fix: correct typo in PAPERLESS_URL environment variable

Reviewed-on: #316

.gitea/workflows/kubeconform.yml

@@ -12,7 +12,7 @@ jobs:
   kubeconform:
     runs-on: ubuntu-latest
     container:
-      image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.0.0
+      image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.1.0
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -25,6 +25,7 @@ jobs:
         with:
           files: |
             **.yml
+            **.yaml
             !.gitea/workflows/**
             !clusters/default/system-upgrade/crd.yml
 
@@ -47,13 +48,11 @@ jobs:
           )
 
           EXIT_CODE=0
-          export KUBECONFORM_CACHE_DIR="/tmp/kubeconform-cache"
-          mkdir -p "$KUBECONFORM_CACHE_DIR"
 
           for file in ${ALL_CHANGED_FILES}; do
             [ -z "$file" ] && continue
             echo "=== Validating: $file ==="
-            # Split YAML into individual docs, output as JSON, and process each
+
             yq e -o=json '. as $item ireduce ([]; . + [$item])' "$file" | \
               jq -c '.[] | select(.kind != null)' | \
               while read -r manifest; do
@@ -65,7 +64,6 @@ jobs:
 
                   if ! echo "$manifest" | kubeconform \
                       -schema-location "$SCHEMA_URL" \
-                      -cache "$KUBECONFORM_CACHE_DIR" \
                       -output json \
                       -; then
                     EXIT_CODE=1
@@ -74,7 +72,6 @@ jobs:
                   echo "Validating with default schemas"
                   if ! echo "$manifest" | kubeconform \
                       -schema-location default \
-                      -cache "$KUBECONFORM_CACHE_DIR" \
                       -output json \
                       -; then
                     EXIT_CODE=1

.gitignore

@@ -1 +1,2 @@
 /tmp-pod.yml
+/Dockerfile

clusters/default/arr-stack/jellyseerr/jellyseerr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/prowlarr/prowlarr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/qbittorrent/qbittorrent.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/helm/gpu-operator/gpu-operator-release.yml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: gpu-operator
-      version: "v25.3.2"
+      version: "v25.10.1"
       sourceRef:
         kind: HelmRepository
         name: nvidia

clusters/default/helm/prometheus/prometheus-release.yml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: prometheus
-      version: "27.52.0"
+      version: "28.0.0"
       sourceRef:
         kind: HelmRepository
         name: prometheus-community

clusters/default/media/immich/immich-ml.yml

@@ -19,7 +19,7 @@ spec:
       runtimeClassName: nvidia
       containers:
       - name: immich-machine-learning
-        image: ghcr.io/immich-app/immich-machine-learning:v2.4.0-cuda
+        image: ghcr.io/immich-app/immich-machine-learning:v2.4.1-cuda
         ports:
         - containerPort: 3003
         env:

clusters/default/media/immich/immich.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: immich-server
-        image: ghcr.io/immich-app/immich-server:v2.4.0
+        image: ghcr.io/immich-app/immich-server:v2.4.1
         readinessProbe:
           exec:
             command:

clusters/default/media/invidious/invidious-companion.yml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: inv-companion
-        image: quay.io/invidious/invidious-companion@sha256:07a1dd6893e6311e341067cf61ba5f920184e40339e4b4e195f5713f99311343
+        image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
         env:
         - name: SERVER_SECRET_KEY
           valueFrom:

clusters/default/monitoring/jellystat/jellystat.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: jellystat
-        image: cyfershepard/jellystat:1.1.6
+        image: cyfershepard/jellystat:1.1.7
         readinessProbe:
           exec:
             command:

clusters/default/monitoring/pulse/pulse.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: pulse
-        image: rcourtman/pulse:4.36.2
+        image: rcourtman/pulse:5.0.10
         volumeMounts:
         - name: pulse-data
           mountPath: /data

clusters/default/monitoring/speedtest/speedtest.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: speedtest
-        image: lscr.io/linuxserver/speedtest-tracker:1.13.2
+        image: lscr.io/linuxserver/speedtest-tracker:1.13.4
         ports:
         - containerPort: 80
         env:

clusters/default/tools/open-webui/open-webui.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: open-webui
-        image: ghcr.io/open-webui/open-webui:0.6.41
+        image: ghcr.io/open-webui/open-webui:0.6.43
         ports:
         - containerPort: 8080
         env:

clusters/default/tools/searxng/searxng.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: searxng
-        image: searxng/searxng@sha256:a39ce90965a1650655c10f6e1b83bf0d1f09caf9af3ea182196e53f158f2bc5d
+        image: searxng/searxng@sha256:472dd0c84b8e2a05bca773b4a430b9fc9e4e92cd4fa0afaa223efab925ab752a
         ports:
         - containerPort: 8080
         env:

clusters/default/tools/vaultwarden/vaultwarden.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: vaultwarden
-        image: vaultwarden/server:1.34.3
+        image: vaultwarden/server:1.35.1
         ports:
         - containerPort: 80
         env:

clusters/ipv6/arr-stack/bazarr/bazarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - bazarr.akshun-lab.cc
+    secretName: bazarr-tls
+  rules:
+  - host: bazarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: bazarr-service
+            port:
+              number: 6767
+

clusters/ipv6/arr-stack/bazarr/bazarr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/bazarr/bazarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bazarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: bazarr
+  ports:
+  - protocol: TCP
+    port: 6767
+    targetPort: 6767

clusters/ipv6/arr-stack/bazarr/bazarr.yml

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bazarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bazarr
+  template:
+    metadata:
+      labels:
+        app: bazarr
+    spec:
+      containers:
+      - name: bazarr
+        image: linuxserver/bazarr:1.5.4
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: movies
+          mountPath: /movies
+        - name: tv
+          mountPath: /tv
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: bazarr-longhorn
+      - name: tv
+        nfs:
+          server: 10.0.0.123
+          path: /merge/series
+      - name: movies
+        nfs:
+          server: 10.0.0.123
+          path: /merge/movies
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyseerr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - jellyseerr.akshun-lab.cc
+    secretName: jellyseerr-tls
+  rules:
+  - host: jellyseerr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jellyseerr-service
+            port:
+              number: 5055
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyseerr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-svc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyseerr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: jellyseerr
+  ports:
+  - port: 5055
+    targetPort: 5055
+    protocol: TCP
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr.yml

@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyseerr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyseerr
+  template:
+    metadata:
+      labels:
+        app: jellyseerr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: jellyseerr
+        image: fallenbagel/jellyseerr:2.7.3
+        ports:
+        - containerPort: 5055
+        env:
+        - name: LOG_LEVEL
+          value: "info"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: config
+          mountPath: /app/config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: jellyseerr-longhorn
+

clusters/ipv6/arr-stack/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: arr-stack
+  labels:
+    name: arr-stack

clusters/ipv6/arr-stack/openvpn/gluetun-config.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-config
+  namespace: arr-stack
+data:
+  VPN_SERVICE_PROVIDER: "surfshark"
+  SERVER_COUNTRIES: "Netherlands"
+  HTTPPROXY: "ON"
+  FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24,10.42.0.0/16,10.43.0.0/16"
+  DNS_ADDRESS: "8.8.8.8"
+

clusters/ipv6/arr-stack/openvpn/gluetun-secrets-sealed.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: openvpn-secrets
+  namespace: arr-stack
+spec:
+  encryptedData:
+    OPENVPN_PASSWORD: AgCq8+4OOOqt0Z0zTiVdtjz5uWoH7flNKwreecXW7zZ3gMi7t2dg9YApYV5lBzIxXSCx1DhMWqbgBx545n4SFkZhJhJeJRxRMYYV1b034W4TCzyJXU9d1kcUY4zesutK/HVY2R6riUdGLZzxJ9RPEa62LfdmjCc7ilOnMG2zqGwUF8g7+/I8ANnxNKYZ6WF6kmD96C6RdMMO5D2AUs7YppppsADkoQmHyTjx5geceDm7nGHSyy5ieFuvg7qd7S5s7E+GpsMWsXgl1RGD2nsyJ94h7FH0/krWR4DBu7YivgKtehTf/fK1tkqbxuqPUDJG2QVhmYwLmcEMhfajV8tmJrptfgxQ0nRbqIM/kcJeopPhbcHg/HMMfp7GwiTjfub6gxti9JQPBgMjoOdyMrYsdWPbIF8CaScF9S5owPx0sI1oHlS/q4vhQs/2jh5rIrwLTJbmo1Xwrkd86TJfuUv2G7khUDF1xLBOX9gHQFiCF+F2/JC08CKuodJ5NyYIbQ3jTFMbZHnwlsONKAgbVz40s90OumD4ujk+CtB89/p4Pz8zJC26qB3mFSiFAIQ4RbAwygA9jsFXmsuS86dxinWD+XZYWGAXvG9GHtmV1lRG55CGQ4SAKmAgECqvE0q3MCmmhIquUgl0HolkkDRC+eJadb0w2z3bpFQ9K8ZdFP50Gj37hxcaVY/CREkAuiRhpxBOzbjwQShnly4qW6mB6/r0VF8THYPOsDy5DfQ=
+    OPENVPN_USER: AgC/5sKPgHylU/nDJ/S63t/07I1Ll9gdBipIyWtL0Fl+OStZ1DAzt7n4oGZ+HRqZA1bLJ4ZB0xgOIL7JjFN+1AqvybrCrIrira7AwxwsRWHzboFzA8St81pQR2Bu6O6B+cfFUiFNI43yOVAn1LRWzPFjRc6wtJTym2tQbzDaFL5pdvnMRHRlDSrGfWMHvl/iNDwL4CUctBSLYNsSbew15g/KavkEfNT6DqVhGZ8LNA+223x6Xs2tsscAYZo9zEX4qxYO1jk0WxfMXA8iFqjl2icI3y6FMLtnfM4dA+4LK+5rrlyLQVoBWznwPTMSvRLEKmstKQAe4jSel/DxL0oa0SnfAty1n+weM5uA4UIvo3mgDX2tGNIeibV6Hn6aG0jTAWgSaWVjIDe/NCVKOks18nnqOI9p91MS93EoYU7gRwwpVCNYWoXQoul6G1P4EkiqtDbwKPOMgVPWIdu0unP1Af7K/QhqaelEMM/EageSXdMeZ/hDA9vMTNQlhNf+eowU0KwpQ9MXYre4m8N4twPzRQfXvU4+SNr1QsrlpB52Y0QJJJZvG9HOPfLK52Re42TxbLxGap1oQLyHhRscsQ6XIDszpEDBlXj8RYxhgaCIKfywK2Z5v0tbjdAWJuQ3Cw/kcaEa8dGT2x6BenU+XxwNIsyFkCCR5+0bJLdKZFPaT3J1wpIP8JQ/HuAWW89lxXFQ74935oecAwr93eN2rRAvdNmL71sDJoUGoSU=
+  template:
+    metadata:
+      name: openvpn-secrets
+      namespace: arr-stack
+    type: Opaque

clusters/ipv6/arr-stack/prowlarr/prowlarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prowlarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - prowlarr.akshun-lab.cc
+    secretName: prowlarr-tls
+  rules:
+  - host: prowlarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: prowlarr-service
+            port:
+              number: 9696
+

clusters/ipv6/arr-stack/prowlarr/prowlarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prowlarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/prowlarr/prowlarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: prowlarr
+  ports:
+  - port: 9696
+    targetPort: 9696
+  clusterIP: 10.43.0.142

clusters/ipv6/arr-stack/prowlarr/prowlarr.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: prowlarr
+        image: lscr.io/linuxserver/prowlarr:2.3.0
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        ports:
+        - containerPort: 9696
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: prowlarr-longhorn

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - qbittorrent.akshun-lab.cc
+    secretName: qbittorrent-tls
+  rules:
+  - host: qbittorrent.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: qbittorrent-service
+            port:
+              number: 8080

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-svc.yml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: qbittorrent
+  ports:
+  - port: 8080
+    targetPort: 8080

clusters/ipv6/arr-stack/qbittorrent/qbittorrent.yml

@@ -0,0 +1,63 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: qbittorrent
+  template:
+    metadata:
+      labels:
+        app: qbittorrent
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: qbittorrent
+        image: linuxserver/qbittorrent:5.1.4
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: downloads
+          mountPath: /downloads
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: qbittorrent-longhorn
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads

clusters/ipv6/arr-stack/radarr/radarr-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - radarr.akshun-lab.cc
+    secretName: radarr-tls
+  rules:
+  - host: radarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: radarr-service
+            port:
+              number: 7878

clusters/ipv6/arr-stack/radarr/radarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/radarr/radarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: radarr
+  ports:
+  - port: 7878
+    targetPort: 7878
+  clusterIP: 10.43.0.204

clusters/ipv6/arr-stack/radarr/radarr.yml

@@ -0,0 +1,49 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: lscr.io/linuxserver/radarr:6.0.4
+        ports:
+        - containerPort: 7878
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: movies
+          mountPath: /movies
+        - name: downloads
+          mountPath: /downloads
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: movies
+        nfs:
+          server: 10.0.0.123
+          path: /merge/movies
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads
+      - name: config
+        persistentVolumeClaim:
+          claimName: radarr-longhorn

clusters/ipv6/arr-stack/sabnzbd/sabnzbd-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sabnzbd-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - sabnzbd.akshun-lab.cc
+    secretName: sabnzbd-tls
+  rules:
+  - host: sabnzbd.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sabnzbd-service
+            port:
+              number: 8080

clusters/ipv6/arr-stack/sabnzbd/sabnzbd-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sabnzbd-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/sabnzbd/sabnzbd-svc.yml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sabnzbd-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: sabnzbd
+  ports:
+  - port: 8080
+    targetPort: 8080

clusters/ipv6/arr-stack/sabnzbd/sabnzbd.yml

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sabnzbd
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: sabnzbd
+  template:
+    metadata:
+      labels:
+        app: sabnzbd
+    spec:
+      containers:
+      - name: sabnzbd
+        image: lscr.io/linuxserver/sabnzbd:4.5.5
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: sabnzbd-config
+          mountPath: /config
+        - name: downloads
+          mountPath: /downloads
+      volumes:
+      - name: sabnzbd-config
+        persistentVolumeClaim:
+          claimName: sabnzbd-longhorn
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads

clusters/ipv6/arr-stack/sonarr/sonarr-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sonarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - sonarr.akshun-lab.cc
+    secretName: sonarr-tls
+  rules:
+  - host: sonarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sonarr-service
+            port:
+              number: 8989

clusters/ipv6/arr-stack/sonarr/sonarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/sonarr/sonarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: sonarr
+  ports:
+  - port: 8989
+    targetPort: 8989
+  clusterIP: 10.43.0.194

clusters/ipv6/arr-stack/sonarr/sonarr.yml

@@ -0,0 +1,49 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sonarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sonarr
+  template:
+    metadata:
+      labels:
+        app: sonarr
+    spec:
+      containers:
+      - name: sonarr
+        image: lscr.io/linuxserver/sonarr:4.0.16
+        ports:
+        - containerPort: 8989
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - name: tv
+          mountPath: /tv
+        - name: downloads
+          mountPath: /downloads
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: sonarr-longhorn
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads
+      - name: tv
+        nfs:
+          server: 10.0.0.123
+          path: /merge/series

clusters/ipv6/cert-manager/cert-manager/cert-manager-release.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: cert-manager
+      version: "v1.19.2"
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+      interval: 6h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    crds:
+      enabled: true
+      keep: true
+

clusters/ipv6/cert-manager/cert-manager/cert-manager-repo.yml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://charts.jetstack.io
+

clusters/ipv6/cert-manager/cert-manager/cluster-issuer.yml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-cloudflare
+spec:
+  acme:
+    email: aggarwalakshun@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-cloudflare
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token
+

clusters/ipv6/cert-manager/cloudflare-api-token-sealed.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: AgAT0GBUIiC9aRMr36PH4qAgyADvCrYaeMT/2XLHSQGb9mNsdAXFkWe8O2G/ZMn9duMECnidlI5XhaQeF0ih0gu6DNxTdid6IqrXnbbSoqv2bkKoCxtnzInVCcJLlvLY8IfgkSXZ54Zitq2j0epoMbDPEyKXOCrQmNsaNiodIs71SfsgheDwQL7JXIoI5K/JE2nO6zCDkrStUPgxWRsly/49L8i/4v8TI74eQha3Qi0lPqEZkHrXbW6w6g13PXyDk94878QxS5O+VzLtPcqjfJM3/I0zCJNqpiSSheUvkuCFE0X1xQkQ6azB6QH2lTZmkhNWqolENj2QrcCo5S6YXYaDdNZVLENzNOlzk55ns7ycoGMfTqx3KrPmr34yCBlRyb0eXm/V8QoDpbnPcdpphTJIM/R8OeoKkHDpf1cVPdwdhVHfkRMYG5C0BHr8yn+iHFnUhhz/39nRLORo1aXzyprT0KnI6WfGo86r4HcVjajspYS3Em05cD3/bKaJvDK1en2/sKxKgl1J20GKP2tKIaEJLbyVeVSnLHm/sFYcUQFXZM0STlddD1icuy2h5UvsFwrrGhrG+w7oxQVfIlyT5OItKntrROzF+ZJbTdwfJLoWHeSlsBKp+mEy5gzAQerDZ0ugDtIEoa6bpaIrk8HQulCOZRMARf8PlzZSF9t470eruE8mH+9m2sgubCLhLYWxnWjWvuGzclgk26iT1ZjEfMHOs3ZGuFl43joA8L7iPrTKX79kBusSgmGp
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: cert-manager
+    type: Opaque

clusters/ipv6/cert-manager/namespace.yml

@@ -0,0 +1,8 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: cert-manager
+  labels:
+    name: cert-manager
+

clusters/ipv6/external-resources/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: external-resources
+  labels:
+    name: external-resources

clusters/ipv6/external-resources/omv/omv-endpoint.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: omv
+  namespace: external-resources
+subsets:
+  - addresses:
+      - ip: 192.168.1.4
+    ports:
+      - name: http
+        protocol: TCP
+        port: 80

clusters/ipv6/external-resources/omv/omv-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: omv-ingress
+  namespace: external-resources
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - omv.akshun-lab.cc
+    secretName: omv-tls
+  rules:
+  - host: omv.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: omv
+            port:
+              number: 80

clusters/ipv6/external-resources/omv/omv-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: omv
+  namespace: external-resources
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    protocol: TCP
+  clusterIP: None

clusters/ipv6/external-resources/pbs/pbs-endpoint.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pbs
+  namespace: external-resources
+subsets:
+  - addresses:
+      - ip: 192.168.1.112
+    ports:
+      - name: https
+        protocol: TCP
+        port: 8007

clusters/ipv6/external-resources/pbs/pbs-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pbs-ingress
+  namespace: external-resources
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - pbs.akshun-lab.cc
+    secretName: pbs-tls
+  rules:
+  - host: pbs.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pbs
+            port:
+              number: 8007

clusters/ipv6/external-resources/pbs/pbs-svc.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pbs
+  namespace: external-resources
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: external-resources-insecure-transport@kubernetescrd
+spec:
+  ports:
+  - name: https
+    port: 8007
+    targetPort: 8007
+    protocol: TCP
+  clusterIP: None

clusters/ipv6/external-resources/pihole/pihole-endpoint.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pihole
+  namespace: external-resources
+subsets:
+  - addresses:
+      - ip: 192.168.1.19
+    ports:
+      - name: http
+        protocol: TCP
+        port: 80

clusters/ipv6/external-resources/pihole/pihole-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pihole-ingress
+  namespace: external-resources
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - pihole.akshun-lab.cc
+    secretName: pihole-tls
+  rules:
+  - host: pihole.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pihole
+            port:
+              number: 80

clusters/ipv6/external-resources/pihole/pihole-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pihole
+  namespace: external-resources
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    protocol: TCP
+  clusterIP: None

clusters/ipv6/external-resources/proxmox/proxmox-endpoint.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: proxmox
+  namespace: external-resources
+subsets:
+  - addresses:
+      - ip: 192.168.1.113
+    ports:
+      - name: https
+        protocol: TCP
+        port: 8006

clusters/ipv6/external-resources/proxmox/proxmox-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: proxmox-ingress
+  namespace: external-resources
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - proxmox.akshun-lab.cc
+    secretName: proxmox-tls
+  rules:
+  - host: proxmox.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: proxmox
+            port:
+              number: 8006

clusters/ipv6/external-resources/proxmox/proxmox-svc.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox
+  namespace: external-resources
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: external-resources-insecure-transport@kubernetescrd
+spec:
+  ports:
+  - name: https
+    port: 8006
+    targetPort: 8006
+    protocol: TCP
+  clusterIP: None

clusters/ipv6/external-resources/server-transport.yml

@@ -0,0 +1,8 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: insecure-transport
+  namespace: external-resources
+spec:
+  insecureSkipVerify: true

clusters/ipv6/flux-system/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/k3s-at-home
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./clusters/ipv6
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

clusters/ipv6/flux-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml

clusters/ipv6/git-ops/gitea-act/gitea-act-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-act-runner-longhorn
+  namespace: git-ops
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 100Mi
+  storageClassName: longhorn

clusters/ipv6/git-ops/gitea-act/gitea-act-secrets.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-act-runner-secret
+  namespace: git-ops
+spec:
+  encryptedData:
+    TOKEN: AgBhgEG6qqXq4vb28mzolrFoh4QSzV90//bpK9YasBpfazXjgpSvbN5DJ8BgGut7dgT/yRfb4DZTKO2qDIBDi/npE46vfCQKetgHOc3ngtqCvt+vkRBTDY9sRkqUMaQTZsz5pdyQBTKxFLei8PjQeGAJJupMPjqhdqpxGAkSjM77WwoBpHL3jBP8EYj+tdm2YlBtoTE2Wek4xYxUs7QL0TKNEf8pqnhoiMPzCUysRCkw5IhX2ccDv7eR3DXkpBJTva4qJ+K8Xzp6RqSeR/Q1sspFLdG6PlPIFR5Q7I6qdKrg826JcYoUGeVlLHdjjFyKsB8ayNC8sU8zfVM0u9W4fQoRoXC2BdO+E7pF/Q3F/FhnHJTfh20UJPu4i0SqRjJupBo1eHTTZ7m6AczD0DA7UQy7/EEATSlPVwWPSt5ROMw1fJ2ZWiN+Wl7h0DklhzSsWfNe6btAWvhlatWOxUUp5pasrFvMuhEEsf7ID27HOuHOXI7njbVDI6yf11r/G2vPJl7knB1D+lrpYM094W0pFN7Y5pdhQjOWJ4S4lu1IfkSpSAOEpllv/o4l6cEOCLgvvCnvrwyg6+DKePR93G0QuxaqGD3AepbcTC/2ATE8jan3m0eY1NNcld3GGH61eK0qeWDIWX/PFL7BehOHWeaFRm7m+vcuVylCsV4bDkVxi2+ZbThMsHo+E50BLwXRsTW4NW24pYHiwjWOPdYdDfORJE1FMd6naQNK5trp0R4cbQezYlKQnP58XO4G
+    URL: AgB6eHdrsTaC3a/SL5Sdp0IEvnl/tjkY/Wf4hgQT9oxGGrRIpaiC/hxs5kx0bXIISrRMpwaajlO88tUZBJ9STDXqUqge0nV45Cq1b2p4+3t03LIsYCYkbCrZ4OMmImxmAiV4SmF0mBHu1dhVXHzMzHhZDo/gwybyv1GPcdXP+P8DD2CX3asfTsvAJEvcSfWkauk+SLwiPkLuJSH6FP8c52jO80dboSeSmgpWvbknqB+umtQ9kRbvfD8+/5B9Kx3ROEZJMbv4FjugJ3dwswiKU2DuGwN8YVjQ7L60tWY+jbRHXi7sODIOBH3hcPhPTSE7mmqZo6g8qUsn0lhCcVV1Lx0rD/6zkNd16w4k2qpcY9vAKKL4wNp0W3e1hFSVrz6Xhv5wQwG9WM37+Am4d/QqRTiGgFfG+0O/BFh2oc4amKHHi/qjo9TonlZuJBddlVluQvBp30I6yK1wIyHCGs02nCBEt/b+Bra4NZISn+zfNRIYWwQGZJN3OH+oqMA8s4tN8rNeEh6HWBaLJk0+mbsBYViWW2m1ymiiYRy4oeAX+tpzr+04maldxLyND9NZyayOs9j3TMsVGk2/T6EaWj+lSyTTlhhadDJUFqxBVuRM4ToFORoL2ngwncGCWcF29ry/XMEDTpxaAt4m314j6QNXGn8F/yNVxltHEhfM+F4rmVQYLmUXfeDjLPo+O4wR7s6DilQuDqvyn4SwHcvnHm/jpKTeoYUKsHuwkUl38m8=
+  template:
+    metadata:
+      name: gitea-act-runner-secret
+      namespace: git-ops
+    type: Opaque

clusters/ipv6/git-ops/gitea-act/gitea-act.yml

@@ -0,0 +1,81 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: gitea-act-runner
+  name: gitea-act-runner
+  namespace: git-ops
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-act-runner
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: gitea-act-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: docker-certs
+        emptyDir: {}
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: gitea-act-runner-longhorn
+      - name: docker-ipv6
+        configMap:
+          name: docker-daemon-ipv6
+      containers:
+      - name: runner
+        image: gitea/act_runner@sha256:8477d5b61b655caad4449888bae39f1f34bebd27db56cb15a62dccb3dcf3a944
+        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-int-service.git-ops.svc.cluster.local 3000
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        - name: GITEA_INSTANCE_URL
+          valueFrom:
+            secretKeyRef:
+              key: URL
+              name: gitea-act-runner-secret
+        - name: GITEA_RUNNER_REGISTRATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: TOKEN
+              name: gitea-act-runner-secret
+        - name: CONFIG_FILE
+          value: "/data/config.yaml"
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        - name: runner-data
+          mountPath: /data
+      - name: daemon
+        image: docker:29.2.0-dind
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        - name: docker-ipv6
+          mountPath: /etc/docker/daemon.json
+          subPath: daemon.json

clusters/ipv6/git-ops/gitea-act/gitea-docker-daemon.yml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: docker-daemon-ipv6
+  namespace: git-ops
+data:
+  daemon.json: |
+    {
+      "ipv6": true,
+      "fixed-cidr-v6": "2001:db8:1::/64"
+    }

clusters/ipv6/git-ops/gitea/gitea-db-secret.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-db-secret
+  namespace: git-ops
+spec:
+  encryptedData:
+    password: AgBKu9EIjOgaDvb0k6TlZV0jF3ZlRgK0VmfmeKBwoYxqdoJeRyE8swEFF5gFcCHSkV4bPI4WM2SEsNtAbod484jJtJj+s5jOqZ4JghmxBHe/r8DVWdZvYBH4CThyheUFYqc4BrVWH506EDVpgaGaSpziuDsgPs4+p7hqfabFO5quzmbpkR+6gc9vVJej2ekNbYWQ4HHXKqWFi3Q4c+G53bpGXwrod8r1xuWIKZxDk3DjQbOTy9wy/X+cR0O4kDR4ZnjCZhq7sKUlDNdv5VfxBRoy48k+qBWbg1alwLhKlYJfZyeC0zz9sfIeIhy49a3JhC9blaiteKl8rxKTTsCRLQMackm+dkACdA7aIt93UZuC/Bkfr0zuCzRpPDa+nsztI4etLlsZWUKY4IOJTe6LTR09/jivekWysaLN9U0Ax8DSJYaW9Mu97uvg7q5a8HCmCh/Eyaqjc/PtV/lTzmVu9v5Y2QU+KbKrjy2K6TgR71i1XMfIYJti1atsC6ZQSufGDZX/cFftELQoL2Kmsr6cpHkjOOlRR5kCHZHZny3UMZi4cMZLJ/5eThPyuWuzep5/fF25WjK2CFckJAxuisc1GvYU7NAHVxbFL4fPCEijbvHArMkRohc4cc6y+0SbIibxL3+jazOh2rRZMyYqoX++qLRHAs4pKLMNTAf2htsTodTWzIDD0Io0Tx37eIl/lxHQGnH9bEWn3BKbr2bX
+  template:
+    metadata:
+      name: gitea-db-secret
+      namespace: git-ops
+    type: Opaque

clusters/ipv6/git-ops/gitea/gitea-db.yml

@@ -0,0 +1,51 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: gitea-db
+  namespace: git-ops
+spec:
+  selector:
+    matchLabels:
+      app: gitea-db
+  serviceName: gitea-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: gitea-db
+    spec:
+      initContainers:
+      - name: init-cleanup
+        image: busybox
+        command: ["rm", "-rf", "/var/lib/postgresql/lost+found"]
+        volumeMounts:
+        - name: gitea-db
+          mountPath: /var/lib/postgresql
+      containers:
+      - name: gitea-db
+        image: postgres:18
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          value: "gitea"
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-db-secret
+              key: password
+        - name: POSTGRES_DB
+          value: "gitea"
+        volumeMounts:
+        - name: gitea-db
+          mountPath: /var/lib/postgresql
+  volumeClaimTemplates:
+  - metadata:
+      name: gitea-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/ipv6/git-ops/gitea/gitea-ingress-route.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: git-ops
+spec:
+  entryPoints:
+    - ssh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-int-service
+          port: 22

clusters/ipv6/git-ops/gitea/gitea-ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+  namespace: git-ops
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare 
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - gitea.akshun-lab.cc
+    secretName: gitea-tls
+  rules:
+  - host: gitea.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea-int-service
+            port:
+              number: 3000

clusters/ipv6/git-ops/gitea/gitea-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-app-longhorn
+  namespace: git-ops
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn

clusters/ipv6/git-ops/gitea/gitea-svc.yml

@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-int-service
+  namespace: git-ops
+spec:
+  selector:
+    app: gitea-app
+  ports:
+    - protocol: TCP
+      port: 3000
+      targetPort: 3000
+      name: http
+    - protocol: TCP
+      port: 22
+      targetPort: 22
+      name: ssh
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-db
+  namespace: git-ops
+spec:
+  ports:
+    - port: 5432
+      targetPort: 5432
+  selector:
+    app: gitea-db
+  clusterIP: None
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-lb-service
+  namespace: git-ops
+spec:
+  selector:
+    app: gitea-app
+  ports:
+  - port: 3000
+    targetPort: 3000
+    name: http
+  - port: 22
+    targetPort: 22
+    name: ssh
+  type: LoadBalancer

clusters/ipv6/git-ops/gitea/gitea.yml

@@ -0,0 +1,67 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-app
+  namespace: git-ops
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-app
+  template:
+    metadata:
+      labels:
+        app: gitea-app
+    spec:
+      containers:
+      - name: gitea
+        image: gitea/gitea:1.25.4
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-db.git-ops.svc.cluster.local 5432
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
+        ports:
+        - containerPort: 22
+          name: ssh
+        - containerPort: 3000
+          name: http
+        env:
+        - name: USER_UID
+          value: "1000"
+        - name: USER_GID
+          value: "1000"
+        - name: GITEA__database__DB_TYPE
+          value: "postgres"
+        - name: GITEA__database__HOST
+          value: "gitea-db.git-ops.svc.cluster.local:5432"
+        - name: GITEA__database__NAME
+          value: "gitea"
+        - name: GITEA__database__USER
+          value: "gitea"
+        - name: GITEA__database__PASSWD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-db-secret
+              key: password
+        volumeMounts:
+        - name: gitea-data
+          mountPath: /data
+        - name: localtime
+          mountPath: /etc/localtime
+      volumes:
+      - name: localtime
+        hostPath:
+          path: /etc/localtime
+          type: File
+      - name: gitea-data
+        persistentVolumeClaim:
+          claimName: gitea-app-longhorn

clusters/ipv6/git-ops/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: git-ops
+  labels:
+    name: git-ops

clusters/ipv6/git-ops/semaphore/semaphore-configmap.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: semaphore-config
+  namespace: git-ops
+data:
+  SEMAPHORE_DB_USER: "semaphore"
+  SEMAPHORE_DB_HOST: "semaphore-db"
+  SEMAPHORE_DB_PORT: "3306"
+  SEMAPHORE_DB_DIALECT: "mysql"
+  SEMAPHORE_DB: "semaphore"
+  SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore"
+  SEMAPHORE_ADMIN_NAME: "admin"
+  SEMAPHORE_ADMIN_EMAIL: "aggarwalakshun@gmail.com"
+  SEMAPHORE_ADMIN: "admin"
+  SEMAPHORE_LDAP_ACTIVATED: "'no'"

clusters/ipv6/git-ops/semaphore/semaphore-db.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    matchLabels:
+      app: semaphore-db
+  serviceName: semaphore-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: semaphore-db
+    spec:
+      containers:
+      - name: mysql
+        image: mysql:9.6.0
+        ports:
+        - containerPort: 3306
+        env:
+        - name: MYSQL_RANDOM_ROOT_PASSWORD
+          value: "'yes'"
+        - name: MYSQL_DATABASE
+          value: "semaphore"
+        - name: MYSQL_USER
+          value: "semaphore"
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: mysql_password
+        volumeMounts:
+        - name: semaphore-db
+          mountPath: /var/lib/mysql
+  volumeClaimTemplates:
+  - metadata:
+      name: semaphore-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/ipv6/git-ops/semaphore/semaphore-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: semaphore-ingress
+  namespace: git-ops
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - semaphore.akshun-lab.cc
+    secretName: semaphore-tls
+  rules:
+  - host: semaphore.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: semaphore-service
+            port:
+              number: 3000

clusters/ipv6/git-ops/semaphore/semaphore-secret.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: semaphore-secrets
+  namespace: git-ops
+spec:
+  encryptedData:
+    admin_password: AgCrz8xGMEZnq9vrjTHbhQP3vtxKJO/uv1VpsCWFvQ5c+69kgg7lB89zRhUp7aYqyzqbeX9DrCqCgRw5Q7Mo3llAVkWfOKoDF+qnpneSGJybqghZDdw8y08ca68COhF2cc6WwqJ7V20Eb2xndqdJ5kOuMw22Frrnzwds34JzdpJDRKcbAcOi1nq1o/pawwvQdYnrN0IoOCIKymzaB0iU9UMZ3mrnEvtWKQwm/O30aRqgpYg0UkJGTdeeW49So2J4EsAJQTTrO8NOtijuay89Fw9KQM/jmvohW9kO904TvhBU43bns8CZughw729GE66LMvi7wqUALBiVR5OxfZXf9QubKXjqTTQ3QW1s1HLtaChvGfSkY3tTETSj88iOzZNJ4LMvGznd59c4yH12xbD69qtRRNn1+sd15pYi+Nvs+qk44mg1HHQqmrDTMOerxz2/VinZwjHqPl+DtEsc7lXyyq+jPho8w6zNim2v+B+71eHGQhQHyvJPppuOdzNIopg0z4QWI3gtCT+7p/csllQuhIYGeg0+58ehKvmMdF51fXuiZVeGt0oPduLJGqgW8swoRof2AYyxf6zl5aMMCODtq+gK36AXdf+kP+UZaSWxIjiwcGFUf+iHYlJCk4+In3UG/eL60hOgv51OXbPElpIOa8h+xx/HKgHw0NEqFRnWvq4TOOJCr2JWfZEeSkzVrF74ENLOwJSRGVRYlCLM0g==
+    key: AgDytsmfBapOazPJ0R3xPyrgXNYZnOpElZ7VH0f9OGKq4FPrKsYuitPbWg5u+6n34dO6GkzJ72538AeY18/jmn7GvWLrRd+v/YA1vTmvVKmVYuavXNoy96+yV8SSJHPYf59QukynWlTkosHz6EK6M8Ny8fIhuoiuT2yUd2i5WaHPyx1zx0UWSMCij4h69ixJNBdHpCR/a/At+ek/SzVqlOUq0bGw2YXhOumeO7yVhIDt/GeKTIAuTzBwWGHlZ/oYm9991WuFS+MHtiCHWNdiwjaKPhSjIK1B5tvb1/myk1ZndgKgdKS0NOpJiXtwvx1gyVkLWCEkgxWmGR48kNXM4KiX3JPXT7D+CowPM/Vj2uju7jB8HW3+PHorWdbL3nLaFMbhGE4p48FkD45cc9JNYEyoW8nfUdQlfIjVL+3rIsp7hQpBVARKeRFwTWaUtclLmCC5ucp9/1BhZ+dKTY2vt26129YBp3dX0hRnH22vpJsroU+vEgJPI7VsH4xbyVYNBgkY6Ajsi1QpfjtBwk2jw+0lqD0o0JB0yjnrnrc840PJaQD+7Gl55r091kT7CQdKKuOVWoHY2XXIQWC1W88xXGhg2GIAxvtKdT+ldU/5vb02vrMv0hIPH3HH33124nRrvbLIUadjwhL9KYH2BBBRVBLRKeHPv45uNNGi6Hyt+TDBzF+27HNXHBsm1OO+YFUPHt9G6EQcjKtSLcBfiw9chMSTIZvYp74cGxg=
+    mysql_password: AgB+L9KqFIBNq0O0aTEQ9v8yWBIlxObRh5FJfLa+PIPAHLsPhGLwQrK5iM+y+D2izanLYaXszCD6g/O8NQoSmS2e5V/+BA9NOxf01tTxam3R4kaueJhK41na16pFVXVu8EKz15Tp7HtWAtwgDCirGCsa/1U42L1890OcgaKE3m7jUX43vYhQVlma2m2T16diog5Usri1edLPChHSxtvJVQlb65Qq38nyuS/c42YIIPAnkZpRqdjge8cygVzCZU0xm1qN5zjevW1I2K1AWgfSnlAReFgB2f8SfACgI4e6Bi4FMfZjnOc/j8yvKGFU8mppl269965D8Im9bnVnVUmXSgIW5G5Vr+I0x5uZ9Y50BoL6G6T4sXy6gsRmk/OsOuZdBxn60VyfTWcHfzh1B8/7oRESUGXCKYBAZdlCeT01RCC8ozNvTCM/4jdrvaoK27vWGjgG2Roaghvv3bi88pnI6AidRU6EhlQblC9uUfb+tbziWs83V/p7c7OJZyl/IeF8gMM1+Nx5lFN0paqxa04C/GTqU+ZfzzMC5tKXm6Um5ZqVxLahHyYcajS00V+/gr/PADP/sboPvoUk+V6VOR3+Yqm4qvRHJ1uy/lty3H6cKQnlLGx7U9jC9uZzCICXzUEnA8mDL21V+Js5ejsvYM60IJyZ6SD9GO5NhKzWYqiEGIvJPf61OA2xix6EA/4Ya9T0qvJuXPV2AxZW1Ef4KQ==
+  template:
+    metadata:
+      name: semaphore-secrets
+      namespace: git-ops
+    type: Opaque

clusters/ipv6/git-ops/semaphore/semaphore-svc.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore-service
+  namespace: git-ops
+spec:
+  selector:
+    app: semaphore
+  ports:
+  - name: http
+    port: 3000
+    targetPort: 3000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    app: semaphore-db
+  ports:
+  - port: 3306
+    targetPort: 3306
+  clusterIP: None

clusters/ipv6/git-ops/semaphore/semaphore.yml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: semaphore
+  namespace: git-ops
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: semaphore
+  template:
+    metadata:
+      labels:
+        app: semaphore
+    spec:
+      containers:
+      - name: semaphore
+        image: public.ecr.aws/semaphore/pro/server:v2.16.51
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z semaphore-db.git-ops.svc.cluster.local 3306
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
+        ports:
+        - name: http
+          containerPort: 3000
+        envFrom:
+        - configMapRef:
+            name: semaphore-config
+        env:
+        - name: SEMAPHORE_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: admin_password
+        - name: SEMAPHORE_DB_PASS
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: mysql_password
+        - name: SEMAPHORE_ACCESS_KEY_ENCRYPTION
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: key

clusters/ipv6/gpu-operator/intel/intel-device-operator.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: device-plugin-operator
+  namespace: gpu-operator
+spec:
+  interval: 24h
+  chart:
+    spec:
+      chart: intel-device-plugins-operator
+      version: "0.34.1"
+      sourceRef:
+        kind: HelmRepository
+        name: intel
+        namespace: flux-system
+      interval: 24h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+

clusters/ipv6/gpu-operator/intel/intel-plugin-operator.yml

@@ -0,0 +1,29 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gpu-device-plugin
+  namespace: gpu-operator
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: intel-device-plugins-gpu
+      version: "0.34.1"
+      sourceRef:
+        kind: HelmRepository
+        name: intel
+        namespace: flux-system
+      interval: 6h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    sharedDevNum: 4
+    nodeFeatureRule: false
+    nodeSelector:
+      intel.feature.node.kubernetes.io/gpu: 'true'
+

clusters/ipv6/gpu-operator/intel/intel-repo.yml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: intel
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://intel.github.io/helm-charts
+

clusters/ipv6/gpu-operator/nvidia/gpu-operator-configmap.yml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: time-slicing-config
+  namespace: gpu-operator
+data:
+  any: |-
+    version: v1
+    flags:
+      migStrategy: none
+    sharing:
+      timeSlicing:
+        resources:
+        - name: nvidia.com/gpu
+          replicas: 4
+
+# remember to patch the cluster policy to use this configmap
+# kubectl patch clusterpolicy/cluster-policy -n gpu-operator --type merge -p '{"spec": {"devicePlugin": {"config": {"name": "time-slicing-config", "default": "any"}}}}'

clusters/ipv6/gpu-operator/nvidia/gpu-operator-policy.yml

@@ -0,0 +1,289 @@
+apiVersion: nvidia.com/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    meta.helm.sh/release-name: gpu-operator
+    meta.helm.sh/release-namespace: gpu-operator
+  generation: 2
+  labels:
+    app.kubernetes.io/component: gpu-operator
+    app.kubernetes.io/instance: gpu-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gpu-operator
+    app.kubernetes.io/version: v25.3.2
+    helm.sh/chart: gpu-operator-v25.3.2
+    helm.toolkit.fluxcd.io/name: gpu-operator
+    helm.toolkit.fluxcd.io/namespace: gpu-operator
+  name: cluster-policy
+spec:
+  ccManager:
+    defaultMode: "off"
+    enabled: false
+    env: []
+    image: k8s-cc-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.1.1
+  cdi:
+    default: false
+    enabled: false
+  daemonsets:
+    labels:
+      app.kubernetes.io/managed-by: gpu-operator
+      helm.sh/chart: gpu-operator-v25.3.2
+    priorityClassName: system-node-critical
+    rollingUpdate:
+      maxUnavailable: "1"
+    tolerations:
+    - effect: NoSchedule
+      key: nvidia.com/gpu
+      operator: Exists
+    updateStrategy: RollingUpdate
+  dcgm:
+    enabled: false
+    image: dcgm
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: 4.2.3-1-ubuntu22.04
+  dcgmExporter:
+    enabled: true
+    env:
+    - name: DCGM_EXPORTER_LISTEN
+      value: :9400
+    - name: DCGM_EXPORTER_KUBERNETES
+      value: "true"
+    - name: DCGM_EXPORTER_COLLECTORS
+      value: /etc/dcgm-exporter/dcp-metrics-included.csv
+    image: dcgm-exporter
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/k8s
+    serviceMonitor:
+      additionalLabels: {}
+      enabled: false
+      honorLabels: false
+      interval: 15s
+      relabelings: []
+    version: 4.2.3-4.1.3-ubuntu22.04
+  devicePlugin:
+    config:
+      default: any
+      name: time-slicing-config
+    enabled: true
+    env:
+    - name: PASS_DEVICE_SPECS
+      value: "true"
+    - name: FAIL_ON_INIT_ERROR
+      value: "true"
+    - name: DEVICE_LIST_STRATEGY
+      value: envvar
+    - name: DEVICE_ID_STRATEGY
+      value: uuid
+    - name: NVIDIA_VISIBLE_DEVICES
+      value: all
+    - name: NVIDIA_DRIVER_CAPABILITIES
+      value: all
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  driver:
+    certConfig:
+      name: ""
+    enabled: false
+    image: driver
+    imagePullPolicy: IfNotPresent
+    kernelModuleConfig:
+      name: ""
+    licensingConfig:
+      configMapName: ""
+      nlsEnabled: true
+    manager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "true"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      - name: DRAIN_USE_FORCE
+        value: "false"
+      - name: DRAIN_POD_SELECTOR_LABEL
+        value: ""
+      - name: DRAIN_TIMEOUT_SECONDS
+        value: 0s
+      - name: DRAIN_DELETE_EMPTYDIR_DATA
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    rdma:
+      enabled: false
+      useHostMofed: false
+    repoConfig:
+      configMapName: ""
+    repository: nvcr.io/nvidia
+    startupProbe:
+      failureThreshold: 120
+      initialDelaySeconds: 60
+      periodSeconds: 10
+      timeoutSeconds: 60
+    upgradePolicy:
+      autoUpgrade: true
+      drain:
+        deleteEmptyDir: false
+        enable: false
+        force: false
+        timeoutSeconds: 300
+      maxParallelUpgrades: 1
+      maxUnavailable: 25%
+      podDeletion:
+        deleteEmptyDir: false
+        force: false
+        timeoutSeconds: 300
+      waitForCompletion:
+        timeoutSeconds: 0
+    useNvidiaDriverCRD: false
+    usePrecompiled: false
+    version: 570.148.08
+    virtualTopology:
+      config: ""
+  gdrcopy:
+    enabled: false
+    image: gdrdrv
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v2.5
+  gfd:
+    enabled: true
+    env:
+    - name: GFD_SLEEP_INTERVAL
+      value: 60s
+    - name: GFD_FAIL_ON_INIT_ERROR
+      value: "true"
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  hostPaths:
+    driverInstallDir: /run/nvidia/driver
+    rootFS: /
+  kataManager:
+    config:
+      artifactsDir: /opt/nvidia-gpu-operator/artifacts/runtimeclasses
+      runtimeClasses:
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.54.03
+        name: kata-nvidia-gpu
+        nodeSelector: {}
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.86.10-snp
+        name: kata-nvidia-gpu-snp
+        nodeSelector:
+          nvidia.com/cc.capable: "true"
+    enabled: false
+    image: k8s-kata-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.2.3
+  mig:
+    strategy: single
+  migManager:
+    config:
+      default: all-disabled
+      name: default-mig-parted-config
+    enabled: true
+    env:
+    - name: WITH_REBOOT
+      value: "false"
+    gpuClientsConfig:
+      name: ""
+    image: k8s-mig-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.12.2-ubuntu20.04
+  nodeStatusExporter:
+    enabled: false
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  operator:
+    defaultRuntime: docker
+    initContainer:
+      image: cuda
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia
+      version: 12.8.1-base-ubi9
+    runtimeClass: nvidia
+  psa:
+    enabled: false
+  sandboxDevicePlugin:
+    enabled: true
+    image: kubevirt-gpu-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v1.3.1
+  sandboxWorkloads:
+    defaultWorkload: container
+    enabled: false
+  toolkit:
+    enabled: true
+    env:
+    - name: CONTAINERD_SOCKET
+      value: /run/k3s/containerd/containerd.sock
+    - name: CONTAINERD_CONFIG
+      value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml
+    image: container-toolkit
+    imagePullPolicy: IfNotPresent
+    installDir: /usr/local/nvidia
+    repository: nvcr.io/nvidia/k8s
+    version: v1.17.8-ubuntu20.04
+  validator:
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    plugin:
+      env:
+      - name: WITH_WORKLOAD
+        value: "false"
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  vfioManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: true
+    image: cuda
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: 12.8.1-base-ubi9
+  vgpuDeviceManager:
+    config:
+      default: default
+      name: ""
+    enabled: true
+    image: vgpu-device-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.3.0
+  vgpuManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: false
+    image: vgpu-manager
+    imagePullPolicy: IfNotPresent

clusters/ipv6/gpu-operator/nvidia/gpu-operator-release.yml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gpu-operator
+  namespace: gpu-operator
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: gpu-operator
+      version: "v25.10.1"
+      sourceRef:
+        kind: HelmRepository
+        name: nvidia
+        namespace: flux-system
+      interval: 6h
+  install:
+    createNamespace: true
+  upgrade:
+    remediation:
+      remediateLastFailure: true
+  values:
+    driver:
+      enabled: false
+    toolkit:
+      env:
+      - name: CONTAINERD_SOCKET
+        value: /run/k3s/containerd/containerd.sock
+      - name: CONTAINERD_CONFIG
+        value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml

clusters/ipv6/gpu-operator/nvidia/gpu-operator-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nvidia
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://helm.ngc.nvidia.com/nvidia

clusters/ipv6/kube-system/sealed-secrets/sealed-secrets-release.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: sealed-secrets
+  namespace: kube-system
+spec:
+  chart:
+    spec:
+      chart: sealed-secrets
+      sourceRef:
+        kind: HelmRepository
+        name: sealed-secrets
+        namespace: flux-system
+      version: '>=1.15.0-0'
+  install:
+    crds: Create
+  interval: 6h
+  releaseName: sealed-secrets-controller
+  upgrade:
+    crds: CreateReplace
+  values:
+    networkPolicy:
+      enabled: true

clusters/ipv6/kube-system/sealed-secrets/sealed-secrets-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: sealed-secrets
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://bitnami-labs.github.io/sealed-secrets

clusters/ipv6/kube-system/traefik/traefik-release.yml

@@ -0,0 +1,93 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  chart:
+    spec:
+      chart: traefik
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+      version: '39.0.0'
+  install:
+    crds: Create
+  interval: 6h
+  releaseName: traefik
+  upgrade:
+    crds: CreateReplace
+  values:
+    deployment:
+      enabled: true
+      kind: DaemonSet
+    updateStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxUnavailable: 1
+        maxSurge: 0
+
+    hostNetwork: true
+
+    service:
+      enabled: false
+
+    securityContext:
+      capabilities:
+        add:
+          - NET_BIND_SERVICE
+      readOnlyRootFilesystem: true
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      fsGroup: 0
+
+    ports:
+      web:
+        port: 80
+        exposedPort: 80
+        protocol: TCP
+        expose:
+          default: true
+        http:
+          encodedCharacters:
+            allowEncodedSlash: true
+            allowEncodedQuestionMark: true
+
+      websecure:
+        port: 443
+        exposedPort: 443
+        protocol: TCP
+        expose:
+          default: true
+        http:
+          encodedCharacters:
+            allowEncodedSlash: true
+            allowEncodedQuestionMark: true
+
+      ssh:
+        port: 22
+        exposedPort: 22
+        protocol: TCP
+        expose:
+          default: true
+
+      metrics:
+        port: 9101
+        exposedPort: 9101
+        protocol: TCP
+        expose:
+          default: false
+
+      traefik:
+        port: 8081
+        exposedPort: 8081
+        protocol: TCP
+        expose:
+          default: false
+
+    providers:
+      kubernetesCRD: {}
+      kubernetesIngress: {}

clusters/ipv6/kube-system/traefik/traefik-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://traefik.github.io/charts

clusters/ipv6/longhorn-system/longhorn-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - longhorn.akshun-lab.cc
+    secretName: longhorn-tls
+  rules:
+  - host: longhorn.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: longhorn-frontend
+            port:
+              number: 80

clusters/ipv6/longhorn-system/longhorn-release.yml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: longhorn
+      version: "1.11.0"
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+        namespace: flux-system
+      interval: 6h
+  install:
+    createNamespace: true
+  upgrade:
+    remediation:
+      remediateLastFailure: true
+  values:
+    persistence:
+      defaultClass: false
+      reclaimPolicy: Retain
+    ingress:
+      enabled: false
+    service:
+      ui:
+        type: LoadBalancer