WIP: configure rook

.woodpecker/.cdh.yml

@@ -0,0 +1,34 @@
+# ----------------------------------------------
+# -- Check da helm pipeline
+# ----------------------------------------------
+when:
+  - event: cron
+    cron: nightly
+steps:
+  check badhouseplants:
+    image: ghcr.io/allanger/check-da-helm-helmfile-secrets:stable
+    secrets:
+      - sops_age_key
+    environment:
+      RUST_LOG: info
+    commands:
+      - cdh --kind helmfile -p $CI_WORKSPACE/helmfile.yaml --helmfile-environment badhouseplants -o --output html >> result.html
+  notification:
+    image: deblan/woodpecker-email
+    settings:
+      from: woody@badhouseplants.net
+      host: badhouseplants.net
+      skip_verify: true
+      no_starttls: false
+      username:
+        from_secret: smtp_username
+      password:
+        from_secret: smtp_password
+      recipients:
+        - allanger@badhouseplants.net
+      subject: CDH result
+      target: main
+      recipients_only: true
+      attachment: result.html
+    when:
+      - status: [success, failure]

.woodpecker/.helmfile.yml

@@ -0,0 +1,29 @@
+when:
+  event: push
+matrix:
+  ENVIRONMENT:
+    - badhouseplants
+    - etersoft
+steps:
+  diff:
+    image: ghcr.io/helmfile/helmfile:canary
+    secrets: [sops_age_key, kubeconfig_content]
+    when:
+      - branch:
+          exclude:
+            - main
+    commands:
+      - mkdir $HOME/.kube
+      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
+      - helmfile -e $ENVIRONMENT diff --suppress-secrets
+  apply:
+    image: ghcr.io/helmfile/helmfile:canary
+    secrets: [sops_age_key, kubeconfig_content]
+    when:
+      - branch:
+          include:
+            - main
+    commands:
+      - mkdir $HOME/.kube
+      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
+      - helmfile -e $ENVIRONMENT apply

Makefile

@@ -2,4 +2,3 @@ create_crb:
 	kubectl create clusterrolebinding drone-deployer-workaround \
 		--clusterrole=cluster-admin  \
   	--serviceaccount=drone-service:default
-

badhouseplants/helmfile.yaml

@@ -13,7 +13,7 @@ releases:
     createNamespace: true
 
   - <<: *longhorn
-    installed: false
+    installed: true
     namespace: longhorn-system
     createNamespace: true
 
@@ -48,18 +48,13 @@ releases:
     createNamespace: true
 
   - <<: *loki
-    installed: false
+    installed: true
     namespace: monitoring-system
     createNamespace: true
 
   - <<: *promtail
-    installed: false
-    namespace: monitoring-system
-    createNamespace: true
-
-  - <<: *bitwarden
     installed: true
-    namespace: bitwarden-application
+    namespace: monitoring-system
     createNamespace: true
 
   - <<: *redis
@@ -82,16 +77,35 @@ releases:
     namespace: database-service
     createNamespace: true
 
-  - <<: *mysql
-    installed: true
-    namespace: database-service
-    createNamespace: true
-
   - <<: *docker-mailserver
     installed: true
     namespace: mail-service
     createNamespace: true
 
+  - <<: *istio-gateway-resources
+    installed: true
+    namespace: istio-system
+    createNamespace: true
+
+  - <<: *vaultwarden
+    createNamespace: true
+    installed: true
+    namespace: vaultwarden-application
+
+  - <<: *woodpecker-ci
+    installed: true
+    namespace: woodpecker-ci
+    createNamespace: true
+
+  - <<: *rook-ceph
+    installed: true
+    namespace: rook-ceph
+    createNamespace: true
+
+  - <<: *rook-ceph-cluster
+    installed: true
+    namespace: rook-ceph-cluster
+    createNamespace: true
 
 bases:
   - ../environments.yaml

badhouseplants/values/secrets.vaultwarden.yaml

@@ -0,0 +1,27 @@
+vaultwarden:
+    smtp:
+        username: ENC[AES256_GCM,data:6kAu3et5PmRgZ7B/qQQKA/hwsubozpBEcuzA,iv:cqNO3VWKFRWqBRAFTf2AyMQskuZvcDghseT2PWEsCjA=,tag:nkzugvJTJ/KhLuldXxdBrg==,type:str]
+        password:
+            value: ENC[AES256_GCM,data:rTCIH4vU7sfCNu6FxfdfyPKKQ01MQHBM0g==,iv:ZKD98V5W1GH0NZCfYG86AdFhbe8Ig+nCHFdU0NGcQT4=,tag:cL3fSAKntmWZ/QvSPYwbvw==,type:str]
+    adminToken:
+        value: ENC[AES256_GCM,data:PT62LcyiNqW1NVeuZ5+HTj8fzwSwuD1av/Z8S2GnR6j62+F8/aibhW/ATFG92chw++w=,iv:LnaRBem4dsggV4u4IlNjlWY301ajAHot2D259Y383m0=,tag:f24QDtGrtNJFA95Qo6Umqg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL0RuQitFb0dPajRpSHRo
+            WnhUa3BOazVHSTE5STRNMGQ2eWUxaXhvNEJVCmtpMjE2Q3hyQzhDSTBObUgwQXV3
+            dmhvYmUvL05QUGd6Umx5QjRhMVFmcHMKLS0tIEtkTDc1ZVcxOWRqRzlzdTM1WG5a
+            U25tMkxQS1gzcyt6R2NkZnVLRVVoOWMKZSaIZxzTlYim2kmiHrQcgRu9XmWelRkT
+            HZZmSa0L9yEdksUCK3+iqjCZhQBYc/6qJHRYvuAaJ+/hs5RxuLUr8g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-25T19:33:37Z"
+    mac: ENC[AES256_GCM,data:Fl9x8f4YlhAciCdRNRWukK4lj/OqP+TJ8+xEXUSb+1FqUAv/aHocy/f3IuzEhgq/+i9RSKORy2+glYBdK+tL50FzaPQCXz9YgYMtshsIkfkVIw2j9R7sqs5Uo5fQ6g5V3ir5/czb8FSqoS7S+2onyHxZawuG1XCWYPPLATVrKa8=,iv:7K6NABns5rzYIJgthRxqkGD5bQXKPhgIxoCs2ZS0JGY=,tag:FvTTObosyFZom45xuVABog==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

badhouseplants/values/secrets.woodpecker-agent.yaml

@@ -0,0 +1,23 @@
+env:
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:cJoxJw6c6FYZ337i5P6dGUzLmgUn9Z+/Ed9aUK76WYnB8m0D9h5IlAlOfCQ=,iv:1BgxKsaI3dhhPNkZbpHKBn6GXadn1RD+3Q4RwKLfmcU=,tag:y8qLWwpVAwKrOWN1cC2ulw==,type:str]
+    WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:VdWASwxPurzmfSjb2h8wBw3XbZSfG9UG0jmXSbTBPreZ+l7UQblI/wqr8Tw=,iv:APNuiqimA/ofCWsvywj+SJedQBMgRoCd65Gd3Ps2/fw=,tag:ATLGT4ACZ2GR46qD9ABUng==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRFNvdnBsSHFBcjlGcGl1
+            RnU1NEpZekpucTNCZHBGcXdBakhkU1drb2dZClVYZ2xMVUJiOXV2enlBbm1TS2Mz
+            ZnZ0UHpsVHVUU2ZkSGtwUXNMM0R6VjQKLS0tIFR4NEdTTGRIY3QycTFhRzJNSEY0
+            SEs0Z3VjaTN2Y3Z0QmtEUEdQdmtwYnMKxQ3z1p2GulSOklUEolWeH20JeFwNpZqY
+            870x5UtCJNVTMrIDgwMQK3hn+yywxPdgSRhkW3bqH4PJDxi78UUpXw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-05T08:06:51Z"
+    mac: ENC[AES256_GCM,data:pc4n/3MEP0GhmZ+wdbOiK2gj7ah/9IJ2hoXRtM1sAGy3UPNBrF5VE7hxnAi393YpWBank7crDTvg2aJjhVt7XqB8zcjiHtNMlcpxL6fJ+uWxeH4uVj/NBfSvoO410oYbtPuKMjZpPU7KACmTJ9tzVIZdZOScXx7fLQxNUq01Hu8=,iv:18MqueG9MHrTcXmu14Q8LPnMFT9lolDkCbXjjA2P1qg=,tag:6ETPd8vZ0CCGEUP5u8ZxNA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.0

badhouseplants/values/secrets.woodpecker-ci.yaml

@@ -0,0 +1,27 @@
+server:
+    env:
+        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str]
+agent:
+    env:
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5
+            QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn
+            bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4
+            WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8
+            ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-18T17:43:53Z"
+    mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

badhouseplants/values/values.db-instances.yaml

@@ -18,7 +18,7 @@ dbinstances:
       Namespace: database-service
     engine: postgres
     generic:
-      host: postgres16-postgresql
+      host: postgres16-postgresql.database-service.svc.cluster.local
       port: 5432
   mysql:
     monitoring:

badhouseplants/values/values.gitea.yaml

@@ -43,7 +43,7 @@ resources:
 
 persistence:
   enabled: true
-  size: 8Gi
+  size: 10Gi
   accessModes:
     - ReadWriteOnce
 
@@ -108,6 +108,11 @@ gitea:
       SMTP_ADDR: badhouseplants.net
       SMTP_PORT: 587
       USER: overlord@badhouseplants.net
+    indexer:
+      REPO_INDEXER_ENABLED: true
+      REPO_INDEXER_PATH: indexers/repos.bleve
+      MAX_FILE_SIZE: 1048576
+      REPO_INDEXER_EXCLUDE: resources/bin/**
 service:
   ssh:
     type: ClusterIP

badhouseplants/values/values.istio-gateway-resources.yaml

@@ -1,3 +1,22 @@
+certificate:
+  enabled: true
+  certificate: 
+    - name: nrodionov-wildcard
+      secretName: nrodionov-wildcard-tls
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer
+      dnsNames:
+        - nrodionov.info
+        - "*.nrodionov.info"
+    - name: badhouseplants-wildcard
+      secretName: badhouseplants-wildcard-tls
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer
+      dnsNames:
+        - badhouseplants.net
+        - "*.badhouseplants.net"
 istio-gateway:
   enabled: true
   gateways:
@@ -32,7 +51,7 @@ istio-gateway:
             number: 80
             protocol: HTTP2
           tls:
-            httpsRedirect: false
+            httpsRedirect: true
         - hosts:
           - nrodionov.info
           - dev.nrodionov.info
@@ -57,7 +76,7 @@ istio-gateway:
           - '*'
           port:
             name: ssh
-            number: 22
+            number: 2022
             protocol: TCP
     - name: badhouseplants-minecraft
       servers:

badhouseplants/values/values.istio-ingressgateway.yaml

@@ -6,7 +6,7 @@ service:
       protocol: TCP
       targetPort: 25565
     - name: ssh-gitea
-      port: 22
+      port: 2222
       protocol: TCP
       targetPort: 22
     - name: http2

badhouseplants/values/values.loki.yaml

@@ -1,11 +1,22 @@
 ---
 singleBinary:
   replicas: 1
+  persistence:
+    size: 5Gi
 loki:
   auth_enabled: false
   commonConfig:
     replication_factor: 1
+  storage:
+    type: 'filesystem'
+monitoring:
+  selfMonitoring:
+    enabled: false
+  lokiCanary:
+    enabled: false
+test:
+  enabled: false
 compactor:
   retention_enabled: true
 limits_config:
-  retention_period: 2d
+  retention_period: 14d

badhouseplants/values/values.longhorn.yaml

@@ -5,9 +5,9 @@ defaultSettings:
   guaranteedReplicaManagerCPU: 6
   storageOverProvisioningPercentage: 300
   storageMinimalAvailablePercentage: 5
-  defaultDataPath: /media/longhorn
+  defaultDataPath: /media-longhorn
 csi:
-  kubeletRootDir: /var/lib/kubelet
+  kubeletRootDir: /var/snap/microk8s/common/var/lib/kubelet
 persistence:
-  defaultClassReplicaCount: 3
+  defaultClassReplicaCount: 1
 enablePSP: false

badhouseplants/values/values.metallb-resources.yaml

@@ -1,4 +0,0 @@
-ext-ipaddresspool:
-  enabled: true
-  name: badhouseplants-addresspool
-  addresses: 195.201.250.50-195.201.250.50

badhouseplants/values/values.minio.yaml

@@ -64,11 +64,6 @@ buckets:
   - name: allanger-music
     policy: download
     purge: false
-    versioning: false
-  - name: badhouseplants-brew
-    policy: download
-    purge: false
-    versioning: false
 metrics:
   serviceMonitor:
     enabled: false

badhouseplants/values/values.openvpn.yaml

@@ -17,7 +17,7 @@ istio:
 image:
   tag: v2.6.5-xor-4.0.0beta08
 storage:
-  class: default
+  class: longhorn
   size: 512Mi
 
 openvpn:

badhouseplants/values/values.prometheus.yaml

@@ -64,7 +64,8 @@ defaultRules:
 prometheus:
   prometheusSpec:
     enableAdminAPI: true
-    retentionSize: 10GB
+    retentionSize: 7GB
+    retention: 20d
     podMonitorNamespaceSelector:
       any: true
     podMonitorSelector: {}
@@ -83,7 +84,7 @@ prometheus:
           accessModes: ["ReadWriteOnce"]
           resources:
             requests:
-              storage: 10Gi
+              storage: 12Gi
 
 grafana:
   persistence:

badhouseplants/values/values.promtail.yaml

@@ -3,3 +3,9 @@ config:
   clients:
     #    - url: http://loki.monitoring-system:3100
     - url: http://loki-gateway/loki/api/v1/push
+  snippets:
+    pipelineStages:
+      - match:
+          pipeline_name: "drop-all"
+          selector: '{namespace!~"mail-service|woodpecker"}'
+          action: drop

badhouseplants/values/values.redis.yaml

@@ -1,6 +1,10 @@
 metrics:
   enabled: false
 
+secretAnnotations:
+  reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+  reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+  reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "gitea-service,funkwhale-application"
 architecture: standalone
 master:
   persistence:

badhouseplants/values/values.rook-ceph-cluster.yaml

@@ -1,144 +1,96 @@
-# This is a YAML-formatted file.
+cephFileSystems:
-# Declare variables to be passed into your templates.
+  - name: ceph-filesystem
-
+    spec:
-# -- Namespace of the main rook operator
+      metadataPool:
-operatorNamespace: rook-ceph
+        replicated:
-
+          size: 3
-# -- The metadata.name of the CephCluster CR
+      dataPools:
-# @default -- The same as the namespace
+        - failureDomain: host
-clusterName:
+          replicated:
-
+            size: 3
-# -- Optional override of the target kubernetes version
+          name: data0
-kubeVersion:
+      metadataServer:
-
+        activeCount: 1
-# -- Cluster ceph.conf override
+        activeStandby: true
-configOverride:
-# configOverride: |
-#   [global]
-#   mon_allow_pool_delete = true
-#   osd_pool_default_size = 3
-#   osd_pool_default_min_size = 2
-
-# Installs a debugging toolbox deployment
-toolbox:
-  # -- Enable Ceph debugging pod deployment. See [toolbox](../Troubleshooting/ceph-toolbox.md)
-  enabled: false
-  # -- Toolbox image, defaults to the image used by the Ceph cluster
-  image: #quay.io/ceph/ceph:v17.2.6
-  # -- Toolbox tolerations
-  tolerations: []
-  # -- Toolbox affinity
-  affinity: {}
-  # -- Toolbox container security context
-  containerSecurityContext:
-    runAsNonRoot: true
-    runAsUser: 2016
-    runAsGroup: 2016
-    capabilities:
-      drop: ["ALL"]
-  # -- Toolbox resources
         resources:
           limits:
-      cpu: "500m"
+            cpu: "200m"
-      memory: "1Gi"
+            memory: "256Mi"
           requests:
-      cpu: "100m"
+            cpu: "50m"
             memory: "128Mi"
-  # -- Set the priority class for the toolbox if desired
+        priorityClassName: system-cluster-critical
-  priorityClassName:
+    storageClass:
+      enabled: true
+      isDefault: false
+      name: ceph-filesystem
+      pool: data0
+      reclaimPolicy: Delete
+      allowVolumeExpansion: true
+      volumeBindingMode: "Immediate"
+      mountOptions: []
+      parameters:
+        csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+        csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+        csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+        csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/fstype: ext4
 
-monitoring:
+cephObjectStores: []
-  # -- Enable Prometheus integration, will also create necessary RBAC rules to allow Operator to create ServiceMonitors.
+  #  - name: ceph-objectstore
-  # Monitoring requires Prometheus to be pre-installed
+  #    spec:
-  enabled: false
+  #      metadataPool:
-  # -- Whether to create the Prometheus rules for Ceph alerts
+  #        failureDomain: host
-  createPrometheusRules: false
+  #        replicated:
-  # -- The namespace in which to create the prometheus rules, if different from the rook cluster namespace.
+  #          size: 3
-  # If you have multiple rook-ceph clusters in the same k8s cluster, choose the same namespace (ideally, namespace with prometheus
+  #      dataPool:
-  # deployed) to set rulesNamespaceOverride for all the clusters. Otherwise, you will get duplicate alerts with multiple alert definitions.
+  #        failureDomain: host
-  rulesNamespaceOverride:
+  #        erasureCoded:
-  # Monitoring settings for external clusters:
+  #          dataChunks: 2
-  # externalMgrEndpoints: <list of endpoints>
+  #          codingChunks: 1
-  # externalMgrPrometheusPort: <port>
+  #      preservePoolsOnDelete: true
-  # allow adding custom labels and annotations to the prometheus rule
+  #      gateway:
-  prometheusRule:
+  #        port: 80
-    # -- Labels applied to PrometheusRule
+  #        resources:
-    labels: {}
+  #          limits:
-    # -- Annotations applied to PrometheusRule
+  #            cpu: "150m"
-    annotations: {}
+  #            memory: "256Mi"
-
+  #          requests:
-# -- Create & use PSP resources. Set this to the same value as the rook-ceph chart.
+  #            cpu: "50m"
-pspEnable: false
+  #            memory: "128Mi"
-
+  #        instances: 1
-# imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
+  #        priorityClassName: system-cluster-critical
-# imagePullSecrets:
+  #    storageClass:
-# - name: my-registry-secret
+  #      enabled: true
-
+  #      name: ceph-bucket
-# All values below are taken from the CephCluster CRD
+  #      reclaimPolicy: Delete
-# -- Cluster configuration.
+  #      volumeBindingMode: "Immediate"
-# @default -- See [below](#ceph-cluster-spec)
+  #      parameters:
+  #        region: us-east-1
+  #    ingress:
+  #      enabled: false
 cephClusterSpec:
   resources:
     mgr:
       limits:
-        memory: "1Gi"
-      requests:
         cpu: "200m"
         memory: "512Mi"
+      requests:
+        cpu: "100m"
+        memory: "128Mi"
     mon:
       limits:
+        cpu: "200m"
+        memory: "512Mi"
+      requests:
+        cpu: "100m"
+        memory: "128Mi"
+    osd:
+      limits:
+        cpu: "200m"
         memory: "2Gi"
-      requests:
-        cpu: "250m"
-        memory: "1Gi"
-    osd:
-      requests:
-        cpu: "200m"
-        memory: "4Gi"
-    prepareosd:
-      # limits: It is not recommended to set limits on the OSD prepare job
-      #         since it's a one-time burst for memory that must be allowed to
-      #         complete without an OOM kill.  Note however that if a k8s
-      #         limitRange guardrail is defined external to Rook, the lack of
-      #         a limit here may result in a sync failure, in which case a
-      #         limit should be added.  1200Mi may suffice for up to 15Ti
-      #         OSDs ; for larger devices 2Gi may be required.
-      #         cf. https://github.com/rook/rook/pull/11103
-      requests:
-        cpu: "500m"
-        memory: "50Mi"
-    mgr-sidecar:
-      limits:
-        cpu: "500m"
-        memory: "100Mi"
       requests:
         cpu: "100m"
-        memory: "40Mi"
+        memory: "256Mi"
-    crashcollector:
-      limits:
-        cpu: "500m"
-        memory: "60Mi"
-      requests:
-        cpu: "100m"
-        memory: "60Mi"
-    logcollector:
-      limits:
-        cpu: "500m"
-        memory: "1Gi"
-      requests:
-        cpu: "100m"
-        memory: "100Mi"
-    cleanup:
-      limits:
-        cpu: "500m"
-        memory: "1Gi"
-      requests:
-        cpu: "500m"
-        memory: "100Mi"
-    exporter:
-      limits:
-        cpu: "250m"
-        memory: "128Mi"
-      requests:
-        cpu: "50m"
-        memory: "50Mi"

badhouseplants/values/values.rook-ceph.yaml

@@ -0,0 +1,215 @@
+---
+csi:
+  csiRBDProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-resizer
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-snapshotter
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-rbdplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-omap-generator
+      resource:
+        requests:
+          memory: 12Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+          cpu: 500m
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+
+  # -- CEPH CSI RBD plugin resource requirement list
+  # @default -- see values.yaml
+  csiRBDPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : csi-rbdplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+
+  # -- CEPH CSI CephFS provisioner resource requirement list
+  # @default -- see values.yaml
+  csiCephFSProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-resizer
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-snapshotter
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-cephfsplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+
+  # -- CEPH CSI CephFS plugin resource requirement list
+  # @default -- see values.yaml
+  csiCephFSPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : csi-cephfsplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+
+  # -- CEPH CSI NFS provisioner resource requirement list
+  # @default -- see values.yaml
+  csiNFSProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 200m
+    - name : csi-nfsplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+
+  # -- CEPH CSI NFS plugin resource requirement list
+  # @default -- see values.yaml
+  csiNFSPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m
+    - name : csi-nfsplugin
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+          cpu: 50m

badhouseplants/values/values.vaultwarden.yaml

@@ -0,0 +1,63 @@
+---
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: vaultwarden-http
+      kind: http
+      gateway: istio-system/badhouseplants-net
+      hostname: vault.badhouseplants.net
+      service: vaultwarden
+      port: 8080
+# ------------------------------------------
+# -- Database extension is used to manage
+# --  database with db-operator
+# ------------------------------------------
+ext-database:
+  enabled: true
+  name: vaultwarden-postgres16
+  instance: postgres16
+service: 
+  port: 8080
+vaultwarden:
+  smtp:
+    host: badhouseplants.net
+    security: "starttls"
+    port: 587
+    from: vaultwarden@badhouseplants.net
+    fromName: Vault Warden
+    authMechanism: "Plain"
+    acceptInvalidHostnames: "false"
+    acceptInvalidCerts: "false"
+    debug: false
+  domain: https://vault.badhouseplants.net
+  websocket:
+    enabled: true
+    address: "0.0.0.0"
+    port: 3012
+  rocket:
+    port: "8080"
+    workers: "10"
+  webVaultEnabled: "true"
+  signupsAllowed: false
+  invitationsAllowed: true
+  signupDomains: "https://vault.badhouseplants.com"
+  signupsVerify: "true"
+  showPassHint: "false"
+  database:
+    existingSecret: vaultwarden-postgres16-creds
+    existingSecretKey: CONNECTION_STRING
+    connectionRetries: 15
+    maxConnections: 10
+  storage:
+    enabled: false
+    size: 1Gi
+    class: default
+    dataDir: /data
+  logging:
+    enabled: false
+    logfile: "/data/vaultwarden.log"
+    loglevel: "warn"

badhouseplants/values/values.woodpecker-ci.yaml

@@ -0,0 +1,56 @@
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: woodpecker-server-http
+      gateway: istio-system/badhouseplants-net
+      kind: http
+      hostname: ci.badhouseplants.net
+      service: woodpecker-ci-server
+      port: 80
+ext-database:
+  enabled: true
+  name: woodpecker-postgres16
+  instance: postgres16
+  credentials:
+    WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+server:
+  #image:
+  #  registry: git.badhouseplants.net
+  #  repository: allanger/woodpecker-server
+  #  pullPolicy: Always
+  #  tag: icon
+  enabled: true
+  env:
+    WOODPECKER_GITEA: true
+    WOODPECKER_GITEA_URL: https://git.badhouseplants.net
+    WOODPECKER_DATABASE_DRIVER: postgres
+    WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634
+    WOODPECKER_OPEN: true
+    WOODPECKER_ADMIN: "woodpecker,allanger"
+    WOODPECKER_HOST: "https://ci.badhouseplants.net"
+    WOODPECKER_ESCALATE: true
+    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
+  extraSecretNamesForEnvFrom: 
+    - woodpecker-postgres16-creds
+agent:
+  image: 
+    registry: git.badhouseplants.net
+    repository: allanger/woodpecker-agent
+    pullPolicy: Always
+    tag: dev
+  enabled: true
+  extraSecretNamesForEnvFrom: []
+  env:
+    WOODPECKER_SERVER: woodpecker-ci-server:9000
+    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 3Gi
+    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
+  serviceAccount:
+    create: true
+  rbac:
+    create: true

common/values.database.yaml

@@ -14,3 +14,12 @@ ext-database:
           backup:
             enable: false
             cron: 0 0 * * *
+          {{- if .Values.credentials }}
+          credentials:
+            templates:
+              {{- range $key, $value := .Values.credentials }}
+              - name: {{ $key }}
+                template: {{ $value }}
+                secret: true
+              {{- end }}
+          {{- end }}

common/values.ipaddresspool.yaml

@@ -1,14 +0,0 @@
----
-ext-ipaddresspool:
-  templates:
-    - |
-        ---
-        apiVersion: metallb.io/v1beta1
-        kind: IPAddressPool
-        metadata:
-          name: "{{ .Values.name }}"
-        spec:
-          addresses:
-            - "{{ .Values.addresses }}"
-          autoAssign: true
-          avoidBuggyIPs: false

etersoft/values/secrets.minio.yaml

@@ -9,8 +9,8 @@ users:
 oidc:
     enabled: ENC[AES256_GCM,data:AJwlxQ==,iv:e8Y4xI9VW7R64o5y2TYrMRnL92+RCzFaoF9v4wHDTlc=,tag:T0iZj9cCBxaF444+xuvKuA==,type:bool]
     configUrl: ENC[AES256_GCM,data:UHLEsZwSGwNEV9r6wpiw4lLsMOLxJ6QfHKrrP2oduJE+YG7hImEljrO+/kPSUOgWMGgtXIjT/VLYw7xhW+TL,iv:v6bXPeKMho108y+kErL71RvqlfL0YEUtAaexITN6arY=,tag:r/oglMJVU2J2s3mEgjP+dA==,type:str]
-    clientId: ENC[AES256_GCM,data:39mFCS47/yw1lGxvDs7nLkk941qPaHUMgGBgtcqmJukGMfJK,iv:rfE/1ukQAO8geJVIJQOQaXmn37DfhDMR/t7Ghwd093A=,tag:SDz4TVKiMY+bXAtfrm17/Q==,type:str]
+    clientId: ENC[AES256_GCM,data:6vU3UzdsBjCoxa+H3V87UeNyGt7IYsYMkjEZGFhMfCVWVxxB,iv:4J21E9eskroCTmUFbnt4K4v4tgD+Bjq5j2wT+1q1NE0=,tag:bBDqviaFjnQNDSwTzmpCtw==,type:str]
-    clientSecret: ENC[AES256_GCM,data:KcamhnHBTErbSS6dR7W+suwV5q13yXqZAUBYhKJ5Kj3t14dp6VDHoYc1Dwyt+hebFz0BYYbRA9g=,iv:hOhGu/lRjsEsEz4f6Wnkds6HNq3DnvM+GsJOAz1fOds=,tag:aQ4+xPDgg/2op+NQl7jhSg==,type:str]
+    clientSecret: ENC[AES256_GCM,data:G0OChA212NVb7utdsx4kJRS8BQ0V6igeteOo3Q+PvFTd0U7IVt27YB2u0BUGkt4/Go+wByf8joI=,iv:7khUct7Iln7pi7ET7FBLI51Zc+aFTjLpj92EV5q4Sjc=,tag:vMZtRxTDpphKRW4dN3OVfA==,type:str]
     claimName: ENC[AES256_GCM,data:UUrHhIFP,iv:dKg4zBykxhEKeG40a1eSWRYTyzpb5kBmzhEaULFgSII=,tag:3vfbgsoKkNF2Tmwx3Wi56w==,type:str]
     redirectUri: ENC[AES256_GCM,data:evZK5yq5syKOsTqeqICTWLTq96AXTKftwDdbPYP9Na67N7I12P+jK8k1zKswHQY=,iv:L5AmYGkO2lyU4ytjyMOmuWDg4GtbeoTzcEdZF7WP+es=,tag:BF8AZUJ39+xICfrdNsY9iQ==,type:str]
     comment: ENC[AES256_GCM,data:4h455QlIXewffU2bSKihkg==,iv:p5WRTZfAUgqbF/XpIlaLuUIhQhMWxgs0MW6cqNOiOtg=,tag:yk6CHXx7E8XBY3dath9ezQ==,type:str]
@@ -31,8 +31,8 @@ sops:
             UmdLL0NqWVpuNXBYRENEeTltdFVLREUKrwPN2daokcqABFVXjYCbNyCA0zdMCYh6
             vzTTtNV718OAPQKgl3Ho2c5nhhQcWy5YlWPfGMUklZhocXsAvMXS/g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-26T11:56:18Z"
+    lastmodified: "2023-11-04T19:00:41Z"
-    mac: ENC[AES256_GCM,data:oiaqwWDTTSvdGZxcLqAJrLkF+jNL2PfOOrTFtO2Arry1LehiGeXqNiqlHTd5IvnB/LrU9vGv5SjDrq+FRycfceai8O5hW8aGBXqCSZANIx7cpCJqtm1ErNAm8yw+K5rq/WeRKEySszNx7QtSZiM9ufo/GIAZMZgcd/bqFdm6oXE=,iv:s+uHg40NPT3kjwHnRIu3udkbm3gE36JMzPFhM6NdT/4=,tag:Q97lA8fRcPr5kGZEUbmhxQ==,type:str]
+    mac: ENC[AES256_GCM,data:jhZqJDZuHXpb50aI4f9Otj5y7lHzb1JadZqccju0No2PGUVO1Le3X/Zc51YIm3di+UV8bZSDUosYA7mWz4zNsyMwK0ikB0zUb12Wv1M0ESe4sJQR3mlQSa6fBe1EUGSAtjtmo/HlKaWvprEo3knTZJrxN8pZdTaPOTSA/Akr8m0=,iv:oUbuW1FL1qFbByt5DKqgCWVv/0D2ByWXs2dyUSuB3Uc=,tag:19MFSo0Y1AfB+kFk0sfW2g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

etersoft/values/values.metallb-resources.yaml

@@ -1,4 +0,0 @@
-ext-ipaddresspool:
-  enabled: true
-  name: etersoft-addresspool
-  addresses: 91.232.225.63-91.232.225.63

etersoft/values/values.minio.yaml

@@ -73,6 +73,8 @@ policies:
         - 'arn:aws:s3:::longhorn'
         - 'arn:aws:s3:::restic/*'
         - 'arn:aws:s3:::restic'
+        - 'arn:aws:s3:::etcd/*'
+        - 'arn:aws:s3:::etcd'
       actions:
         - "s3:DeleteObject"
         - "s3:GetObject"
@@ -87,6 +89,10 @@ buckets:
     policy: none
     purge: false
     versioning: false
+  - name: etcd
+    policy: none
+    versioning: false
+    purge: false
 metrics:
   serviceMonitor:
     enabled: false

etersoft/values/values.openvpn.yaml

@@ -14,6 +14,8 @@ istio:
       service: openvpn
       port: 1194
 
+image:
+  tag: v2.6.5-xor-4.0.0beta08
 storage:
   class: microk8s-hostpath
   size: 5Gi

helmfile.yaml

@@ -7,7 +7,7 @@ bases:
 
 releases:
   - <<: *metrics-server
-    installed: false
+    installed: true
     namespace: kube-system
     createNamespace: true
 
@@ -21,11 +21,6 @@ releases:
     namespace: istio-system
     createNamespace: true
 
-  - <<: *istio-gateway-resources
-    installed: true
-    namespace: istio-system
-    createNamespace: true
-
   - <<: *istiod
     installed: true
     namespace: istio-system
@@ -51,9 +46,10 @@ releases:
     namespace: metallb-system
     createNamespace: true
 
-  - <<: *metallb-resources
+  - <<: *reflector
     installed: true
-    namespace: metallb-system
+    namespace: reflector-system
+    createNamespace: true
 
 helmfiles:
   - path: {{.Environment.Name }}/helmfile.yaml

manifests/badhouseplants/namespace-creator-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-manager
+subjects:
+  - kind: User
+    name: badhousplants
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: namespace-manager
+  apiGroup: rbac.authorization.k8s.io

manifests/badhouseplants/namespace-creator-role.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: namespace-manager
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "watch", "list", "create", "delete"]

releases.yaml

@@ -87,122 +87,41 @@ templates:
         alias: ext-database
     values:
       - '{{ requiredEnv "PWD" }}/common/values.database.yaml'
-
+  # ----------------------------
-  ext-ipaddresspool:
-    dependencies:
-    - chart: bedag/raw
-      version: 2.0.0
-      alias: ext-ipaddresspool
-    values:
-      - '{{ requiredEnv "PWD" }}/common/values.ipaddresspool.yaml'
-
-  # -------------------------------------------------------------------
   # -- Releases
-  # -------------------------------------------------------------------
+  # ----------------------------
   # -- System
-  # -- This is what has to be installed first. Without those releases
+  # ----------------------------
-  # --  cluster can't function
-  # -------------------------------------------------------------------
-  common-system:
-    labels:
-      layer: system
-
   metrics-server: &metrics-server
     name: metrics-server
     chart: metrics-server/metrics-server
     version: 3.11.0
-    inherit:
-      - template: common-system
     values:
       - common/values.{{ .Release.Name }}.yaml
 
   metallb: &metallb
     name: metallb
     chart: metallb/metallb
-    version: 0.13.11
+    version: 0.13.12
-    inherit:
-      - template: common-system
-
-  metallb-resources: &metallb-resources
-    name: metallb-resources
-    chart: bedag/raw
-    version: 2.0.0
-    needs: 
-      - metallb
-    inherit: 
-      - template: default-env-values
-      - template: ext-ipaddresspool
-      - template: common-system
 
   cert-manager: &cert-manager
     name: cert-manager
     chart: jetstack/cert-manager
-    version: 1.13.1
+    version: 1.13.3
-    inherit: 
-      - template: common-system
     set:
       - name: installCRDs
         value: true
-  
   longhorn: &longhorn
     name: longhorn
     chart: longhorn/longhorn
-    version: 1.5.1
+    version: 1.5.3
     inherit:
       - template: default-env-values
-      - template: common-system
-
-  # ----------------------------
-  # -- Istio
-  # ----------------------------
-  common-istio:
-    labels:
-      bundle: istio
-    version: 1.19.3
-    inherit: 
-      - template: common-system
-
-  istio-base: &istio-base
-    name: istio-base
-    chart: istio/base
-    inherit:
-      - template: crd-management-hook
-      - template: common-istio
-
-  istio-gateway: &istio-gateway
-    name: istio-ingressgateway
-    chart: istio/gateway
-    needs:
-      - istio-base
-      - metallb-system/metallb-resources
-    inherit:
-      - template: common-istio
-      - template: default-env-values
-
-  istiod: &istiod
-    name: istiod
-    chart: istio/istiod
-    needs:
-      - istio-base
-    inherit:
-      - template: common-istio
-      - template: default-env-values
-
-  istio-gateway-resources: &istio-gateway-resources
-    name: istio-gateway-resources
-    chart: bedag/raw
-    version: 2.0.0
-    needs:
-      - istio-base
-    inherit:
-      - template: ext-istio-gateway
-      - template: default-env-values
-      - template: common-system
 
   argocd: &argocd
     name: argocd
     chart: argo/argo-cd
-    version: 5.46.8
+    version: 5.51.6
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -215,7 +134,7 @@ templates:
   prometheus: &prometheus
     name: prometheus
     chart: prometheus-community/kube-prometheus-stack
-    version: 51.6.1
+    version: 55.3.1
     inherit:
       - template: monitoring-common
       - template: default-env-values
@@ -226,7 +145,7 @@ templates:
   loki: &loki
     name: loki
     chart: grafana/loki
-    version: 5.29.0
+    version: 5.41.1
     inherit:
       - template: monitoring-common
       - template: default-env-values
@@ -234,10 +153,47 @@ templates:
   promtail: &promtail
     name: promtail
     chart: grafana/promtail
-    version: 6.15.2
+    version: 6.15.3
     inherit:
       - template: monitoring-common
       - template: default-env-values
+  # ----------------------------
+  # -- Istio
+  # ----------------------------
+  istio-common:
+    labels:
+      bundle: istio
+    version: 1.20.1
+
+  istio-base: &istio-base
+    name: istio-base
+    chart: istio/base
+    inherit:
+      - template: crd-management-hook
+      - template: istio-common
+
+  istio-gateway: &istio-gateway
+    name: istio-ingressgateway
+    chart: istio/gateway
+    inherit:
+      - template: istio-common
+      - template: default-env-values
+
+  istio-gateway-resources: &istio-gateway-resources
+    name: istio-gateway-resources
+    chart: bedag/raw
+    version: 2.0.0
+    inherit:
+      - template: ext-istio-gateway
+      - template: ext-certificate
+      - template: default-env-values
+
+  istiod: &istiod
+    name: istiod
+    chart: istio/istiod
+    inherit:
+      - template: istio-common
+      - template: default-env-values
 
   # ----------------------------
   # -- Applications
@@ -245,7 +201,7 @@ templates:
   openvpn: &openvpn
     name: openvpn
     chart: allanger-gitea/openvpn
-    version: 1.0.6
+    version: 1.0.7
     inherit:
       - template: default-env-values
       - template: ext-istio-resource
@@ -268,16 +224,26 @@ templates:
   drone-runner-docker: &drone-runner-docker
     name: drone-runner-docker
     chart: drone/drone-runner-docker
-    version: 0.6.1
+    version: 0.6.2
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: drone-common
 
+  woodpecker-ci: &woodpecker-ci
+    name: woodpecker-ci
+    chart: woodpecker/woodpecker
+    version: 1.0.1
+    inherit:
+      - template: ext-database
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-istio-resource
+
   nrodionov: &nrodionov
     name: nrodionov
     chart: bitnami/wordpress
-    version: 18.0.4
+    version: 18.1.24
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -296,7 +262,7 @@ templates:
   minecraft: &minecraft
     name: minecraft
     chart: minecraft-server-charts/minecraft
-    version: 4.11.0
+    version: 4.12.0
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -305,7 +271,7 @@ templates:
   gitea: &gitea
     name: gitea
     chart: gitea/gitea
-    version: 9.5.0
+    version: 9.6.1
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -315,23 +281,13 @@ templates:
   funkwhale: &funkwhale
     name: funkwhale
     chart: ananace-charts/funkwhale
-    version: 2.0.3
+    version: 2.0.5
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: ext-istio-resource
       - template: ext-database
 
-  mailu: &mailu
-    name: mailu
-    chart: mailu/mailu
-    version: 1.2.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-istio-resource
-      - template: ext-certificate
-
   bitwarden: &bitwarden
     name: bitwarden
     chart: bitwarden/vaultwarden
@@ -344,7 +300,7 @@ templates:
   redis: &redis
     name: redis
     chart: bitnami/redis
-    version: 18.1.5
+    version: 18.5.0
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -352,7 +308,7 @@ templates:
   postgres16: &postgres16
     name: postgres16
     chart: bitnami/postgresql
-    version: 13.1.4
+    version: 13.2.24
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -360,12 +316,12 @@ templates:
   db-operator: &db-operator
     name: db-operator
     chart: db-operator/db-operator
-    version: 1.11.1
+    version: 1.14.1
 
   db-instances: &db-instances
     name: db-instances
     chart: db-operator/db-instances
-    version: 1.4.2
+    version: 2.1.1
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -373,7 +329,7 @@ templates:
   mysql: &mysql
     name: mysql
     chart: bitnami/mysql
-    version: 9.12.5
+    version: 9.14.4
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -381,9 +337,37 @@ templates:
   docker-mailserver: &docker-mailserver
     name: docker-mailserver
     chart: allanger-gitea/docker-mailserver
-    version: 2.1.3
+    version: 2.2.0
     inherit:
       - template: default-env-values
       - template: ext-istio-gateway
       - template: ext-istio-resource
 
+  vaultwarden: &vaultwarden
+    name: vaultwarden
+    chart: badhouseplants/vaultwarden
+    version: 1.0.0
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-istio-resource
+      - template: ext-database
+
+  reflector: &reflector
+    name: reflector
+    chart: emberstack/reflector
+    version: 7.1.216
+
+  rook-ceph: &rook-ceph
+    name: rook-ceph
+    chart: rook/rook-ceph
+    version: v1.13.1
+    inherit:
+      - template: default-env-values
+
+  rook-ceph-cluster: &rook-ceph-cluster
+    name: rook-ceph-cluster
+    chart: rook/rook-ceph-cluster
+    version: v1.13.1
+    inherit:
+      - template: default-env-values

repositories.yaml

@@ -1,4 +1,3 @@
----
 repositories:
   - name: metrics-server
     url: https://kubernetes-sigs.github.io/metrics-server/
@@ -36,3 +35,13 @@ repositories:
     url: https://db-operator.github.io/charts
   - name: allanger-gitea
     url: https://git.badhouseplants.net/api/packages/allanger/helm
+  - name: badhouseplants
+    url: https://badhouseplants.github.io/helm-charts/
+  - name: woodpecker
+    url: https://woodpecker-ci.org
+  - name: firefly-iii
+    url: https://firefly-iii.github.io/kubernetes/
+  - name: emberstack
+    url: https://emberstack.github.io/helm-charts
+  - name: rook
+    url: https://charts.rook.io/release

test/test.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-test
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pvc-test
+spec:
+  restartPolicy: Never
+  volumes:
+  - name: vol
+    persistentVolumeClaim:
+      claimName: pvc-test
+  containers:
+  - name: pv-recycler
+    image: ubuntu
+    command: ["/bin/sh", "-c", "sleep 10000"]
+    volumeMounts:
+    - name: vol
+      mountPath: /data