aggarwalakshun/k3s-at-home
0
0
Fork 0
Code Issues 1 Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request 'ipv6 cluster initial commit' (#249) from add-new-cluster into main
All checks were successful
Validate Kubernetes Manifests / kubeconform (push) Successful in 1m7s
Details

Browse Source 
Reviewed-on: #249
This commit was merged in pull request #249.
This commit is contained in:
Akshun Aggarwal
2026-01-04 01:40:32 +00:00
parent 12d4af9cd8 9aabad8216
commit 5422085072
179 changed files with 16997 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
clusters/ipv6/arr-stack/bazarr/bazarr-ingress.yml Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bazarr-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- bazarr.akshun-lab.cc
secretName: bazarr-tls
rules:
- host: bazarr.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: bazarr-service
port:
number: 6767

15
clusters/ipv6/arr-stack/bazarr/bazarr-pvc.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bazarr-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
storageClassName: longhorn

13
clusters/ipv6/arr-stack/bazarr/bazarr-svc.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: bazarr-service
namespace: arr-stack
spec:
selector:
app: bazarr
ports:
- protocol: TCP
port: 6767
targetPort: 6767

48
clusters/ipv6/arr-stack/bazarr/bazarr.yml Normal file
View File

@@ -0,0 +1,48 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bazarr
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: bazarr
template:
metadata:
labels:
app: bazarr
spec:
containers:
- name: bazarr
image: linuxserver/bazarr:1.5.3
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: movies
mountPath: /movies
- name: tv
mountPath: /tv
- name: config
mountPath: /config
volumes:
- name: config
persistentVolumeClaim:
claimName: bazarr-longhorn
- name: tv
nfs:
server: 10.0.0.123
path: /merge/series
- name: movies
nfs:
server: 10.0.0.123
path: /merge/movies

28
clusters/ipv6/arr-stack/jellyseerr/jellyseerr-ingress.yml Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyseerr-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- jellyseerr.akshun-lab.cc
secretName: jellyseerr-tls
rules:
- host: jellyseerr.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyseerr-service
port:
number: 5055

15
clusters/ipv6/arr-stack/jellyseerr/jellyseerr-pvc.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyseerr-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: longhorn

14
clusters/ipv6/arr-stack/jellyseerr/jellyseerr-svc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: jellyseerr-service
namespace: arr-stack
spec:
selector:
app: jellyseerr
ports:
- port: 5055
targetPort: 5055
protocol: TCP

58
clusters/ipv6/arr-stack/jellyseerr/jellyseerr.yml Normal file
View File

@@ -0,0 +1,58 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyseerr
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: jellyseerr
template:
metadata:
labels:
app: jellyseerr
spec:
initContainers:
- name: gluetun
image: qmcgaw/gluetun:v3.41.0
restartPolicy: Always
securityContext:
capabilities:
add:
- NET_ADMIN
envFrom:
- configMapRef:
name: gluetun-config
env:
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_PASSWORD
- name: OPENVPN_USER
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_USER
containers:
- name: jellyseerr
image: fallenbagel/jellyseerr:2.7.3
ports:
- containerPort: 5055
env:
- name: LOG_LEVEL
value: "info"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: config
mountPath: /app/config
volumes:
- name: config
persistentVolumeClaim:
claimName: jellyseerr-longhorn

7
clusters/ipv6/arr-stack/namespace.yml Normal file
View File

@@ -0,0 +1,7 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: arr-stack
labels:
name: arr-stack

13
clusters/ipv6/arr-stack/openvpn/gluetun-config.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gluetun-config
namespace: arr-stack
data:
VPN_SERVICE_PROVIDER: "surfshark"
SERVER_COUNTRIES: "Netherlands"
HTTPPROXY: "ON"
FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24,10.42.0.0/16,10.43.0.0/16"
DNS_ADDRESS: "8.8.8.8"

15
clusters/ipv6/arr-stack/openvpn/gluetun-secrets-sealed.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: openvpn-secrets
namespace: arr-stack
spec:
encryptedData:
OPENVPN_PASSWORD: AgB7Oc8moaDTahnT3UDKXtRaOYknWJ+0eer7e5Gj01xcUHPwI82ufKHPmgOP3f/9f7Z7TV29gJbWsBqEbbuT8VRzd+KiwTKgpMDFVvIgciaoevj9PPW1ExRGdrcV069Pi4ZqqlCzQavh2BwZq+cbuIhMYZmKHtBRCoAJl3V/FCBu+3udDjiXk74ZiJ8G+EA2vaaANT8z7/lNiDJFb5TPuW+bte0IkfpmyyvFYQmOUsIQI301Ao040tMt39koPPTDKYlybPN0jyIRnXvVj1Ix3BX3sa1B80okCejPfw6DxdhkowVj30ZudgX/QmeaFuVaTNofwXXKsSQjbeiuqjsu9K94B6AXpWaCyxJ534wRuOJiLFpXREMwt7RhuwlB8pCEgXQj1g1hVxK/svjdQmuJirYPrJ9gO1+1BfRUubBMaWJB5mp03QL/5/4blqJKSjJyvPT51UqrQcdAMjudsZWSkr9ST0dczsc6JVGeF1vAWRVSmi0+v9tMDGHZDSIJJhSgCTmsfBw9LprJcTlL3WC7S7YVuNOnDtreNrQ/HK/S+aqD+Fl2SWjlGR71E2FTgwbwf/51iVQtp6i2s5WqHTY0hdenNOUUmMARYVHv0RMKG6urAflaeBUi7f1hTMPr5Hka2d0C1yVuPMAwpvbEi1rb3XMTfIw2/vD4s9L20WmXOKBh4Qs1KHuzEio4Fqt3SRG2fFJq8PFVkQ3t9BMJX8anbRmth7lrq6YfxcY=
OPENVPN_USER: AgB2LyS1rYyRfdxyDebD4V4Nz9Aa6J7Czs59K6xcWlgAIylyfX8Fxs1GdJ+thERmbaJ8LrSAHiX3DEQMyKs73DB06UaHwHYIQZIdHDSYprPYa16YGHmX5HuUKZ/NsN1Rf9MkC4P/hfUBPxrFVtZHPM44MWI/8kbFWvErK+w6BjUDyu7hP2fHTrri1ZIAesdPBoEO4g9krnyPfXSqsWJeJIzk33tILdKvaralCzqxcR0vziV8diaqsTflM7xZ6d7yXiidhrNx1CtCfUtkjbdWM6x0Ff9bzEoLgzKJRhxI8OlLLe8fFwbXSz3YHdDfTFvjBycYBVyQ7qCVz1zKtahnDGyWYIlQnsNQopeCQ4U7dVnrdzUK+qpP3uim7H0+vYE8Gy7ZShbALkp78u/93zyXtuUsd+eIClfzwYvY36lnrp1/zWT3cWuP1DbEBOXQoIBhOqlUGXIAX8n75wJF5WcsJtnu+hjOWgaNLsU6+xRmu7kB0fRmELfNqM9/ES4nKdVxq83XhAecsirR+1kgqUUGA8277aPDQd3h1SO4oXSkw4ikT8XQwgTv9To/EDdOjMEm5aTjxDbxlRNy4WZCGSXoINTy9Zg5aMEEMAN00sOwklyBejX0FyhgmW0pLJSG4Kqr+vFENcSuA+9cLlj1uV26ff/fBvp29RooOegpiaCiICB8IUBVI56D5FpeqImhg6h3nqloGch4Bk0V9o7J1FujYce81D9gh1/a9rM=
template:
metadata:
name: openvpn-secrets
namespace: arr-stack
type: Opaque

28
clusters/ipv6/arr-stack/prowlarr/prowlarr-ingress.yml Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prowlarr-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- prowlarr.akshun-lab.cc
secretName: prowlarr-tls
rules:
- host: prowlarr.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prowlarr-service
port:
number: 9696

14
clusters/ipv6/arr-stack/prowlarr/prowlarr-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prowlarr-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: longhorn

13
clusters/ipv6/arr-stack/prowlarr/prowlarr-svc.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: prowlarr-service
namespace: arr-stack
spec:
selector:
app: prowlarr
ports:
- port: 9696
targetPort: 9696
clusterIP: 10.43.0.142

59
clusters/ipv6/arr-stack/prowlarr/prowlarr.yml Normal file
View File

@@ -0,0 +1,59 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prowlarr
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: prowlarr
template:
metadata:
labels:
app: prowlarr
spec:
initContainers:
- name: gluetun
image: qmcgaw/gluetun:v3.41.0
restartPolicy: Always
securityContext:
capabilities:
add:
- NET_ADMIN
envFrom:
- configMapRef:
name: gluetun-config
env:
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_PASSWORD
- name: OPENVPN_USER
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_USER
containers:
- name: prowlarr
image: lscr.io/linuxserver/prowlarr:2.3.0
volumeMounts:
- name: config
mountPath: /config
ports:
- containerPort: 9696
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumes:
- name: config
persistentVolumeClaim:
claimName: prowlarr-longhorn

27
clusters/ipv6/arr-stack/qbittorrent/qbittorrent-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: qbittorrent-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- qbittorrent.akshun-lab.cc
secretName: qbittorrent-tls
rules:
- host: qbittorrent.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: qbittorrent-service
port:
number: 8080

14
clusters/ipv6/arr-stack/qbittorrent/qbittorrent-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: longhorn

12
clusters/ipv6/arr-stack/qbittorrent/qbittorrent-svc.yml Normal file
View File

@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: qbittorrent-service
namespace: arr-stack
spec:
selector:
app: qbittorrent
ports:
- port: 8080
targetPort: 8080

63
clusters/ipv6/arr-stack/qbittorrent/qbittorrent.yml Normal file
View File

@@ -0,0 +1,63 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: qbittorrent
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: qbittorrent
template:
metadata:
labels:
app: qbittorrent
spec:
initContainers:
- name: gluetun
image: qmcgaw/gluetun:v3.41.0
restartPolicy: Always
securityContext:
capabilities:
add:
- NET_ADMIN
envFrom:
- configMapRef:
name: gluetun-config
env:
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_PASSWORD
- name: OPENVPN_USER
valueFrom:
secretKeyRef:
name: openvpn-secrets
key: OPENVPN_USER
containers:
- name: qbittorrent
image: linuxserver/qbittorrent:5.1.4
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: downloads
mountPath: /downloads
- name: config
mountPath: /config
volumes:
- name: config
persistentVolumeClaim:
claimName: qbittorrent-longhorn
- name: downloads
nfs:
server: 10.0.0.123
path: /merge/downloads

27
clusters/ipv6/arr-stack/radarr/radarr-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- radarr.akshun-lab.cc
secretName: radarr-tls
rules:
- host: radarr.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr-service
port:
number: 7878

14
clusters/ipv6/arr-stack/radarr/radarr-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radarr-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
storageClassName: longhorn

13
clusters/ipv6/arr-stack/radarr/radarr-svc.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: radarr-service
namespace: arr-stack
spec:
selector:
app: radarr
ports:
- port: 7878
targetPort: 7878
clusterIP: 10.43.0.204

49
clusters/ipv6/arr-stack/radarr/radarr.yml Normal file
View File

@@ -0,0 +1,49 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
containers:
- name: radarr
image: lscr.io/linuxserver/radarr:6.0.4
ports:
- containerPort: 7878
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: movies
mountPath: /movies
- name: downloads
mountPath: /downloads
- name: config
mountPath: /config
volumes:
- name: movies
nfs:
server: 10.0.0.123
path: /merge/movies
- name: downloads
nfs:
server: 10.0.0.123
path: /merge/downloads
- name: config
persistentVolumeClaim:
claimName: radarr-longhorn

27
clusters/ipv6/arr-stack/sabnzbd/sabnzbd-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sabnzbd-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- sabnzbd.akshun-lab.cc
secretName: sabnzbd-tls
rules:
- host: sabnzbd.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sabnzbd-service
port:
number: 8080

14
clusters/ipv6/arr-stack/sabnzbd/sabnzbd-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sabnzbd-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: longhorn

12
clusters/ipv6/arr-stack/sabnzbd/sabnzbd-svc.yml Normal file
View File

@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: sabnzbd-service
namespace: arr-stack
spec:
selector:
app: sabnzbd
ports:
- port: 8080
targetPort: 8080

40
clusters/ipv6/arr-stack/sabnzbd/sabnzbd.yml Normal file
View File

@@ -0,0 +1,40 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sabnzbd
namespace: arr-stack
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: sabnzbd
template:
metadata:
labels:
app: sabnzbd
spec:
containers:
- name: sabnzbd
image: lscr.io/linuxserver/sabnzbd:4.5.5
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: sabnzbd-config
mountPath: /config
- name: downloads
mountPath: /downloads
volumes:
- name: sabnzbd-config
persistentVolumeClaim:
claimName: sabnzbd-longhorn
- name: downloads
nfs:
server: 10.0.0.123
path: /merge/downloads

27
clusters/ipv6/arr-stack/sonarr/sonarr-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: arr-stack
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- sonarr.akshun-lab.cc
secretName: sonarr-tls
rules:
- host: sonarr.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr-service
port:
number: 8989

14
clusters/ipv6/arr-stack/sonarr/sonarr-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarr-longhorn
namespace: arr-stack
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
storageClassName: longhorn

13
clusters/ipv6/arr-stack/sonarr/sonarr-svc.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: sonarr-service
namespace: arr-stack
spec:
selector:
app: sonarr
ports:
- port: 8989
targetPort: 8989
clusterIP: 10.43.0.194

49
clusters/ipv6/arr-stack/sonarr/sonarr.yml Normal file
View File

@@ -0,0 +1,49 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: arr-stack
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
containers:
- name: sonarr
image: lscr.io/linuxserver/sonarr:4.0.16
ports:
- containerPort: 8989
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Asia/Kolkata"
volumeMounts:
- name: config
mountPath: /config
- name: tv
mountPath: /tv
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: sonarr-longhorn
- name: downloads
nfs:
server: 10.0.0.123
path: /merge/downloads
- name: tv
nfs:
server: 10.0.0.123
path: /merge/series

28
clusters/ipv6/cert-manager/cert-manager/cert-manager-release.yml Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 6h
chart:
spec:
chart: cert-manager
version: "v1.19.2"
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
interval: 6h
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
crds:
enabled: true
keep: true

10
clusters/ipv6/cert-manager/cert-manager/cert-manager-repo.yml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: jetstack
namespace: flux-system
spec:
interval: 6h
url: https://charts.jetstack.io

17
clusters/ipv6/cert-manager/cert-manager/cluster-issuer.yml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-cloudflare
spec:
acme:
email: aggarwalakshun@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-cloudflare
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token

14
clusters/ipv6/cert-manager/cloudflare-api-token-sealed.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: cloudflare-api-token
namespace: cert-manager
spec:
encryptedData:
api-token: AgAoYAr/Z/B1lj8KwPSPGDsBFSf8Rtqq6xulUuBFQX5rWIokr16G9ylgG+WPHPXopZFxRUUg8zzU3nYdtbepHETe4hnMAI6THYJtm/UShtedXPR7i2C4z82wHdDw5fbolLCgXZcVBDeFUnP7UCRvhvht3s+1+OPyv0ovz3Vm5GOpd+ZcXftiWheQcinQIN0y8CFas8TbGVqo7E51tWlYlJEaKFb6g6QKDl/XjfYA4F1i1HnMLuXMhowLDOLyn/yQXJrpMnGOcU8WJD14z+mnF4giLv6ITyDcN+RSBzqysOEweT7NbpEtdx1vsYazDnjEWmd8/jQeAf3GnmLmMOGFO8NUDUkJzseNpRkMnrE3uSTZHKN9VUHP31uDJfetKI1RrLTibpeJdGX3/YmNjYhLtwrhprff31tExlhtgCl0Hi0IEVQdZ2vLQF5dBA57NXjCkHdN/mMIsoIcXbmPyUuiEMPumH7BU0YAHL+fa/GW4DsTCz/chKCj26D21gQyI59Z1H/yYtCcZeNgmxce2SJYCgrSAAg54FIOtTDiJyrSTnObf+I3fgNFURt9IGCEyqq/mbzeyNS22Q5lgfJwNa+01r2/ie6etJmeeREyr7MZEwFbrfDylKedyfN5Y8IikI5YI9PIZK+L17gRTB5zX2IEP2VOkXjRWacTYyut7K/+oBWm5JZp6tqXbblStTQp0NBkwv3Ww+5Q8Rv1LVtl8ZrzQKhbsRtqdV7Jttpm/yR+cYuOa6o4ZxT9IG5b
template:
metadata:
name: cloudflare-api-token
namespace: cert-manager
type: Opaque

8
clusters/ipv6/cert-manager/namespace.yml Normal file
View File

@@ -0,0 +1,8 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: cert-manager
labels:
name: cert-manager

10195
clusters/ipv6/flux-system/gotk-components.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

27
clusters/ipv6/flux-system/gotk-sync.yaml Normal file
View File

@@ -0,0 +1,27 @@
# This manifest was generated by flux. DO NOT EDIT.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 1m0s
ref:
branch: main
secretRef:
name: flux-system
url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/ipv6-k3s
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 10m0s
path: ./clusters/ipv6
prune: true
sourceRef:
kind: GitRepository
name: flux-system

5
clusters/ipv6/flux-system/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml

14
clusters/ipv6/git-ops/gitea-act/gitea-act-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-act-runner-longhorn
namespace: git-ops
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 100Mi
storageClassName: longhorn

15
clusters/ipv6/git-ops/gitea-act/gitea-act-secrets.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-act-runner-secret
namespace: git-ops
spec:
encryptedData:
TOKEN: AgB4aR4Gy0WDJbk0WyGjr8aa1TpwUjtifEDSAzT2DdKqmcfLbHLipTF+g0UwekJoDWmCg4+zWYtSQlE1yQ3w0Y1DRMGWT4+KF+/uR7qfvdQeMDWm6t/QO7toujV83MRK51m5ztADSgnUZMTB87AkQtuZArCDUan30bf8wHWo1QmyurIVlDAVIbjBF6A+XAh9H7oSsBQN37ysc+NKxrpRgUe/fMU5LBJXUhwPa0V3n3sWC/frTWxnoj5wUA+w7lvN1KHxnmoQ0DqqOaLGmE+Tq0Rg90Zz8b1ZxD8bG03sasXVM38yZdbYmE0ys/OiyeBuYg8u6dLufbNl7aOQofvbydL0NCqq3/rq5qvgC+mWcCoiR3Q1Kn+ETWA1NmxxhOpXwKyqcqjiHNSHIts/O5db+eWc0gk8tJT4R2vfk3Mn2qNVGSRsQZm7BYIBD84hDfgIRZ68AIRjG/J/42pJFlKsXFJMP5/TBblcaF5hqf6rNnUJOy5XBU7y9ub07GyuKjW+mufoksssATv6oOVvVqUocql5O3ioWzUaqhk05eawv7s++fbLnsNvDZwJKSyKZWe21VTfOQimH3gWAPf0qVsUH9u9Y5xNqogcIVudk5mARDQX4mvL+u8pZtfED019tU21lBVDIBj3vVzkRyKUGcf+thnmwQvrLbPzAL1P9XciQRK8rFDLSs6mA782cYR94h6xrg/syDXoKXfGIrpulAanUwdGhVVYLzCQbzZ0CX3CXvnoRE3l58+IBXEu
URL: AgCFJUzqH5WbRSCwMomlSAybWBAI678OADemgGBep/70wnuOSEsmRx9DPDGt+ta8+8mTlnVQpo7+L5MC8FTgGIHffFIWo1/4cYmGnIQQZwbgzYNQ1ZTHWdJyUBDcavN9MW2zYlc5VhsuxTKHbG93TDGpwzJGBeu+F8gLFVTuNsBOxrQzVqWKL82nDfCiX8W3oBDrf+bsi+Or0msKtlmmH02nFVfBJ9UCwXDYCYWtuaRtdjiPZKu2rjvZeotpwZJWKBDnkPpAL/fQ9LwtNY0mtsBR2rtdoF8LKgFOa8G27gXTRaPf7b37qT5peWCf8rjMBjFyndc1jR0ygr1jCmg1FLE04jjECL/bT+4hghnvnWKc5I7rbpXfn4nmaEaX5MrrL7SKBqqM6myiXTa//V0Azh6JA1w6DfaIeQN/CaEddeGgQ0S9zEjt30JXYEksWppVzL/Ler/W9J9vUviXkWCNkMSNYjSvpDeI3nrs3tnv0thOJ4o4mFojzDKeMOZoJFeeSl43q17XDTrxA+iBnucQTlHxpTw+cHqEd+eFZndfNqbvrrXyB+uzsW3wTl4Wj6Cq6HV8Ctf/+N3X2lme3jfg664OAu0yPWQ5QPfBRH5TVYhTn9OpBXMkE0PDbtW05D2YwBgs67oOwxt/vP1pwrhdBkmTT5WlPbX3bjQmrM8zkT4BP6QuJZV7cDszU/SDx3AEfbIXc1MECeYPC298cIn5z5W66DAb5St3CUipUYE=
template:
metadata:
name: gitea-act-runner-secret
namespace: git-ops
type: Opaque

75
clusters/ipv6/git-ops/gitea-act/gitea-act.yml Normal file
View File

@@ -0,0 +1,75 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: gitea-act-runner
name: gitea-act-runner
namespace: git-ops
spec:
replicas: 1
selector:
matchLabels:
app: gitea-act-runner
strategy:
type: Recreate
template:
metadata:
labels:
app: gitea-act-runner
spec:
restartPolicy: Always
volumes:
- name: docker-certs
emptyDir: {}
- name: runner-data
persistentVolumeClaim:
claimName: gitea-act-runner-longhorn
containers:
- name: runner
image: gitea/act_runner@sha256:8477d5b61b655caad4449888bae39f1f34bebd27db56cb15a62dccb3dcf3a944
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
readinessProbe:
exec:
command:
- sh
- -c
- |
nc -z gitea-int-service.git-ops.svc.cluster.local 3000
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
valueFrom:
secretKeyRef:
key: URL
name: gitea-act-runner-secret
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
key: TOKEN
name: gitea-act-runner-secret
- name: CONFIG_FILE
value: "/data/config.yaml"
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
- name: daemon
image: docker:29.1.3-dind
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs

14
clusters/ipv6/git-ops/gitea/gitea-db-secret.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-db-secret
namespace: git-ops
spec:
encryptedData:
password: AgBxCXaMOGkUefM9N5GG2Ref5/0yz2son/3Sq55dfL+AIE+3c2xcn2sG5GV4V5lTFVsxVfKULSc5n6YaIDmHhPJJOnhE3QAgYuje/LJrQ6aF/g3mRRB1kKGXuOg5MsA/2+cjfmF7MWSvRwsbX3GDEpbx2p5D6bky8nsa+zaafBcHbr6ZZ9CXbKmQ+r/6ccqDP7drOlsKq9bMiLDuvLmPZYV++aKrZ5taSNBUfVynmTQagT04dT6EI41mXJvwydkrUi8GbygsRTvZFEZte3kPgZzV+pBPraHg+21as/frcXyGHxpnrzFv3G68heSmNWl+Oa7tkibdMkbQ7Gkv9eCEZ973Gisko2/w6HMayR7tBKtVFvBo5xa3SsHBfJ6it/wAm+gywJjsUbDZjJHxf2xCrcqGEVoOq3NQ9D93L6gZBYbQZjgHgrOyIrgSnxoQbKPOBVP50BUlof0ih4bbTDAOsJ1MRUIBQGFUycJGjT144bFNFJi5YOf9sYe+hc+73e2ryO/nEkfAW1zYkgXcaDJJhWgKpKtvfbh+GU9B8unXFH0yUEqECxhvDHi8tDTD4dCbnpdkttfQostAdvizkpWoS620JdZlDCLrwJAYLMO2MKpoXZpC3IIZzzRSeDJTUXNRYKRdjcaqCGb/cUk1iF0SW0Eu09g58Ugn9miCtF1ytFCunv+1GkLcG1Y7BItxtRM4wBSJbHjD1TepPxEV
template:
metadata:
name: gitea-db-secret
namespace: git-ops
type: Opaque

51
clusters/ipv6/git-ops/gitea/gitea-db.yml Normal file
View File

@@ -0,0 +1,51 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gitea-db
namespace: git-ops
spec:
selector:
matchLabels:
app: gitea-db
serviceName: gitea-db
replicas: 1
template:
metadata:
labels:
app: gitea-db
spec:
initContainers:
- name: init-cleanup
image: busybox
command: ["rm", "-rf", "/var/lib/postgresql/lost+found"]
volumeMounts:
- name: gitea-db
mountPath: /var/lib/postgresql
containers:
- name: gitea-db
image: postgres:18
ports:
- containerPort: 5432
env:
- name: POSTGRES_USER
value: "gitea"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-db-secret
key: password
- name: POSTGRES_DB
value: "gitea"
volumeMounts:
- name: gitea-db
mountPath: /var/lib/postgresql
volumeClaimTemplates:
- metadata:
name: gitea-db
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 2Gi
storageClassName: longhorn

14
clusters/ipv6/git-ops/gitea/gitea-ingress-route.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: git-ops
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: gitea-int-service
port: 22

26
clusters/ipv6/git-ops/gitea/gitea-ingress.yml Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: git-ops
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- gitea.akshun-lab.cc
secretName: gitea-tls
rules:
- host: gitea.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-int-service
port:
number: 3000

14
clusters/ipv6/git-ops/gitea/gitea-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-app-longhorn
namespace: git-ops
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
storageClassName: longhorn

32
clusters/ipv6/git-ops/gitea/gitea-svc.yml Normal file
View File

@@ -0,0 +1,32 @@
---
apiVersion: v1
kind: Service
metadata:
name: gitea-int-service
namespace: git-ops
spec:
selector:
app: gitea-app
ports:
- protocol: TCP
port: 3000
targetPort: 3000
name: http
- protocol: TCP
port: 22
targetPort: 22
name: ssh
---
apiVersion: v1
kind: Service
metadata:
name: gitea-db
namespace: git-ops
spec:
ports:
- port: 5432
targetPort: 5432
selector:
app: gitea-db
clusterIP: None

67
clusters/ipv6/git-ops/gitea/gitea.yml Normal file
View File

@@ -0,0 +1,67 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-app
namespace: git-ops
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: gitea-app
template:
metadata:
labels:
app: gitea-app
spec:
containers:
- name: gitea
image: gitea/gitea:1.25.3
readinessProbe:
exec:
command:
- sh
- -c
- |
nc -z gitea-db.git-ops.svc.cluster.local 5432
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
ports:
- containerPort: 22
name: ssh
- containerPort: 3000
name: http
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: GITEA__database__DB_TYPE
value: "postgres"
- name: GITEA__database__HOST
value: "gitea-db.git-ops.svc.cluster.local:5432"
- name: GITEA__database__NAME
value: "gitea"
- name: GITEA__database__USER
value: "gitea"
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-db-secret
key: password
volumeMounts:
- name: gitea-data
mountPath: /data
- name: localtime
mountPath: /etc/localtime
volumes:
- name: localtime
hostPath:
path: /etc/localtime
type: File
- name: gitea-data
persistentVolumeClaim:
claimName: gitea-app-longhorn

7
clusters/ipv6/git-ops/namespace.yml Normal file
View File

@@ -0,0 +1,7 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: git-ops
labels:
name: git-ops

17
clusters/ipv6/git-ops/semaphore/semaphore-configmap.yml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: semaphore-config
namespace: git-ops
data:
SEMAPHORE_DB_USER: "semaphore"
SEMAPHORE_DB_HOST: "semaphore-db"
SEMAPHORE_DB_PORT: "3306"
SEMAPHORE_DB_DIALECT: "mysql"
SEMAPHORE_DB: "semaphore"
SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore"
SEMAPHORE_ADMIN_NAME: "admin"
SEMAPHORE_ADMIN_EMAIL: "aggarwalakshun@gmail.com"
SEMAPHORE_ADMIN: "admin"
SEMAPHORE_LDAP_ACTIVATED: "'no'"

46
clusters/ipv6/git-ops/semaphore/semaphore-db.yml Normal file
View File

@@ -0,0 +1,46 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: semaphore-db
namespace: git-ops
spec:
selector:
matchLabels:
app: semaphore-db
serviceName: semaphore-db
replicas: 1
template:
metadata:
labels:
app: semaphore-db
spec:
containers:
- name: mysql
image: mysql:9.5.0
ports:
- containerPort: 3306
env:
- name: MYSQL_RANDOM_ROOT_PASSWORD
value: "'yes'"
- name: MYSQL_DATABASE
value: "semaphore"
- name: MYSQL_USER
value: "semaphore"
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: semaphore-secrets
key: mysql_password
volumeMounts:
- name: semaphore-db
mountPath: /var/lib/mysql
volumeClaimTemplates:
- metadata:
name: semaphore-db
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 2Gi
storageClassName: longhorn

27
clusters/ipv6/git-ops/semaphore/semaphore-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: semaphore-ingress
namespace: git-ops
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- semaphore.akshun-lab.cc
secretName: semaphore-tls
rules:
- host: semaphore.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: semaphore-service
port:
number: 3000

16
clusters/ipv6/git-ops/semaphore/semaphore-secret.yml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: semaphore-secrets
namespace: git-ops
spec:
encryptedData:
admin_password: AgAvzU2Kxf5AS9JSELN13bFPIAuvPhGPZS4cGl1gmVk5GT87FRYdIv8LpYACCd2voHsrymakkleR/oTXxAJDpMtkDFawRftvPpsEuNyt6aVPjMbN74HAuz3cRdgOQfwjMkawWd3RyHLY50ZYJaw8KwwVTuD8vO2SC3TYajRvVdfTwEMsVcffZBcpB5PNSvhzpqb66a+f78xQQI/10xLcBlFEYJ6+Mi1PwDVOb4aMuu5ezGVzzp/rmXBGTeT3mBpe4zZO6/mRJ9JvTEUGf6Btj9e8JiKhhNEuykPV46UlogryBLCTZDDHLUHx6GYbGluoU8AYIH5L7pV+UndZGqSlwWJFFX9zAkOPip1B5PQzAea5qWkrQ5ExAkIYjc42fpeiPhZtFlYGqeL+mckUsbrocwNAHYR9u1L6AiAOsIbTeSJ9K7Zs/IfaVmQlMDa2P4kICn39DWDu3DdCWvbubl+VZOedIOnysrdZJgEVcqKIBPChQBNfFFRX9/tqoeC0DRtJARLvcr3uwn1KZWS4GGhMAwwguwmrb3g8+IMUM9uKMO1WXBL9FaaI3cPEPebvNOiV2e//QvNSiUwAjlRvU/CEtmrZwTANu8nTbxBNT5MeFLvFdoLgDy715JGzyzIv5HDqCNh3KGmML4R3SHYieaDyDwh9RGEhfH9aS5ZWghru+h0i8Zoc/jRIQ7K1KCwwDOaX0+JIB51CEM/ac7QpPg==
key: AgChqM0qnZ9+lZWtqCx8gwZOL/2MxPlowGRixHK0XTNgkFFbrm/pKGV14fXkt0NIlZsBIdpqP0i+zwXdWO6qpS5paR8j0rxwPkdjQ8SWTq70H5NN8bj4eXt9PwkMtrq9c8dhJqXAa4T2lPV/vEQA6f/dsiWgHM9IxWsqkujXm4STtneBrG5dmiLRC/jXgkf1SkejLku7N3RZaYLGRtl/d+YTt+0W6IMTHraMnaFm18vX6JAZokgeF93zcXN0o9NnmcnIJ/WyJzmpaRLnSv8RVgeq8ONbxMo+Ke70QlqgmLwX3W4r18q5OGz+nqOugHAI2nKo/Ss3T1rnqL6no4RCCWa7YK8Yedx8EPhILMntgKENGtn0kZ0RNe+yqG+92FPQDv5lZFeLKTc0+fNWdlegBAq6VqFo6n/xwMJHKuyXV03l5ibPWBaxu3fUEdenhqePW6kD15zZ4pkKfoKbFNuqN9cGFO118Eb50X03J6+GtfO9Fx4ly/EarCPw3Rt8nYzliXw0m/DiBG7e0OiaftykK/aCJikZyUwawkdWoPq5umNcIzZ64YLdcozuQF2NZzn6E7DVeXPVCaOkIgd99dWXEhBijgmUUqMTvLzffFN//5Q2gTA/p2SByWAdFb1II552KMiGHPbgcq9zAzRwJeA52V02I53EfWsYP9wBViWmZ3+fB+clbfrb0ZAU7/xEk5ZQ1zklmZP6KtLpOngx2dIwbKpiAfKoY/YNv+4=
mysql_password: AgAuKcFk24AoA9N0QLobVhxDXRBzAspzvo0xFnVbDs6vB58Z3ExKiA6M9u9BboKLRHBlHBNcsjSI2YTDKm6OpwnLouatYQTitSo+KHUn7T7lXMNL9xv2Swpu3kOPvUG6YKRtIouFVvRLnww/yZZZ8OR6FQwgc7bmuKglFEd4t6R0hcsyozIuDt6TdzLmCLz3VtcKVZXsC4ACAHc51Ns+FZBaKyqLuFxojhB8MwI1NfE0o2JUojeO1cG767oSJDyM+5u8+eh4FYIDEUjFve/44f9LK4iZifkLHAyxVcBEA622/O8iMY0/RIh+nozffjih08eX8uRmDyevm4qeSbnrn/Xer+DYers40qaHokFey1psSG8zXBTToPqL9DEcg0EmhQcadsk3v8ZwwTbX3z72RcJsJkdbm295QkzXE4ZadaNI2bqYrf2l6ms4XkHhHC8qmhlQU+dNnDRKBQ/qgZrorD3EprKV4kpFjgQa7ICedNVv0UGmKMQpmCus8bT1T7NwnSaFTLIBOsWGXnQyF89ytvnHKzVdMnYjpVQgnGyDsVJtwwypuFu7ri7qi9M7bYT/wk9JaBq69V5yOxwT0/ZHB2ik4RZWWkY7cFuxNlYNStaYrYmdcB6Kdpr7JHHvexqcijj31xqmXPc9uuVSZqjg7/36AYGwY1GdGON5madm71XGpqvYue9r5hSAugK4/W0hzDJcYPonzXvkX730jg==
template:
metadata:
name: semaphore-secrets
namespace: git-ops
type: Opaque

27
clusters/ipv6/git-ops/semaphore/semaphore-svc.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: v1
kind: Service
metadata:
name: semaphore-service
namespace: git-ops
spec:
selector:
app: semaphore
ports:
- name: http
port: 3000
targetPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: semaphore-db
namespace: git-ops
spec:
selector:
app: semaphore-db
ports:
- port: 3306
targetPort: 3306
clusterIP: None

53
clusters/ipv6/git-ops/semaphore/semaphore.yml Normal file
View File

@@ -0,0 +1,53 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: semaphore
namespace: git-ops
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: semaphore
template:
metadata:
labels:
app: semaphore
spec:
containers:
- name: semaphore
image: public.ecr.aws/semaphore/pro/server:v2.16.47
readinessProbe:
exec:
command:
- sh
- -c
- |
nc -z semaphore-db.git-ops.svc.cluster.local 3306
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
ports:
- name: http
containerPort: 3000
envFrom:
- configMapRef:
name: semaphore-config
env:
- name: SEMAPHORE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: semaphore-secrets
key: admin_password
- name: SEMAPHORE_DB_PASS
valueFrom:
secretKeyRef:
name: semaphore-secrets
key: mysql_password
- name: SEMAPHORE_ACCESS_KEY_ENCRYPTION
valueFrom:
secretKeyRef:
name: semaphore-secrets
key: key

24
clusters/ipv6/gpu-operator/intel/intel-device-operator.yml Normal file
View File

@@ -0,0 +1,24 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: device-plugin-operator
namespace: gpu-operator
spec:
interval: 24h
chart:
spec:
chart: intel-device-plugins-operator
version: "0.34.1"
sourceRef:
kind: HelmRepository
name: intel
namespace: flux-system
interval: 24h
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3

29
clusters/ipv6/gpu-operator/intel/intel-plugin-operator.yml Normal file
View File

@@ -0,0 +1,29 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gpu-device-plugin
namespace: gpu-operator
spec:
interval: 6h
chart:
spec:
chart: intel-device-plugins-gpu
version: "0.34.1"
sourceRef:
kind: HelmRepository
name: intel
namespace: flux-system
interval: 6h
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
sharedDevNum: 4
nodeFeatureRule: false
nodeSelector:
intel.feature.node.kubernetes.io/gpu: 'true'

10
clusters/ipv6/gpu-operator/intel/intel-repo.yml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: intel
namespace: flux-system
spec:
interval: 6h
url: https://intel.github.io/helm-charts

18
clusters/ipv6/gpu-operator/nvidia/gpu-operator-configmap.yml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: time-slicing-config
namespace: gpu-operator
data:
any: |-
version: v1
flags:
migStrategy: none
sharing:
timeSlicing:
resources:
- name: nvidia.com/gpu
replicas: 4
# remember to patch the cluster policy to use this configmap
# kubectl patch clusterpolicy/cluster-policy -n gpu-operator --type merge -p '{"spec": {"devicePlugin": {"config": {"name": "time-slicing-config", "default": "any"}}}}'

289
clusters/ipv6/gpu-operator/nvidia/gpu-operator-policy.yml Normal file
View File

@@ -0,0 +1,289 @@
apiVersion: nvidia.com/v1
kind: ClusterPolicy
metadata:
annotations:
meta.helm.sh/release-name: gpu-operator
meta.helm.sh/release-namespace: gpu-operator
generation: 2
labels:
app.kubernetes.io/component: gpu-operator
app.kubernetes.io/instance: gpu-operator
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: gpu-operator
app.kubernetes.io/version: v25.3.2
helm.sh/chart: gpu-operator-v25.3.2
helm.toolkit.fluxcd.io/name: gpu-operator
helm.toolkit.fluxcd.io/namespace: gpu-operator
name: cluster-policy
spec:
ccManager:
defaultMode: "off"
enabled: false
env: []
image: k8s-cc-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.1.1
cdi:
default: false
enabled: false
daemonsets:
labels:
app.kubernetes.io/managed-by: gpu-operator
helm.sh/chart: gpu-operator-v25.3.2
priorityClassName: system-node-critical
rollingUpdate:
maxUnavailable: "1"
tolerations:
- effect: NoSchedule
key: nvidia.com/gpu
operator: Exists
updateStrategy: RollingUpdate
dcgm:
enabled: false
image: dcgm
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: 4.2.3-1-ubuntu22.04
dcgmExporter:
enabled: true
env:
- name: DCGM_EXPORTER_LISTEN
value: :9400
- name: DCGM_EXPORTER_KUBERNETES
value: "true"
- name: DCGM_EXPORTER_COLLECTORS
value: /etc/dcgm-exporter/dcp-metrics-included.csv
image: dcgm-exporter
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/k8s
serviceMonitor:
additionalLabels: {}
enabled: false
honorLabels: false
interval: 15s
relabelings: []
version: 4.2.3-4.1.3-ubuntu22.04
devicePlugin:
config:
default: any
name: time-slicing-config
enabled: true
env:
- name: PASS_DEVICE_SPECS
value: "true"
- name: FAIL_ON_INIT_ERROR
value: "true"
- name: DEVICE_LIST_STRATEGY
value: envvar
- name: DEVICE_ID_STRATEGY
value: uuid
- name: NVIDIA_VISIBLE_DEVICES
value: all
- name: NVIDIA_DRIVER_CAPABILITIES
value: all
image: k8s-device-plugin
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia
version: v0.17.3
driver:
certConfig:
name: ""
enabled: false
image: driver
imagePullPolicy: IfNotPresent
kernelModuleConfig:
name: ""
licensingConfig:
configMapName: ""
nlsEnabled: true
manager:
env:
- name: ENABLE_GPU_POD_EVICTION
value: "true"
- name: ENABLE_AUTO_DRAIN
value: "false"
- name: DRAIN_USE_FORCE
value: "false"
- name: DRAIN_POD_SELECTOR_LABEL
value: ""
- name: DRAIN_TIMEOUT_SECONDS
value: 0s
- name: DRAIN_DELETE_EMPTYDIR_DATA
value: "false"
image: k8s-driver-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.8.0
rdma:
enabled: false
useHostMofed: false
repoConfig:
configMapName: ""
repository: nvcr.io/nvidia
startupProbe:
failureThreshold: 120
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 60
upgradePolicy:
autoUpgrade: true
drain:
deleteEmptyDir: false
enable: false
force: false
timeoutSeconds: 300
maxParallelUpgrades: 1
maxUnavailable: 25%
podDeletion:
deleteEmptyDir: false
force: false
timeoutSeconds: 300
waitForCompletion:
timeoutSeconds: 0
useNvidiaDriverCRD: false
usePrecompiled: false
version: 570.148.08
virtualTopology:
config: ""
gdrcopy:
enabled: false
image: gdrdrv
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v2.5
gfd:
enabled: true
env:
- name: GFD_SLEEP_INTERVAL
value: 60s
- name: GFD_FAIL_ON_INIT_ERROR
value: "true"
image: k8s-device-plugin
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia
version: v0.17.3
hostPaths:
driverInstallDir: /run/nvidia/driver
rootFS: /
kataManager:
config:
artifactsDir: /opt/nvidia-gpu-operator/artifacts/runtimeclasses
runtimeClasses:
- artifacts:
pullSecret: ""
url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.54.03
name: kata-nvidia-gpu
nodeSelector: {}
- artifacts:
pullSecret: ""
url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.86.10-snp
name: kata-nvidia-gpu-snp
nodeSelector:
nvidia.com/cc.capable: "true"
enabled: false
image: k8s-kata-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.2.3
mig:
strategy: single
migManager:
config:
default: all-disabled
name: default-mig-parted-config
enabled: true
env:
- name: WITH_REBOOT
value: "false"
gpuClientsConfig:
name: ""
image: k8s-mig-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.12.2-ubuntu20.04
nodeStatusExporter:
enabled: false
image: gpu-operator-validator
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v25.3.2
operator:
defaultRuntime: docker
initContainer:
image: cuda
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia
version: 12.8.1-base-ubi9
runtimeClass: nvidia
psa:
enabled: false
sandboxDevicePlugin:
enabled: true
image: kubevirt-gpu-device-plugin
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia
version: v1.3.1
sandboxWorkloads:
defaultWorkload: container
enabled: false
toolkit:
enabled: true
env:
- name: CONTAINERD_SOCKET
value: /run/k3s/containerd/containerd.sock
- name: CONTAINERD_CONFIG
value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml
image: container-toolkit
imagePullPolicy: IfNotPresent
installDir: /usr/local/nvidia
repository: nvcr.io/nvidia/k8s
version: v1.17.8-ubuntu20.04
validator:
image: gpu-operator-validator
imagePullPolicy: IfNotPresent
plugin:
env:
- name: WITH_WORKLOAD
value: "false"
repository: nvcr.io/nvidia/cloud-native
version: v25.3.2
vfioManager:
driverManager:
env:
- name: ENABLE_GPU_POD_EVICTION
value: "false"
- name: ENABLE_AUTO_DRAIN
value: "false"
image: k8s-driver-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.8.0
enabled: true
image: cuda
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia
version: 12.8.1-base-ubi9
vgpuDeviceManager:
config:
default: default
name: ""
enabled: true
image: vgpu-device-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.3.0
vgpuManager:
driverManager:
env:
- name: ENABLE_GPU_POD_EVICTION
value: "false"
- name: ENABLE_AUTO_DRAIN
value: "false"
image: k8s-driver-manager
imagePullPolicy: IfNotPresent
repository: nvcr.io/nvidia/cloud-native
version: v0.8.0
enabled: false
image: vgpu-manager
imagePullPolicy: IfNotPresent

31
clusters/ipv6/gpu-operator/nvidia/gpu-operator-release.yml Normal file
View File

@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gpu-operator
namespace: gpu-operator
spec:
interval: 6h
chart:
spec:
chart: gpu-operator
version: "v25.10.1"
sourceRef:
kind: HelmRepository
name: nvidia
namespace: flux-system
interval: 6h
install:
createNamespace: true
upgrade:
remediation:
remediateLastFailure: true
values:
driver:
enabled: false
toolkit:
env:
- name: CONTAINERD_SOCKET
value: /run/k3s/containerd/containerd.sock
- name: CONTAINERD_CONFIG
value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml

9
clusters/ipv6/gpu-operator/nvidia/gpu-operator-repo.yml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: nvidia
namespace: flux-system
spec:
interval: 6h
url: https://helm.ngc.nvidia.com/nvidia

22
clusters/ipv6/kube-system/csi-driver-smb/csi-driver-smb-release.yml Normal file
View File

@@ -0,0 +1,22 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: csi-driver-smb
namespace: kube-system
spec:
interval: 6h
chart:
spec:
chart: csi-driver-smb
version: "1.19.1"
sourceRef:
kind: HelmRepository
name: csi-driver-smb
namespace: flux-system
interval: 6h
install:
createNamespace: true
upgrade:
remediation:
remediateLastFailure: true

9
clusters/ipv6/kube-system/csi-driver-smb/csi-driver-smb-repo.yml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: csi-driver-smb
namespace: flux-system
spec:
interval: 6h
url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts

24
clusters/ipv6/kube-system/sealed-secrets/sealed-secrets-release.yaml Normal file
View File

@@ -0,0 +1,24 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: sealed-secrets
namespace: kube-system
spec:
chart:
spec:
chart: sealed-secrets
sourceRef:
kind: HelmRepository
name: sealed-secrets
namespace: flux-system
version: '>=1.15.0-0'
install:
crds: Create
interval: 6h
releaseName: sealed-secrets-controller
upgrade:
crds: CreateReplace
values:
networkPolicy:
enabled: true

9
clusters/ipv6/kube-system/sealed-secrets/sealed-secrets-repo.yml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: sealed-secrets
namespace: flux-system
spec:
interval: 6h
url: https://bitnami-labs.github.io/sealed-secrets

69
clusters/ipv6/kube-system/traefik/traefik-release.yml Normal file
View File

@@ -0,0 +1,69 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: traefik
namespace: kube-system
spec:
chart:
spec:
chart: traefik
sourceRef:
kind: HelmRepository
name: traefik
namespace: flux-system
version: '38.0.1'
install:
crds: Create
interval: 6h
releaseName: traefik
upgrade:
crds: CreateReplace
values:
deployment:
enabled: true
kind: DaemonSet
updateStrategy:
type: OnDelete
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
service:
enabled: false
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
fsGroup: 0
ports:
web:
port: 80
exposedPort: 80
protocol: TCP
expose:
default: true
websecure:
port: 443
exposedPort: 443
protocol: TCP
expose:
default: true
ssh:
port: 22
exposedPort: 22
protocol: TCP
expose:
default: true
providers:
kubernetesCRD: {}
kubernetesIngress: {}

9
clusters/ipv6/kube-system/traefik/traefik-repo.yml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: traefik
namespace: flux-system
spec:
interval: 6h
url: https://traefik.github.io/charts

32
clusters/ipv6/longhorn-system/longhorn-release.yml Normal file
View File

@@ -0,0 +1,32 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: longhorn
namespace: longhorn-system
spec:
interval: 6h
chart:
spec:
chart: longhorn
version: "1.10.1"
sourceRef:
kind: HelmRepository
name: longhorn
namespace: flux-system
interval: 6h
install:
createNamespace: true
upgrade:
remediation:
remediateLastFailure: true
values:
persistence:
defaultClass: false
reclaimPolicy: Retain
ingress:
enabled: false
service:
ui:
type: ClusterIP

10
clusters/ipv6/longhorn-system/longhorn-repo.yml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: longhorn
namespace: flux-system
spec:
interval: 6h
url: https://charts.longhorn.io

8
clusters/ipv6/longhorn-system/namespace.yml Normal file
View File

@@ -0,0 +1,8 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: longhorn-system
labels:
name: longhorn-system

27
clusters/ipv6/media/ersatztv/ersatztv-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ersatztv-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- ersatztv.akshun-lab.cc
secretName: ersatztv-tls
rules:
- host: ersatztv.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ersatztv-service
port:
number: 8409

14
clusters/ipv6/media/ersatztv/ersatztv-pvc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ersatztv-longhorn
namespace: media
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 3Gi
storageClassName: longhorn

13
clusters/ipv6/media/ersatztv/ersatztv-svc.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: ersatztv-service
namespace: media
spec:
selector:
app: ersatztv
ports:
- port: 8409
targetPort: 8409
protocol: TCP

48
clusters/ipv6/media/ersatztv/ersatztv.yml Normal file
View File

@@ -0,0 +1,48 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ersatztv
namespace: media
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: ersatztv
template:
metadata:
labels:
app: ersatztv
spec:
containers:
- name: ersatztv
image: jasongdove/ersatztv:v25.9.0
ports:
- containerPort: 8409
volumeMounts:
- name: data
mountPath: /root/.local/share/ersatztv
- name: i915
mountPath: /dev/dri/
- name: merge
mountPath: /mnt/merge
securityContext:
privileged: true
resources:
requests:
gpu.intel.com/i915: "1"
limits:
gpu.intel.com/i915: "1"
volumes:
- name: data
persistentVolumeClaim:
claimName: ersatztv-longhorn
- name: i915
hostPath:
path: /dev/dri
- name: merge
nfs:
server: 10.0.0.123
path: /merge

54
clusters/ipv6/media/immich/immich-db.yml Normal file
View File

@@ -0,0 +1,54 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: immich-psql
namespace: media
spec:
selector:
matchLabels:
app: immich-psql
serviceName: immich-psql
replicas: 1
template:
metadata:
labels:
app: immich-psql
spec:
initContainers:
- name: cleanup
image: busybox
command: ['sh', '-c', 'rm -rf /var/lib/postgresql/data/lost+found']
volumeMounts:
- name: immich-db
mountPath: /var/lib/postgresql/data
containers:
- name: immich-psql
image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
ports:
- containerPort: 5432
name: postgres
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: immich-postgres-secret
key: password
- name: POSTGRES_USER
value: "postgres"
- name: POSTGRES_DB
value: "immich"
- name: POSTGRES_INITDB_ARGS
value: "--data-checksums"
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: immich-db
volumeClaimTemplates:
- metadata:
name: immich-db
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 5Gi
storageClassName: longhorn

26
clusters/ipv6/media/immich/immich-ingress.yml Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: immich-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- immich.akshun-lab.cc
secretName: immich-tls
rules:
- host: immich.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: immich-service
port:
number: 2283

43
clusters/ipv6/media/immich/immich-ml.yml Normal file
View File

@@ -0,0 +1,43 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-ml
namespace: media
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: immich-ml
template:
metadata:
labels:
app: immich-ml
spec:
runtimeClassName: nvidia
containers:
- name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:v2.4.1-cuda
ports:
- containerPort: 3003
env:
- name: REDIS_HOSTNAME
value: "immich-redis-service"
- name: NVIDIA_VISIBLE_DEVICES
value: "all"
- name: MACHINE_LEARNING_DEVICE_IDS
value: "0"
volumeMounts:
- name: model-cache
mountPath: /cache
resources:
requests:
nvidia.com/gpu: "1"
limits:
nvidia.com/gpu: "1"
volumes:
- name: model-cache
persistentVolumeClaim:
claimName: immich-cache-longhorn

55
clusters/ipv6/media/immich/immich-pvc.yml Normal file
View File

@@ -0,0 +1,55 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-cache-longhorn
namespace: media
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 10Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolume
metadata:
annotations:
pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
name: immich-pictures-pv
namespace: media
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: immich-pictures-pv
mountOptions:
- dir_mode=0777
- file_mode=0777
csi:
driver: smb.csi.k8s.io
volumeHandle: 10.0.0.123#pictures#immich
volumeAttributes:
source: //10.0.0.123/pictures
nodeStageSecretRef:
name: smb-creds
namespace: media
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-pictures-pvc
namespace: media
spec:
accessModes:
- ReadWriteMany
storageClassName: immich-pictures-pv
resources:
requests:
storage: 100Gi

23
clusters/ipv6/media/immich/immich-redis.yml Normal file
View File

@@ -0,0 +1,23 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: immich-redis
namespace: media
spec:
selector:
matchLabels:
app: immich-redis
serviceName: immich-redis
replicas: 1
template:
metadata:
labels:
app: immich-redis
spec:
containers:
- name: redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
ports:
- containerPort: 6379
name: redis

14
clusters/ipv6/media/immich/immich-secrets-sealed.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: immich-postgres-secret
namespace: media
spec:
encryptedData:
password: AgBu1TYgl5+c8HAEZ62WcBcD6ebaF0YXl64RiumT5fOA8F16FA1OeATh17MTXUZuaF+WxpzJoJNSFp8GkfejSczMC2ZkViE/XR6spTGinHd6YI/HWQe0A1ojmTucohssWa00Ql0i6L6OTcD6fOS3gWZnUAi8W42vh4NVgdRx5AWSvjCwsF/visu5OwTFU0vRyTcYN3jrr/uYqLCrLKIQhf/jlfl7BdKN4Y/oZXMWP8K0mVp3deDqDF9NgL5fboL6B5XPihR7lPAZMmTQpf3ansxMMqesnWMKFUAyh50h4JEKcriSKPPuHhtsWTqKQmgUl+pmaTjDI31zmHKNQRbI4dTmkP0hVYGZ8hKomsbLvq9x8ZDfjGz2Vgt57ZMvMftMiz6Fvw8aQ+6XgTpfpYq6ZA4i3+p17nTrdQtMOuH1ogq5b09t2I6AB+0KANFJVG1iPTVGhG0nt23nZQydDHJ42ijl4OtRfJPHf28bUUpYSJ2X6g0/PGzTP8o2Hb+aLG5nJFfy6vikEHDDI4Z75hNSYrftHtQLxImxnEiMdIde1g26b00ECQ9roaOhszozQkGlKImC1+RpdUx1Mgi5yvqk7+RBRHolj9oxa0bdO9uj7u/SIuw8d7XHzHts2NBro9v6HpYjDiFmD35UTCvcaAi4PTUE/Sn2H5BWUDRnznrk1vp5EK3iv4uSM1L0EcD3Lkm6kTbwlctJaS0=
template:
metadata:
name: immich-postgres-secret
namespace: media
type: Opaque

55
clusters/ipv6/media/immich/immich-svc.yml Normal file
View File

@@ -0,0 +1,55 @@
---
apiVersion: v1
kind: Service
metadata:
name: immich-service
namespace: media
spec:
selector:
app: immich-app
ports:
- port: 2283
targetPort: 2283
---
apiVersion: v1
kind: Service
metadata:
name: immich-machine-learning-service
namespace: media
spec:
selector:
app: immich-ml
ports:
- port: 3003
targetPort: 3003
---
apiVersion: v1
kind: Service
metadata:
name: immich-psql
namespace: media
spec:
selector:
app: immich-psql
ports:
- name: postgres
port: 5432
targetPort: 5432
clusterIP: None
---
apiVersion: v1
kind: Service
metadata:
name: immich-redis
namespace: media
spec:
selector:
app: immich-redis
ports:
- name: redis
port: 6379
targetPort: 6379
clusterIP: None

56
clusters/ipv6/media/immich/immich.yml Normal file
View File

@@ -0,0 +1,56 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-app
namespace: media
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: immich-app
template:
metadata:
labels:
app: immich-app
spec:
containers:
- name: immich-server
image: ghcr.io/immich-app/immich-server:v2.4.1
readinessProbe:
exec:
command:
- sh
- -c
- |
pg_isready -h immich-psql.media.svc.cluster.local -U postgres -p 5432
initialDelaySeconds: 10
periodSeconds: 5
failureThreshold: 5
ports:
- containerPort: 2283
env:
- name: TZ
value: "Asia/Kolkata"
- name: REDIS_HOSTNAME
value: "immich-redis.media.svc.cluster.local"
- name: DB_USERNAME
value: "postgres"
- name: DB_DATABASE_NAME
value: "immich"
- name: DB_HOSTNAME
value: "immich-psql.media.svc.cluster.local"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: immich-postgres-secret
key: password
volumeMounts:
- mountPath: /usr/src/app/upload
name: pictures
volumes:
- name: pictures
persistentVolumeClaim:
claimName: immich-pictures-pvc

15
clusters/ipv6/media/immich/smb-secrets-sealed.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: smb-creds
namespace: media
spec:
encryptedData:
password: AgC+7n+UgTpWtKSAT2pM3ko4DyqXlw3PzlBgcX/goSOGbLmxhN/wP1VFh8KJTy/+InMLjPs+Ja0mks6J5YCbl3hvOHFxEnwScnk8vRXgQUgpJTLwZQUR6TOQVJw1jsGqkPOHDzXQiqzvxYgWDdtAX1Fl4Lj6BUOS0zyZqJjC2DKlhLSNqEs2ABuoPLaTwT0i7BEVtUMjIKNJvu+bt2Tc+zdGLeT/RCGiDjiEUvyFOW7/5exPAn0s569EbhG60Wu6Baywz8c+QrgHTkoUkBO+kdSKy1yYMxpNrJ73rblgEUSzxTI/moNrWdpkre3C7hjD99a07zqf83znwwDB7njgecn/Xk4aWy5xyVgViQ4BFcaynR089zuInOtiJHKwv55hvW0jf4xR1pazgHlM/ZEAEv+WZXGd9nwWoCFiPOB/0hta4iJWUkcpfImzNlTq4xbVOUt4DqhNPEKqUAfjBr7krg0LM5y8wAUtepvbD99NVz4yfGMMmZBNBE/REhkJxN5WDPBQZGRdIq0X20wRWN2uCnaj7VYaxLnQbpczka76+dzO/GOlnBLBWkTUwV8VgKn3nsyNYG/7gbvi5c+7U4iDh8oa2/vn3O0nw0vEfnKCKkK5PYy8Ocfe05atQtq+ydtYP131XC/gQMJazOsjmS+8+mJ41b3JnhSI1ptWt0qE1NwcfaUsCFxhjJT6NsUtgvbelz1ixLswyFA=
username: AgAebr79UtTr4TK8wwndPZTBoWdeMs/6TCyfh2PWSw81IH3TV6xiVvey/IS3VK+0inXnF5Mx5osNqP7pvigZ+nRy1Opo8Yi1f+9l7dbDQ1LU4InAX4v/SHrNmyZYHfmLTTLfpoh8D+beLmNWXJDd4mz5CxleOIeai/UBdmsasHoQvvKZFBeIIRz2uv+fWurjQFT+8ZOjtyANa7W1Wqd/2WQI/3rP6CRRfOALoANj/+y3oCXXixzcyl/mEv1GN+p1B9g6AgQycpQSr8kNCeigFEiurU4flliRjwOP6NoZOxc6Vu8i2s4BqGexfgdVpEOLjFL2LtsIf5qLL1MXaquyx7ycXMM3zS8+yeitJ76U65HYswt6EpuksUKay+RFBAMXAzRvjY1MaLzdzso2qUh8yueQ28yI8HEXZLCMuEfTLs3vSHfFApk/JpTCYOtsUJynrF2EY7TxWYNlmn00f9i33Asikv3al+gKzjiN3btdk8y27LhIN3vCmzogHOO+Dt5kEuUCwMjfVGfnoVqQ7GpX7blEdhV9yNlY7evpwJJTYdY3avJnxVD7CXRihS0o2AYgQ5qfVllwR4BePsnyUlr4kwdsMf+PJRYXEBtGEKnJJGA6N+n3hSm6UYRaDXJxy7iCGMUOhiilA9gfnEZ/Zmmy0W7l034o+cFMZxaWOR9/hF3s8keF9iN8SUgsxrPMwdfJ2jgpzhDe9cA=
template:
metadata:
name: smb-creds
namespace: media
type: Opaque

28
clusters/ipv6/media/invidious/invidious-companion.yml Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: invidious-companion
namespace: media
spec:
selector:
matchLabels:
app: invidious-companion
template:
metadata:
labels:
app: invidious-companion
spec:
containers:
- name: inv-companion
image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
env:
- name: SERVER_SECRET_KEY
valueFrom:
secretKeyRef:
name: invidious-secrets
key: INVIDIOUS_COMPANION_KEY
securityContext:
capabilities:
drop:
- ALL

19
clusters/ipv6/media/invidious/invidious-config.yml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: invidious-config
namespace: media
data:
invidious.yml: |
db:
dbname: invidious
user: kemal
password: ${INVIDIOUS_DB_PASSWORD}
host: invidious-db.media.svc.cluster.local
port: 5432
check_tables: true
invidious_companion:
- private_url: "http://invidious-companion-service.media.svc.cluster.local:8282/companion"
invidious_companion_key: ${INVIDIOUS_COMPANION_KEY}
hmac_key: ${INVIDIOUS_HMAC_KEY}

16
clusters/ipv6/media/invidious/invidious-db-secrets-sealed.yml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: invidious-db-secrets
namespace: media
spec:
encryptedData:
postgres-db: AgDCRTGZMrx88eyNM/JENijAUak+FHV1llYWvG9CXqe+p3FqFxL1BBh2vICymkDGX1p7UeASvcNDWQQh+jeuzzPjfEo1t+tyBpZdA8KibIzR8LnQdcIWd76KKUpkDx9QLlu1d+j+zXOxlloTDe1kD/LNlGsb/5EWKfTsxD9xwtv9HDbHctqMLkQPK+fwVZNpaO60LII6dKc2igFjEbcV4203jiWG3Dx3oUMqb3xfNYrb0m2bndU9TfFCHV0TGkLgNX6impmIaHoQvozfniRRvrzjlFdClQW8FrwhnpLZ/gLk+W+zYbvZlHvfU2MeV+VKMDAuTOm36h2iEc6VrS6hy7xhAUY1vLTi+F9fA91qLeH5ZlU9/DTN4U3S47HsTumz3Fu9dvxsg/qtl+7mqBXTJpL7DusHJXE0pia1+RjM8ZwIXd4VLh1rrTt1ohUgOtytYdIzP42UWpIqKXfnzio74jk+CUULMaqB97R92gh2FdLzsSxY7znB+YT7Jie7cOCtSWds+OSNLiX/tm99CIKY+g6mYhCfgBWy/ZIZ4VSHIS2UZDKeqqbDa81IX+f5ASSCLD5daMVIl4qz37tboa0ah7YIvGS5Le9u0XiBWiy/+QOvp1nLYB2/N41kwDMsSqqAtpyqKzBJxu3eTb8QH1h0wllylFpO7yQNKHaZkcwOWqHyfpJQiDvcGr11inJDvkjU1U+ml5Nuq4IHNCg=
postgres-password: AgB0s+vZL++A9kEIBaknYFzwRNGQhsj3LQo7gfR0PebuaM96gFJxsBlrDgDrsIjfOWuwU8abg2Fjif4iU/N43Jz/mTmSVQe0WBhWYV0eBS/KMg8hEzQYA6Hm+WM1W0xS36QGgObP73eguHCictD6NcN0ff3IUZzg1z2Jyr+vDCGy98V2ANbPhiPPamIYaE8NG2B0cxFhi0XCcqkNIy6JTjFbVq/ivFNDmlZY6lZhATWjHine9BKgoTRAwqYHLFx/R0DR1fYiG/fHAzbNGBtDDnLcvL/uCj0LFLLHJ4DxvSmi4re61iBiG/ZFck/ET0bGnusUl7rjz/o9prUcINHtrFmhs6Oh2FwzzCvA1op1xbhOeKWceMAFNkd8BpY31DVjoVrQ1/JQRvqoS4J9TZ10YMtMdpOWxgmOb66W+kwhZOgT9bYrkSkOirGNLeFpC5uOt+rAm5rfiFrKsaLD4OTj1YDuSfewNpnM5rPawK36t9y5VFtSsJamtbS09vXLnKnO9D1M+Z/fxyCoBkeTE8UmSEfFZ52BODIasy1YVrXGLW6jXJOTLrj9ZaMajzS1LnlxeGPrJ/l7Q4qCo88/iEgrENHgx+x2j8kJm7jRsvyfa/U7vTpfIfuUIhSBxl8pHL1i7N/ZFL6Ses5lNEJ+53rXLSpkHEYh7gWId9eKUNTWikLkoAyNzcSS62jAWc2jUSO3V8rdoTPapE2OVifJ5g==
postgres-user: AgAMdnMR0vcu5ox07A1eZW55ihOs+qqA4sdoCZZa6VIgz0RoVO1R5XghBVk3l6XXn24bUFbufzZlWwAW+202ONLAsPHPOKjMB9ODOxk5iFP+D9iPiRlzpvuOf4cGdoyxlIuyr/p5OwTyAq9GQOZOzUZ0sB1bNyfQSpYISD+vTvkNIWe+O2LMQOXVegPkb0eWDCv5fHrjYrri0qurOQ9ah/wZMvSTRRRZcq+mpAU71VCycdC527JNb5/nxdhth7wXEVTuyh97il/Pu9fUdVyLMh8bnVPxB5cdxa1Bmo9txH7NKFyrscmlYfv9IinaxZhZSGKJxwX4zeaq4+wu8+JDPqD3OJr0jBepg88ZRWIkeFcDLFEjPcXeGjsF1B+fwb5iYI4KVI2QZGXNTrpFkFZQvTMjXh6WtH6BbluSBGsUAg4EW/gA6higfDQ7YM3ZN4KHXYy9Z8rK1TvC8TCNeWNRrG6hYN2wwkUmHh4Q9Y6Y3RSn8UNvdCvQCM7gF1SoUcyF4T97cJC0ER8YihwDKrsZHDDGNXXMtOV8gCi4MMNwdjuB2+lePrcidKMVYCtLhbevogyll6xgGPYU1PvZhyV0WSpY8z+ypcBlh9Z9kVd/PkbUcXRHdSm6znmzwKgWRi+zHfNfg9OxTBuy6oX/Kg48d1UIR59P2tGMteTTKf2e7SY3wQzRRdMrzY93sqa/rGilLu7RszYcCQ==
template:
metadata:
name: invidious-db-secrets
namespace: media
type: Opaque

59
clusters/ipv6/media/invidious/invidious-db.yml Normal file
View File

@@ -0,0 +1,59 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: invidious-db
namespace: media
spec:
selector:
matchLabels:
app: invidious-db
serviceName: invidious-db
replicas: 1
template:
metadata:
labels:
app: invidious-db
spec:
initContainers:
- name: clean-db-dir
image: busybox
command:
- sh
- -c
- |
rm -rf /var/lib/postgresql/lost+found
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql
containers:
- name: postgres
image: postgres:18
env:
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: invidious-db-secrets
key: postgres-db
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: invidious-db-secrets
key: postgres-user
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: invidious-db-secrets
key: postgres-password
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql
volumeClaimTemplates:
- metadata:
name: postgres-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
storageClassName: longhorn

27
clusters/ipv6/media/invidious/invidious-ingress.yml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: invidious-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- invidious.akshun-lab.cc
secretName: invidious-tls
rules:
- host: invidious.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: invidious-service
port:
number: 3000

16
clusters/ipv6/media/invidious/invidious-secrets-sealed.yml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: invidious-secrets
namespace: media
spec:
encryptedData:
INVIDIOUS_COMPANION_KEY: AgDRcKWTyaK2LAPkjlHXJyhVkxkVg1AG6eLAh1JQjgz+w5f5op8/G7RJ+9rVEJd1liHNu8dZKxSJ09PHLbrgRW4WDwlOBoMA5YkP3UfmlsZC1oExxsIjSzjssvUU3ewDJY5ny/LVYeGD5I0KkKPGyVEDbaD1UL986t+GY56cVVF7xZJwyPyXokqRd23PahecmMgkOSk6Ikct0hyNBlKuAeB5obGB9kNdpNZwOHV33EyIjeZOsVlCd7mtf4kE2qIWKtZSR3MtGq2hGjelFXwD0s6++cLAZv3zC9nB6F9VY+JjZxmH2FZtB8QMcPSnjk0ea7qMDMIalYXqOn1AVPZ8v5l+V+iQeIRMOvoYnM5okY5ffP2Ug81V6h6lnSt2cqPg4+5U7Tu7GSct78sgudYCZwYvpUEZgoyJ5B8z9sqOhKtVSuyOwqnpWdzDufL4yLhIQVGsJ1T8U34IrietxEJ7YwwLsv5S/wkErgaUF54ZUED+C31gYXDebdJDdZcIrjWdSAp3gYXURoiv13sqmxLOZMgwsy9HZoozf1rzxKj67O45dRZWXE6JWuhFUDH8+boe9t8O/nHvpHwE7C4Gm79WC4AXJOO4cwzJySqiu8VZUywGojOHS6bGqRmcKootXSG+OM7o9ay0/6ctkYXbflKwza0JzzDorQ5vkt7A7vFhJss2y9sJa093WFvY2Wd0RsYwe8V48ZRx5ChXU6PB53/xt8KD
INVIDIOUS_DB_PASSWORD: AgCYcytQkrWQMQXlp1zRHgA2R/RO32tFXJTZufzjLh+uK6Na6lH9iRReWv/qLE3xR4qXDSy5Ph6+SbuQHi2GnqFKpmiU0CvjPvvl+dFmVhJvB7ho7AR06UYTmMqK9jLw9TWfLu21pUHQPBovZuofcNSllsEjZ9Zd6oN99gh51DiVFEwlJvLu2+bdIhM0wALqEphjihBJEdWzvr0WUOZoyqX8Dtb/d/bHeeEmmDRoIu8btmsyNwvMP+rDqfzXhQ+/HEhf40ZfnUWzxYGYfFz0m8CVVlk4WNxAJ8obb2jHfLDRIB1Fzwgyn+gQU6lhWo7vnAWLTZ2NAKKwN3Rs7Tu7B6SHkuNkAI89jwtlG1cSX3NnQe0gbvnNLtGG6yWBnh1ZJufseRgsOx2VU3CAYT16S6EM5Cpk41YKA0/tMu9Z8CG3MevnmTSQmke94AR+Yl2hFsEFDMqlOeCzS38urKM7oE1MkfMpdB8th19fPj00jdBixmEY5FlMBltQwX4T+xMdZEpZQnlFWfvLrIRwg1l8/JQAI+KRP6Ym8RwShWwc+DW58VSgaAjg/rqWl1nHPmZVdYGghyCM77HXQ1N7H+nMesFL0ebxg+bm0OTllNAL8m2S1l2lukH7d8OUoQT5yTrwuD/DvMv5S9RAVGBE/41ZQ3MSx1s/5DrIvUaFk8gdIpbIMhoKP5KaB4PdFnzy9yd3nQIgTfzMixrMlhW1ww==
INVIDIOUS_HMAC_KEY: AgCY3C9mojZsBnGVbs8HuJrm0H2A4qOMDWnuh7Ifru0cc6TGjMbkYUki63uETk/mNl/WH5t+kQkyZhXACjPbFCoW+CI4uLMR7YnNoVRUsftRDDG3mAZ4g2skGo3QSkI7HYC/UOTpBT+TYldwEznS5cZjKit4R0EvqJBRSE4BfE1cqn9pVnJX4SOeQNCKDWi5biGfMuZt3htZYYXCQrihLDCtgOMHJgYk3AgO9vCJZl3j5IwyQT77iA38xpio93AKkhyYL+XzdX38K4eQDkDJf/jyl4ZzRCeFNAKUX5WhBPkTfkn5Mp0rPvxk3/aDXqdNgTmcGYn1iM3uev4k38u9EaJ1ESbbh97CzDAK1nHVXbXtMJzUWsjN+E9xojsknkaucuMcVFrq5ZuE8EVzmoows+kVsXyYaahg4at0RgxtNovLbJ8Ct1SB1oNwwd/VaNNxl0Uy+5hO+9n2jjnP6j83U52SlkBPoqXp8hLCQxiglMiGhN3QapkghHoaN3DFjYtmTC6q/BCzFvF10Daa/iRALt/fBO7VbR9+hvknmYvv1Z6L/s2Rm4xYKkunjB4qWZdHIfwt4lSVHF94wg6NsRm3dkF4RA/AJlx9wfXaSvVJLj7Gfri/nZQ236RojFtPpvLrDAYV2qfNv2nmpCnpFH1XgWQmwn6xjcaT/VEf4pUdn4yu2T1mnjJkWua1oJ53hUyCK5lZDeJQurZj5f7y8HHv3pBo
template:
metadata:
name: invidious-secrets
namespace: media
type: Opaque

40
clusters/ipv6/media/invidious/invidious-svc.yml Normal file
View File

@@ -0,0 +1,40 @@
---
apiVersion: v1
kind: Service
metadata:
name: invidious-service
namespace: media
spec:
selector:
app: invidious
ports:
- port: 3000
targetPort: 3000
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: invidious-companion-service
namespace: media
spec:
selector:
app: invidious-companion
ports:
- port: 8282
targetPort: 8282
---
apiVersion: v1
kind: Service
metadata:
name: invidious-db
namespace: media
spec:
selector:
app: invidious-db
ports:
- port: 5432
targetPort: 5432
clusterIP: None

70
clusters/ipv6/media/invidious/invidious.yml Normal file
View File

@@ -0,0 +1,70 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: invidious
namespace: media
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: invidious
template:
metadata:
labels:
app: invidious
spec:
initContainers:
- name: substitute-config
image: alpine
envFrom:
- secretRef:
name: invidious-secrets
command:
- sh
- -c
- apk add gettext && envsubst < /mnt/init/invidious.yml > /mnt/invidious.yml
volumeMounts:
- name: invidious-config
mountPath: /mnt/init/invidious.yml
subPath: invidious.yml
- name: tmp
mountPath: /mnt
subPath: invidious.yml
containers:
- name: invidious
image: quay.io/invidious/invidious@sha256:2836b5b8226a53a9cc2afdbd5f5fe6bccdd200f2e17cd92a828b4dc8d8b5cc06
command:
- sh
- -c
- |
export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
exec /invidious/invidious
readinessProbe:
exec:
command:
- sh
- -c
- |
nc -z invidious-db.media.svc.cluster.local 5432 && nc -z invidious-companion-service.media.svc.cluster.local 8282
env:
- name: INVIDIOUS_PORT
value: "3000"
ports:
- containerPort: 3000
volumeMounts:
- name: logging
mountPath: /var/log/invidious
- name: tmp
mountPath: /mnt
subPath: invidious.yml
volumes:
- name: logging
emptyDir: {}
- name: tmp
emptyDir: {}
- name: invidious-config
configMap:
name: invidious-config

26
clusters/ipv6/media/jellyfin/jellyfin-ingress.yml Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cloudflare
spec:
ingressClassName: traefik
tls:
- hosts:
- jellyfin.akshun-lab.cc
secretName: jellyfin-tls
rules:
- host: jellyfin.akshun-lab.cc
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin-service
port:
number: 8096

15
clusters/ipv6/media/jellyfin/jellyfin-pvc.yml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-pvc
namespace: media
spec:
resources:
requests:
storage: 5Gi
storageClassName: longhorn
volumeMode: Filesystem
accessModes:
- ReadWriteOnce

14
clusters/ipv6/media/jellyfin/jellyfin-svc.yml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-service
namespace: media
spec:
selector:
app: jellyfin
ports:
- port: 8096
targetPort: 8096
protocol: TCP

53
clusters/ipv6/media/jellyfin/jellyfin.yml Normal file
View File

@@ -0,0 +1,53 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
namespace: media
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
containers:
- name: jellyfin
image: jellyfin/jellyfin:10.11.5
ports:
- containerPort: 8096
volumeMounts:
- name: media
mountPath: /media
- name: config
mountPath: /config
- name: cache
mountPath: /cache
- name: i915
mountPath: /dev/dri
securityContext:
privileged: true
resources:
requests:
gpu.intel.com/i915: "1"
limits:
gpu.intel.com/i915: "1"
volumes:
- name: config
persistentVolumeClaim:
claimName: jellyfin-pvc
- name: cache
emptyDir: {}
- name: media
nfs:
server: 10.0.0.123
path: /merge
- name: i915
hostPath:
path: /dev/dri

7
clusters/ipv6/media/namespace.yml Normal file
View File

@@ -0,0 +1,7 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: media
labels:
name: media

8
clusters/ipv6/metallb-system/l2-advertisement.yml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: k3s-lb-pool
namespace: metallb-system
spec:
ipAddressPools:
- pool-ip

22
clusters/ipv6/metallb-system/metallb-release.yml Normal file
View File

@@ -0,0 +1,22 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: metallb
namespace: metallb-system
spec:
interval: 6h
chart:
spec:
chart: metallb
version: "0.15.3"
sourceRef:
kind: HelmRepository
name: metallb
namespace: flux-system
interval: 6h
install:
createNamespace: true
upgrade:
remediation:
remediateLastFailure: true

Some files were not shown because too many files have changed in this diff Show More