badhouseplants/k8s-deployment
4
0
Fork 0
Code Issues 3 Pull Requests 6 Actions Packages Projects Releases Activity

Compare commits

base: badhouseplants:3ad005c0733c510b2ea74f241a74cd25facdb78f
Branches Tags
badhouseplants:main
badhouseplants:renovate/postgresql-16.x
badhouseplants:renovate/velero-9.x
badhouseplants:renovate/istio-monorepo
badhouseplants:renovate/cilium-1.x
badhouseplants:renovate/argo-cd-7.x
badhouseplants:add-ci
badhouseplants:refactor-again
badhouseplants:stale-teleport-installation
badhouseplants:script-fox-xray
badhouseplants:before-single-node
..
compare: badhouseplants:2e13a6454f3c9a04b99d10d6b25cca0365e64d04
Branches Tags
badhouseplants:renovate/postgresql-16.x
badhouseplants:renovate/velero-9.x
badhouseplants:renovate/istio-monorepo
badhouseplants:renovate/cilium-1.x
badhouseplants:renovate/argo-cd-7.x
badhouseplants:main
badhouseplants:add-ci
badhouseplants:refactor-again
badhouseplants:stale-teleport-installation
badhouseplants:script-fox-xray
badhouseplants:before-single-node

15 Commits
3ad005c073 ... 2e13a6454f

Author SHA1 Message Date
Devops Bot
2e13a6454f chore(deps): update helm release external-dns to v1.16.0 2025-03-31 01:01:05 +00:00
Nikolai Rodionov
2c0f498611
Update memos lib 2025-03-30 18:18:28 +02:00
Nikolai Rodionov
bb45328532
Trying to migrate istio 2025-03-30 16:10:40 +02:00
Nikolai Rodionov
a8693f41ee
Keep migrating things 2025-03-30 15:51:26 +02:00
Nikolai Rodionov
a659611d6f
Keep migrating things 2025-03-30 15:13:48 +02:00
Nikolai Rodionov
dbd69180e4
Keep migrating things 2025-03-29 14:16:34 +01:00
Nikolai Rodionov
992463b8cd
Keep migrating things 2025-03-29 13:55:44 +01:00
Nikolai Rodionov
4e2a71ebfb
Migrate metallb 2025-03-28 17:18:17 +01:00
Nikolai Rodionov
c32705ffa0
Keep migrating things 2025-03-27 22:54:32 +01:00
Nikolai Rodionov
f8684df5a9
Started a big refactoring again 2025-03-27 21:13:13 +01:00
Nikolai Rodionov
cd6a200591
Fix helmfile 2025-03-26 22:25:38 +01:00
Nikolai Rodionov
173af0f7f8
Start using registry mirror 2025-03-26 22:23:54 +01:00
Nikolai Rodionov
1184e6cd89
Migrate woodpecked and tandoor 2025-03-25 21:08:47 +01:00
Nikolai Rodionov
e3f77b6bee
Migrate gitea to the org-badhouseplants ns 2025-03-25 20:39:09 +01:00
Nikolai Rodionov
fe5419f2ed
Migrate navidrome to the org-badhouseplants ns 2025-03-22 16:18:34 +01:00
111 changed files with 2063 additions and 550 deletions
Show Stats Expand all files Collapse all files

7
.pre-commit-config.yaml
View File

@ -8,9 +8,10 @@ repos:
hooks: hooks:
- id: yamlfmt - id: yamlfmt
exclude: | exclude: |
(?x)^( (?x)(
.*secrets.*yaml ^charts/|
)$ ^.*secrets.*yaml|
)
# - repo: https://github.com/codespell-project/codespell # - repo: https://github.com/codespell-project/codespell
# rev: v2.2.4 # rev: v2.2.4
# hooks: # hooks:

21
charts/issuer/templates/issuer.yaml
View File

@ -1,10 +1,23 @@
{{- range $name, $issuer := .Values.clusterIssuers }}
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
labels: labels:
{{- include "issuer.labels" . | nindent 4 }} {{- include "issuer.labels" $ | nindent 4 }}
name: "{{ .Values.name }}" name: "{{ $name }}"
spec: spec:
acme: {{ $issuer.spec | toYaml | indent 2 }}
{{ .Values.spec | toYaml | indent 2 }} {{- end }}
{{- range $name, $issuer := .Values.issuers }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
{{- include "issuer.labels" $ | nindent 4 }}
name: "{{ $name }}"
namespace: {{ $issuer.namespace }}
spec:
{{ $issuer.spec | toYaml | indent 2 }}
{{- end }}

0
charts/namespaces/chart/.helmignore → charts/metallb-resources/.helmignore
View File

24
charts/metallb-resources/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: metallb-resources
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

20
charts/root/templates/_helpers.tpl → charts/metallb-resources/templates/_helpers.tpl
View File

@ -1,7 +1,7 @@
{{/* {{/*
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- define "root.name" -}} {{- define "metallb-resources.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
@ -10,7 +10,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name. If release name contains chart name it will be used as a full name.
*/}} */}}
{{- define "root.fullname" -}} {{- define "metallb-resources.fullname" -}}
{{- if .Values.fullnameOverride }} {{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }} {{- else }}
@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "root.chart" -}} {{- define "metallb-resources.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Common labels Common labels
*/}} */}}
{{- define "root.labels" -}} {{- define "metallb-resources.labels" -}}
helm.sh/chart: {{ include "root.chart" . }} helm.sh/chart: {{ include "metallb-resources.chart" . }}
{{ include "root.selectorLabels" . }} {{ include "metallb-resources.selectorLabels" . }}
{{- if .Chart.AppVersion }} {{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }} {{- end }}
@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{/* {{/*
Selector labels Selector labels
*/}} */}}
{{- define "root.selectorLabels" -}} {{- define "metallb-resources.selectorLabels" -}}
app.kubernetes.io/name: {{ include "root.name" . }} app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
{{/* {{/*
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
{{- define "root.serviceAccountName" -}} {{- define "metallb-resources.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }} {{- if .Values.serviceAccount.create }}
{{- default (include "root.fullname" .) .Values.serviceAccount.name }} {{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
{{- else }} {{- else }}
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}

7
charts/metallb-resources/templates/ip_address_pool.tpl Normal file
View File

@ -0,0 +1,7 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: {{ include "metallb-resources.fullname" . }}
spec:
addresses:
- {{ .Values.addresses}}

1
charts/metallb-resources/values.yaml Normal file
View File

@ -0,0 +1 @@
addresses: 1.1.1.1-1.1.1.1

0
charts/root/.helmignore → charts/namespaces/.helmignore
View File

0
charts/namespaces/chart/Chart.yaml → charts/namespaces/Chart.yaml
View File

6
charts/namespaces/kustomize/flux-system.yml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: flux-system
labels:
name: flux-system

6
charts/namespaces/kustomize/giantswarm-flux.yml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: giantswarm-flux
labels:
name: giantswarm-flux

6
charts/namespaces/kustomize/giantswarm.yml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: giantswarm
labels:
name: giantswarm

5
charts/namespaces/kustomize/kustomization.yaml
View File

@ -1,5 +0,0 @@
resources:
- ./giantswarm-flux.yml
- ./giantswarm.yml
- ./monitoring.yml
- ./org-giantswarm.yml

6
charts/namespaces/kustomize/monitoring.yml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
labels:
name: monitoring

6
charts/namespaces/kustomize/org-giantswarm.yml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: org-giantswarm
labels:
name: org-giantswarm

0
charts/namespaces/chart/templates/_helpers.tpl → charts/namespaces/templates/_helpers.tpl
View File

11
charts/namespaces/chart/templates/namespaces.yaml → charts/namespaces/templates/namespaces.yaml
View File

@ -15,5 +15,16 @@ metadata:
{{- with $ns.annotations}} {{- with $ns.annotations}}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- if $ns.defaultRegcred }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: regcred
namespace: {{ $ns.name }}
data:
.dockerconfigjson: {{ $.Values.defaultRegcred }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

0
charts/namespaces/chart/values.yaml → charts/namespaces/values.yaml
View File

6
charts/root/Chart.yaml
View File

@ -1,6 +0,0 @@
apiVersion: v2
name: root
description: A Helm chart for Kubernetes
type: application
version: 0.1.5
appVersion: "1.16.0"

25
charts/root/templates/root.yaml
View File

@ -1,25 +0,0 @@
{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: root
spec:
interval: 30s
url: {{ .Values.url }}
ref:
branch: {{ .Values.branch }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: root
spec:
interval: 30s
targetNamespace: flux-system
sourceRef:
kind: GitRepository
name: root
path: "."
prune: false
timeout: 1m
{{- end }}

25
charts/root/templates/self.yaml
View File

@ -1,25 +0,0 @@
{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: root-self
spec:
interval: 30s
url: {{ .Values.self.url }}
ref:
branch: {{ .Values.self.branch }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: root-self
spec:
interval: 30s
targetNamespace: flux-system
sourceRef:
kind: GitRepository
name: root-self
path: "."
prune: false
timeout: 1m
{{- end }}

5
charts/root/values.yaml
View File

@ -1,5 +0,0 @@
url: https://git.badhouseplants.net/giantswarm/cluster-example.git
branch: main
self:
url: git@git.badhouseplants.net:giantswarm/root-config.git
branch: master

23
charts/tf-ocloud/.helmignore
View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
charts/tf-ocloud/Chart.lock
View File

@ -1,6 +0,0 @@
dependencies:
- name: helm-library
repository: oci://ghcr.io/allanger/allangers-helm-library
version: 0.1.4
digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
generated: "2024-10-16T20:01:59.337767+02:00"

15
charts/tf-ocloud/Chart.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v2
name: tf-ocloud
type: application
version: 0.1.0
appVersion: 0.1.5
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
dependencies:
- name: helm-library
version: 0.2.3
repository: oci://ghcr.io/allanger/allangers-helm-library
annotations:
allowed_workload_kinds: "Deployment"

BIN
charts/tf-ocloud/charts/helm-library-0.1.4.tgz
View File

Binary file not shown.

3
charts/tf-ocloud/templates/install.yaml
View File

@ -1,3 +0,0 @@
{{ include "lib.component.workload" . }}
{{ include "lib.component.files" . }}
{{ include "lib.component.env" . }}

67
charts/tf-ocloud/values.yaml
View File

@ -1,67 +0,0 @@
---
workload:
kind: Deployment
strategy:
type: RollingUpdate
securityContext: {}
containers:
tf:
securityContext: {}
image:
registry: zot.badhouseplants.net
repository: badhouseplants/terraform-ocloud
tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
pullPolicy: Always
envFrom:
- main
mounts:
files:
ocloudkey:
path: /src/key.pem
subPath: key.pem
publickey:
path: /src/public_key
subPath: public-key
privatekey:
path: /src/ssh_key
subPath: ssh-key
tfvars:
path: /src/terraform.tfvars
subPath: terraform.tfvars
extraVolumes:
dottf:
path: /src/.terraform
extraVolumes:
dottf:
emptyDir: {}
files:
ocloudkey:
enabled: true
sensitive: false
remove: []
entries:
key.pem:
data: dummy
publickey:
enabled: true
sensitive: false
remove: []
entries:
public-key:
data: dummy
privatekey:
enabled: true
sensitive: false
remove: []
entries:
ssh-key:
data: dummy
tfvars:
enabled: true
sensitive: false
remove: []
entries:
terraform.tfvars:
data: dummy

2
common/environments.yaml
View File

@ -2,6 +2,7 @@ environments:
badhouseplants: badhouseplants:
kubeContext: badhouseplants kubeContext: badhouseplants
values: values:
#- ./common/values/values.badhouseplants.yaml
- base: - base:
enabled: true enabled: true
- velero: - velero:
@ -25,6 +26,7 @@ environments:
etersoft: etersoft:
kubeContext: etersoft kubeContext: etersoft
values: values:
- ./common/values/values.etersoft.yaml
- base: - base:
enabled: true enabled: true
- velero: - velero:

9
common/templates.yaml
View File

@ -37,9 +37,18 @@ templates:
default-env-secrets: default-env-secrets:
secrets: secrets:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml' - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
common-values:
values:
- '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
common-values-tpl:
values:
- '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
env-values: env-values:
values: values:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml' - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
env-values-tpl:
values:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
env-secrets: env-secrets:
secrets: secrets:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml' - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'

10
common/values/values.badhouseplants.yaml
View File

@ -1,4 +1,6 @@
namespaces: registry: registry.badhouseplants.net/containers
kubeSystem: kube-system registry_url: registry.badhouseplants.net
kubePublic: kube-public main_ip: 195.201.249.91
tools:
openebs:
enabled: true

6
common/values/values.etersoft.yaml Normal file
View File

@ -0,0 +1,6 @@
registry: registry.ru.badhouseplants.net/containers
registry_url: registry.ru.badhouseplants.net
main_ip: 91.232.225.63
tools:
openebs:
enabled: false

11
helmfile.yaml
View File

@ -1,11 +1,6 @@
bases: bases:
- ./common/environments.yaml - ./common/environments.yaml
- ./common/templates.yaml - ./common/templates.yaml
helmfiles: - ./helmfiles/base.yaml
- ./installations/system/ - ./helmfiles/system.yaml
- ./installations/databases/ - ./helmfiles/platform.yaml
- ./installations/platform/
- ./installations/pipelines/
- ./installations/monitoring/
- ./installations/applications/helmfile-{{ .Environment.Name }}.yaml
- ./installations/games/

18
helmfiles/base.yaml Normal file
View File

@ -0,0 +1,18 @@
releases:
# -- This one must be executed with --take-ownership at least once
- name: namespaces
chart: ./charts/namespaces
namespace: kube-system
createNamespace: false
inherit:
- template: env-values
- template: env-secrets
- name: roles
chart: ./charts/roles
namespace: kube-system
createNamespace: false
needs:
- kube-system/namespaces
inherit:
- template: env-values

50
helmfiles/platform.yaml Normal file
View File

@ -0,0 +1,50 @@
repositories:
- name: keel
url: https://keel-hq.github.io/keel/
- name: uptime-kuma
url: https://helm.irsigler.cloud
- name: external-dns
url: https://kubernetes-sigs.github.io/external-dns/
- name: minio-standalone
url: https://charts.min.io/
releases:
- name: external-dns
chart: external-dns/external-dns
labels:
layer: platform
version: 1.16.0
namespace: platform
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: keel
chart: keel/keel
version: v1.0.5
labels:
layer: platform
namespace: platform
inherit:
- template: common-values-tpl
- name: uptime-kuma
chart: uptime-kuma/uptime-kuma
version: 2.21.2
namespace: platform
labels:
layer: platform
inherit:
- template: common-values-tpl
- template: env-values
- name: minio
chart: minio-standalone/minio
version: 5.4.0
namespace: platform
labels:
layer: platform
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets

180
helmfiles/system.yaml Normal file
View File

@ -0,0 +1,180 @@
repositories:
- name: coredns
url: https://coredns.github.io/helm
- name: zot
url: https://zotregistry.dev/helm-charts/
- name: cilium
url: https://helm.cilium.io/
- name: metrics-server
url: https://kubernetes-sigs.github.io/metrics-server/
- name: jetstack
url: https://charts.jetstack.io
- name: metallb
url: https://metallb.github.io/metallb
- name: traefik
url: https://traefik.github.io/charts
- name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
- name: kyverno
url: https://kyverno.github.io/kyverno/
- name: vmware-tanzu
url: https://vmware-tanzu.github.io/helm-charts/
- name: openebs
url: https://openebs.github.io/openebs
- name: istio
url: https://istio-release.storage.googleapis.com/charts
releases:
- name: coredns
chart: coredns/coredns
version: 1.39.1
namespace: kube-system
inherit:
- template: common-values-tpl
- name: cilium
chart: cilium/cilium
version: 1.17.2
namespace: kube-system
needs:
- kube-system/coredns
inherit:
- template: common-values
- template: common-values-tpl
- name: cert-manager
chart: jetstack/cert-manager
version: v1.17.1
namespace: kube-system
missingFileHandler: Warn
needs:
- kube-system/cilium
inherit:
- template: common-values
- template: common-values-tpl
- name: issuer
chart: ./charts/issuer
namespace: kube-system
missingFileHandler: Warn
needs:
- kube-system/cert-manager
inherit:
- template: common-values
- name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
namespace: kube-system
inherit:
- template: common-values-tpl
- name: kyverno
chart: kyverno/kyverno
namespace: kyverno
version: 3.3.7
needs:
- kube-system/cilium
inherit:
- template: common-values-tpl
- name: kyverno-policies
chart: kyverno/kyverno-policies
namespace: kyverno
version: 3.3.4
needs:
- kyverno/kyverno
- name: custom-kyverno-policies
chart: ./kustomizations/kyverno/{{ .Environment.Name }}
namespace: kyverno
needs:
- kyverno/kyverno
- name: metallb
chart: metallb/metallb
namespace: kube-system
condition: base.enabled
version: 0.14.9
needs:
- registry/cluster-mirror
inherit:
- template: common-values
- template: common-values-tpl
- name: metallb-resources
chart: ./charts/metallb-resources
version: 2.0.0
condition: base.enabled
namespace: kube-system
needs:
- kube-system/metallb
inherit:
- template: common-values-tpl
- name: traefik
chart: traefik/traefik
version: 34.4.1
condition: base.enabled
namespace: kube-system
inherit:
- template: common-values-tpl
- template: common-values
- template: env-values
- name: cluster-mirror
chart: zot/zot
version: 0.1.67
createNamespace: false
installed: true
namespace: registry
needs:
- kube-system/cilium
inherit:
- template: common-values-tpl
- template: env-secrets
- name: metrics-server
chart: metrics-server/metrics-server
version: 3.12.2
namespace: kube-system
needs:
- registry/cluster-mirror
inherit:
- template: common-values-tpl
- name: openebs
chart: openebs/openebs
condition: tools.openebs.enabled
namespace: kube-system
version: 4.2.0
inherit:
- template: common-values-tpl
- template: env-values
- name: velero
chart: vmware-tanzu/velero
namespace: velero
version: 8.5.0
condition: velero.enabled
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: istio-base
chart: istio/base
condition: istio.enabled
namespace: istio-system
version: 1.25.1
inherit:
- template: common-values
- name: istiod
chart: istio/istiod
condition: istio.enabled
namespace: istio-system
version: 1.25.1
inherit:
- template: common-values-tpl
needs:
- istio-system/istio-base

35
installations/applications/helmfile-badhouseplants.yaml
View File

@ -20,6 +20,7 @@ releases:
chart: gitea/gitea chart: gitea/gitea
version: 11.0.0 version: 11.0.0
namespace: applications namespace: applications
installed: false
inherit: inherit:
- template: default-env-values - template: default-env-values
- template: default-env-secrets - template: default-env-secrets
@ -43,6 +44,7 @@ releases:
- template: env-secrets - template: env-secrets
- name: app-tandoor-recipes - name: app-tandoor-recipes
installed: false
chart: allangers-charts/tandoor-recipes chart: allangers-charts/tandoor-recipes
version: 0.2.0 version: 0.2.0
namespace: org-badhouseplants namespace: org-badhouseplants
@ -51,21 +53,38 @@ releases:
- template: env-secrets - template: env-secrets
- template: ext-database - template: ext-database
- name: navidrome - name: app-tandoor-recipes
chart: allangers-charts/tandoor-recipes
version: 0.2.0
namespace: org-allanger
inherit:
- template: env-values
- template: env-secrets
- template: ext-database
- name: app-navidrome
chart: allangers-charts/navidrome chart: allangers-charts/navidrome
namespace: applications namespace: org-badhouseplants
version: 0.5.0 version: 0.5.0
inherit: inherit:
- template: default-env-values - template: env-values
- template: ext-traefik-middleware - template: ext-traefik-middleware
- name: navidrome-private - name: app-navidrome-private
chart: allangers-charts/navidrome chart: allangers-charts/navidrome
namespace: applications namespace: org-badhouseplants
version: 0.5.0 version: 0.5.0
inherit: inherit:
- template: default-env-values - template: env-values
- template: default-env-secrets - template: env-secrets
- name: app-gitea
chart: gitea/gitea
version: 11.0.0
namespace: org-badhouseplants
inherit:
- template: env-values
- template: env-secrets
- name: server-xray-public - name: server-xray-public
chart: allangers-charts/server-xray chart: allangers-charts/server-xray
@ -92,7 +111,7 @@ releases:
- name: memos - name: memos
chart: allangers-charts/memos chart: allangers-charts/memos
version: 0.2.0 version: 0.3.0
namespace: applications namespace: applications
inherit: inherit:
- template: default-env-values - template: default-env-values

135
installations/system/helmfile.yaml
View File

@ -17,145 +17,14 @@ repositories:
url: https://coredns.github.io/helm url: https://coredns.github.io/helm
- name: cilium - name: cilium
url: https://helm.cilium.io/ url: https://helm.cilium.io/
- name: vmware-tanzu
url: https://vmware-tanzu.github.io/helm-charts/
- name: openebs
url: https://openebs.github.io/openebs
- name: local-path-provisioner - name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
- name: istio - name: istio
url: https://istio-release.storage.googleapis.com/charts url: https://istio-release.storage.googleapis.com/charts
- name: zot
url: https://zotregistry.dev/helm-charts/
releases: releases:
- name: namespaces
chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
namespace: kube-public
createNamespace: false
inherit:
- template: default-env-values
- name: roles
chart: '{{ requiredEnv "PWD" }}/charts/roles'
namespace: kube-public
createNamespace: false
needs:
- kube-public/namespaces
inherit:
- template: default-env-values
- name: coredns
chart: coredns/coredns
version: 1.39.1
namespace: kube-system
inherit:
- template: default-common-values
- name: cilium
chart: cilium/cilium
version: 1.17.2
condition: base.enabled
namespace: kube-system
needs:
- kube-system/coredns
inherit:
- template: default-env-values
- name: cert-manager
chart: jetstack/cert-manager
version: v1.17.1
namespace: kube-system
condition: base.enabled
missingFileHandler: Warn
needs:
- kube-system/cilium
inherit:
- template: default-common-values
- template: default-env-values
- name: issuer
chart: '{{ requiredEnv "PWD" }}/charts/issuer'
namespace: kube-public
missingFileHandler: Warn
condition: base.enabled
needs:
- kube-system/cert-manager
inherit:
- template: default-common-values
- template: default-env-values
- name: metrics-server
chart: metrics-server/metrics-server
version: 3.12.2
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-common-values
- name: metallb
chart: metallb/metallb
namespace: kube-system
condition: base.enabled
version: 0.14.9
needs:
- kube-system/cilium
inherit:
- template: default-common-values
- name: metallb-resources
chart: bedag/raw
version: 2.0.0
condition: base.enabled
namespace: kube-system
needs:
- kube-system/metallb
inherit:
- template: ext-metallb
- template: default-env-values
- name: traefik
chart: traefik/traefik
version: 34.4.1
condition: base.enabled
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-common-values
- template: default-env-values
- name: velero
chart: vmware-tanzu/velero
namespace: velero
version: 8.5.0
condition: velero.enabled
needs:
- kube-system/cilium
inherit:
- template: default-env-values
- template: default-env-secrets
- template: crd-management-hook
- name: openebs
chart: openebs/openebs
condition: openebs.enabled
namespace: kube-system
version: 4.2.0
needs:
- kube-system/cilium
inherit:
- template: default-env-values
# -- Not versions since it's idnstalled from git
- name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
condition: localpath.enabled
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-env-values
- name: istio-base - name: istio-base
chart: istio/base chart: istio/base
condition: istio.enabled condition: istio.enabled

0
kustomizations/kyverno/badhouseplants/add-applied-by.yaml → kustomizations/kyverno/add-applied-by.yaml
View File

13
kustomizations/kyverno/badhouseplants/pvc-patch.yaml
View File

@ -4,6 +4,19 @@ metadata:
name: replace-storage-class-by-openebs name: replace-storage-class-by-openebs
spec: spec:
rules: rules:
- name: local-path-fix
match:
any:
- resources:
kinds:
- PersistentVolumeClaim
namespaces:
- registry
mutate:
patchStrategicMerge:
metadata:
annotations:
volume.kubernetes.io/selected-node: bordeaux
- name: replace-storage-class - name: replace-storage-class
match: match:
any: any:

1
kustomizations/kyverno/etersoft/pvc-patch.yaml
View File

@ -13,6 +13,7 @@ spec:
namespaces: namespaces:
- applications - applications
- platform - platform
- registry
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:

21
values/badhouseplants/kube-system/namespaces/secrets.yaml Normal file
View File

@ -0,0 +1,21 @@
defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-27T10:24:56Z"
mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

12
values/badhouseplants/values.namespaces.yaml → values/badhouseplants/kube-system/namespaces/values.yaml
View File

@ -1,13 +1,21 @@
namespaces: namespaces:
- name: registry
- name: kube-system
defaultRegcred: true
- name: kyverno - name: kyverno
defaultRegcred: true
- name: velero - name: velero
defaultRegcred: true
- name: observability - name: observability
- name: databases - name: databases
- name: istio-system - name: istio-system
defaultRegcred: true
- name: applications - name: applications
defaultRegcred: true
labels: labels:
istio-injection: disabled istio-injection: enabled
- name: platform - name: platform
defaultRegcred: true
- name: games - name: games
- name: team-fortress-2 - name: team-fortress-2
- name: pipelines - name: pipelines
@ -15,4 +23,4 @@ namespaces:
labels: labels:
istio-injection: disabled istio-injection: disabled
- name: org-badhouseplants - name: org-badhouseplants
- name: org-onpier - name: org-allanger

1
values/badhouseplants/values.openebs.yaml → values/badhouseplants/kube-system/openebs/values.yaml
View File

@ -1,6 +1,7 @@
localpv-provisioner: localpv-provisioner:
hostpathClass: hostpathClass:
isDefaultClass: true isDefaultClass: true
zfs-localpv: zfs-localpv:
crds: crds:
zfsLocalPv: zfsLocalPv:

24
values/badhouseplants/kube-system/roles/values.yaml Normal file
View File

@ -0,0 +1,24 @@
roles:
- name: xray-admin
namespace: public-xray
kind: Role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
namespace: ["public-xray"]
bindings:
- name: woodpecker-ci
namespace: pipelines
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
namespace: pipelines
name: woodpecker-ci
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
sa:
- name: woodpecker-ci
namespace: pipelines

0
values/badhouseplants/values.traefik.yaml → values/badhouseplants/kube-system/traefik/values.yaml
View File

25
values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml Normal file
View File

@ -0,0 +1,25 @@
env:
secrets:
data:
SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-22T12:32:43Z"
mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

57
values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml Normal file
View File

@ -0,0 +1,57 @@
shortcuts:
hostname: tandoor.badhouseplants.net
ext-database:
enabled: true
name: tandoor-postgres17
instance: postgres17
credentials:
POSTGRES_HOST: "{{ .Hostname }}"
POSTGRES_PORT: "{{ .Port }}"
workload:
kind: Deployment
strategy:
type: RollingUpdate
containers:
tandoor:
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
envFrom:
- main
- secrets
- secretRef:
name: tandoor-postgres17-creds
extraVolumes:
common:
path: /opt/recipes
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 10
failureThreshold: 30
periodSeconds: 10
ingress:
main:
class: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
extraVolumes:
common:
emptyDir: {}
env:
main:
enabled: true
sensitive: false
data:
DB_ENGINE: django.db.backends.postgresql
SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
REMOTE_USER_AUTH: 1
SOCIAL_DEFAULT_ACCESS: 1
SOCIAL_DEFAULT_GROUP: guest

50
values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml Normal file
View File

@ -0,0 +1,50 @@
gitea:
admin:
username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
config:
storage:
MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
mailer:
PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
database:
PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
session:
PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
cache:
HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
queue:
CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
oauth:
- name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
- name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-25T19:15:08Z"
mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

176
values/badhouseplants/org-badhouseplants/app-gitea/values.yaml Normal file
View File

@ -0,0 +1,176 @@
# ------------------------------------------
# -- Kubernetes related values
# ------------------------------------------
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
hosts:
- host: gitea.badhouseplants.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea.badhouseplants.net
hosts:
- gitea.badhouseplants.net
replicaCount: 1
clusterDomain: cluster.local
resources:
limits:
memory: 1024Mi
cpu: 1
requests:
cpu: 1
memory: 1024Mi
persistence:
enabled: true
size: 15Gi
accessModes:
- ReadWriteOnce
# ------------------------------------------
# -- Main Gitea settings
# ------------------------------------------
gitea:
metrics:
enabled: true
serviceMonitor:
# -- TODO(@allanger): Enable it once prometheus is configured
enabled: false
config:
database:
DB_TYPE: postgres
HOST: postgres17-postgresql.databases.svc.cluster.local
NAME: org-badhouseplants-app-gitea
USER: org-badhouseplants-app-gitea
APP_NAME: Bad Houseplants Gitea
ui:
meta:
AUTHOR: Bad Houseplants
DESCRIPTION: '...by allanger'
repository:
DEFAULT_BRANCH: main
MAX_CREATION_LIMIT: 0
DISABLED_REPO_UNITS: repo.wiki
service:
DISABLE_REGISTRATION: true
server:
DOMAIN: gitea.badhouseplants.net
ROOT_URL: https://gitea.badhouseplants.net
LFS_START_SERVER: true
LANDING_PAGE: explore
START_SSH_SERVER: true
storage:
STORAGE_TYPE: minio
MINIO_ENDPOINT: "s3.badhouseplants.net:443"
MINIO_ACCESS_KEY_ID: gitea
MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1
MINIO_USE_SSL: true
admin:
DISABLE_REGULAR_ORG_CREATION: true
packages:
ENABLED: true
cron:
enabled: true
attachment:
MAX_SIZE: 100
actions:
ENABLED: true
oauth2_client:
REGISTER_EMAIL_CONFIRM: false
ENABLE_AUTO_REGISTRATION: true
session:
PROVIDER: redis
cache:
ENABLED: true
ADAPTER: redis
queue:
TYPE: redis
mailer:
ENABLED: true
FROM: bot@badhouseplants.net
PROTOCOL: smtp+startls
SMTP_ADDR: stalwart.badhouseplants.net
SMTP_PORT: 587
USER: bot
indexer:
REPO_INDEXER_ENABLED: true
REPO_INDEXER_PATH: indexers/repos.bleve
MAX_FILE_SIZE: 1048576
REPO_INDEXER_EXCLUDE: resources/bin/**
picture:
ENABLE_FEDERATED_AVATAR: false
service:
ssh:
type: ClusterIP
port: 22
clusterIP:
extraDeploy:
- |-
apiVersion: kinda.rocks/v1beta1
kind: Database
metadata:
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
name: {{ include "gitea.fullname" $ }}
spec:
backup:
cron: 0 0 * * *
enable: false
credentials:
templates:
- name: CONNECTION_STRING
secret: true
template: {{` '{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{.Port }}/{{ .Database }}' `}}
deletionProtected: true
instance: postgres17
postgres: {}
secretName: {{ include "gitea.fullname" $ }}-db-creds
- |-
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ include "gitea.fullname" $ }}-ssh
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: {{ include "gitea.fullname" $ }}-ssh
nativeLB: true
port: 22
# ------------------------------------------
# -- Disabled dependencies
# ------------------------------------------
postgresql-ha:
enabled: false
redis-cluster:
enabled: false
# extraDeploy:
# - |
# {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
# apiVersion: traefik.io/v1alpha1
# kind: IngressRouteTCP
# metadata:
# name: {{ include "gitea.fullname" . }}-ssh
# spec:
# entryPoints:
# - ssh
# routes:
# - match: HostSNI('*')
# services:
# - name: "{{ include "gitea.fullname" . }}-ssh"
# port: 22
# nativeLB: true
# {{- end }}

28
values/badhouseplants/org-badhouseplants/app-navidrome-private/secrets.yaml Normal file
View File

@ -0,0 +1,28 @@
files:
rclone-config:
enabled: ENC[AES256_GCM,data:3y4DCg==,iv:n+Pfj4j405WR17aY7RbF6lpOQ58ZQmWrH6dgUTQ0jX4=,tag:xbKEnPnASJTl27ch1Hi00g==,type:bool]
sensitive: ENC[AES256_GCM,data:DGby8Q==,iv:nibU4CkdcYlT1F7OkgqE1apUuyJA5M9Vj5x40F9zt3w=,tag:oW+jPP7F1vWY5gf0JyrPdw==,type:bool]
remove: []
entries:
rclone.conf:
data: ENC[AES256_GCM,data:m4K3yt7no9mnUOzn/iGtaKqBrDXoLCgxEWV8NacXlOvh7c5ngmTmwoxzTaNxbsCQA7dECYb0dFtPvhF33AqgpcbRnqGrK54v8V+NaldQrgT2up4iQfdYA+sh+yNG3QAXU7eOEBvyFctJ+9dEaBII1sF/xFSkcTwrWkQFTQKLDdNIYU9a8ttEysz0cBWWXL3h9Y7C/mBjPdWIhpaf6Z63hy5P0hnYFftZsVM=,iv:qBBk9xMlZl3FriY2oYk4DQB1EKTsl7/qUj4s8naVvts=,tag:tDUKvK8ZuIxVeJjyUUqeXQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxalE3bUtCWmFVejBJMlZq
dUg0U0R2VytsZHZ5QlQ4UGdrRmdsWGhWbEI4Clk1WEZ4U1lEdTJoRVBTbEFXaE1O
TW1wb0dycS9HeWdQcUx3KzJKb2kwTVUKLS0tIDU1bE9JWnp3Q3U4V0pVOGs4Z3Rq
Q1VsM3orOUZmS3lDaFpNN2g0cnllVWMKqZlPfiIFKn8h56gspbbUhpv9RkL5gF73
NzqtFJJwQOGaD3lk2ocaLLkvywJ/DKNf7JupTWlmggHijId4hmpytw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-20T15:04:15Z"
mac: ENC[AES256_GCM,data:XRmw86oJLHXMAY/SPv6ptQLV1Eocbig6CQSG1SdOO9scMpfgD3tMY43z5aB16DkW+6AG1ti+TS4JRgXKLaSsAmORqRN0yTwGEktiLs0GxhtDvMYwnclj/Cx76WbZyMkgVzCHe7ZsAI+9DrejSFYbB/CzA+8yq1KmMf/L5NWcv7o=,iv:AcYK48ywr2pzNw/HEY5hWOcjdnmnG2/eWp+r/o15Lbk=,tag:HLKLFYFV+7SWUaFYiNUS3g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

49
values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml Normal file
View File

@ -0,0 +1,49 @@
shortcuts:
hostname: navidrome.badhouseplants.net
ingress:
main:
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
env:
main:
enabled: true
sensitive: false
remove: []
data:
ND_MUSICFOLDER: /app/music
ND_DATAFOLDER: /app/data
ND_LOGLEVEL: info
ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
files:
rclone-config:
enabled: true
sensitive: true
remove: []
entries:
rclone.conf:
data: |
[music-data]
type = s3
provider = Minio
endpoint = s3.badhouseplants.net
location_constraint = us-west-1
access_key_id = allanger
secret_access_key = fPN3Nv6yDWVnZ7V7eRZ
rclone-script:
enabled: true
sensitive: false
remove: []
entries:
rclone-script:
data: |
#!/usr/bin/sh
while true; do
rclone --config /app/rclone.conf sync -P music-data:/music /app/music
sleep 10
done

54
values/badhouseplants/org-badhouseplants/app-navidrome/values.yaml Normal file
View File

@ -0,0 +1,54 @@
middleware:
enabled: true
middlewares:
- name: navidromeauth
spec:
headers:
customRequestHeaders:
Remote-User: "guest"
shortcuts:
hostname: music.badhouseplants.net
ingress:
main:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: org-badhouseplants-navidromeauth@kubernetescrd
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
env:
main:
enabled: true
sensitive: false
remove: []
data:
ND_MUSICFOLDER: /app/music
ND_DATAFOLDER: /app/data
ND_LOGLEVEL: info
ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
ND_REVERSEPROXYUSERHEADER: "Remote-User"
ND_REVERSEPROXYWHITELIST: "0.0.0.0/0"
ND_LASTFM_ENABLED: false
ND_LISTENBRAINZ_ENABLED: false
ND_ENABLEUSEREDITING: false
ND_ENABLEFAVOURITES: false
ND_ENABLESTARRATING: false
ND_ENABLEEXTERNALSERVICES: false
ND_ENABLESHARING: true
files:
rclone-config:
enabled: true
sensitive: false
remove: []
entries:
rclone.conf:
data: |
[music-data]
type = s3
provider = Minio
endpoint = s3.badhouseplants.net
location_constraint = us-west-1

4
values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml
View File

@ -2,8 +2,8 @@ shortcuts:
hostname: tandoor.badhouseplants.net hostname: tandoor.badhouseplants.net
ext-database: ext-database:
enabled: true enabled: true
name: tandoor-postgres16 name: tandoor-postgres17
instance: postgres16 instance: postgres17
credentials: credentials:
POSTGRES_HOST: "{{ .Hostname }}" POSTGRES_HOST: "{{ .Hostname }}"
POSTGRES_PORT: "{{ .Port }}" POSTGRES_PORT: "{{ .Port }}"

0
values/badhouseplants/secrets.external-dns.yaml → values/badhouseplants/platform/external-dns/secrets.yaml
View File

0
values/badhouseplants/values.external-dns.yaml → values/badhouseplants/platform/external-dns/values.yaml
View File

0
values/badhouseplants/secrets.minio.yaml → values/badhouseplants/platform/minio/secrets.yaml
View File

2
values/badhouseplants/values.minio.yaml → values/badhouseplants/platform/minio/values.yaml
View File

@ -56,7 +56,7 @@ consoleService:
port: '9001' port: '9001'
resources: resources:
requests: requests:
memory: 2Gi memory: 1Gi
buckets: buckets:
- name: badhouseplants-net - name: badhouseplants-net
policy: download policy: download

0
values/badhouseplants/values.uptime-kuma.yaml → values/badhouseplants/platform/uptime-kuma/values.yaml
View File

22
values/badhouseplants/registry/cluster-mirror/secrets.yaml Normal file
View File

@ -0,0 +1,22 @@
authHeader: ENC[AES256_GCM,data:BWmu4bpFjlIDStIcWfpsgbm1hfxlvZAK9LabhXuAdArJzflc4VA+Dy5fJRAMu9Mv,iv:+rwtfnjJCZKPmdcUkTfklq19uSgavOKaySK/O/xd2PE=,tag:3yXa+0LbIqMDk6KLWAAN0Q==,type:str]
_mirror_password: ENC[AES256_GCM,data:0aa6fqR3+0ZY5KhRKJa0SKBcBnF/KizHXTIm2NQB,iv:DUB8ItYbT+K31XLbWzi5909RPVn9DG9HRDU120VxbdY=,tag:DniRwku2rQX44ffMn4mU6Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ0U5L01iNFo5Y0t5SFo2
MXlwVDhQZ2R5QnVlUndmQ0x5L2ppU1h6aEVZCmhaUW1JY0RDMEM0T1JkZkk3TGVD
R0JjaEN0MGxVV1RIZUxkbjgzMTlTMmsKLS0tIFdDNW8xaWsxamFvUGRFaVZsVUV4
S3ZiYTJGOUFzZlNwSUZvNGtmSFNpczQK/npaHLqHSxMnCXNvDFw0eB9KfMJ7bWfV
ZuteeaXG+eZNX4l1ZY1pLNUv9kui4oXI8payp7sTZJI6WYZCQz6Oaw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-27T20:50:16Z"
mac: ENC[AES256_GCM,data:XtX4NUZ9PCdAFckdlygywFQ8vJRAszOjqPItr0MNRM0ndk/PkYYGzY0phMan7FgxY3Cz5XMJcv/MEogLedM+uH5vMbsOpRY49jpILMORL3Ni1tZFG5Px5NbfExGQmjFyefotRzCHlsUSTZEHlBIp4+FeBI41CgBbLw45rEoneL8=,iv:Ilk7TXqKSSV5WYnptLRaOk/lwwHHLesbSslOCarlVEA=,tag:vWXe+r3tHXoMtWYeJN9T0g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

56
values/badhouseplants/secrets.gitea.yaml
View File

@ -1,33 +1,33 @@
gitea: gitea:
admin: admin:
username: ENC[AES256_GCM,data:1yKnMnzbHno=,iv:AWqprQPRloJhZEtyhF8+5dgxyHXtK+2HLxHa+gU+Aw0=,tag:Irk65xjOWgFBfPUJGVcQcg==,type:str] username: ENC[AES256_GCM,data:u1KcCwDNplU=,iv:s9mWKPTz+8rFKS2RmFPxCGOIPXFHLvLX3v0t+DemDEU=,tag:MmGR2LqDmHw10uJdPe/tSw==,type:str]
password: ENC[AES256_GCM,data:8hbWwHlNyxzNe6PCYJ2w5b8oUi0=,iv:GtkHDZFUzk9rVh7ASmk+Qb/litPD5QX38hWLR24pgSU=,tag:bmdNTBDt2Mrxp1cVXmJwcQ==,type:str] password: ENC[AES256_GCM,data:mBhL52UJwOwWpRGRfc5WNAvYwHo=,iv:hGt1kGA2miwzMidwD0AT62oXs1CAwAFpKk3XltqsCz8=,tag:bfhsQxef8cKEes1JkTQw/w==,type:str]
config: config:
storage: storage:
MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:tLHwP5ZsoxKnaG38hNNXvXoy4PTuxlUT3w==,iv:bR0eL0MHOdT3CnsQrjdlEfwCEye41/ts/vsQf3ju1cU=,tag:XxpkrS88muDolMcB0r9rWg==,type:str] MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:5VjeSHLIDvZB/VE7OJ1eqWOnT5NU64om0g==,iv:OFK7MYlb9QfV4ZHIECa3vHG9pBp1TCGSqqUJX3D7uGE=,tag:Ibmihyp3TXarFtr/tDtEEQ==,type:str]
mailer: mailer:
PASSWD: ENC[AES256_GCM,data:tw+vJSoedon/a3VhXkcpupumdbBnyMbSzQ==,iv:xoxIm855BhNsNfq+5L33yIDFKx8igNuEV71IDt0WNzQ=,tag:i9FJe0x4PqaMb/SBN0yXCg==,type:str] PASSWD: ENC[AES256_GCM,data:lIv1/BEEkouDVqNy4u+u7WCY4zz3ow7fWg==,iv:we77bHyHyAYCMxFGG13sE/M+5Tv2VeYfrg9bsa3leec=,tag:TOltFQbhrXMJW5w5x27YjQ==,type:str]
database: database:
PASSWD: ENC[AES256_GCM,data:pB7YPucwcXwD9fzJsckZshz7ZLM=,iv:23k90tX465WltrQwSyx8Hixe2hnya/dx6aIvr3ti1wA=,tag:NvgN1g181yCBu5Mf7uYmGQ==,type:str] PASSWD: ENC[AES256_GCM,data:a3AV8QMYOxlWiU7G1DRCaOSdHKA=,iv:3ZCwEMo3/3rmGJXgDr/Pw+rNQBU14rUKQ7330otX1qQ=,tag:KjwexsLkYaHsTdXoHwXBJA==,type:str]
session: session:
PROVIDER_CONFIG: ENC[AES256_GCM,data:Ipcta9fyfGCygYqpisgiy0rCckP5Ma5bNs2ClFNn0lnm1LQOJDdDLiQDr5u9L/WG6Bs2WhHbeSrdjxyZdCKv9pd1CfmB7S9eNcp2w+4hhofwUVcKW89rj9HYEHSLuY8C4Y5KbJKKl6PkY/JmTzyVSpSMDHYadf3j,iv:YsMR3zwZODENuy+WvKy8AdByKTuI7ng0hf1AJT+CMQk=,tag:9hOo08OLybdNgr7wvRPvyw==,type:str] PROVIDER_CONFIG: ENC[AES256_GCM,data:nPtmi3wG3+wVkyb+IV832he9rUo2TRRx6cTqvGdVSIZMfcfUvS4rmSH7CQ28OYK6f+WEKs8PkjfrBzEP1mPFHC5eRQfg4ryaqM7eWmHaJipcg4h2nzH9ii6FXyYtmm2zFsTnodOJryEo0T/nMaGhEt7+eylCL+L4,iv:8UFjsAEtMjMqyC9Ib3ipoqpshFrsdE9d3dg7Cewv7dU=,tag:gGVNGk66/Kr/dZ6B3wbD4A==,type:str]
cache: cache:
HOST: ENC[AES256_GCM,data:K0FpmrMo1TlUnHHHRKcKVQ8NYeOr+YEeQjajEIM1x5XPjkxYUmywyVL8f5qNLkvotAtD941Rw9CQ7NRof0NketkYyC8gJsndfznGPjhfqH5a0MUWDu9tAfGUzWGzXxC0uq4Ne1eRhu4SjZljZybqk5qQR00Zc/qX,iv:izMvr/kdes3+Gl1a6URnWyQ5TwYqTDMOBskHxPZZpgo=,tag:MWdLA5PV/+bEPWgXHw9OQA==,type:str] HOST: ENC[AES256_GCM,data:tXEIBKqGyeuAc/adO6DjcyAAGgcIuwxJ8T0Zsi1xMy3I3gXbzeTG6XwyAesiUoHifoYTpn3wWbf+pIh8KtGFXb58UcEOgHmnADPWALiXKFoZmvtHDL+JEjOjd0tyoskJNf4Oi4BckJDnfpYuMqJW9qcQbsxlB1My,iv:kJ7XRqvUVEGUC9aAPYO+1oZA3QPc/SE9apaeTgLf3wA=,tag:525IBTPiuZIkAxAIiRE35w==,type:str]
queue: queue:
CONN_STR: ENC[AES256_GCM,data:MsKkRcKpCGmvcL2lP5N+WuCNGp68gPw5HCpvCjEbYPoJcl5j6mAV5bBGqmiaIpvRbBu1EL1riHMmFD55efSJ6XueOXPG997iwE7KISdPjAWA92ZFe/zFzSW5EfBz3BvgsxzkMk3gR2usid0BvKXLPztLSvAYOR1l,iv:S4BunQMCS33JZUL8x4dRSbMtKQoI0f3Iw9IQ663hqfw=,tag:G7Xpp4d0VKzHRb0ju+F+WA==,type:str] CONN_STR: ENC[AES256_GCM,data:Z1+u7JAcgNXkrO80YC2bMDk5VMyTFRAxDPc75ZPKbaD5+nsWQusvnHTS68rAu/WT21xAFpny7geERIOEZIewpucNoCTlqHVfJu/tsl40qMoBfjEWuwfaRM+AlNaXm5USTXkk+alQ3eJ2KIIhfhY1cd1yohRoKvAd,iv:bmLkzWqR8SwHLgWG6SWdeNr1w0fcZP8qNRlhfQfvJqs=,tag:QY5A8YGy0+3BnWSLBcsK5w==,type:str]
oauth: oauth:
- name: ENC[AES256_GCM,data:ruqXMi7A,iv:hzOf08m5WO/0ZLrsDdco2RuWquiR9n5hwZqcug7Gx1E=,tag:hwumITH28nq0z5i4Z4FvcQ==,type:str] - name: ENC[AES256_GCM,data:7KhuIzC/,iv:nn4bNQ1/tBiqjnQxcyocZd0h/54mH+LlRtiAjWuPCOc=,tag:e+55SHN49Q6NzT7KSsh52A==,type:str]
provider: ENC[AES256_GCM,data:Sx2HqTQ/,iv:DDhq7jVZdgD5MAFFeSt6KdsC0FSrpQWA+gu9gOg6Iwo=,tag:kOnrbDlwGLMrgKsF8hTGdA==,type:str] provider: ENC[AES256_GCM,data:+TrDQq3Z,iv:AAwjnHG40IKAkSPO5gzwEC745NH+Y5BgZIiJJ5Z2+AE=,tag:DENE8aAHAG9DZhkPmZWYVQ==,type:str]
key: ENC[AES256_GCM,data:itycutnIMsO2lb8M5UysL72Iq9k=,iv:E1b1zBGfew3bf72OxLoKQoosgPDqy8my1JMWvwBGpcE=,tag:iJGrMKbrqTD5NHYWvFxqxQ==,type:str] key: ENC[AES256_GCM,data:uOY9iM/dAkhGbWSsUbmN5rnbqUY=,iv:BQ3KjcHN1jJG28RkjjhsTgWm+lHmHzYS4/P4Vlp89hs=,tag:HY3fZysu7sCdyoR0TuRd6A==,type:str]
secret: ENC[AES256_GCM,data:mOpFm2yKl1aBu3TcJkO/Gm69XQh36le4ohsueq9t58cIHDucrksBmA==,iv:zW3zde+XcD3wmJcOKZ0lrPCBA2OPHoF+8/T+6PJpP5w=,tag:27ssfjvp2oX9yglNJLalFQ==,type:str] secret: ENC[AES256_GCM,data:5s12mFDJJLPRg/IsypTx/BpvobX0hluTSddTaCQ0SgYjt4lthZDGGg==,iv:ojiXiVQ7BFUNO2ukAK0ygUTu6KVDKu8AMVmHfBw8Ii0=,tag:0zcD8iNT8iutij1C+Hk7Hg==,type:str]
- name: ENC[AES256_GCM,data:8LPw6LKoUcMf,iv:/jNSUD9jcGxghxexh5063Le+t+xAbirHlc/1oG3JCq0=,tag:OA1LpeMNRi+Pkhr4cdseAw==,type:str] - name: ENC[AES256_GCM,data:S/RV60Bc3/lH,iv:xIG+UJnmkEvuo2mgu904Hdn18BhsOCtWVl/eL6ybcZs=,tag:nFKPEisO3U3hPJZASrytiw==,type:str]
provider: ENC[AES256_GCM,data:aqLm3vOS5b+cDBjnaA==,iv:/3teGaszsJEo9ya1Uy51xAxPC4zyMO08qm1Ag6sFb2A=,tag:iByKJjRGQcEiT8Zoe4cRnA==,type:str] provider: ENC[AES256_GCM,data:eZOq2jNeqLM7BzePXA==,iv:vHhMOtF/mqUorcKSe2djtWKcyc5F2c+udWclcOkxK/A=,tag:6yKwQj/9oDDIdHcRtIgW3A==,type:str]
skip_local_2fa: ENC[AES256_GCM,data:YZMe+A==,iv:VE8i+fA/xbv4Ii6vDjsclbuzHp9lva+jOBIYE0vsKNA=,tag:OXAZnoa/zISVBmhaojVB+w==,type:str] skip_local_2fa: ENC[AES256_GCM,data:B8ObUg==,iv:mmfGkA+8HK6H3DS+Hl5Hz3s/pwGBoYcXQfJiPiBKYFs=,tag:ErmgC/mcQZJ5sI5eEtLHzg==,type:str]
key: ENC[AES256_GCM,data:6mbjR2k=,iv:8zRBVFyF7XyTA96yfaWX8NtOC2f2abbyv7qUzizB+dc=,tag:BeBR+bijZFHepscsXJkoNw==,type:str] key: ENC[AES256_GCM,data:+w1/goQ=,iv:cIOxkdP38IaiNZ3dig5xo2kYrXdAwqerojCXcBifYds=,tag:5/+QimbfqpfnaFgFT3gfLg==,type:str]
secret: ENC[AES256_GCM,data:vM4LI6MFwF9co+qCzZwl+q7pKDtIiMj7jMwckleijtVOgnfafrMTKZsA4LbeKICm1p3kuj1qmdRzDgyCzGyCejwMwsd8Yze4gMKZb6wfnhOhaj11Yby40+xHHb8ogCzPfAH7TkOi+99Y2yMpfiw2i5UZvQK1oTjZLzMfJ0fK15k=,iv:F01nIJjOiZCueOaIa1p//ND4XA1wvNow9Crq73nHUVQ=,tag:KifiHsOa49Iah4SW28YMVA==,type:str] secret: ENC[AES256_GCM,data:Rg4rEk9j8zZcUCWbm6xmuEbRb107f5HaU8ClbUkXWKnnERkN91QYtSNlAEWfHBk30xmBObm/O2LlypYJWT5wO7LNw4G6q9yv5JaIc7vS1pjicDi2QNxAW89euELdlthFa2fXj4lNlKLgQr8TbC5wpX0oysC261MM9kgjLuTQnw8=,iv:ft8IMPIu2JuzeWdM53qN5kJQQR5Oq9d2yyNbAQdtdY4=,tag:cBMEqmoP3KAuOhuX364hew==,type:str]
autoDiscoverUrl: ENC[AES256_GCM,data:k1O5weiok0ybMfEwDfEaXu76AvUmgRHz3vGy5bShvdGxf/SQZVJJv0XntF9ifbfhYRKzJCt1BpVGkXQnHhMWntkolLUsv/r6OKZPjpwOtEozhI95fcjax1Y=,iv:2LFUB07dWs2tcCSibhoiJ8w3NoPMrpfEhAqb28TbdxY=,tag:iJtqPNf8nsjMVzF2Du+DVw==,type:str] autoDiscoverUrl: ENC[AES256_GCM,data:IlykewahSerO46QAqJrvryzHkZONrEDHYBgwq9Nkg1pja9X1l3YaMbsg9DYWUkod/ZlzrGUA8Qyi58WW07chkFDPvy/Cfbp7GZSosr9ZVv7LI7TlpZHxeaA=,iv:rp05dCHRMnysz98G3EbKBZWsBzHrGzSuC6FCr/S8evw=,tag:6UtCbpVoWLbv5W/cB1+qBg==,type:str]
iconUrl: ENC[AES256_GCM,data:Jr8Ej4zfe319HX4ruXrDSB5ZuuEfbuvEeIVHt13E7xx3NvPF9qrOZip40hmAR7dc1nW5m6aX6GxP5gbonr90wZRCf8HA9A==,iv:ykfp9vlCZnjR+7H9NTokW8AOr0EHEq6vkwWDSMYiU5Q=,tag:MbX/8yRj6XwBgU+MbylAKg==,type:str] iconUrl: ENC[AES256_GCM,data:Tp16796JFzlYfOSfI+ld+Lf7hCeS74ZDz0kA/I9P3v6G+3LQAUGOtfFTzx5mTsfpP1eQN4HgD2uU3lfLhSozril1qq3AZA==,iv:dQSq+IiRcepUZqLipRr6DOHH7Hg6h45gnr9LH9dWYdU=,tag:zeq3tVobXsOasCkIAw/riw==,type:str]
scopes: ENC[AES256_GCM,data:Lr+kdYTfCVQE25ZGeA==,iv:O6OYdDg/PGj0p2A9vjxPaDBRtUctS1j4TO/5V1gSQ88=,tag:tlDUKeGRIL3Rqep/mpdRZQ==,type:str] scopes: ENC[AES256_GCM,data:3qwG8sYZER/p9GgnuA==,iv:hvJvc1pwUgeatq9R8GBde1EQDJunwZBl+cmsqJr1PBY=,tag:ov+WHCFaNaA40PPvOzVPqQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -37,14 +37,14 @@ sops:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2V1RNMmlZaDJDMzBXekF1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ0IxQnpLSmJjTm1jTkI4
YmdlYjNBTEhaYU5YYTZ6U1pHckl5YVZ4WVV3Cml5RzkyeHVCV3FlbEpoanlZOWk4 NkhuMUN3RVp0TEFSNHhtTkFvWDFaUXVpUlIwCkxWbkxnQkY2R3g0cUY5VG1Kb251
RlVoL1VISDEzODRaYUs0N3JldXE4Q28KLS0tIDdqK3IxcHpQdWJoNHR4VCt4MVNm VUhYZlNCWC82Z0h3SHpaSnVST2h0WTAKLS0tIHJWR2FuT1ArRFhMWnV4cW9EcnZw
M25EVzZsS21OajdEKytoc2VBYm5SMU0K1wvfQOqBbAPyh1SxiONFSFO+a591HG/2 UHpBeWgyN21CUThydi9XdFc2V2c0TTQK38CQDRnFpUmWjyvDGGQ3vQxhBvy2Xva+
DJvP643yXIWBOiNTxjbQDygYmxwk9GbFmGlVf0pQoUEuH9D4SgCwJA== SCd8sJZc/bnVDOEidvV9oxJz4y0nj6RvgzcsU+M99YBJcuV12xPqag==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-14T08:08:22Z" lastmodified: "2025-03-26T11:56:44Z"
mac: ENC[AES256_GCM,data:Mel9AWdHERKt5xsDI7KmgINBCMAsfYrs/jgwQol+UVuiFXU73tAFeUqOZRDFwuzKBfxQExv8etBlgV8Q6Pdg0VojBLLz75BYZdqz5RD1VnllJ7y5/jCwCTyTbWxYQZpgj8dle0KA2NxoMraLIQY+gnvunqlAcIJgPZG9KY1UB3w=,iv:Nozpe5X8kwSrb2sturuCQBA8XhEQSI5nLRzBuCDFfz0=,tag:8kVcjwLDNTBmvDRPj2ELyQ==,type:str] mac: ENC[AES256_GCM,data:cc0H+6P0uTl5kpMR0B9o5BP8l1KHjLHdMetPlmNEVQo3NCzm+0SBjGYOqNhr0EG2Gd6RKdsAADrZAwyH+pXA2pmNVdIehDBu4Xncwi8nrUY3gm3jBIG/01H5VLqtZCoLfbqQ4ANHrGhn7JE5bwrXbbmD4t/7E2i7qHLukPj4S8w=,iv:3+llbgLRU2tMr+S2nvyA8hGfCnnWnqprGSW9H3VSCH0=,tag:gzMc8wSjZfa4h0eN3V5Ylw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.4

24
values/badhouseplants/secrets.redis.yaml
View File

@ -1,9 +1,9 @@
global: global:
redis: redis:
#ENC[AES256_GCM,data:d/vtscwAkAPFyRz6Ap29M/oZGEcX3POnzAd6GCkHIiTLFinXzOAn/ruMSiMsnL9lJxj50foVeLIXnmtFDGxUPsxNU9jePD037t6vbtja,iv:ALXE7IPi2d79rOpBMwlfi9IPtcvfoSAxsDHwiVItk8U=,tag:cMoKK0zkagLc3uC8Ry5hBw==,type:comment] #ENC[AES256_GCM,data:INOZ17f72Qf6D+drbcvmnZRBRIeXLSAV9RmfOLZFp45qt8GWSHMnevqq9ge4Zlydtsd3BDek/JLUNl6YHPPq9qM1EFujY2htbOHyf0Cn,iv:zZDMizNKFllCyNH/bUF+vuB9YOikjo3q5ebzu3LYvCc=,tag:H0XX/D9xh0HS0Xnqgs/aag==,type:comment]
#ENC[AES256_GCM,data:XQ6nK+hlKfFOBDye9a2a,iv:ptA0TWsjVjOQGOCe8leC7ZjRX8gSnbjb94NWZMccxSs=,tag:9vw4k4N1wI/C7jf7ZPxi7w==,type:comment] #ENC[AES256_GCM,data:JiLOpJanuZnMpN5dMvw2,iv:YEVZSdRHez1lCb61hWLvalLq8F67l7KF0WXmmuj9bck=,tag:KnpfgwUYBQLZsj4Jk13RtQ==,type:comment]
#ENC[AES256_GCM,data:eTsTA07O2Y/468A=,iv:ZWOZO3GAYbU/Bq5ejdzDUsrYpkfwNtK23zH+XS5PUsk=,tag:KL1Z0a+BxBW4Y+aeJb78lA==,type:comment] #ENC[AES256_GCM,data:mzDGjHlXUunu1yA=,iv:LOOU/QGaHKeDrssbk1haYd0lPclbFak9GygEbbN0gFs=,tag:4cUubeiY6aJj5KVKVkdFUA==,type:comment]
password: ENC[AES256_GCM,data:kFbVUyKL0B9GhOapmqOS/FyTaXZEGUmSFFLxYIzX,iv:sLue4AmkT12DoPrWH3VxpvXFBHYhYRUTWcNoC+ojhGY=,tag:ikQsyximPvONoANv/61GXA==,type:str] password: ENC[AES256_GCM,data:kN93kIMiVTGWbaYgMC1n1MWqdl8s3cbZS5vvYTa2,iv:Qy+GQchC6s2PoarPWtquipF9gAVYZR6mn0GeHABRogE=,tag:V/xbfm9u51UUG+we/3nNLQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -13,14 +13,14 @@ sops:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORUEvSlFCTzh4N2NGVkhO YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHRuN1J1ODYvc0Z3OW5H
SlJXQlNvYjdCQmVjQWVpZ2YyUjlmWkZrWVdVCk1FK1VjVmpCWEVScVo0YldZQWxE NFhVM0dWWGZETU0vTzVkeUk1NFVWc2FSaGprCm5NalJKUWxtLzA5VTU3YjR5VWtx
L2I1RnNsVWJGRll5MXNjam1zMzU5OWcKLS0tIFI0eUFEYTdyWkFEb0xQeTBaZi9J NExtbTZZZUZteVBTYnNWTVZvbnF5VFUKLS0tIEpBTDhPbkVLVytaY29aUktmZGF2
aUJ0Umg5T1BFN1lEbThJTXErUkxKaGsK1Vvk45dshvEGF3OZfrLJPabHgvWFT8ps bnVKWmI4RWpLaGU5WTIwblJRcDFDMlUK2BHkUNbpRMo0jm2Sk+Qcf4giufJtaJyM
f7Ygd+3XhZUBUBi50Em/xzmKQXL0I0Ps9JetSbQ/Amlmp9gU8VqRGw== xuoG41AqGs4+KEDS8/rF9HK7z+2Wk9H5b8L+/W0n+J5EPOvwvFePTA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-14T08:08:22Z" lastmodified: "2025-03-26T12:23:02Z"
mac: ENC[AES256_GCM,data:9dykGJs5NFjahNZ+4orzMh2u7UBRHMVCv5J9QxRqAzE2aT556W6bZoV9n0V5b7Z6jhVGHFxA4do9RoFT2lq7aMVpQ4nl4iSXuavPiuoBeq8aIwykpCF0cs5dHxQP7R5US2A8rzsSScIBbB2i1LhRtpiVVGmekVp1YSZJWcNhMNk=,iv:tWf4DjEcAff4LupkpFiR/Ss3iYBqtvcQGW/xAeCDIvw=,tag:nbWpyxzNKKrbo8HjMBbeMg==,type:str] mac: ENC[AES256_GCM,data:xrA6hCFIH/R/j/V1T60xx5Eix5Z5ETREQP4zYriLkZQ4hEzL2WdJFExK1VXSfX4KmIR8215XHmHnWu70eIoAnFUaozBosIFtJz0YNrNNok6MeDGD5fy5mcBQfCqLw+rwbW/uxY7DQrchgVT9iFAkpRSoVPUzn6ku/xCmTmSlv3E=,iv:lNLR5QHKPUWb1Mz8mIFCHnjpuQVF7ttNTOy9+jEzLyo=,tag:G4iZ/9nWKh97JLGOxbgSQg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.4

22
values/badhouseplants/secrets.zot-mirror.yaml Normal file
View File

@ -0,0 +1,22 @@
authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str]
_mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv
Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2
bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa
ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh
Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-26T21:04:45Z"
mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

21
values/badhouseplants/secrets.zot.yaml
View File

File diff suppressed because one or more lines are too long

1
values/badhouseplants/values.gitea.yaml
View File

@ -128,6 +128,7 @@ service:
type: ClusterIP type: ClusterIP
port: 22 port: 22
clusterIP: clusterIP:
# ------------------------------------------ # ------------------------------------------
# -- Disabled dependencies # -- Disabled dependencies
# ------------------------------------------ # ------------------------------------------

13
values/badhouseplants/values.istiod.yaml
View File

@ -1,13 +0,0 @@
pilot:
resources:
requests:
cpu: 50m
memory: 2048Mi
global:
proxy:
resources:
requests:
cpu: 20m
memory: 128Mi
limits:
memory: 128Mi

18
values/badhouseplants/values.memos.yaml
View File

@ -2,19 +2,27 @@ shortcuts:
hostname: notes.badhouseplants.net hostname: notes.badhouseplants.net
ext-database: ext-database:
enabled: true enabled: true
name: memos-postgres16 name: memos-postgres17
instance: postgres16 instance: postgres17
credentials: credentials:
MEMOS_DRIVER: postgres MEMOS_DRIVER: postgres
MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable" MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
base:
workload: workload:
containers: containers:
memos: memos:
envFrom: envFrom:
- main main: {}
raw:
- secretRef: - secretRef:
name: memos-postgres16-creds name: memos-postgres16-creds
storage:
data:
metadata:
annotations:
volume.kubernetes.io/selected-node: bordeaux
storageClassName: openebs-hostpath
ingress: ingress:
main: main:
annotations: annotations:

6
values/badhouseplants/values.woodpecker-ci.yaml
View File

@ -4,8 +4,8 @@
# ------------------------------------------ # ------------------------------------------
ext-database: ext-database:
enabled: true enabled: true
name: woodpecker-postgres16 name: woodpecker-postgres17
instance: postgres16 instance: postgres17
credentials: credentials:
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable" WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
server: server:
@ -41,7 +41,7 @@ server:
WOODPECKER_ESCALATE: true WOODPECKER_ESCALATE: true
WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines
extraSecretNamesForEnvFrom: extraSecretNamesForEnvFrom:
- woodpecker-postgres16-creds - woodpecker-postgres17-creds
agent: agent:
enabled: true enabled: true
extraSecretNamesForEnvFrom: [] extraSecretNamesForEnvFrom: []

160
values/badhouseplants/values.zot-mirror.yaml Normal file
View File

@ -0,0 +1,160 @@
image:
repository: ghcr.io/project-zot/zot
tag: v2.1.3-rc4
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
pathtype: Prefix
hosts:
- host: registry.badhouseplants.net
paths:
- path: /
tls:
- secretName: registry.badhouseplants.net
hosts:
- registry.badhouseplants.net
service:
type: ClusterIP
persistence: false
pvc:
create: true
lavels:
velero.io/exclude-from-backup: true
mountConfig: true
mountSecret: true
configFiles:
config.json: |-
{
"distSpecVersion": "1.1.1",
"storage": {
"dedupe": true,
"gc": true,
"rootDirectory": "/var/lib/registry",
"retention": {
"dryRun": false,
"delay": "24h",
"policies": [
{
"repositories": [
"**"
],
"deleteReferrers": false,
"deleteUntagged": true,
"keepTags": [
{
"mostRecentlyPulledCount": 2
}
]
}
]
}
},
"http": {
"address": "0.0.0.0",
"port": "5000",
"externalUrl": "https://registry.badhouseplants.net",
"auth": {
"htpasswd": {
"path": "/secret/htpasswd"
}
},
"accessControl": {
"metrics": {
"users": [
"admin"
]
},
"repositories": {
"**": {
"anonymousPolicy": [],
"policies": [
{
"users": [
"mirror_user",
"overlord"
],
"actions": [
"read",
"create",
"update",
"delete"
]
}
]
}
}
}
},
"log": {
"level": "info"
},
"extensions": {
"scrub": {
"enable": true
},
"metrics": {
"enable": true,
"prometheus": {
"path": "/metrics"
}
},
"mgmt": {
"enable": false
},
"sync": {
"enable": true,
"registries": [
{
"urls": [
"https://docker.io/library",
"https://docker.io"
],
"content": [
{
"prefix": "**",
"destination": "/dockerhub"
}
],
"onDemand": true,
"tlsVerify": true
},
{
"urls": [
"https://registry.k8s.io"
],
"content": [
{
"prefix": "**",
"destination": "/k8s"
}
],
"onDemand": true,
"tlsVerify": true
},
{
"urls": [
"https://quay.io"
],
"content": [
{
"prefix": "**",
"destination": "/quay"
}
],
"onDemand": true,
"tlsVerify": true
}
]
}
}
}
secretFiles:
htpasswd: |-
overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ.
mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi

1
values/badhouseplants/values.zot.yaml
View File

@ -1,5 +1,6 @@
image: image:
repository: ghcr.io/project-zot/zot repository: ghcr.io/project-zot/zot
tag: v2.1.3-rc4
ingress: ingress:
enabled: true enabled: true
className: traefik className: traefik

0
values/badhouseplants/secrets.velero.yaml → values/badhouseplants/velero/velero/secrets.yaml
View File

12
values/badhouseplants/values.velero.yaml → values/badhouseplants/velero/velero/values.yaml
View File

@ -1,10 +1,3 @@
initContainers:
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.11.0
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
configuration: configuration:
logLevel: error logLevel: error
repositoryMaintenanceJob: repositoryMaintenanceJob:
@ -17,7 +10,7 @@ configuration:
backupStorageLocation: backupStorageLocation:
- name: hetzner - name: hetzner
provider: aws provider: aws
plugin: velero/velero-plugin-for-aws:v1.11.0 plugin: velero/velero-plugin-for-aws:v1.11.1
bucket: badhouseplants-backups bucket: badhouseplants-backups
accessMode: ReadWrite accessMode: ReadWrite
credential: credential:
@ -31,7 +24,7 @@ configuration:
checksumAlgorithm: "" checksumAlgorithm: ""
- name: etersoft - name: etersoft
provider: aws provider: aws
plugin: velero/velero-plugin-for-aws:v1.11.0 plugin: velero/velero-plugin-for-aws:v1.11.1
bucket: velero bucket: velero
accessMode: ReadWrite accessMode: ReadWrite
credential: credential:
@ -73,6 +66,7 @@ schedules:
- games - games
- databases - databases
- org-badhouseplants - org-badhouseplants
- org-allanger
weekly: weekly:
disabled: false disabled: false
labels: labels:

3
values/common/istio-system/istio-base/values.yaml Normal file
View File

@ -0,0 +1,3 @@
global:
imagePullSecrets:
- regcred

16
values/common/istio-system/istiod/values.gotmpl Normal file
View File

@ -0,0 +1,16 @@
pilot:
resources:
requests:
cpu: 50m
memory: 256Mi
global:
hub: {{ .Values.registry }}/istio
imagePullSecrets:
- regcred
proxy:
resources:
requests:
cpu: 20m
memory: 54Mi
limits:
memory: 54Mi

19
values/common/kube-system/cert-manager/values.gotmpl Normal file
View File

@ -0,0 +1,19 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
global:
imagePullSecrets:
- name: regcred
image:
repository: {{ .Values.registry }}/jetstack/cert-manager-controller
cainjector:
image:
repository: {{ .Values.registry }}/jetstack/cert-manager-cainjector
webhook:
image:
repository: {{ .Values.registry }}/jetstack/cert-manager-webhook
acmesolver:
image:
repository: {{ .Values.registry }}/jetstack/cert-manager-acmesolver
startupapicheck:
image:
repository: {{ .Values.registry }}/jetstack/cert-manager-startupapicheck
{{- end }}

25
values/common/kube-system/cert-manager/values.yaml Normal file
View File

@ -0,0 +1,25 @@
crds:
enabled: true
resources:
requests:
cpu: 30m
memory: 100Mi
limits:
memory: 100Mi
cainjector:
resources:
requests:
cpu: 20m
memory: 150Mi
limits:
memory: 150Mi
webhook:
resources:
requests:
cpu: 50m
memory: 150Mi
limits:
memory: 150Mi

24
values/common/kube-system/cilium/values.gotmpl Normal file
View File

@ -0,0 +1,24 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
imagePullSecrets:
- name: regcred
image:
repository: {{ .Values.registry }}/cilium/cilium
useDigest: false
envoy:
image:
repository: {{ .Values.registry }}/cilium/cilium-envoy
useDigest: false
operator:
image:
repository: {{ .Values.registry }}/cilium/operator
useDigest: false
hubble:
tls:
auto:
method: certmanager
certValidityDuration: 14
certManagerIssuerRef:
group: cert-manager.io
kind: Issuer
name: selfsigned
{{- end }}

8
values/common/kube-system/cilium/values.yaml Normal file
View File

@ -0,0 +1,8 @@
operator:
replicas: 1
endpointRoutes:
enabled: true
ipam:
ciliumNodeUpdateRate: "15s"
operator:
clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"]

10
values/common/values.coredns.yaml → values/common/kube-system/coredns/values.gotmpl
View File

@ -1,12 +1,22 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
image:
repository: {{ .Values.registry }}/coredns/coredns
pullSecrets:
- name: regcred
{{- end }}
service: service:
clusterIP: 10.43.0.10 clusterIP: 10.43.0.10
replicaCount: 2 replicaCount: 2
resources: resources:
limits: limits:
cpu: 100m cpu: 100m
memory: 256Mi memory: 256Mi
requests: requests:
memory: 128Mi memory: 128Mi
servers: servers:
- zones: - zones:
- zone: . - zone: .

17
values/common/kube-system/issuer/values.yaml Normal file
View File

@ -0,0 +1,17 @@
clusterIssuers:
badhouseplants-issuer-http01:
spec:
acme:
email: allanger@badhouseplants.net
preferredChain: ""
privateKeySecretRef:
name: badhouseplants-http01-issuer-account-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
ingressClassName: traefik
issuers:
selfsigned:
spec:
selfSigned: {}

17
values/common/kube-system/local-path-provisioner/values.gotmpl Normal file
View File

@ -0,0 +1,17 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
image:
repository: {{ .Values.registry }}/rancher/local-path-provisioner
helperImage:
repository: {{ .Values.registry }}/library/busybox
imagePullSecrets:
- name: regcred
{{- end }}
storageClass:
create: true
defaultClass: true
defaultVolumeType: local
reclaimPolicy: Delete
volumeBindingMode: Immediate

1
values/common/kube-system/metallb-resources/values.gotmpl Normal file
View File

@ -0,0 +1 @@
addresses: "{{ .Values.main_ip }}-{{ .Values.main_ip }}"

15
values/common/kube-system/metallb/values.gotmpl Normal file
View File

@ -0,0 +1,15 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
imagePullSecrets:
- name: regcred
controller:
image:
repository: {{ .Values.registry }}/metallb/controller
speaker:
image:
repository: {{ .Values.registry }}/metallb/speaker
frr:
image:
repository: {{ .Values.registry }}/frrouting/frr
{{- end }}

19
values/common/values.metallb.yaml → values/common/kube-system/metallb/values.yaml
View File

@ -1,23 +1,22 @@
controller: controller:
enabled: true enabled: true
logLevel: warn logLevel: warn
image:
repository: quay.io/metallb/controller
tag:
pullPolicy:
strategy: strategy:
type: RollingUpdate type: RollingUpdate
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
# nobody # nobody
runAsUser: 65534 runAsUser: 65534
fsGroup: 65534 fsGroup: 65534
resources: resources:
requests: requests:
cpu: 20m cpu: 20m
memory: 100Mi memory: 150Mi
limits: limits:
memory: 100Mi memory: 150Mi
livenessProbe: livenessProbe:
enabled: true enabled: true
failureThreshold: 3 failureThreshold: 3
@ -37,17 +36,13 @@ speaker:
enabled: true enabled: true
logLevel: warn logLevel: warn
tolerateMaster: true tolerateMaster: true
image:
repository: quay.io/metallb/speaker
tag:
pullPolicy:
securityContext: {} securityContext: {}
resources: resources:
requests: requests:
cpu: 30m cpu: 30m
memory: 300Mi memory: 350Mi
limits: limits:
memory: 300Mi memory: 350Mi
livenessProbe: livenessProbe:
enabled: true enabled: true
failureThreshold: 3 failureThreshold: 3

4
values/common/values.metrics-server.yaml → values/common/kube-system/metrics-server/values.gotmpl
View File

@ -1,3 +1,7 @@
image:
repository: {{ .Values.registry }}/metrics-server/metrics-server
imagePullSecrets:
- name: regcred
apiService: apiService:
insecureSkipTLSVerify: true insecureSkipTLSVerify: true
nodeSelector: nodeSelector:

6
values/common/kube-system/openebs/values.gotmpl Normal file
View File

@ -0,0 +1,6 @@
global:
imageRegistry: {{ .Values.registry }}
localpv-provisioner:
imagePullSecrets:
- name: regcred

8
values/common/kube-system/traefik/values.gotmpl Normal file
View File

@ -0,0 +1,8 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
deployment:
imagePullSecrets:
- name: regcred
image:
registry: {{ .Values.registry }}/library
{{- end }}

2
values/common/values.traefik.yaml → values/common/kube-system/traefik/values.yaml
View File

@ -1,9 +1,11 @@
globalArguments: globalArguments:
- "--serversTransport.insecureSkipVerify=true" - "--serversTransport.insecureSkipVerify=true"
- "--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik" - "--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik"
ports: ports:
web: web:
redirections: redirections:
port: websecure port: websecure
deployment: deployment:
replicas: 2 replicas: 2

7
values/common/kyverno/kyverno/values.gotmpl Normal file
View File

@ -0,0 +1,7 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
global:
image:
registry: {{ .Values.registry }}
imagePullSecrets:
- name: regcred
{{- end }}

7
values/common/platform/external-dns/values.gotmpl Normal file
View File

@ -0,0 +1,7 @@
global:
imagePullSecrets:
- name: regcred
image:
repository: {{ .Values.registry}}/external-dns/external-dns

6
values/common/platform/keel/values.gotmpl Normal file
View File

@ -0,0 +1,6 @@
image:
repository: {{ .Values.registry }}/keelhq/keel
imagePullSecrets:
- name: regcred

9
values/common/platform/minio/values.gotmpl Normal file
View File

@ -0,0 +1,9 @@
image:
repository: {{ .Values.registry }}/minio/minio
imagePullSecrets:
- name: regcred
mcImage:
repository: {{ .Values.registry }}/minio/mc

6
values/common/platform/uptime-kuma/values.gotmpl Normal file
View File

@ -0,0 +1,6 @@
image:
repository: {{ .Values.registry }}/louislam/uptime-kuma
imagePullSecrets:
- name: regcred

175
values/common/registry/cluster-mirror/values.gotmpl Normal file
View File

@ -0,0 +1,175 @@
image:
repository: ghcr.io/project-zot/zot
tag: v2.1.3-rc4
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
pathtype: Prefix
hosts:
- host: {{ .Values.registry_url }}
paths:
- path: /
tls:
- secretName: {{ .Values.registry_url }}
hosts:
- {{ .Values.registry_url }}
service:
type: ClusterIP
persistence: true
pvc:
create: true
lavels:
velero.io/exclude-from-backup: true
mountConfig: true
mountSecret: true
strategy:
type: Recreate
configFiles:
config.json: |-
{
"distSpecVersion": "1.1.1",
"storage": {
"dedupe": true,
"gc": true,
"rootDirectory": "/var/lib/registry",
"retention": {
"dryRun": false,
"delay": "24h",
"policies": [
{
"repositories": [
"**"
],
"deleteReferrers": false,
"deleteUntagged": true,
"keepTags": [
{
"mostRecentlyPulledCount": 2
}
]
}
]
}
},
"http": {
"address": "0.0.0.0",
"port": "5000",
"externalUrl": "https://{{ .Values.registry_url }}",
"auth": {
"htpasswd": {
"path": "/secret/htpasswd"
}
},
"accessControl": {
"metrics": {
"users": [
"admin"
]
},
"repositories": {
"**": {
"anonymousPolicy": [],
"policies": [
{
"users": [
"mirror_user",
"overlord"
],
"actions": [
"read",
"create",
"update",
"delete"
]
}
]
}
}
}
},
"log": {
"level": "warn"
},
"extensions": {
"scrub": {
"enable": true
},
"metrics": {
"enable": true,
"prometheus": {
"path": "/metrics"
}
},
"mgmt": {
"enable": false
},
"sync": {
"enable": true,
"registries": [
{
"urls": [
"https://quay.io"
],
"content": [
{
"prefix": "**",
"destination": "/containers"
}
],
"onDemand": true,
"tlsVerify": true
},
{
"urls": [
"https://ghcr.io"
],
"content": [
{
"prefix": "**",
"destination": "/containers"
}
],
"onDemand": true,
"tlsVerify": true
},
{
"urls": [
"https://docker.io"
],
"content": [
{
"prefix": "**",
"destination": "/containers"
}
],
"onDemand": true,
"tlsVerify": true
},
{
"urls": [
"https://registry.k8s.io"
],
"content": [
{
"prefix": "**",
"destination": "/containers"
}
],
"onDemand": true,
"tlsVerify": true
}
]
}
}
}
secretFiles:
htpasswd: |-
overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ.
mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi

12
values/common/values.issuer.yaml
View File

@ -1,12 +0,0 @@
name: badhouseplants-issuer-http01
spec:
acme:
email: allanger@badhouseplants.net
preferredChain: ""
privateKeySecretRef:
name: badhouseplants-http01-issuer-account-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
ingressClassName: traefik

26
values/common/velero/velero/values.gotmpl Normal file
View File

@ -0,0 +1,26 @@
{{- if not (env "HELMFILE_BOOTSTRAP") }}
image:
repository: {{ .Values.registry }}/velero/velero
imagePullSecrets:
- regcred
kubectl:
image:
repository: {{ .Values.registry }}/bitnami/kubectl
initContainers:
- name: velero-plugin-for-aws
image: {{.Values.registry}}/velero/velero-plugin-for-aws:v1.11.1
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
{{- else }}
initContainers:
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.11.1
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
{{- end }}

21
values/etersoft/kube-system/namespaces/secrets.yaml Normal file
View File

@ -0,0 +1,21 @@
defaultRegcred: ENC[AES256_GCM,data:YJfoPG9G4PBdkoGCGa/Q/GANcPrl15SnKZKZfkKuJmaOUo16c8la86D3M6ZRv3FPtpT57ZQAuru8aybLqk6bwi202CMuIDFxn8qTiAE/YLtPPpnIricyvOnI+ig4QZVxHb3Ewb6kBompw0wdaogUfXnQvVt39SdFkg04KZJu63xIMguPlgGR6ltW6lT/N//eadzSYaC9DT3L4KmfKhayNG1xuq2wL5NdD5t/jSfjonO7pgf5XrXY8XJGlHwDN4pdlas8Sto2SNWKg33cWutghXeqO7RpBe7fiJFgI2YzCoo992xPjwDoqLtxaZsgvXmh52Q8qTn/SF8bD9Sh3cLGDA==,iv:i0pyAYa7+pIkSfBbzr/omnPgBn/60wg/Egv4i8i56EU=,tag:ULVYyUme23ItIq4G9rYiKg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0S3p6SGxZZzFrNjBvSWRO
OU5XaFhrMW9IMldELzJCWGRTdVRONGM0OVRBCkhXalIvMk9NY0NtdWtlTTBwUFE0
blVaRWdrMUpFVlg5aldUd2RybFZ1SGcKLS0tIFE1WS9MR0pDRUtwSWFQOGxydzV2
cUZubjVHWlhkUU5BZUlQVnF2Wk5jZjQKn9A+rb/ZPCFRDjLPzf/xvUcZ5IjASl7r
fS2hcY7eFm7zdv3g85Iu9ivg4bIcn5U6R02izTWCBGbPIdDFtFbWwg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-27T10:24:28Z"
mac: ENC[AES256_GCM,data:T3IuMQKtpbmy2NbjZZmn56yvf8mt/Ef09ZD8zmUJijVGEeUTbbtQ/39WhXSXNWI0HZuz4nGkOzhgbTrotlHByxK6/z2rLeykHNB+WFGL4jYgwoJM4vtJpCL14xGlWHPr9dyz/IZP1oG21FHHsFJjdQ/WUzOMAkcLyieuQx78h6U=,iv:6GpX7zeIkEFvG1lyRw5m1X9/ngts5JhKGcVUGn9L8Mo=,tag:320EfivP9O2pwyWOYkqtKQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

11
values/etersoft/kube-system/namespaces/values.yaml Normal file
View File

@ -0,0 +1,11 @@
namespaces:
- name: registry
- name: kube-system
defaultRegcred: true
- name: applications
- name: platform
defaultRegcred: true
- name: kyverno
defaultRegcred: true
- name: istio-system
defaultRegcred: true

1
values/etersoft/kube-system/roles/values.yaml Normal file
View File

@ -0,0 +1 @@
roles: []

9
values/etersoft/values.traefik.yaml → values/etersoft/kube-system/traefik/values.yaml
View File

@ -1,3 +1,8 @@
providers:
kubernetesCRD:
allowExternalNameServices: true
enabled: true
ports: ports:
openvpn: openvpn:
port: 1194 port: 1194
@ -17,7 +22,3 @@ ports:
default: true default: true
exposedPort: 27016 exposedPort: 27016
protocol: TCP protocol: TCP
providers: # @schema additionalProperties: false
kubernetesCRD:
enabled: true
allowExternalNameServices: true

Some files were not shown because too many files have changed in this diff Show More