protocol: TCP
+        expose:
+          default: true
+
+    providers:
+      kubernetesCRD: {}
+      kubernetesIngress: {}

clusters/ipv6/kube-system/traefik/traefik-repo.yml

@@ -2,8 +2,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: prometheus-community
+  name: traefik
   namespace: flux-system
 spec:
   interval: 6h
-  url: https://prometheus-community.github.io/helm-charts
+  url: https://traefik.github.io/charts

clusters/ipv6/media/ersatztv/ersatztv.yml

@@ -26,8 +26,6 @@ spec:
           mountPath: /root/.local/share/ersatztv
         - name: i915
           mountPath: /dev/dri/
-        - name: transcode
-          mountPath: /root/.local/share/etv-transcode
         - name: merge
           mountPath: /mnt/merge
         securityContext:
@@ -46,7 +44,5 @@ spec:
           path: /dev/dri
       - name: merge
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge
-      - name: transcode
-        emptyDir: {}

clusters/ipv6/media/immich/immich-pvc.yml

@@ -33,9 +33,9 @@ spec:
     - file_mode=0777
   csi:
     driver: smb.csi.k8s.io
-    volumeHandle: 192.168.1.4#pictures#immich
+    volumeHandle: 10.0.0.123#pictures#immich
     volumeAttributes:
-      source: //192.168.1.4/pictures
+      source: //10.0.0.123/pictures
     nodeStageSecretRef:
       name: smb-creds
       namespace: media

clusters/ipv6/media/invidious/invidious-companion.yml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: inv-companion
-        image: quay.io/invidious/invidious-companion@sha256:dbeaaab6a1c718f5874cc588aaab2d2b169dea4c742add6deac955c2879fc9c4
+        image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
         env:
         - name: SERVER_SECRET_KEY
           valueFrom:

clusters/ipv6/media/jellyfin/jellyfin.yml

@@ -45,7 +45,7 @@ spec:
         emptyDir: {}
       - name: media
         nfs:
-          server: 192.168.1.4
+          server: 10.0.0.123
           path: /merge
       - name: i915
         hostPath:

clusters/ipv6/metallb-system/l2-advertisement.yml

@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: k3s-lb-pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - pool-ip

clusters/ipv6/metallb-system/metallb-release.yml

@@ -0,0 +1,22 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: metallb
+  namespace: metallb-system
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: metallb
+      version: "0.15.3"
+      sourceRef:
+        kind: HelmRepository
+        name: metallb
+        namespace: flux-system
+      interval: 6h
+  install:
+    createNamespace: true
+  upgrade:
+    remediation:
+      remediateLastFailure: true

clusters/ipv6/metallb-system/metallb-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: metallb
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://metallb.github.io/metallb

clusters/ipv6/metallb-system/pool-ip.yml

@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: pool-ip
+  namespace: metallb-system
+spec:
+  addresses:
+  - 192.168.1.201-192.168.1.250

clusters/ipv6/monitoring/pulse/pulse-ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pulse-ingress
+  namespace: monitoring
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - pulse.akshun-lab.cc
+    secretName: pulse-tls
+  rules:
+  - host: pulse.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pulse
+            port:
+              number: 7655

clusters/ipv6/monitoring/pulse/pulse-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pulse-longhorn
+  namespace: monitoring
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn

clusters/ipv6/monitoring/pulse/pulse-release.yml

@@ -2,26 +2,22 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: prometheus
+  name: pulse
   namespace: monitoring
 spec:
   interval: 6h
   chart:
     spec:
-      chart: prometheus
+      chart: pulse
-      version: "27.52.0"
       sourceRef:
         kind: HelmRepository
-        name: prometheus-community
+        name: pulse
         namespace: flux-system
       interval: 6h
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
   values:
-    service:
+    persistence: 
       enabled: true
-      type: ClusterIP
+      existingClaim: pulse-longhorn
+    image:
+      repository: rcourtman/pulse
+      tag: 5.0.10

clusters/ipv6/monitoring/pulse/pulse-repo.yml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: pulse
+  namespace: flux-system
+spec:
+  type: "oci"
+  interval: 6h
+  url: oci://ghcr.io/rcourtman/pulse-chart

clusters/ipv6/tools/authelia/authelia-middleware.yml

@@ -5,7 +5,7 @@ metadata:
   namespace: tools
 spec:
   forwardAuth:
-    address: http://authelia.tools.svc.cluster.local:9091/api/authz/forward-auth
+    address: http://192.168.1.203:9091/api/authz/forward-auth
     trustForwardHeader: true
     authResponseHeaders:
       - Remote-User

clusters/ipv6/tools/authelia/authelia-svc.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia-service
+  namespace: tools
+  annotations:
+    metallb.io/loadBalancerIPs: 192.168.1.203
+spec:
+  selector:
+    app.kubernetes.io/instance: authelia
+  ports:
+  - port: 9091
+    targetPort: 9091
+  type: LoadBalancer

clusters/ipv6/tools/cloudflare-ddns/cf-ddns-secret-sealed.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cf-ddns-secret
+  namespace: tools
+spec:
+  encryptedData:
+    api-token: AgB0eovgOD1djWw86G6ETlDEtrs0Yf31v/9voMyLkBM76rlPQ1RaLSZ8ozyH1nriLgAtiF1/g5/dtshGE+YZ0o4RjMCLPEhJXGFftEYXCTqTfH6PoODf4FV3sSSB1qx0VIUYjk61xxM0SD1R0cjNUlfTQxpmVcI2Zw8bjuuYZXy3kNt/4znsWtYUdRWgLFb5cAsdsesL+deWTnvLv67M3DyQ3l1qoqndVHFh3Sshxd8eI46kEiPVYwK+s1lGxi/y+Qbmw9g8Ki5LNvryVe6SHDTEziNHtnKsbPeDQ4bHRCs2/KQqhZIR39+1KV8dJ6DcXgz3GUermcQdm2o5nnfb2e0hsrQflW/IKxValsO9Ds+I1LARIQqdEYMHvsoExd+YVyL86hO3OWqSu53WbWToqbzx2O2NZ0iVFhOIqGHzTOZS0CQY8n9w3lpB86VF7nGZHW8AjJ8Z8FpU11Yx5So0UJG25n0f7gszm6v9HVvb5MUBZyXosoJGgB6AGG4lFgDWze+JIvnsgWrfjUwzsGVXeXOoi16+qZwdXcU7NfRPy0c4UV6C+UQH1oAgHN6Qy/PoaOcs0qnHuP0Cnzr8TgeYzsStpntA+3sPLpRjYCzAiowc5HzKbHDArMDrKgdy6cQSYL58P57ZsYV/AmQC9S0n+vYAZbJlOeI7laxCoPYAxcWS8WCYPoBDVmELPeeI7ch4BaoTYpWpOrGVeaJkRtMTVuQ7Fgc5yFzVOH6KOTTLDXuM/3xYHhG1ZRXj
+  template:
+    metadata:
+      name: cf-ddns-secret
+      namespace: tools
+    type: Opaque

clusters/ipv6/tools/cloudflare-ddns/cf-ddns.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cf-ddns
+  namespace: tools
+spec:
+  selector:
+    matchLabels:
+      app: cf-ddns
+  template:
+    metadata:
+      labels:
+        app: cf-ddns
+    spec:
+      hostNetwork: true
+      containers:
+      - name: cf-ddns
+        image: favonia/cloudflare-ddns:1.15.1
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+        env:
+        - name: DOMAINS
+          value: "*.akshun-lab.cc"
+        - name: PROXIED
+          value: "false"
+        - name: IP4_PROVIDER
+          value: "none"
+        - name: CLOUDFLARE_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: cf-ddns-secret
+              key: api-token

clusters/ipv6/tools/nextcloud/nextcloud-pvc.yml

@@ -12,3 +12,18 @@ spec:
     requests:
       storage: 2Gi
   storageClassName: longhorn
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-data-longhorn
+  namespace: tools
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn

clusters/ipv6/tools/nextcloud/nextcloud-svc.yml

@@ -46,3 +46,17 @@ spec:
       port: 3306
       targetPort: 3306
   clusterIP: None
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-lb
+  namespace: tools
+spec:
+  type: LoadBalancer
+  selector:
+    app: nextcloud
+  ports:
+  - port: 443
+    targetPort: 443

clusters/ipv6/tools/nextcloud/nextcloud.yml

@@ -43,9 +43,8 @@ spec:
           mountPath: /config
       volumes:
       - name: nextcloud-data
-        nfs:
+        persistentVolumeClaim:
-          path: /home/akshun/nextcloud-data
+          claimName: nextcloud-data-longhorn        
-          server: 192.168.1.151
       - name: nextcloud-config
         persistentVolumeClaim:
           claimName: nextcloud-longhorn

clusters/ipv6/tools/searxng/searxng.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: searxng
-        image: searxng/searxng@sha256:1ad4159e74903f8870e3464df701b800a75bd2854f5d11b44ce09ee297f3c158
+        image: searxng/searxng@sha256:472dd0c84b8e2a05bca773b4a430b9fc9e4e92cd4fa0afaa223efab925ab752a
         ports:
         - containerPort: 8080
         env:

clusters/ipv6/tools/vaultwarden/vaultwarden.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: vaultwarden
-        image: vaultwarden/server:1.35.0
+        image: vaultwarden/server:1.35.1
         ports:
         - containerPort: 80
         env: