diff --git a/applications/10-replicator/replicator.yaml b/applications/10-replicator/replicator.yaml index c81ad23..9727660 100644 --- a/applications/10-replicator/replicator.yaml +++ b/applications/10-replicator/replicator.yaml @@ -89,4 +89,3 @@ spec: automated: prune: true selfHeal: true - diff --git a/applications/20-databases/databases.yaml b/applications/20-databases/databases.yaml deleted file mode 100644 index a0a1858..0000000 --- a/applications/20-databases/databases.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: home-server-databases - namespace: argocd -spec: - generators: - - list: - elements: - - name: mariadb-operators - path: applications/20-databases/mariadb-operators - wave: 1 - #- name: postgresql - # path: applications/20-databases/postgresql - # wave: 1 - #- name: influxdb - # path: applications/20-databases/influxdb - # wave: 1 - #- name: redis - # path: applications/20-databases/redis - # wave: 1 - - name: mariadb-database - path: applications/20-databases/mariadb-database - wave: 2 - template: - metadata: - name: '{{.name}}' - spec: - project: default - source: - repoURL: 'https://repobase.net/j/home-server.git' - targetRevision: HEAD - path: '{{.path}}' - destination: - server: 'https://kubernetes.default.svc' - namespace: database - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - - SyncWave={{.wave}} diff --git a/applications/20-databases/influxdb/influxdb.yaml b/applications/20-databases/influxdb/influxdb.yaml deleted file mode 100644 index a70d171..0000000 --- a/applications/20-databases/influxdb/influxdb.yaml +++ /dev/null @@ -1,77 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: influxdb-pvc - namespace: database -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi - ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: influxdb-pv - namespace: database -spec: - capacity: - storage: 20Gi - accessModes: - - ReadWriteOnce - storageClassName: local-storage - hostPath: - path: /dpool/services/influxdb/data - type: DirectoryOrCreate - persistentVolumeReclaimPolicy: Retain - nodeAffinity: - required: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: - - dck.hxme.net - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: influxdb - namespace: database -spec: - replicas: 1 - selector: - matchLabels: - app: influxdb - template: - metadata: - labels: - app: influxdb - spec: - containers: - - name: influxdb - image: influxdb:2.7.12 - ports: - - containerPort: 8086 - volumeMounts: - - name: influxdb-storage - mountPath: /var/lib/influxdb2 - env: - - name: DOCKER_INFLUXDB_INIT_MODE - value: "setup" - - name: DOCKER_INFLUXDB_INIT_USERNAME - value: "admin" - - name: DOCKER_INFLUXDB_INIT_PASSWORD - value: "adminpassword" - - name: DOCKER_INFLUXDB_INIT_ORG - value: "myorg" - - name: DOCKER_INFLUXDB_INIT_BUCKET - value: "mybucket" - volumes: - - name: influxdb-storage - persistentVolumeClaim: - claimName: influxdb-pvc diff --git a/applications/20-databases/mariadb-database/database.yaml b/applications/20-databases/mariadb-database/database.yaml deleted file mode 100644 index 77be256..0000000 --- a/applications/20-databases/mariadb-database/database.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: k8s.mariadb.com/v1alpha1 -kind: MariaDB -metadata: - name: mariadb - namespace: database -spec: - rootPasswordSecretKeyRef: - name: db-secrets - key: db-root-password - - storage: - size: 5Gi diff --git a/applications/20-databases/mariadb-operators/mariadb.yaml b/applications/20-databases/mariadb-operators/mariadb.yaml deleted file mode 100644 index 51ba483..0000000 --- a/applications/20-databases/mariadb-operators/mariadb.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mariadb-operator-crds - namespace: argocd -spec: - project: default - source: - repoURL: "https://charts.mariadb.com/mariadb-operator" - chart: "mariadb-operator-crds" - targetRevision: "0.38.1" - helm: - releaseName: "mariadb-operator-crds" - destination: - server: "https://kubernetes.default.svc" - namespace: database - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - - ApplyOutOfSyncOnly=true - - SkipHooks=false - - SyncWave=0 # ensure this is applied first - ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mariadb-operator - namespace: argocd -spec: - project: default - source: - repoURL: "https://charts.mariadb.com/mariadb-operator" - chart: "mariadb-operator" - targetRevision: "0.38.1" - helm: - releaseName: "mariadb-operator" - destination: - server: "https://kubernetes.default.svc" - namespace: database - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - - ApplyOutOfSyncOnly=true - - SkipHooks=false - - SyncWave=1 # ensure this waits for mariadb-operator-crds diff --git a/applications/20-databases/postgresql/postgresql.yaml b/applications/20-databases/postgresql/postgresql.yaml deleted file mode 100644 index 5f65a9d..0000000 --- a/applications/20-databases/postgresql/postgresql.yaml +++ /dev/null @@ -1,145 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: postgres-pv - namespace: database -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - storageClassName: local-path - hostPath: - path: /dpool/services/postgres/data - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: postgres-pvc - namespace: database -spec: - accessModes: - - ReadWriteOnce - storageClassName: local-path - resources: - requests: - storage: 5Gi - volumeName: postgres-pv - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: postgres - namespace: database -spec: - replicas: 1 - selector: - matchLabels: - app: postgres - template: - metadata: - labels: - app: postgres - spec: - nodeSelector: - role: dck - containers: - - name: postgres - image: postgres:15 - ports: - - containerPort: 5432 - envFrom: - - secretRef: - name: postgres-secret - volumeMounts: - - name: postgres-data - mountPath: /var/lib/postgresql/data - volumes: - - name: postgres-data - persistentVolumeClaim: - claimName: postgres-pvc - ---- -apiVersion: v1 -kind: Service -metadata: - name: postgres - namespace: database -spec: - selector: - app: postgres - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: postgres-backup-pv -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - storageClassName: local-path - hostPath: - path: /dpool/services/postgres/backup - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: postgres-backup-pvc - namespace: database -spec: - accessModes: - - ReadWriteOnce - storageClassName: local-path - resources: - requests: - storage: 5Gi - - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: postgres-backup - namespace: database -spec: - schedule: "0 2 * * *" # Every day at 2 AM - jobTemplate: - spec: - template: - spec: - nodeSelector: - role: dck - restartPolicy: OnFailure - containers: - - name: pg-backup - image: postgres:15 - envFrom: - - secretRef: - name: postgres-secret - command: - - /bin/sh - - -c - - | - mkdir -p /backup - PGPASSWORD=$POSTGRES_PASSWORD pg_dump -U $POSTGRES_USER -h localhost $POSTGRES_DB > /backup/backup-$(date +'%Y-%m-%d').sql - volumeMounts: - - name: backup-volume - mountPath: /backup - volumes: - - name: backup-volume - persistentVolumeClaim: - claimName: postgres-backup-pvc - - - diff --git a/applications/20-databases/redis/redis.yaml b/applications/20-databases/redis/redis.yaml deleted file mode 100644 index 5c6f090..0000000 --- a/applications/20-databases/redis/redis.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis - namespace: database -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - nodeSelector: - role: dck - containers: - - name: redis - image: redis:7 - ports: - - containerPort: 6379 - volumeMounts: - - name: redis-data - mountPath: /data - volumes: - - name: redis-data - hostPath: - path: /dpool/services/redis/data - type: DirectoryOrCreate - ---- -apiVersion: v1 -kind: Service -metadata: - name: redis - namespace: database -spec: - selector: - app: redis - ports: - - port: 6379 - targetPort: 6379 - diff --git a/applications/30-domain-names/bind.yaml b/applications/30-domain-names/bind.yaml deleted file mode 100644 index b77a3ba..0000000 --- a/applications/30-domain-names/bind.yaml +++ /dev/null @@ -1,138 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: bind-master-config - namespace: home-server -data: - named.conf: | - include "/etc/bind/externaldns-key.conf"; - - options { - directory "/var/cache/bind"; - - recursion yes; - allow-query { any; }; - - listen-on port 53 { any; }; - listen-on-v6 port 53 { any; }; - - forwarders { - 10.40.0.254; - }; - - dnssec-validation auto; - }; - - zone "." IN { - type hint; - file "/usr/share/dns/root.hints"; - }; - - zone "hxme.net." IN { - type master; - file "/etc/bind/db.hxme.net"; - allow-update { key "externaldns-key"; }; - }; - db.hxme.net: | - $TTL 3600 - @ IN SOA ns1.hxme.net. admin.hxme.net. ( - 1 ; Serial - 7200 ; Refresh - 1800 ; Retry - 1209600 ; Expire - 86400 ) ; Negative Cache TTL - ; - @ IN NS ns1.hxme.net. - ns1 IN A 10.40.0.110 - @ IN A 10.40.0.110 - www IN A 10.40.0.110 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: bind-master - namespace: home-server -spec: - selector: - matchLabels: - app: bind-master - template: - metadata: - labels: - app: bind-master - spec: - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - securityContext: - fsGroup: 999 - initContainers: - - name: fetch-root-hints - image: debian:12 - command: - - sh - - -c - - | - apt update && apt -y install curl - curl -sfSL https://www.internic.net/domain/named.cache -o /usr/share/dns/root.hints - volumeMounts: - - mountPath: /usr/share/dns - name: root-hints - containers: - - name: bind-master - image: internetsystemsconsortium/bind9:9.18 - command: ["named", "-g", "-c", "/etc/bind/named.conf"] - ports: - - containerPort: 53 - protocol: UDP - - containerPort: 53 - protocol: TCP - volumeMounts: - - name: config - mountPath: /etc/bind/named.conf - subPath: named.conf - - name: config - mountPath: /etc/bind/db.hxme.net - subPath: db.hxme.net - - name: dns-secrets - mountPath: /etc/bind/externaldns-key.conf - subPath: externaldns-key.conf - - name: bind-cache - mountPath: /var/cache/bind - - name: bind-rundir - mountPath: /var/run/named - - name: root-hints - mountPath: /usr/share/dns - volumes: - - name: dns-secrets - secret: - secretName: dns-secrets - - name: config - configMap: - name: bind-master-config - - name: bind-cache - emptyDir: {} - - name: bind-rundir - emptyDir: {} - - name: root-hints - emptyDir: {} - ---- -apiVersion: v1 -kind: Service -metadata: - name: bind-master - namespace: home-server -spec: - selector: - app: bind-master - ports: - - name: dns-udp - port: 53 - protocol: UDP - targetPort: 53 - - name: dns-tcp - port: 53 - protocol: TCP - targetPort: 53 - diff --git a/applications/30-domain-names/certmanager.yaml b/applications/30-domain-names/certmanager.yaml deleted file mode 100644 index 83befe8..0000000 --- a/applications/30-domain-names/certmanager.yaml +++ /dev/null @@ -1,76 +0,0 @@ ---- -# 1. cert-manager Helm chart -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cert-manager - namespace: argocd -spec: - project: default - source: - repoURL: "https://charts.jetstack.io" - chart: "cert-manager" - targetRevision: "v1.18.2" - helm: - releaseName: "cert-manager" - values: | - installCRDs: true - extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - destination: - server: "https://kubernetes.default.svc" - namespace: home-server - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - - ApplyOutOfSyncOnly=true - - SkipHooks=false - - SyncWave=0 # ensure cert-manager is installed first - ---- -# 2. ClusterIssuer -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-rfc2136 -spec: - acme: - email: admin@hxme.net - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-rfc2136 - solvers: - - dns01: - rfc2136: - nameserver: hawke.hxst.com.au:53 - tsigKeyName: "hxme-update-key" - tsigAlgorithm: HMACSHA512 - tsigSecretSecretRef: - name: hxme-update-key - key: hxme-update-key - ---- -# 3. Certificate -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: wildcard-hxme-net - namespace: home-server -spec: - secretName: wildcard-hxme-net - secretTemplate: - annotations: - replicator.v1.mittwald.de/replication-allowed: "true" - replicator.v1.mittwald.de/replicate-to: "home-media" - issuerRef: - name: letsencrypt-rfc2136 - kind: ClusterIssuer - commonName: "hxme.net" - dnsNames: - - "hxme.net" - - "*.hxme.net" - diff --git a/applications/30-domain-names/externaldns.yaml b/applications/30-domain-names/externaldns.yaml deleted file mode 100644 index c3a9736..0000000 --- a/applications/30-domain-names/externaldns.yaml +++ /dev/null @@ -1,78 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-dns -rules: - - apiGroups: [""] - resources: ["services","endpoints","pods"] - verbs: ["get","watch","list"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get","watch","list"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["list","watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "watch", "list"] - # Add DNS provider specific rules here if needed (e.g., for AWS IAM, GCP etc.) ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-dns-viewer -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-dns -subjects: - - kind: ServiceAccount - name: external-dns - namespace: home-server ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-dns - namespace: home-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-dns - namespace: home-server -spec: - replicas: 1 - selector: - matchLabels: - app: external-dns - template: - metadata: - labels: - app: external-dns - spec: - serviceAccountName: external-dns - containers: - - name: external-dns - image: bitnami/external-dns:latest - args: - - --source=service - - --source=ingress - - --provider=rfc2136 - - --rfc2136-host=bind-master.home-server.svc.cluster.local - - --rfc2136-port=53 - - --rfc2136-zone=hxme.net - - --rfc2136-tsig-secret=$(RFC2136_TSIG_SECRET) - - --rfc2136-tsig-secret-alg=hmac-sha256 - - --rfc2136-tsig-keyname=externaldns-key - - --policy=sync - - --registry=txt - - --txt-owner-id=my-cluster - env: - - name: RFC2136_TSIG_SECRET - valueFrom: - secretKeyRef: - name: dns-secrets - key: externaldns-secret - diff --git a/applications/40-database/mariadb.yaml b/applications/40-database/mariadb.yaml deleted file mode 100644 index 77be256..0000000 --- a/applications/40-database/mariadb.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: k8s.mariadb.com/v1alpha1 -kind: MariaDB -metadata: - name: mariadb - namespace: database -spec: - rootPasswordSecretKeyRef: - name: db-secrets - key: db-root-password - - storage: - size: 5Gi diff --git a/applications/50-authentik/authentik.yaml b/applications/50-authentik/authentik.yaml deleted file mode 100644 index 536546e..0000000 --- a/applications/50-authentik/authentik.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: authentik - namespace: argocd -spec: - project: default - source: - repoURL: "https://charts.goauthentik.io/" - chart: "authentik" - targetRevision: "2024.4.2" - helm: - releaseName: "authentik" - values: | - postgresql: - enabled: false - server: - ingress: - annotations: - external-dns.alpha.kubernetes.io/hostname: auth.hxme.net - tls: - - secretName: wildcard-hxme-net - hosts: - - auth.hxme.net - valueFiles: [] - valuesFrom: - - kind: Secret - name: authentik-values - destination: - server: "https://kubernetes.default.svc" - namespace: home-server - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/applications/50-nextcloud/nextcloud.yaml b/applications/50-nextcloud/nextcloud.yaml deleted file mode 100644 index 40fee2b..0000000 --- a/applications/50-nextcloud/nextcloud.yaml +++ /dev/null @@ -1,134 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nextcloud-pv -spec: - capacity: - storage: 10Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - storageClassName: local-path - hostPath: - path: /dpool/services/nextcloud/data ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-pvc - namespace: home-server -spec: - accessModes: - - ReadWriteOnce - storageClassName: local-path - resources: - requests: - storage: 10Gi - volumeName: nextcloud-pv ---- -apiVersion: v1 -kind: Service -metadata: - name: nextcloud - namespace: home-server -spec: - ports: - - port: 80 - selector: - app: nextcloud ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nextcloud - namespace: home-server -spec: - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - selector: - matchLabels: - app: nextcloud - template: - metadata: - labels: - app: nextcloud - spec: - containers: - - name: nextcloud - image: nextcloud:29 - env: - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: nextcloud-secrets - key: MYSQL_PASSWORD - - name: MYSQL_DATABASE - value: nextcloud - - name: MYSQL_USER - value: nextcloud - - name: MYSQL_HOST - value: nextcloud-db - ports: - - containerPort: 80 - volumeMounts: - - name: nextcloud-data - mountPath: /var/www/html - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - volumes: - - name: nextcloud-data - persistentVolumeClaim: - claimName: nextcloud-pvc - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: nextcloud - namespace: home-server - annotations: - external-dns.alpha.kubernetes.io/hostname: nc.hxme.net - nginx.ingress.kubernetes.io/server-snippet: | - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; -spec: - tls: - - hosts: - - nc.hxme.net - secretName: wildcard-hxme-net - rules: - - host: nc.hxme.net - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nextcloud - port: - number: 80 - - ---- -apiVersion: k8s.mariadb.com/v1alpha1 -kind: Grant -metadata: - name: nextcloud - namespace: database -spec: - databaseRef: - name: nextcloud - accountName: nextcloud@'%' - privileges: - - ALL - mariaDbRef: - name: mariadb - passwordSecretKeyRef: - name: nextcloud-secrets - key: MYSQL_PASSWORD - -