badhouseplants/k8s-deployment
4
0
Fork 0
Code Issues 3 Pull Requests 15 Actions Packages Projects Releases Activity

Compare commits

base: badhouseplants:main
Branches Tags
badhouseplants:main
badhouseplants:renovate/redis-20.x
badhouseplants:renovate/renovate-39.x
badhouseplants:renovate/kube-prometheus-stack-70.x
badhouseplants:renovate/grafana-8.x
badhouseplants:renovate/traefik-35.x
badhouseplants:renovate/zot-0.x
badhouseplants:renovate/woodpecker-3.x
badhouseplants:renovate/minecraft-4.x
badhouseplants:renovate/external-dns-1.x
badhouseplants:renovate/velero-8.x
badhouseplants:renovate/authentik-2025.x
badhouseplants:renovate/postgresql-16.x
badhouseplants:renovate/coredns-1.x
badhouseplants:renovate/loki-6.x
badhouseplants:add-ci
badhouseplants:refactor-again
badhouseplants:stale-teleport-installation
badhouseplants:script-fox-xray
badhouseplants:before-single-node
..
compare: badhouseplants:before-single-node
Branches Tags
badhouseplants:renovate/redis-20.x
badhouseplants:renovate/renovate-39.x
badhouseplants:renovate/kube-prometheus-stack-70.x
badhouseplants:renovate/grafana-8.x
badhouseplants:main
badhouseplants:renovate/traefik-35.x
badhouseplants:renovate/zot-0.x
badhouseplants:renovate/woodpecker-3.x
badhouseplants:renovate/minecraft-4.x
badhouseplants:renovate/external-dns-1.x
badhouseplants:renovate/velero-8.x
badhouseplants:renovate/authentik-2025.x
badhouseplants:renovate/postgresql-16.x
badhouseplants:renovate/coredns-1.x
badhouseplants:renovate/loki-6.x
badhouseplants:add-ci
badhouseplants:refactor-again
badhouseplants:stale-teleport-installation
badhouseplants:script-fox-xray
badhouseplants:before-single-node

No commits in common. "main" and "before-single-node" have entirely different histories.
main ... before-sin

294 changed files with 3395 additions and 9688 deletions
Show Stats Expand all files Collapse all files

32
.pre-commit-config.yaml
View File

@ -1,32 +0,0 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0 # Use the ref you want to point at
hooks:
- id: trailing-whitespace
- repo: https://github.com/google/yamlfmt
rev: v0.13.0
hooks:
- id: yamlfmt
exclude: |
(?x)(
^charts/|
^.*secrets.*yaml|
)
# - repo: https://github.com/codespell-project/codespell
# rev: v2.2.4
# hooks:
# - id: codespell
- repo: local
hooks:
- id: check-sops-secrets
name: check sops secrets
entry: ./scripts/sops_check.sh
language: script
# - name: check unused values (disable by setting DISABLE_ADDITIONAL_CHECKS=1)
# id: check-unused-values
# entry: ./scripts/find_unused_values.sh
# language: script
# - name: lint helmfiles (it might take a while, disable by setting DISABLE_ADDITIONAL_CHECKS=1)
# id: lint-all-envs
# entry: ./scripts/lint_all_envs.sh
# language: script

10
.sops.yaml
View File

@ -1,14 +1,6 @@
creation_rules: creation_rules:
- path_regex: values/.*/secrets.server-xray-public./*
key_groups:
- age:
- age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
- age17fyzv5mezck364lvyepp9pa3tnjn7jvsgcpykhhz2smnxyq6fdusvl7waf
- path_regex: values/.*/secrets.* - path_regex: values/.*/secrets.*
key_groups: key_groups:
- age: - age:
- age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
- path_regex: common/values/secrets.*
key_groups:
- age:
- age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8

2
.yamlfmt
View File

@ -1,2 +0,0 @@
formatter:
retain_line_breaks_single: true

9
README.md
View File

@ -1,9 +0,0 @@
<<<<<<< Updated upstream
k8s-deployemnt
=======
# Helmfile deployments for Bad Houseplants
## Project structure
>>>>>>> Stashed changes

21
charts/issuer/templates/issuer.yaml
View File

@ -1,23 +1,10 @@
{{- range $name, $issuer := .Values.clusterIssuers }}
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
labels: labels:
{{- include "issuer.labels" $ | nindent 4 }} {{- include "issuer.labels" . | nindent 4 }}
name: "{{ $name }}" name: "{{ .Values.name }}"
spec: spec:
{{ $issuer.spec | toYaml | indent 2 }} acme:
{{- end }} {{ .Values.spec | toYaml | indent 2 }}
{{- range $name, $issuer := .Values.issuers }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
{{- include "issuer.labels" $ | nindent 4 }}
name: "{{ $name }}"
namespace: {{ $issuer.namespace }}
spec:
{{ $issuer.spec | toYaml | indent 2 }}
{{- end }}

24
charts/metallb-resources/Chart.yaml
View File

@ -1,24 +0,0 @@
apiVersion: v2
name: metallb-resources
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

7
charts/metallb-resources/templates/ip_address_pool.tpl
View File

@ -1,7 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: {{ include "metallb-resources.fullname" . }}
spec:
addresses:
- {{ .Values.addresses}}

1
charts/metallb-resources/values.yaml
View File

@ -1 +0,0 @@
addresses: 1.1.1.1-1.1.1.1

0
charts/metallb-resources/.helmignore → charts/namespaces/chart/.helmignore
View File

0
charts/namespaces/Chart.yaml → charts/namespaces/chart/Chart.yaml
View File

0
charts/namespaces/templates/_helpers.tpl → charts/namespaces/chart/templates/_helpers.tpl
View File

19
charts/namespaces/templates/namespaces.yaml → charts/namespaces/chart/templates/namespaces.yaml
View File

@ -15,24 +15,5 @@ metadata:
{{- with $ns.annotations}} {{- with $ns.annotations}}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- if $ns.defaultRegcred }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: regcred
namespace: {{ $ns.name }}
data:
.dockerconfigjson: {{ $.Values.defaultRegcred }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: {{ $ns.name }}
imagePullSecrets:
- name: regcred
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

0
charts/namespaces/values.yaml → charts/namespaces/chart/values.yaml
View File

6
charts/namespaces/kustomize/flux-system.yml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: flux-system
labels:
name: flux-system

6
charts/namespaces/kustomize/giantswarm-flux.yml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: giantswarm-flux
labels:
name: giantswarm-flux

6
charts/namespaces/kustomize/giantswarm.yml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: giantswarm
labels:
name: giantswarm

5
charts/namespaces/kustomize/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
resources:
- ./giantswarm-flux.yml
- ./giantswarm.yml
- ./monitoring.yml
- ./org-giantswarm.yml

6
charts/namespaces/kustomize/monitoring.yml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
labels:
name: monitoring

6
charts/namespaces/kustomize/org-giantswarm.yml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: org-giantswarm
labels:
name: org-giantswarm

0
charts/roles/templates/roles.yaml → charts/roles/templates/namespaces.yaml
View File

27
charts/roles/templates/rolebindings.yaml
View File

@ -1,27 +0,0 @@
{{- if .Values.bindings }}
{{- range $bindings := .Values.bindings }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ $bindings.kind }}
metadata:
name: {{ $bindings.name }}
namespace: {{ $bindings.namespace }}
labels:
{{- include "roles.labels" $ | nindent 4 }}
{{- with $bindings.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $bindings.annotations}}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
subjects:
{{- with $bindings.subjects }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
{{- with $bindings.roleRef }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

20
charts/roles/templates/sa.yaml
View File

@ -1,20 +0,0 @@
{{- if .Values.sa }}
{{- range $sa := .Values.sa }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $sa.name }}
namespace: {{ $sa.namespace }}
labels:
{{- include "roles.labels" $ | nindent 4 }}
{{- with $sa.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $sa.annotations}}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: true
{{- end }}
{{- end }}

0
charts/namespaces/.helmignore → charts/root/.helmignore
View File

6
charts/root/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
name: root
description: A Helm chart for Kubernetes
type: application
version: 0.1.5
appVersion: "1.16.0"

20
charts/metallb-resources/templates/_helpers.tpl → charts/root/templates/_helpers.tpl
View File

@ -1,7 +1,7 @@
{{/* {{/*
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- define "metallb-resources.name" -}} {{- define "root.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
@ -10,7 +10,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name. If release name contains chart name it will be used as a full name.
*/}} */}}
{{- define "metallb-resources.fullname" -}} {{- define "root.fullname" -}}
{{- if .Values.fullnameOverride }} {{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }} {{- else }}
@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "metallb-resources.chart" -}} {{- define "root.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Common labels Common labels
*/}} */}}
{{- define "metallb-resources.labels" -}} {{- define "root.labels" -}}
helm.sh/chart: {{ include "metallb-resources.chart" . }} helm.sh/chart: {{ include "root.chart" . }}
{{ include "metallb-resources.selectorLabels" . }} {{ include "root.selectorLabels" . }}
{{- if .Chart.AppVersion }} {{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }} {{- end }}
@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{/* {{/*
Selector labels Selector labels
*/}} */}}
{{- define "metallb-resources.selectorLabels" -}} {{- define "root.selectorLabels" -}}
app.kubernetes.io/name: {{ include "metallb-resources.name" . }} app.kubernetes.io/name: {{ include "root.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
{{/* {{/*
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
{{- define "metallb-resources.serviceAccountName" -}} {{- define "root.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }} {{- if .Values.serviceAccount.create }}
{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }} {{- default (include "root.fullname" .) .Values.serviceAccount.name }}
{{- else }} {{- else }}
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}

25
charts/root/templates/root.yaml Normal file
View File

@ -0,0 +1,25 @@
{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: root
spec:
interval: 30s
url: {{ .Values.url }}
ref:
branch: {{ .Values.branch }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: root
spec:
interval: 30s
targetNamespace: flux-system
sourceRef:
kind: GitRepository
name: root
path: "."
prune: false
timeout: 1m
{{- end }}

25
charts/root/templates/self.yaml Normal file
View File

@ -0,0 +1,25 @@
{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: root-self
spec:
interval: 30s
url: {{ .Values.self.url }}
ref:
branch: {{ .Values.self.branch }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: root-self
spec:
interval: 30s
targetNamespace: flux-system
sourceRef:
kind: GitRepository
name: root-self
path: "."
prune: false
timeout: 1m
{{- end }}

5
charts/root/values.yaml Normal file
View File

@ -0,0 +1,5 @@
url: https://git.badhouseplants.net/giantswarm/cluster-example.git
branch: main
self:
url: git@git.badhouseplants.net:giantswarm/root-config.git
branch: master

44
common/environments.yaml
View File

@ -1,49 +1,5 @@
environments: environments:
badhouseplants: badhouseplants:
kubeContext: badhouseplants kubeContext: badhouseplants
values:
- ./common/values/values.badhouseplants.yaml
- base:
enabled: true
- velero:
enabled: true
- workload:
enabled: true
- backups:
enabled: false
- localpath:
enabled: false
- openebs:
enabled: true
- postgres17:
enabled: true
- postgres16:
enabled: true
- redis:
enabled: true
- istio:
enabled: true
etersoft: etersoft:
kubeContext: etersoft kubeContext: etersoft
values:
- ./common/values/values.etersoft.yaml
- base:
enabled: true
- velero:
enabled: false
- workload:
enabled: false
- backups:
enabled: true
- openebs:
enabled: false
- localpath:
enabled: true
- postgres17:
enabled: false
- redis:
enabled: false
- postgres16:
enabled: false
- istio:
enabled: false

14
common/extensions/metallb.yaml
View File

@ -1,14 +0,0 @@
metallb:
templates:
- |
{{ range .Values.ippools }}
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: {{ .name }}
spec:
addresses:
- {{ .addresses }}
{{ end }}

13
common/extensions/self-signed-cert.yaml
View File

@ -1,13 +0,0 @@
ext-self-signed-cert:
templates:
- |
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.name }}
data:
{{- $ca := genCA .Values.domain 365 -}}
{{- $cert := genSignedCert .Values.domain nil (list .Values.domain ) 365 $ca }}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}

19
common/extensions/values.certificate.yaml
View File

@ -1,19 +0,0 @@
certificate:
templates:
- |
{{ range .Values.certificate }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .name }}
spec:
dnsNames:
{{- range .dnsNames }}
- {{ . | quote }}
{{- end }}
issuerRef:
kind: {{ .issuer.kind }}
name: {{ .issuer.name }}
secretName: {{ .secretName }}
{{ end }}

15
common/extensions/values.istio-gateway.yaml
View File

@ -1,15 +0,0 @@
istio-gateway:
templates:
- |
{{ range .Values.gateways }}
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: {{ .name }}
spec:
selector:
istio: ingressgateway
servers:
{{ toYaml .servers | indent 4 }}
{{ end }}

71
common/templates.yaml
View File

@ -1,6 +1,3 @@
helmDefaults:
kubeContext: {{ .StateValues.kubeContext }}
templates: templates:
# --------------------------- # ---------------------------
# -- Hooks # -- Hooks
@ -13,48 +10,33 @@ templates:
args: args:
- -c - -c
- | - |
helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl replace -f - \ helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl replace -f - \
|| helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl create -f - \ || helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl create -f - \
|| true || true
- events: ["prepare"] - events: ["prepare"]
showlogs: true showlogs: true
command: "sh" command: "sh"
args: args:
- -c - -c
- "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl diff -f - || true" - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl diff -f - || true"
- events: ["postuninstall"] - events: ["postuninstall"]
showlogs: true showlogs: true
command: "sh" command: "sh"
args: args:
- -c - -c
- "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl delete -f - || true" - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f - || true"
# ---------------------------- # ----------------------------
# -- Configs # -- Configs
# ---------------------------- # ----------------------------
default-common-values: default-common-values:
values: values:
- '{{ requiredEnv "PWD" }}/values/common/values.{{ `{{ .Release.Name }}` }}.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.{{ .Release.Name }}.yaml'
default-env-values: default-env-values:
values: values:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ `{{ .Release.Name }}` }}.yaml' - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ .Release.Name }}.yaml'
default-env-secrets: default-env-secrets:
secrets: secrets:
- '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml' - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ .Release.Name }}.yaml'
common-values:
values:
- '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
common-values-tpl:
values:
- '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
env-values:
values:
- '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
env-values-tpl:
values:
- '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
env-secrets:
secrets:
- '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
# ---------------------------- # ----------------------------
# -- Extensions # -- Extensions
# ---------------------------- # ----------------------------
@ -65,27 +47,15 @@ templates:
alias: istio-gateway alias: istio-gateway
values: values:
- '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml'
ext-tcp-routes: ext-tcp-routes:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
version: 2.0.0 version: 2.0.0
alias: traefik alias: traefik
values: values:
- '../values/common/values.tcp-route.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
ext-udp-routes:
dependencies:
- chart: bedag/raw
version: 2.0.0
alias: traefik-udp
values:
- '{{ requiredEnv "PWD" }}/values/common/values.udp-route.yaml'
ext-traefik-middleware:
dependencies:
- chart: bedag/raw
version: 2.0.0
alias: middleware
values:
- '{{ requiredEnv "PWD" }}/values/common/values.middleware.yaml'
ext-istio-resource: ext-istio-resource:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
@ -93,6 +63,7 @@ templates:
alias: istio alias: istio
values: values:
- '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml'
ext-certificate: ext-certificate:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
@ -106,7 +77,7 @@ templates:
version: 2.0.0 version: 2.0.0
alias: metallb alias: metallb
values: values:
- '{{ requiredEnv "PWD" }}/common/extensions/metallb.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.metallb.yaml'
service-monitor: service-monitor:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
@ -122,13 +93,15 @@ templates:
inherit: inherit:
- template: default-values/common-values - template: default-values/common-values
- template: default-env-values - template: default-env-values
ext-database: ext-database:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
version: 2.0.0 version: 2.0.0
alias: ext-database alias: ext-database
values: values:
- '../values/common/values.database.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
ext-secret: ext-secret:
dependencies: dependencies:
- chart: bedag/raw - chart: bedag/raw
@ -136,17 +109,3 @@ templates:
alias: ext-secret alias: ext-secret
values: values:
- '{{ requiredEnv "PWD" }}/values/common/values.secret.yaml' - '{{ requiredEnv "PWD" }}/values/common/values.secret.yaml'
ext-cilium:
dependencies:
- chart: bedag/raw
version: 2.0.0
alias: ext-cilium
values:
- '{{ requiredEnv "PWD" }}/values/common/values.ext-cilium.yaml'
ext-self-signed-cert:
dependencies:
- chart: bedag/raw
version: 2.0.0
alias: ext-self-signed-cert
values:
- '{{ requiredEnv "PWD" }}/common/extensions/self-signed-cert.yaml'

6
common/values/values.badhouseplants.yaml
View File

@ -1,6 +0,0 @@
registry: registry.badhouseplants.net/containers
registry_url: registry.badhouseplants.net
main_ip: 195.201.249.91
tools:
openebs:
enabled: true

6
common/values/values.etersoft.yaml
View File

@ -1,6 +0,0 @@
registry: registry.ru.badhouseplants.net/containers
registry_url: registry.ru.badhouseplants.net
main_ip: 91.232.225.63
tools:
openebs:
enabled: false

5
common/values/values.general.yaml
View File

@ -1,5 +0,0 @@
namespaces:
kubePublic: kube-public
kubeSystem: kube-system
traefikSystem: traefik-system

0
helmfile.yaml Normal file
View File

25
helmfile.yaml.gotmpl
View File

@ -1,25 +0,0 @@
---
bases:
- ./common/environments.yaml
---
helmfiles:
- path: ./helmfiles/base.yaml
values:
- kubeContext: "{{ .Environment.KubeContext }}"
- {{ toYaml .Environment.Values | nindent 8 }}
- path: ./helmfiles/system.yaml
values:
- kubeContext: "{{ .Environment.KubeContext }}"
- {{ toYaml .Environment.Values | nindent 8 }}
- path: ./helmfiles/platform.yaml
values:
- kubeContext: "{{ .Environment.KubeContext }}"
- {{ toYaml .Environment.Values | nindent 8 }}
- path: ./helmfiles/databases.yaml
values:
- kubeContext: "{{ .Environment.KubeContext }}"
- {{ toYaml .Environment.Values | nindent 8 }}
- path: ./helmfiles/applications.yaml
values:
- kubeContext: "{{ .Environment.KubeContext }}"
- {{ toYaml .Environment.Values | nindent 8 }}

28
helmfiles/applications.yaml
View File

@ -1,28 +0,0 @@
bases:
- ../common/templates.yaml
repositories:
- name: gitea
url: https://dl.gitea.io/charts/
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: minecraft
url: https://itzg.github.io/minecraft-server-charts/
releases:
- name: app-gitea
chart: gitea/gitea
version: 11.0.1
namespace: org-badhouseplants
inherit:
- template: env-values
- template: env-secrets
- name: minecraft
chart: minecraft/minecraft
namespace: games
version: 4.26.1
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets

21
helmfiles/base.yaml
View File

@ -1,21 +0,0 @@
bases:
- ../common/templates.yaml
releases:
# -- This one must be executed with --take-ownership at least once
- name: namespaces
chart: ../charts/namespaces
namespace: kube-system
createNamespace: false
inherit:
- template: env-values
- template: env-secrets
- name: roles
chart: ../charts/roles
namespace: kube-system
createNamespace: false
needs:
- kube-system/namespaces
inherit:
- template: env-values

45
helmfiles/databases.yaml
View File

@ -1,45 +0,0 @@
bases:
- ../common/templates.yaml
repositories:
- name: bitnami
url: registry-1.docker.io/bitnamicharts
oci: true
- name: bedag
url: https://bedag.github.io/helm-charts/
commonLabels:
installation: databases
releases:
- name: redis
chart: bitnami/redis
namespace: databases
condition: redis.enabled
version: 20.11.3
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: postgres16
labels:
bundle: postgres
namespace: databases
chart: bitnami/postgresql
condition: postgres16.enabled
version: 15.5.38
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: postgres17
labels:
bundle: postgres
namespace: databases
chart: bitnami/postgresql
condition: postgres17.enabled
version: 16.3.4
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets

122
helmfiles/platform.yaml
View File

@ -1,122 +0,0 @@
bases:
- ../common/templates.yaml
repositories:
- name: keel
url: https://keel-hq.github.io/keel/
- name: uptime-kuma
url: https://helm.irsigler.cloud
- name: external-dns
url: https://kubernetes-sigs.github.io/external-dns/
- name: minio-standalone
url: https://charts.min.io/
- name: db-operator
url: https://db-operator.github.io/charts
- name: zot
url: https://zotregistry.dev/helm-charts/
- name: goauthentik
url: https://charts.goauthentik.io/
- name: flux-community
url: ghcr.io/fluxcd-community/charts
oci: true
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: argo
url: https://argoproj.github.io/argo-helm
releases:
- name: external-dns
chart: external-dns/external-dns
version: 1.15.2
namespace: platform
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: flux2
chart: flux-community/flux2
installed: false
version: 2.15.0
namespace: flux-system
inherit:
- template: common-values-tpl
- name: argocd
chart: argo/argo-cd
version: 7.8.23
namespace: argocd
inherit:
- template: env-values
- template: env-secrets
- name: keel
chart: keel/keel
version: v1.0.5
labels:
layer: platform
namespace: platform
inherit:
- template: common-values-tpl
- name: uptime-kuma
chart: uptime-kuma/uptime-kuma
version: 2.21.2
namespace: platform
labels:
layer: platform
inherit:
- template: common-values-tpl
- template: env-values
- name: minio
chart: minio-standalone/minio
version: 5.4.0
namespace: platform
labels:
layer: platform
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: db-operator
namespace: platform
chart: db-operator/db-operator
version: 1.34.0
inherit:
- template: common-values-tpl
- name: db-instances
chart: db-operator/db-instances
namespace: platform
needs:
- platform/db-operator
version: 2.4.0
inherit:
- template: env-values
- template: env-secrets
- name: zot
chart: zot/zot
version: 0.1.67
namespace: platform
condition: workload.enabled
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: authentik
chart: goauthentik/authentik
version: 2025.2.2
namespace: platform
createNamespace: false
condition: workload.enabled
needs:
- platform/db-operator
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- template: ext-database

181
helmfiles/system.yaml
View File

@ -1,181 +0,0 @@
bases:
- ../common/templates.yaml
repositories:
- name: coredns
url: https://coredns.github.io/helm
- name: zot
url: https://zotregistry.dev/helm-charts/
- name: cilium
url: https://helm.cilium.io/
- name: metrics-server
url: https://kubernetes-sigs.github.io/metrics-server/
- name: jetstack
url: https://charts.jetstack.io
- name: metallb
url: https://metallb.github.io/metallb
- name: traefik
url: https://traefik.github.io/charts
- name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
- name: kyverno
url: https://kyverno.github.io/kyverno/
- name: vmware-tanzu
url: https://vmware-tanzu.github.io/helm-charts/
- name: openebs
url: https://openebs.github.io/openebs
- name: istio
url: https://istio-release.storage.googleapis.com/charts
releases:
- name: coredns
chart: coredns/coredns
version: 1.39.1
namespace: kube-system
inherit:
- template: common-values-tpl
- name: cilium
chart: cilium/cilium
version: 1.17.2
namespace: kube-system
needs:
- kube-system/coredns
inherit:
- template: common-values
- template: common-values-tpl
- name: cert-manager
chart: jetstack/cert-manager
version: v1.17.1
namespace: kube-system
missingFileHandler: Warn
needs:
- kube-system/cilium
inherit:
- template: common-values
- template: common-values-tpl
- name: issuer
chart: ../charts/issuer
namespace: kube-system
missingFileHandler: Warn
needs:
- kube-system/cert-manager
inherit:
- template: common-values
- name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
namespace: kube-system
inherit:
- template: common-values-tpl
- name: kyverno
chart: kyverno/kyverno
namespace: kyverno
version: 3.3.7
needs:
- kube-system/cilium
inherit:
- template: common-values-tpl
- name: kyverno-policies
chart: kyverno/kyverno-policies
namespace: kyverno
version: 3.3.4
needs:
- kyverno/kyverno
- name: custom-kyverno-policies
chart: ../kustomizations/kyverno/{{ .Environment.Name }}
namespace: kyverno
needs:
- kyverno/kyverno
- name: metallb
chart: metallb/metallb
namespace: kube-system
condition: base.enabled
version: 0.14.9
needs:
- registry/cluster-mirror
inherit:
- template: common-values
- template: common-values-tpl
- name: metallb-resources
chart: ../charts/metallb-resources
version: 2.0.0
condition: base.enabled
namespace: kube-system
needs:
- kube-system/metallb
inherit:
- template: common-values-tpl
- name: traefik
chart: traefik/traefik
version: 34.4.1
condition: base.enabled
namespace: kube-system
inherit:
- template: common-values-tpl
- template: common-values
- template: env-values
- name: cluster-mirror
chart: zot/zot
version: 0.1.67
createNamespace: false
installed: true
namespace: registry
needs:
- kube-system/cilium
inherit:
- template: common-values-tpl
- template: env-secrets
- name: metrics-server
chart: metrics-server/metrics-server
version: 3.12.2
namespace: kube-system
needs:
- registry/cluster-mirror
inherit:
- template: common-values-tpl
- name: openebs
chart: openebs/openebs
condition: tools.openebs.enabled
namespace: kube-system
version: 4.2.0
inherit:
- template: common-values-tpl
- template: env-values
- name: velero
chart: vmware-tanzu/velero
namespace: velero
version: 8.7.0
condition: velero.enabled
inherit:
- template: common-values-tpl
- template: env-values
- template: env-secrets
- name: istio-base
chart: istio/base
namespace: istio-system
version: 1.25.1
inherit:
- template: common-values
- name: istiod
chart: istio/istiod
namespace: istio-system
version: 1.25.1
inherit:
- template: common-values-tpl
needs:
- istio-system/istio-base

98
installations/applications/helmfile-badhouseplants.yaml
View File

@ -1,98 +0,0 @@
bases:
- ../../common/environments.yaml
- ../../common/templates.yaml
repositories:
- name: gitea
url: https://dl.gitea.io/charts/
- name: allangers-charts
url: ghcr.io/allanger/allangers-charts
oci: true
- name: badhouseplants-helm
url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
- name: bedag
url: https://bedag.github.io/helm-charts/
#- name: open-strike
# url: git+https://gitea.badhouseplants.net/badhouseplants/open-strike-2.git@helm?ref=main
releases:
- name: app-vaultwarden
chart: allangers-charts/vaultwarden
version: 3.1.1
namespace: org-badhouseplants
inherit:
- template: env-values
- template: env-secrets
- name: app-stalwart
chart: allangers-charts/stalwart
version: 1.0.1
namespace: org-badhouseplants
inherit:
- template: env-values
- template: env-secrets
- name: app-tandoor-recipes
chart: allangers-charts/tandoor-recipes
version: 0.2.0
namespace: org-allanger
inherit:
- template: env-values
- template: env-secrets
- template: ext-database
- name: app-navidrome
chart: allangers-charts/navidrome
namespace: org-badhouseplants
version: 0.5.0
inherit:
- template: env-values
- template: ext-traefik-middleware
- name: app-navidrome-private
chart: allangers-charts/navidrome
namespace: org-badhouseplants
version: 0.5.0
inherit:
- template: env-values
- template: env-secrets
- name: server-xray-public
chart: allangers-charts/server-xray
namespace: public-xray
version: 0.6.0
inherit:
- template: default-env-secrets
- template: default-env-values
- template: ext-tcp-routes
- template: ext-cilium
- template: ext-certificate
- name: server-xray-public-edge
chart: allangers-charts/server-xray
installed: false
namespace: public-xray
version: 0.6.0
inherit:
- template: default-env-secrets
- template: default-env-values
- template: ext-tcp-routes
- template: ext-cilium
- template: ext-certificate
- name: memos
chart: allangers-charts/memos
version: 0.3.0
namespace: applications
inherit:
- template: default-env-values
- template: ext-database
- name: badhouseplants-net
chart: badhouseplants-helm/badhouseplants-net
namespace: production
values:
- deployAnnotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/initContainers: 'true'

59
installations/applications/helmfile-etersoft.yaml
View File

@ -1,59 +0,0 @@
bases:
- ../../common/environments.yaml
- ../../common/templates.yaml
repositories:
- name: allangers-charts
url: ghcr.io/allanger/allangers-charts
oci: true
- name: gabe565
url: ghcr.io/gabe565/charts
oci: true
- name: xray-docs
url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main
releases:
- name: qbittorrent
chart: gabe565/qbittorrent
version: 0.4.1
namespace: applications
inherit:
- template: default-env-values
- template: ext-secret
- template: ext-traefik-middleware
- name: vaultwardentest
chart: allangers-charts/vaultwarden
version: 3.1.1
namespace: applications
inherit:
- template: default-env-values
- template: default-env-secrets
- name: memos
chart: allangers-charts/memos
version: 0.3.0
namespace: applications
inherit:
- template: default-env-values
- name: external-service-xray
chart: ../../kustomizations/external-service-xray
installed: true
namespace: public-xray
- name: server-xray-public
chart: allangers-charts/server-xray
namespace: public-xray
version: 0.6.0
inherit:
- template: default-env-secrets
- template: default-env-values
- template: ext-tcp-routes
- template: ext-cilium
- template: ext-certificate
- name: xray-docs
chart: xray-docs/xray-docs
installed: true
namespace: public-xray
inherit:
- template: default-env-values

154
installations/applications/helmfile.yaml
View File

@ -1,6 +1,154 @@
{{ readFile "../../common/templates.yaml" }}
bases: bases:
- ../../common/environments.yaml - ../../common/environments.yaml
- ../../common/templates.yaml
helmfiles: repositories:
- ./helmfile-{{ `{{ .Environment.Name }}` }}.yaml - name: softplayer-oci
url: registry.badhouseplants.net/softplayer/helm
oci: true
- name: requarks
url: https://charts.js.wiki
- name: goauthentik
url: https://charts.goauthentik.io/
- name: ananace-charts
url: https://ananace.gitlab.io/charts
- name: gitea
url: https://dl.gitea.io/charts/
- name: mailu
url: https://mailu.github.io/helm-charts/
- name: minio
url: https://charts.min.io/
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: grafana
url: https://grafana.github.io/helm-charts
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: allangers-charts
url: ghcr.io/allanger/allangers-charts
oci: true
releases:
- name: authentik
chart: goauthentik/authentik
version: 2024.6.1
namespace: applications
createNamespace: false
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- name: funkwhale
chart: ananace-charts/funkwhale
namespace: applications
version: 2.0.5
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- name: gitea
chart: gitea/gitea
version: 10.4.0
namespace: applications
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- template: ext-tcp-routes
- name: mailu
chart: mailu/mailu
namespace: applications
version: 2.0.0
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-certificate
- template: ext-tcp-routes
- template: ext-database
- name: minio
chart: minio/minio
version: 5.2.0
namespace: applications
inherit:
- template: default-env-values
- template: default-env-secrets
- name: nrodionov
chart: bitnami/wordpress
version: 22.4.20
namespace: applications
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- name: openvpn-xor
chart: softplayer-oci/openvpn-xor
version: 1.2.0
namespace: applications
inherit:
- template: default-env-values
- template: ext-tcp-routes
- name: vaultwarden
chart: allangers-charts/vaultwarden
version: 2.1.0
namespace: applications
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- name: stalwart
chart: allangers-charts/stalwart
version: 0.1.0
namespace: applications
inherit:
- template: default-env-values
- template: ext-tcp-routes
#- name: vaultwardentest
# chart: allangers-charts/vaultwarden
# version: 2.1.0
# namespace: applications
# inherit:
# - template: default-env-values
# - template: default-env-secrets
- name: shadowsocks-libev
chart: softplayer-oci/shadowsocks-libev
namespace: applications
version: 0.3.1
inherit:
- template: default-env-secrets
- name: wikijs
chart: requarks/wiki
namespace: applications
installed: false
version: 2.2.21
inherit:
- template: default-env-values
- template: ext-database
- name: mealie
chart: softplayer-oci/mealie
namespace: applications
version: 0.3.0
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-database
- name: grafana
chart: grafana/grafana
namespace: applications
version: 8.3.6
inherit:
- template: default-env-values
- template: default-env-secrets

47
installations/databases/helmfile.yaml Normal file
View File

@ -0,0 +1,47 @@
{{ readFile "../../common/templates.yaml" }}
bases:
- ../../common/environments.yaml
repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: bedag
url: https://bedag.github.io/helm-charts/
releases:
- name: mariadb
chart: bitnami/mariadb
namespace: databases
version: 19.0.2
inherit:
- template: default-env-values
- template: default-env-secrets
- name: redis
chart: bitnami/redis
namespace: databases
version: 19.6.3
inherit:
- template: default-env-values
- template: default-env-secrets
- name: postgres16
labels:
bundle: postgres
namespace: databases
chart: bitnami/postgresql
version: 15.5.19
inherit:
- template: default-env-values
- template: default-env-secrets
- name: postgres16-gitea
labels:
bundle: postgres
namespace: databases
chart: bitnami/postgresql
version: 15.5.19
inherit:
- template: default-env-values
- template: default-env-secrets

12
installations/development/helmfile.yaml Normal file
View File

@ -0,0 +1,12 @@
{{ readFile "../../common/templates.yaml" }}
bases:
- ../../common/environments.yaml
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
releases:
- name: badhouseplants
namespace: platform

11
installations/games/helmfile.yaml
View File

@ -1,19 +1,20 @@
---
{{ readFile "../../common/templates.yaml" }}
bases: bases:
- ../../common/environments.yaml - ../../common/environments.yaml
- ../../common/templates.yaml
repositories: repositories:
- name: bedag - name: bedag
url: https://bedag.github.io/helm-charts/ url: https://bedag.github.io/helm-charts/
- name: minecraft - name: minecraft
url: https://itzg.github.io/minecraft-server-charts/ url: https://itzg.github.io/minecraft-server-charts/
- name: allangers-charts
url: ghcr.io/allanger/allangers-charts
oci: true
releases: releases:
- name: minecraft - name: minecraft
chart: minecraft/minecraft chart: minecraft/minecraft
namespace: games namespace: games
version: 4.26.1 version: 4.20.0
inherit: inherit:
- template: ext-tcp-routes - template: ext-tcp-routes
- template: default-env-values - template: default-env-values

34
installations/monitoring/helmfile.yaml
View File

@ -1,41 +1,21 @@
{{ readFile "../../common/templates.yaml" }}
bases: bases:
- ../../common/environments.yaml - ../../common/environments.yaml
- ../../common/templates.yaml
repositories: repositories:
- name: bedag - name: bedag
url: https://bedag.github.io/helm-charts/ url: https://bedag.github.io/helm-charts/
- name: prometheus-community - name: prometheus-community
url: https://prometheus-community.github.io/helm-charts url: https://prometheus-community.github.io/helm-charts
- name: grafana
url: https://grafana.github.io/helm-charts
releases: releases:
- name: prometheus - name: prometheus
chart: prometheus-community/kube-prometheus-stack chart: prometheus-community/kube-prometheus-stack
namespace: observability namespace: monitoring
version: 70.1.1 version: 61.3.2
inherit: inherit:
- template: default-env-values - template: default-env-values
- template: default-env-secrets - template: default-env-secrets
- template: crd-management-hook - template: crd-management-hook
- name: grafana
chart: grafana/grafana
namespace: observability
version: 8.10.4
installed: true
inherit:
- template: default-env-values
- template: default-env-secrets
- name: loki
chart: grafana/loki
namespace: observability
version: 6.28.0
inherit:
- template: default-env-values
- template: ext-secret
- template: ext-traefik-middleware
- name: promtail
chart: grafana/promtail
namespace: observability
version: 6.16.6
inherit:
- template: default-env-values

24
installations/pipelines/helmfile.yaml
View File

@ -1,34 +1,20 @@
{{ readFile "../../common/templates.yaml" }}
bases: bases:
- ../../common/environments.yaml - ../../common/environments.yaml
- ../../common/templates.yaml
repositories: repositories:
- name: woodpecker - name: woodpecker
url: https://woodpecker-ci.org url: https://woodpecker-ci.org
- name: renovate
url: https://docs.renovatebot.com/helm-charts
- name: bedag - name: bedag
url: https://bedag.github.io/helm-charts/ url: https://bedag.github.io/helm-charts/
releases: releases:
- name: woodpecker-ci - name: woodpecker-ci
chart: woodpecker/woodpecker chart: woodpecker/woodpecker
namespace: pipelines namespace: pipelines
version: 3.0.6 version: 1.5.0
inherit: inherit:
- template: ext-database - template: ext-database
- template: default-env-values - template: default-env-values
- template: default-env-secrets - template: default-env-secrets
- name: renovate-gitea
chart: renovate/renovate
namespace: pipelines
version: 39.208.1
inherit:
- template: default-env-values
- template: default-env-secrets
- name: renovate-github
chart: renovate/renovate
installed: true
namespace: pipelines
version: 39.208.1
inherit:
- template: default-env-values
- template: default-env-secrets

56
installations/platform/helmfile.yaml Normal file
View File

@ -0,0 +1,56 @@
{{ readFile "../../common/templates.yaml" }}
bases:
- ../../common/environments.yaml
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
- name: db-operator
url: https://db-operator.github.io/charts
- name: zot
url: https://zotregistry.dev/helm-charts/
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: percona
url: https://percona.github.io/percona-helm-charts/
releases:
- name: argocd
chart: argo/argo-cd
namespace: platform
version: 7.3.6
inherit:
- template: default-env-values
- template: default-env-secrets
- name: db-operator
namespace: platform
chart: db-operator/db-operator
version: 1.27.2
- name: db-instances
chart: db-operator/db-instances
namespace: platform
needs:
- platform/db-operator
version: 2.3.4
inherit:
- template: default-env-values
- template: default-env-secrets
- name: zot
chart: zot/zot
version: 0.1.57
createNamespace: false
namespace: platform
inherit:
- template: default-env-values
- template: default-env-secrets
- name: pg-operator
chart: percona/pg-operator
installed: false
version: 2.4.0
createNamespace: false
namespace: platform

49
installations/storage/helmfile.yaml Normal file
View File

@ -0,0 +1,49 @@
{{ readFile "../../common/templates.yaml" }}
bases:
- ../../common/environments.yaml
repositories:
- name: longhorn
url: https://charts.longhorn.io
- name: rook-release
url: https://charts.rook.io/release
- name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28
releases:
- name: rook-ceph
chart: rook-release/rook-ceph
installed: true
namespace: rook-ceph
version: v1.14.9
inherit:
- template: default-env-values
- name: rook-ceph-cluster
chart: rook-release/rook-ceph-cluster
installed: true
namespace: rook-ceph
version: v1.14.9
needs:
- rook-ceph/rook-ceph
inherit:
- template: default-env-values
- name: longhorn
chart: longhorn/longhorn
namespace: longhorn-system
installed: false
version: 1.6.2
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-secret
- name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
installed: false
createNamespace: false
namespace: kube-system
inherit:
- template: default-env-values

128
installations/system/helmfile.yaml Normal file
View File

@ -0,0 +1,128 @@
{{ readFile "../../common/templates.yaml" }}
bases:
- ../../common/environments.yaml
repositories:
- name: metrics-server
url: https://kubernetes-sigs.github.io/metrics-server/
- name: jetstack
url: https://charts.jetstack.io
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: metallb
url: https://metallb.github.io/metallb
- name: traefik
url: https://traefik.github.io/charts
- name: coredns
url: https://coredns.github.io/helm
- name: cilium
url: https://helm.cilium.io/
- name: bedag
url: https://bedag.github.io/helm-charts/
- name: piraeus-charts
url: https://piraeus.io/helm-charts/
- name: vmware-tanzu
url: https://vmware-tanzu.github.io/helm-charts/
releases:
- name: namespaces
chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
namespace: kube-public
createNamespace: false
inherit:
- template: default-env-values
- name: roles
chart: '{{ requiredEnv "PWD" }}/charts/roles'
namespace: kube-public
createNamespace: false
needs:
- kube-public/namespaces
inherit:
- template: default-env-values
- name: coredns
chart: coredns/coredns
version: 1.31.0
namespace: kube-system
inherit:
- template: default-env-values
- name: snapshot-controller
chart: piraeus-charts/snapshot-controller
version: 3.0.5
namespace: kube-system
inherit:
- template: crd-management-hook
- name: cilium
chart: cilium/cilium
version: 1.16.0
namespace: kube-system
needs:
- kube-system/coredns
inherit:
- template: default-env-values
- name: cert-manager
chart: jetstack/cert-manager
version: 1.15.2
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-env-values
- name: issuer
chart: '{{ requiredEnv "PWD" }}/charts/issuer'
namespace: kube-public
needs:
- kube-system/cert-manager
inherit:
- template: default-env-values
- name: metrics-server
chart: metrics-server/metrics-server
version: 3.12.1
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-common-values
- name: metallb
chart: metallb/metallb
namespace: kube-system
version: 0.14.8
needs:
- kube-system/cilium
inherit:
- template: default-env-values
- name: metallb-resources
chart: bedag/raw
version: 2.0.0
namespace: kube-system
needs:
- kube-system/metallb
inherit:
- template: ext-metallb
- template: default-env-values
- name: traefik
chart: traefik/traefik
version: 30.0.2
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-env-values
- name: velero
chart: vmware-tanzu/velero
namespace: kube-system
version: 7.1.4
inherit:
- template: default-env-values
- template: default-env-secrets

23
kustomizations/external-service-xray/service.yaml
View File

@ -1,23 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: xray-external-proxy
spec:
externalName: xray-public.badhouseplants.net
sessionAffinity: None
type: ExternalName
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: xray-external-proxy
spec:
entryPoints:
- xray-public
routes:
- match: HostSNI(`*`)
services:
- name: xray-external-proxy
nativeLB: true
port: 27015

20
kustomizations/kyverno/add-applied-by.yaml
View File

@ -1,20 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-applied-by
spec:
background: false
rules:
- name: add-applied-by
match:
any:
- resources:
kinds:
- '*'
namespaces:
- org-*
mutate:
patchStrategicMerge:
metadata:
annotations:
applied-by: "{{ request.userInfo.username }}"

58
kustomizations/kyverno/badhouseplants/pvc-patch.yaml
View File

@ -1,58 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: replace-storage-class-by-openebs
spec:
rules:
- name: local-path-fix
match:
any:
- resources:
kinds:
- PersistentVolumeClaim
namespaces:
- registry
mutate:
patchStrategicMerge:
metadata:
annotations:
volume.kubernetes.io/selected-node: bordeaux
- name: replace-storage-class
match:
any:
- resources:
kinds:
- PersistentVolumeClaim
namespaces:
- games
- application
- platform
- pipelines
mutate:
patchStrategicMerge:
metadata:
annotations:
volume.beta.kubernetes.io/storage-class: openebs-hostpath
spec:
storageClassName: openebs-hostpath
accessModes:
- ReadWriteOnce
#- name: remove-unwanted-annotations
# match:
# any:
# - resources:
# kinds:
# - PersistentVolumeClaim
# namespaces:
# - games
# mutate:
# patchesJson6902: |-
# - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
# op: replace
# value: openebs-hostpath
# - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
# op: replace
# value: openebs.io/local
# - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
# op: replace
# value: openebs.io/local

21
kustomizations/kyverno/etersoft/pvc-patch.yaml
View File

@ -1,21 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: append-node-name-to-pvc
spec:
rules:
- name: replace-storage-class
match:
any:
- resources:
kinds:
- PersistentVolumeClaim
namespaces:
- applications
- platform
- registry
mutate:
patchStrategicMerge:
metadata:
annotations:
volume.kubernetes.io/selected-node: yekaterinburg

18
manifests/app.yaml
View File

@ -1,18 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: test-apps
namespace: platform
spec:
destination:
namespace: default
server: https://kubernetes.default.svc
project: default
syncPolicy:
automated:
prune: true
source:
path: manifests/postgresql-15.5.21.tgz
repoURL: https://gitea.badhouseplants.net/allanger/k8s-deployment.git
targetRevision: main
helm: {}

12
manifests/bucket.yaml
View File

@ -1,12 +0,0 @@
apiVersion: minio.crossplane.io/v1
kind: Bucket
metadata:
creationTimestamp: null
name: bucket-local-dev
spec:
forProvider:
region: us-east-1
providerConfigRef:
name: provider-config
status:
atProvider: {}

1765
manifests/cilium/cilium-allow-dns.yaml
View File

File diff suppressed because it is too large Load Diff

263
manifests/cilium/cilium-allow-google.yaml
View File

@ -1,263 +0,0 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "cilium-policy-allow-google"
namespace: public-xray
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: server-xray-public
app.kubernetes.io/name: server-xray
egress:
- toPorts:
- ports:
- port: "53"
protocol: ANY
- toPorts:
- ports:
- port: "80"
protocol: ANY
- port: "8080"
protocol: ANY
- port: "443"
protocol: ANY
- port: "27015"
protocol: ANY
- port: "45000"
endPort: 60000
protocol: UDP
- port: "6672"
protocol: UDP
- port: "61455"
protocol: UDP
- port: "61457"
protocol: UDP
- port: "61456"
protocol: UDP
- port: "61458"
protocol: UDP
toEntities:
- world
#- host
#- remote-node
icmps:
- fields:
- type: EchoRequest
family: IPv4
- type: EchoReply
family: IPv4
egressDeny:
- toCIDR:
- 93.158.213.92/32
- 93.158.213.92/32
- 185.243.218.213/32
- 91.216.110.53/32
- 23.157.120.14/32
- 94.243.222.100/32
- 208.83.20.20/32
- 156.234.201.18/32
- 209.141.59.16/32
- 34.89.51.235/32
- 109.201.134.183/32
- 83.102.180.21/32
- 185.230.4.150/32
- 45.9.60.30/32
- 5.181.156.41/32
- 156.234.201.18/32
- 34.89.51.235/32
- 83.6.102.25/32
- 51.222.82.36/32
- 125.227.79.123/32
- 193.42.111.57/32
- 135.125.202.143/32
- 176.56.7.44/32
- 185.87.45.163/32
- 181.214.58.63/32
- 143.198.64.177/32
- 5.255.124.190/32
- 52.58.128.163/32
- 15.204.57.168/32
- 34.94.76.146/32
- 211.23.142.127/32
- 64.23.195.62/32
- 23.153.248.83/32
- 82.156.24.219/32
- 37.235.176.37/32
- 176.123.1.180/32
- 35.227.59.57/32
- 62.210.114.129/32
- 185.216.179.62/32
- 34.94.76.146/32
- 121.199.16.229/32
- 23.163.56.66/32
- 176.99.7.59/32
- 207.241.231.226/32
- 207.241.226.111/32
- 27.151.84.136/32
- 104.244.77.14/32
- 5.102.159.190/32
- 184.61.17.58/32
- 125.227.79.123/32
- 181.214.58.63/32
- 95.217.167.10/32
- 159.148.57.222/32
- 15.204.57.168/32
- 211.23.142.127/32
- 34.94.76.146/32
- 187.56.163.73/32
- 109.71.253.37/32
- 5.182.86.242/32
- 104.244.77.14/32
- 190.146.242.81/32
- 89.110.76.229/32
- 138.124.183.78/32
- 209.126.11.233/32
- 167.99.185.219/32
- 37.59.48.81/32
- 27.151.84.136/32
- 142.132.183.104/32
- 193.53.126.151/32
- 74.48.17.122/32
- 93.158.213.92/32
- 156.234.201.18/32
- 35.227.59.57/32
- 34.89.51.235/32
- 34.94.76.146/32
- 184.61.17.58/32
- 125.227.79.123/32
- 104.21.58.176/32
- 172.67.162.102/32
- 181.214.58.63/32
- 93.185.165.29/32
- 95.217.167.10/32
- 159.148.57.222/32
- 15.204.57.168/32
- 211.75.210.220/32
- 125.227.79.123/32
- 211.23.142.127/32
- 172.67.165.72/32
- 104.21.57.182/32
- 35.227.59.57/32
- 34.89.51.235/32
- 34.94.76.146/32
- 187.56.163.73/32
- 109.71.253.37/32
- 5.182.86.242/32
- 104.244.77.14/32
- 193.53.126.151/32
- 104.19.22.31/32
- 104.19.22.22/32
- 104.19.22.27/32
- 104.19.22.23/32
- 104.19.22.30/32
- 104.19.22.24/32
- 104.19.22.26/32
- 104.19.22.29/32
- 104.19.22.32/32
- 104.19.22.28/32
- 104.19.22.25/32
- 74.48.17.122/32
- 184.61.17.58/32
- 104.21.62.230/32
- 172.67.139.235/32
- 172.67.135.244/32
- 104.21.26.114/32
- 104.21.72.244/32
- 172.67.136.175/32
- 172.67.183.130/32
- 104.21.64.112/32
- 104.26.10.105/32
- 104.26.11.105/32
- 172.67.70.119/32
- 172.67.144.128/32
- 104.21.71.114/32
- 172.67.161.130/32
- 104.21.65.89/32
- 172.67.156.75/32
- 104.21.40.186/32
- 65.21.91.32/32
- 184.61.17.58/32
- 104.21.82.111/32
- 172.67.200.173/32
- 104.21.13.129/32
- 172.67.200.14/32
- 104.21.89.147/32
- 172.67.160.224/32
- 172.67.139.235/32
- 104.21.62.230/32
- 93.158.213.92/32
- 185.243.218.213/32
- 91.216.110.53/32
- 23.157.120.14/32
- 94.243.222.100/32
- 208.83.20.20/32
- 156.234.201.18/32
- 209.141.59.16/32
- 34.94.76.146/32
- 35.227.59.57/32
- 34.89.51.235/32
- 109.201.134.183/32
- 83.102.180.21/32
- 185.230.4.150/32
- 45.9.60.30/32
- 5.181.156.41/32
- 83.6.102.25/32
- 54.39.48.3/32
- 51.222.82.36/32
- 125.227.79.123/32
- 193.42.111.57/32
- 135.125.202.143/32
- 176.56.7.44/32
- 185.87.45.163/32
- 93.185.165.29/32
- 181.214.58.63/32
- 143.198.64.177/32
- 5.255.124.190/32
- 52.58.128.163/32
- 15.204.57.168/32
- 35.227.59.57/32
- 34.89.51.235/32
- 34.94.76.146/32
- 211.23.142.127/32
- 211.75.210.220/32
- 125.227.79.123/32
- 64.23.195.62/32
- 51.81.222.188/32
- 23.153.248.83/32
- 82.156.24.219/32
- 37.235.176.37/32
- 51.15.41.46/32
- 176.123.1.180/32
- 104.244.77.87/32
- 34.94.76.146/32
- 34.89.51.235/32
- 35.227.59.57/32
- 62.210.114.129/32
- 185.216.179.62/32
- 34.94.76.146/32
- 34.89.51.235/32
- 35.227.59.57/32
- 121.199.16.229/32
- 35.227.59.57/32
- 34.89.51.235/32
- 34.94.76.146/32
- 23.163.56.66/32
- 176.99.7.59/32
- 207.241.231.226/32
- 207.241.226.111/32
- 27.151.84.136/32
- 51.159.54.68/32
- 104.244.77.14/32
- 5.102.159.190/32
- 190.146.242.81/32
- 89.110.76.229/32
- 89.47.160.50/32
- 138.124.183.78/32
- 209.126.11.233/32
- 167.99.185.219/32
- 27.151.84.136/32
- 37.59.48.81/32
- 27.151.84.136/32
- 142.132.183.104/32
- 159.148.57.222/32
- 159.148.57.222/32

17
manifests/cilium/cilium-policy.yaml
View File

@ -1,17 +0,0 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "cilium-policy-allow-dns"
namespace: public-xray
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: server-xray-public
app.kubernetes.io/name: server-xray
egress:
- toPorts:
- ports:
- port: "53"
protocol: ANY
- toCIDR:
- 1.1.1.1/32

15
manifests/debug.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: debug
spec:
containers:
- args:
- -c
- sleep 1000
command:
- sh
image: ubuntu:latest
imagePullPolicy: Always
name: server-xray
dnsPolicy: ClusterFirst

10
manifests/longhorn-snapshot-class.yaml
View File

@ -1,10 +0,0 @@
kind: VolumeSnapshotClass
apiVersion: snapshot.storage.k8s.io/v1
metadata:
name: longhorn-snapshot-vsc
labels:
velero.io/csi-volumesnapshot-class: "true"
driver: driver.longhorn.io
deletionPolicy: Delete
parameters:
type: bak

7
manifests/minio-secret.yaml
View File

@ -1,7 +0,0 @@
apiVersion: v1
stringData:
AWS_ACCESS_KEY_ID: minio
AWS_SECRET_ACCESS_KEY: minio123
kind: Secret
metadata:
name: minio-secret

166
manifests/minio-tf-workspace.yaml
View File

@ -1,166 +0,0 @@
apiVersion: tf.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: minio
spec:
configuration: |
provider minio {
// required
minio_server = "s3-new.badhouseplants.net:443"
minio_region = "us-east-1"
minio_ssl = "true"
}
terraform {
backend "kubernetes" {
secret_suffix = "minio-tf-state"
namespace = "platform"
in_cluster_config = true
}
required_providers {
minio = {
source = "aminueza/minio"
version = "2.4.3"
}
}
}
---
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
name: example-bucket-creation
spec:
providerConfigRef:
name: minio
writeConnectionSecretToRef:
namespace: platform
name: tf-minio-state-output
forProvider:
source: Inline
env:
- name: MINIO_PASSWORD
secretKeyRef:
namespace: platform
name: minio-secret
key: AWS_SECRET_ACCESS_KEY
- name: MINIO_USER
secretKeyRef:
namespace: platform
name: minio-secret
key: AWS_ACCESS_KEY_ID
module: |
resource "minio_s3_bucket" "states" {
bucket = "states"
}
resource "minio_iam_user" "terraform" {
name = "terraform"
force_destroy = true
tags = {
service = "terraform"
}
}
resource "minio_iam_policy" "terraform" {
name = "state-terraform"
policy= <<EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Sid":"terraform",
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::state-terraform-s3/*"
}
]
}
EOF
}
resource "minio_iam_user_policy_attachment" "terraform" {
user_name = minio_iam_user.terraform.id
policy_name = minio_iam_policy.terraform.id
}
output "MINIO_USERNAME" {
value = minio_iam_user.terraform.id
}
output "MINIO_PASSWORD" {
value = minio_iam_user.terraform.secret
sensitive = true
}
---
apiVersion: tf.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: minio-backend
spec:
configuration: |
provider minio {
// required
minio_server = "s3-new.badhouseplants.net:443"
minio_region = "us-east-1"
minio_ssl = "true"
}
terraform {
backend "s3" {
bucket = "states"
key = "test"
region = "us-east-1"
endpoint = "https://s3-new.badhouseplants.net"
use_path_style = true
skip_credentials_validation = true
skip_metadata_api_check = true
skip_region_validation = true
}
required_providers {
minio = {
source = "aminueza/minio"
version = "2.4.3"
}
}
}
---
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
name: try-backend
spec:
providerConfigRef:
name: minio-backend
writeConnectionSecretToRef:
namespace: platform
name: tf-minio-state-output
forProvider:
source: Inline
env:
- name: MINIO_PASSWORD
secretKeyRef:
namespace: platform
name: tf-minio-state-output
key: MINIO_PASSWORD
- name: MINIO_USER
secretKeyRef:
namespace: platform
name: tf-minio-state-output
key: MINIO_USERNAME
- name: AWS_ACCESS_KEY_ID
secretKeyRef:
namespace: platform
name: minio-secret
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
secretKeyRef:
namespace: platform
name: minio-secret
key: AWS_SECRET_ACCESS_KEY
module: |
resource "minio_s3_bucket" "states" {
bucket = "states-test"
}

32
manifests/network-policy.yaml
View File

@ -1,32 +0,0 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-internet-only
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/20

8
manifests/peerauth.yaml
View File

@ -1,8 +0,0 @@
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: public-xray
spec:
mtls:
mode: STRICT

4
manifests/values.yaml
View File

@ -1,4 +0,0 @@
rsync:
nodeName: copenhagen
sshd:
nodeName: copenhagen

11
renovate.json
View File

@ -1,11 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
],
"helmfile": {
"fileMatch": [
"(^|/)helmfile.*\\.ya?ml(?:\\.gotmpl)?$"
]
}
}

41
scripts/add_xray_user.sh
View File

@ -1,41 +0,0 @@
#!/usr/bin/env bash
set -e
CONFIG=$(sops -d ./values/badhouseplants/secrets.server-xray-public.yaml | yq '.files.config.entries."config.json".data' | jq)
read -p "Enter fullname (Ivan Ivanov): " FULLNAME
read -p "Enter email (ivan@fakemail.net): " EMAIL
PASS=$(openssl rand -base64 10)
CONFIG_ENTRY=$(cat <<-EndOfMessage
[
{
"id": "${FULLNAME} ${PASS}",
"flow": "xtls-rprx-vision",
"level": 0,
"email": "${EMAIL}"
}
]
EndOfMessage
)
echo "You're about to add a following entry to the config, is it correct?"
echo "${CONFIG_ENTRY}"
read -p "Type 'YES' to continue " AGREE
if [ "${AGREE}" != "YES" ]; then echo "Alright, goodbye" && exit 1; fi
NEW_CONFIG=$(jq '.inbounds[].settings.clients += '"${CONFIG_ENTRY}"'' <<< "${CONFIG}" | jq)
echo $NEW_CONFIG
echo "Does the diff looks correct?"
diff <(echo $CONFIG) <(echo $NEW_CONFIG) || true
read -p "Type 'YES' to continue " AGREE
if [ "${AGREE}" != "YES" ]; then echo "Alright, goodbye" && exit 1; fi
WORKDIR=$(mktemp -d)
export NEW_CONFIG
sops -d ./values/badhouseplants/secrets.server-xray-public.yaml | yq '.files.config.entries."config.json".data = strenv(NEW_CONFIG)' > ./values/badhouseplants/secrets.server-xray-public.yaml && sops -e ./values/badhouseplants/secrets.server-xray-public.yaml
helmfile -e badhouseplants -f ./installations/applications -l name=server-xray-public diff

32
scripts/find_unused_values.sh
View File

@ -1,32 +0,0 @@
#!/usr/bin/env bash
if ! [ -z $DISABLE_ADDITIONAL_CHECKS ]; then
echo "Check is disabled"
exit 0
fi
# -- Get all the envs from the current helmfile installation
ENVS=$(yq '.environments | keys | .[]' ./common/environments.yaml)
ALL_VALUES=$(find ./values -type f)
USED_VALUES=""
for ENV in $ENVS; do
USED_VALUES="$(helmfile --log-level error -e $ENV build | yq '.releases[].values[]'):$USED_VALUES"
USED_VALUES="$(helmfile --log-level error -e $ENV build| yq '.releases[].secrets[]'):$USED_VALUES"
done
UNUSED_VALUES=""
for FILE in $ALL_VALUES; do
if [[ ${USED_VALUES} != *"$FILE"* ]]; then
UNUSED_VALUES="${FILE}\n${UNUSED_VALUES}"
fi
done
if [ -z "${UNUSED_VALUES}" ]; then
exit 0;
fi
printf "\n ** There are unused values in the repo ** \n"
printf "${UNUSED_VALUES}\n"
printf "Please remove them from the repo to keep it clean"
exit 1

43
scripts/get_public_trackers.sh
View File

@ -1,43 +0,0 @@
#!/usr/bin/env bash
curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_ip.txt | sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'
for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_http.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
RES=$(dig +short $http)
if [[ "${RES}" =~ [a-z] ]]; then
RES=$(dig +short $RES)
fi
for res in $RES; do
echo $res;
done
done
for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_https.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
RES=$(dig +short $http)
if [[ "${RES}" =~ [a-z] ]]; then
RES=$(dig +short $RES)
fi
for res in $RES; do
echo $res;
done
done
for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_udp.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
RES=$(dig +short $http)
if [[ "${RES}" =~ [a-z] ]]; then
RES=$(dig +short $RES)
fi
for res in $RES; do
echo $res;
done
done
for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_ws.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
RES=$(dig +short $http)
if [[ "${RES}" =~ [a-z] ]]; then
RES=$(dig +short $RES)
fi
for res in $RES; do
echo $res;
done
done

20
scripts/lint_all_envs.sh
View File

@ -1,20 +0,0 @@
#!/usr/bin/env bash
if ! [ -z $DISABLE_ADDITIONAL_CHECKS ]; then
echo "Check is disabled"
exit 0
fi
# -- Get all the envs from the current helmfile installation
ENVS=$(yq '.environments | keys | .[]' ./common/environments.yaml)
FAILED_LINTERS=""
for ENV in $ENVS; do
if ! helmfile -e $ENV lint; then FAILED_LINTERS="$ENV\n$FAILED_LINTERS"; fi
done
if ! [ -z $FAILED_LINTERS ]; then
printf "\n\nSome env can't pass the linter:\n $FAILED_LINTERS"
exit 1
fi
echo "The linter is happy"

18
scripts/sops_check.sh
View File

@ -1,18 +0,0 @@
#!/usr/bin/env bash
set -e
# -- Default exit status, that should be thrown
# -- when all the secrets are encrypted
EXIT_STATUS=0
for secrets in $(find . -type 'f' -name 'secrets.*'); do
echo "Checking ${secrets}"
STATUS=$(sops filestatus $secrets)
if [[ "${STATUS}" == *"false"* ]]; then
echo "ERROR: Found an unencrypted secret: $secrets"
EXIT_STATUS=1
sops encrypt -i $secrets;
fi;
done
exit "${EXIT_STATUS}"

6
scripts/sops_dec_enc.sh
View File

@ -1,6 +0,0 @@
#!/usr/bin/env bash
for file in $(find values -type f -depth 2 -name "secrets.*"); do
echo $file
sops decrypt -i $file
sops encrypt -i $file
done

4
scripts/sops_rotate.sh
View File

@ -1,4 +0,0 @@
#!/usr/bin/env bash
for file in $(find values -type f -depth 2 -name "secrets.*"); do sops updatekeys $file; done
for file in $(find values -type f -depth 2 -name "secrets.*"); do sops rotate -i $file; done

21
values/badhouseplants/argocd/argocd/secrets.yaml
View File

@ -1,21 +0,0 @@
configs:
cm:
dex.config: ENC[AES256_GCM,data:U+BKH82hTX8a08ZVJM8WJ2NuwIJR2Diax4VUxziFhHlZWMJKWCl2BNSquKxaFincmoR3Lqn95wyfsoGKwjPxINqYw0F3zbZttlfpyG84Jg2Y4E3+NDE0YtPv1stE47aW8ZWDycjcvrW9UGANEQWHGoEMVC7sIDmSEKc4zZYVOrDPnIDOl8Fdt+7oQb9XcITvkt28DJymMvm2FLJPEB9Iz/M9V72r8QhA9ASYEWnhjYUnv63A92YH7FBr+5rdlaRSW/jJfnTWViHdi9F0fYyPmjgcyAitSXZNbPs3bd8uV7ZZTWIQGMb1IpB9SFHxMBHLNv510kFmdn0RpThIrSiDrbau4OiXcFj3N3JOStlz/AlWBkAj/zNfCcdZfsSvICARcAuw4Jowh0fGSzi3uJrr9CezWTj5t3SN+KoKGs2vO5DoD8dmjtI3vStICVs9jN8QXiPb4WpUALyM9AT41Eg+oo/58SnxNjovJ2xw/DV4GTQxpzaPCC1yagR4vSR+/qlRYU9SUinw53kzm2tZjabAVbfpTlbq7F7Ld/GuW3IQh/fULBTxYGys9s++72GdG/P0elLjvCV0Xt3vIona//uVKQFXQB8rxAMWLnTHFbM9Y6uWlZkN/W63ceJAYzXNBtC/uzfMV8GRZQpbb/QVO9U/F54yefoB7XJ8BSrHYiCvIeV/SwWINNw9Lo/Cy4nsC6UrqYdanz32HrwawSGikfGjQGXDE1n3DcPXbA6rGR2N7bbxZnIeI7TLP+pNxEg8Apr550Vh1qM9oCDx7cYgFkAEb/X/P4PYqRe1yRn+jzomAPidhGCuHibtihCXU8bht4i3uwT91SJDNEmJI9yBSxAMY9pgjmSuVTO22tI=,iv:D+KOoEOhvNSEbx4h8ltF0Kj8XBp5B6ipCXFtREvqXdw=,tag:jVZjICBTlwEUAeaH7Rgkbg==,type:str]
credentialTemplates:
ssh-creds:
sshPrivateKey: ENC[AES256_GCM,data:NFkcWS4nL0KOtNaXU+InVIoVJhCiasJWN2JTJ2AP9WH9caU5pDw2mpT1mF0zZuRw/hvwJTrkSjA2pV6hiCEVwJegEWqWIKgnakEeF6XZPJK+ryWSLA2jg3Ba8BCMZxMTq9olZEt4ap/irKhvkoDxERdvGp/bsWYwNsy/lo92xNqAeGAWlyS4H5bBPx8RtzJx7MrVmGsOGmtPhaX9AxGtot13FZ07Y0lW0PZ75VgQzNS05Y9obO99hrdJ2sfGdmZtvqtENJGQh9sLzAKKbZFj5bE+A7TA54qVItmePEg6JhWdJ+0QMoyGXUaX1b1XsdwV8TOZEFOj9KI1RwsrOhwlD1sqkKJC1l498mOwP+xeFXJkGOtT2DB+Ds6LU4byXKMkvhwNQho2BBkQ/+W59IIL1+4a6RHMJwO1dhK94AsQDjy0TNyKKTSk8erotlwefR5ny+ZnARe2V5mLObmAZWdbni+AzvfHCrOQcmk3dxwLBCc98/hDzAMlbjsE34GWUEI5rcp+uHhFgnLaTNJE/PJOwP1WlFiyoDIpi2lj,iv:3XAh3cSFA2r1PMlXMo/1ubpIIgyGDDMhpni7hlinSBg=,tag:9po/JY+NFnOz3Xaw5L60PQ==,type:str]
sops:
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZzFUTVVQNit4eTNiYWcw
Z2JsNEVGcm9Qa2NkWnQ3Ym1RSmV5ang4dGt3CkJhdSsyeHJlZWdtbkx3alhqemxD
NWdHdGV2K1ZOeGpqSS84SHVWMUN3OGMKLS0tIFhNWXBHcFg5VDNVUWVaY3RhY0dz
aXNSKzVjZEZRZlBaelk1TTNYcTkxcWMKC1gn1y9T0PsFOE4hKYS7m4OgHGkFcK/p
SSFtTltvEs6jEeXitHhGcn1IWy4hxEvUBnVMGwTkweIKefwxkHi9/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-14T12:08:28Z"
mac: ENC[AES256_GCM,data:YzmFndPEnQAs9LDD41xQPGTUvU2zUup7J3dTUPLVmBZVHbV2Ml2xAmxMLXJ0G1VOM6h+TEQasU/ZUadLc41GM4m8aZfvxnQtMxPJEP9L1g4zhE3zzXAGXixcQ9xDY3aDhVwdoipyMo23kQqaHageVIfoBxE5ClI+ci0FepeBO/I=,iv:8hAfCtpoecVU8WgAStfqFArAMqBAiPJQGgKMJhJnDBE=,tag:lbJOH1IAf6Enl8g/Pe2I+Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1

24
values/badhouseplants/databases/postgres16/secrets.yaml
View File

@ -1,24 +0,0 @@
global:
postgresql:
auth:
postgresPassword: ENC[AES256_GCM,data:+YRWapVv08cZonBsTLtsMHxT7JJp,iv:LJBUmSX1vvmLDBuIdqmi+4UbuLL+yD6PO18kmwlyzpE=,tag:TmG2GQ5/87mIZPLY4uzkBA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1hzTUV3TzRFaHNTN3Fj
Tkh0TW1VNng0WkZNdXdsOVozMDZ5T25uQmgwCkhSWXViUkNsZnExV0c5UXFsd2R4
ZjNYYUFDbnpYYkRQbHdQUDA3cHBxa28KLS0tIFR4MGVWK2o1TFZlQ1FRbkIza3F6
UWc5NzVMVkQ4UDNlSzRidWNzSnFWWkkKfnTaKxZoBFCj2l4QfI/BvG0eGOFX/seF
DcpofYlg0hQFRSavqRjidLri1rzpOCdKlWh/h0nIRDFA7O55Q8QAnQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-14T08:08:22Z"
mac: ENC[AES256_GCM,data:fi4ewchdGDHm1YyVFD57IxSepsnP8K5kCY5klszKUA+swAkGS5BJb4/tsDQ2kefRgJ+RnbqeYfyaBrzrXQQBdYHsHIg4iR+NGl3ql8TzIze2Kc124BCjBs/eq+xyGRxjXjKr31c9dGGaWriO/jIO0ZBSDn5Uz7JcY6iv5Nu+cGI=,iv:SbZr06PcwTJduuxan4a9koKI7B8ZEZ1dQzwBbGQjO+w=,tag:RpTSWKBhUU4oH2m2g906Dw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

24
values/badhouseplants/databases/postgres17/secrets.yaml
View File

@ -1,24 +0,0 @@
global:
postgresql:
auth:
postgresPassword: ENC[AES256_GCM,data:WIgce24XYrwtjxj95M8Jsfe+PJRmdDsd4H8cupbR,iv:VY4NZfY8Y7xM7zcRwX8WMshtnGVl8ad88PpMnRBuaHo=,tag:O2VonlpkE5Xg0dQJR28GyQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUEd0REtSS0xZdUNZOC9s
NUVTNlRxR0ZVandaWmRsSEVINTNuUllBK1ZNCm5ObSsrVzl5SnNycXpjRjNWb3pu
U0R5ckM4bUlvVENiZ2gxeGJKZTNIR0UKLS0tIExsdTkyWDl2dzNVbmk5ZHNXSUJV
K1FqbjBWUkVRcFcxbmtCNWtOaDduYUEKDy2DQVcFCwHGEj+k2fkYAeHU7JWgoeet
ZeqW6H1tafj8dCiBYrbv+RufC3nSWgglVx7VVRtwHh/5MyikpSQGmw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-30T19:59:35Z"
mac: ENC[AES256_GCM,data:RSJqYBKwE0d1cWmb9yXrroRJ5SgQpfEbkCVDUHF/3+XsBDb4yFmbhdkJcWytSj5GK4th0lnuLoxGc/79dqSjlTy2vn1fJSCIrqso3hic6GEp4ZeVuN63D6tkRw2vCpXwHL7LM+VoE2pDW/c3bkkyYoP7486GHA/+jha/ZMxYHsA=,iv:qs6Eq1KVMzAWvecuSSf2LBHYeY1wbD1VgFCDCDurz+o=,tag:h/mprk9v9eNurJl++SCphQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

19
values/badhouseplants/databases/postgres17/values.yaml
View File

@ -1,19 +0,0 @@
architecture: standalone
auth:
database: postgres
metrics:
enabled: false
primary:
persistence:
size: 2Gi
resources:
limits:
ephemeral-storage: 1Gi
memory: 512Mi
requests:
cpu: 512m
ephemeral-storage: 50Mi
memory: 128Mi

26
values/badhouseplants/databases/redis/secrets.yaml
View File

@ -1,26 +0,0 @@
global:
redis:
#ENC[AES256_GCM,data:INOZ17f72Qf6D+drbcvmnZRBRIeXLSAV9RmfOLZFp45qt8GWSHMnevqq9ge4Zlydtsd3BDek/JLUNl6YHPPq9qM1EFujY2htbOHyf0Cn,iv:zZDMizNKFllCyNH/bUF+vuB9YOikjo3q5ebzu3LYvCc=,tag:H0XX/D9xh0HS0Xnqgs/aag==,type:comment]
#ENC[AES256_GCM,data:JiLOpJanuZnMpN5dMvw2,iv:YEVZSdRHez1lCb61hWLvalLq8F67l7KF0WXmmuj9bck=,tag:KnpfgwUYBQLZsj4Jk13RtQ==,type:comment]
#ENC[AES256_GCM,data:mzDGjHlXUunu1yA=,iv:LOOU/QGaHKeDrssbk1haYd0lPclbFak9GygEbbN0gFs=,tag:4cUubeiY6aJj5KVKVkdFUA==,type:comment]
password: ENC[AES256_GCM,data:kN93kIMiVTGWbaYgMC1n1MWqdl8s3cbZS5vvYTa2,iv:Qy+GQchC6s2PoarPWtquipF9gAVYZR6mn0GeHABRogE=,tag:V/xbfm9u51UUG+we/3nNLQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHRuN1J1ODYvc0Z3OW5H
NFhVM0dWWGZETU0vTzVkeUk1NFVWc2FSaGprCm5NalJKUWxtLzA5VTU3YjR5VWtx
NExtbTZZZUZteVBTYnNWTVZvbnF5VFUKLS0tIEpBTDhPbkVLVytaY29aUktmZGF2
bnVKWmI4RWpLaGU5WTIwblJRcDFDMlUK2BHkUNbpRMo0jm2Sk+Qcf4giufJtaJyM
xuoG41AqGs4+KEDS8/rF9HK7z+2Wk9H5b8L+/W0n+J5EPOvwvFePTA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-26T12:23:02Z"
mac: ENC[AES256_GCM,data:xrA6hCFIH/R/j/V1T60xx5Eix5Z5ETREQP4zYriLkZQ4hEzL2WdJFExK1VXSfX4KmIR8215XHmHnWu70eIoAnFUaozBosIFtJz0YNrNNok6MeDGD5fy5mcBQfCqLw+rwbW/uxY7DQrchgVT9iFAkpRSoVPUzn6ku/xCmTmSlv3E=,iv:lNLR5QHKPUWb1Mz8mIFCHnjpuQVF7ttNTOy9+jEzLyo=,tag:G4iZ/9nWKh97JLGOxbgSQg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

28
values/badhouseplants/games/minecraft/secrets.yaml
View File

@ -1,28 +0,0 @@
minecraftServer:
rcon:
password: ENC[AES256_GCM,data:WEDxz61E0FT6qsk+4n/J1U6StnISu6qCCg==,iv:MGD1ONaSkbBoTgR1G7w/prefPHpNeoU1XkyTZCr3dQM=,tag:9kif0moX90lglV8zLNOr3Q==,type:str]
mcbackup:
resticEnvs:
RESTIC_PASSWORD: ENC[AES256_GCM,data:f3A8EsUfA8BkM/VtW4HXsmu/vkRhOuvEVls4JUFg,iv:+svddzq+ILiMoijIGdnNVJpBD33fw2PkfzSeoQC+Kkg=,tag:rUyat/2l3y2fB+UajG6j6A==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:0flAJJMncGcpq2A2wds=,iv:4q/3301l3wR9m1dgJNN6Yqkrlf9gfENivLtQ4s4/BLg=,tag:LLgqNyHqdVI5uBOEKlK5PQ==,type:str]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:H6SS4ogc,iv:nYYIyJWjnhU487PzVDD+1xbKd6NatL990gWgrZFNw88=,tag:/yiY2bcmOVW+PjALlUXS3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2MFByOEpYVkI3TlJEbVRi
Vmp1QkRxY3V5aDdvelpHbndxS25QTTk0NVhrCnJQbEVCMFN3WmhpSWY3RXVMaEtz
K2lZMFlUSzZ5NHRSeHNXbWxVQ2RNTXcKLS0tIG95Qnc4VHFpL3o3L3FieUVIWk1W
U0FTYkVLVHAvcWcrdEt4dHo3bEM3Z2cK3OOXl4aGPF43umfNFPIQOgwxktoK9Ppz
Xj/EQlAqUAvEcs2Mfe1lWymHyK6HpZSN66jTf0a/0kh21cebVzwtnA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-14T08:08:21Z"
mac: ENC[AES256_GCM,data:7NgnMjs9R/tk+KzpY4A8d10V/ZERkdSZE/U+xq5k1OLeQ8P/Di+TI2LNSPZp4+qtG0UNFflVtBniZNJwjcg8tqLiSOuWmHJgc4C5CmEyESwL7igv5DZ+qfImuepDUJyJEvQFkyBISqkyKvJjBBoFPse1TU6EF0lOSNdBYOJ4up8=,iv:ss1VF5vKnaIt2r9PaT2vsy3zgLAH18/e+gX6YU5E/7I=,tag:mkvZGTd1ZRpaBQwoWfVmfQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

140
values/badhouseplants/games/minecraft/values.yaml
View File

@ -1,140 +0,0 @@
# --------------------------------------------------
# -- Main values
# --------------------------------------------------
image:
tag: java23-graalvm
pullPolicy: Always
resources:
requests:
memory: 2.5Gi
cpu: 2.5
limits:
memory: 2.5Gi
lifecycle:
postStart:
- bash
- -c
- for i in {1..100}; do mc-health && break || sleep 20; done && rcon-cli auth setGlobalPassword 11223345
nodeSelector:
node-role.kubernetes.io/minecraft: "true"
livenessProbe:
command:
- mc-health
initialDelaySeconds: 120
periodSeconds: 5
failureThreshold: 50
successThreshold: 1
timeoutSeconds: 20
readinessProbe:
command:
- mc-health
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 20
successThreshold: 1
timeoutSeconds: 20
minecraftServer:
memory: 2000M
jvmOpts: |
-server
jvmXXOpts: |
-Xms2000G -Xmx2500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
overrideServerProperties: true
eula: "TRUE"
onlineMode: false
difficulty: hard
hardcore: true
version: "1.21.5"
maxWorldSize: 90000
type: "FABRIC"
gameMode: survival
pvp: true
modUrls: []
serviceType: NodePort
rcon:
enabled: true
withGeneratedPassword: false
port: 25575
serviceType: ClusterIP
extraPorts:
- name: metrics
containerPort: 19565
protocol: TCP
service:
enabled: true
embedded: false
labels:
exporter: minecraft
type: ClusterIP
port: 19565
ingress:
enabled: false
persistence:
storageClass: openebs-hostpath
dataDir:
enabled: true
Size: 9Gi
mcbackup:
enabled: false
backupInterval: 2h
pauseIfNoPlayers: "false"
pruneBackupsDays: 2
rconRetries: 5
rconRetryInterval: 10s
excludes: "*.jar,cache,logs"
backupMethod: restic
resticRepository: s3:https://s3.e.badhouseplants.net:443/restic/minecraft
resticAdditionalTags: "mc_backups"
pruneResticRetention: "--keep-last 12 --keep-daily 1 --keep-weekly 2 --keep-monthly 2 --keep-yearly 2"
resources:
requests:
memory: 512Mi
cpu: 100m
persistence:
backupDir:
enabled: false
extraVolumes:
- volumeMounts:
- name: plugins
mountPath: /data/mods
readOnly: false
volumes:
- name: plugins
emptyDir:
sizeLimit: 500Mi
- name: download
emptyDir:
sizeLimit: 500Mi
extraDeploy:
- |-
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: minecraft
spec:
endpoints:
- interval: 30s
port: metrics
scrapeTimeout: 10s
path: '/'
namespaceSelector:
matchNames:
- games
selector:
matchLabels:
app.kubernetes.io/instance: minecraft
- |-
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: minecraft-tcp
spec:
entryPoints:
- minecraft
routes:
- match: HostSNI(`*`)
services:
- name: minecraft
nativeLB: true
port: 25565

21
values/badhouseplants/kube-system/namespaces/secrets.yaml
View File

@ -1,21 +0,0 @@
defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-27T10:24:56Z"
mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

39
values/badhouseplants/kube-system/namespaces/values.yaml
View File

@ -1,39 +0,0 @@
namespaces:
- name: registry
- name: flux-system
defaultRegcred: true
- name: argocd
defaultRegcred: true
- name: kube-system
defaultRegcred: true
- name: production
defaultRegcred: true
- name: kyverno
defaultRegcred: true
- name: velero
defaultRegcred: true
- name: observability
defaultRegcred: true
- name: databases
defaultRegcred: true
- name: istio-system
defaultRegcred: true
- name: applications
defaultRegcred: true
labels:
istio-injection: enabled
- name: platform
defaultRegcred: true
- name: games
defaultRegcred: true
- name: pipelines
defaultRegcred: true
- name: public-xray
defaultRegcred: true
labels:
istio-injection: disabled
- name: org-badhouseplants
defaultRegcred: true
- name: org-allanger
labels:
istio-injection: enabled

37
values/badhouseplants/kube-system/openebs/values.yaml
View File

@ -1,37 +0,0 @@
localpv-provisioner:
hostpathClass:
isDefaultClass: true
zfs-localpv:
crds:
zfsLocalPv:
enabled: false
lvm-localpv:
crds:
lvmLocalPv:
enabled: false
mayastor:
csi:
node:
initContainers:
enabled: false
etcd:
# -- Kubernetes Cluster Domain
clusterDomain: cluster.local
localpv-provisioner:
crds:
enabled: false
openebs-crds:
csi:
volumeSnapshots:
enabled: false
keep: true
engines:
local:
lvm:
enabled: false
zfs:
enabled: false
replicated:
mayastor:
enabled: false

24
values/badhouseplants/kube-system/roles/values.yaml
View File

@ -1,24 +0,0 @@
roles:
- name: xray-admin
namespace: public-xray
kind: Role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
namespace: ["public-xray"]
bindings:
- name: woodpecker-ci
namespace: pipelines
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
namespace: pipelines
name: woodpecker-ci
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
sa:
- name: woodpecker-ci
namespace: pipelines

137
values/badhouseplants/kube-system/traefik/values.yaml
View File

@ -1,137 +0,0 @@
service:
annotations:
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
externalTrafficPolicy: Local
ports:
websecure:
transport:
respondingTimeouts:
readTimeout: 0
idleTimeout: 0
writeTimeout: 0
forwardedHeaders:
trustedIPs:
- "192.168.0.0/16"
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
ssh:
port: 22
expose:
default: true
exposedPort: 22
protocol: TCP
openvpn:
port: 1194
expose:
default: true
exposedPort: 1194
protocol: TCP
xray-public:
port: 27015
expose:
default: true
exposedPort: 27015
protocol: TCP
xray-edge:
port: 27016
expose:
default: true
exposedPort: 27016
protocol: TCP
smtp:
port: 25
protocol: TCP
exposedPort: 25
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
smtps:
port: 465
protocol: TCP
exposedPort: 465
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
smtp-startls:
port: 587
protocol: TCP
exposedPort: 587
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
imap:
port: 143
protocol: TCP
exposedPort: 143
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
imaps:
port: 993
protocol: TCP
exposedPort: 993
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
pop3:
port: 110
protocol: TCP
exposedPort: 110
expose:
default: true
pop3s:
port: 995
protocol: TCP
exposedPort: 995
expose:
default: true
proxyProtocol:
trustedIPs:
- "192.168.0.0/16"
minecraft:
port: 25565
protocol: TCP
exposedPort: 25565
expose:
default: true
game-udp:
port: 37015
protocol: UDP
exposedPort: 37015
expose:
default: true
# tf2-rcon:
# port: 37015
# protocol: TCP
# exposedPort: 37015
# expose:
# default: true
# ssocks-etcp:
# port: 8444
# protocol: TCP
# exposedPort: 8443
# expose:
# default: true
#
# ssocks-eudp:
# port: 8445
# protocol: UDP
# exposedPort: 8443
# expose:
# default: true

25
values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml
View File

@ -1,25 +0,0 @@
env:
secrets:
data:
SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-22T12:32:43Z"
mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

57
values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml
View File

@ -1,57 +0,0 @@
shortcuts:
hostname: tandoor.badhouseplants.net
ext-database:
enabled: true
name: tandoor-postgres17
instance: postgres17
credentials:
POSTGRES_HOST: "{{ .Hostname }}"
POSTGRES_PORT: "{{ .Port }}"
workload:
kind: Deployment
strategy:
type: RollingUpdate
containers:
tandoor:
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
envFrom:
- main
- secrets
- secretRef:
name: tandoor-postgres17-creds
extraVolumes:
common:
path: /opt/recipes
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 10
failureThreshold: 30
periodSeconds: 10
ingress:
main:
class: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
extraVolumes:
common:
emptyDir: {}
env:
main:
enabled: true
sensitive: false
data:
DB_ENGINE: django.db.backends.postgresql
SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
REMOTE_USER_AUTH: 1
SOCIAL_DEFAULT_ACCESS: 1
SOCIAL_DEFAULT_GROUP: guest

50
values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml
View File

@ -1,50 +0,0 @@
gitea:
admin:
username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
config:
storage:
MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
mailer:
PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
database:
PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
session:
PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
cache:
HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
queue:
CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
oauth:
- name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
- name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-25T19:15:08Z"
mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

179
values/badhouseplants/org-badhouseplants/app-gitea/values.yaml
View File

@ -1,179 +0,0 @@
# ------------------------------------------
# -- Kubernetes related values
# ------------------------------------------
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
hosts:
- host: gitea.badhouseplants.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea.badhouseplants.net
hosts:
- gitea.badhouseplants.net
replicaCount: 1
clusterDomain: cluster.local
resources:
limits:
memory: 1.5Gi
requests:
cpu: 1.5
memory: 1.5Gi
persistence:
enabled: true
size: 15Gi
accessModes:
- ReadWriteOnce
# ------------------------------------------
# -- Main Gitea settings
# ------------------------------------------
gitea:
metrics:
enabled: false
serviceMonitor:
enabled: false
config:
database:
DB_TYPE: postgres
HOST: postgres17-postgresql.databases.svc.cluster.local
NAME: org-badhouseplants-app-gitea
USER: org-badhouseplants-app-gitea
APP_NAME: Bad Houseplants Gitea
ui:
meta:
AUTHOR: Bad Houseplants
DESCRIPTION: '...by allanger'
repository:
DEFAULT_BRANCH: main
MAX_CREATION_LIMIT: 0
DISABLED_REPO_UNITS: repo.wiki
service:
DISABLE_REGISTRATION: true
server:
DOMAIN: gitea.badhouseplants.net
ROOT_URL: https://gitea.badhouseplants.net
LFS_START_SERVER: true
LANDING_PAGE: explore
START_SSH_SERVER: true
ENABLE_PPROF: false
storage:
STORAGE_TYPE: minio
MINIO_ENDPOINT: "s3.badhouseplants.net:443"
MINIO_ACCESS_KEY_ID: gitea
MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1
MINIO_USE_SSL: true
admin:
DISABLE_REGULAR_ORG_CREATION: true
packages:
ENABLED: true
cron:
enabled: true
attachment:
MAX_SIZE: 100
actions:
ENABLED: true
oauth2_client:
REGISTER_EMAIL_CONFIRM: false
ENABLE_AUTO_REGISTRATION: true
session:
PROVIDER: redis
cache:
ENABLED: true
ADAPTER: redis
queue:
TYPE: redis
mailer:
ENABLED: true
FROM: bot@badhouseplants.net
PROTOCOL: smtp+startls
SMTP_ADDR: stalwart.badhouseplants.net
SMTP_PORT: 587
USER: bot
indexer:
REPO_INDEXER_ENABLED: true
REPO_INDEXER_PATH: indexers/repos.bleve
MAX_FILE_SIZE: 1048576
REPO_INDEXER_EXCLUDE: resources/bin/**
picture:
ENABLE_FEDERATED_AVATAR: false
service:
ssh:
type: ClusterIP
port: 22
clusterIP:
deployment:
env:
- name: REQUIRE_SIGNIN_VIEW
value: expensive
extraDeploy:
- |-
apiVersion: kinda.rocks/v1beta1
kind: Database
metadata:
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
name: {{ include "gitea.fullname" $ }}
spec:
backup:
cron: 0 0 * * *
enable: false
credentials:
templates:
- name: CONNECTION_STRING
secret: true
template: {{` '{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{.Port }}/{{ .Database }}' `}}
deletionProtected: true
instance: postgres17
postgres: {}
secretName: {{ include "gitea.fullname" $ }}-db-creds
- |-
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ include "gitea.fullname" $ }}-ssh
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: {{ include "gitea.fullname" $ }}-ssh
nativeLB: true
port: 22
# ------------------------------------------
# -- Disabled dependencies
# ------------------------------------------
postgresql-ha:
enabled: false
redis-cluster:
enabled: false
# extraDeploy:
# - |
# {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
# apiVersion: traefik.io/v1alpha1
# kind: IngressRouteTCP
# metadata:
# name: {{ include "gitea.fullname" . }}-ssh
# spec:
# entryPoints:
# - ssh
# routes:
# - match: HostSNI('*')
# services:
# - name: "{{ include "gitea.fullname" . }}-ssh"
# port: 22
# nativeLB: true
# {{- end }}

28
values/badhouseplants/org-badhouseplants/app-navidrome-private/secrets.yaml
View File

@ -1,28 +0,0 @@
files:
rclone-config:
enabled: ENC[AES256_GCM,data:3y4DCg==,iv:n+Pfj4j405WR17aY7RbF6lpOQ58ZQmWrH6dgUTQ0jX4=,tag:xbKEnPnASJTl27ch1Hi00g==,type:bool]
sensitive: ENC[AES256_GCM,data:DGby8Q==,iv:nibU4CkdcYlT1F7OkgqE1apUuyJA5M9Vj5x40F9zt3w=,tag:oW+jPP7F1vWY5gf0JyrPdw==,type:bool]
remove: []
entries:
rclone.conf:
data: ENC[AES256_GCM,data:m4K3yt7no9mnUOzn/iGtaKqBrDXoLCgxEWV8NacXlOvh7c5ngmTmwoxzTaNxbsCQA7dECYb0dFtPvhF33AqgpcbRnqGrK54v8V+NaldQrgT2up4iQfdYA+sh+yNG3QAXU7eOEBvyFctJ+9dEaBII1sF/xFSkcTwrWkQFTQKLDdNIYU9a8ttEysz0cBWWXL3h9Y7C/mBjPdWIhpaf6Z63hy5P0hnYFftZsVM=,iv:qBBk9xMlZl3FriY2oYk4DQB1EKTsl7/qUj4s8naVvts=,tag:tDUKvK8ZuIxVeJjyUUqeXQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxalE3bUtCWmFVejBJMlZq
dUg0U0R2VytsZHZ5QlQ4UGdrRmdsWGhWbEI4Clk1WEZ4U1lEdTJoRVBTbEFXaE1O
TW1wb0dycS9HeWdQcUx3KzJKb2kwTVUKLS0tIDU1bE9JWnp3Q3U4V0pVOGs4Z3Rq
Q1VsM3orOUZmS3lDaFpNN2g0cnllVWMKqZlPfiIFKn8h56gspbbUhpv9RkL5gF73
NzqtFJJwQOGaD3lk2ocaLLkvywJ/DKNf7JupTWlmggHijId4hmpytw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-20T15:04:15Z"
mac: ENC[AES256_GCM,data:XRmw86oJLHXMAY/SPv6ptQLV1Eocbig6CQSG1SdOO9scMpfgD3tMY43z5aB16DkW+6AG1ti+TS4JRgXKLaSsAmORqRN0yTwGEktiLs0GxhtDvMYwnclj/Cx76WbZyMkgVzCHe7ZsAI+9DrejSFYbB/CzA+8yq1KmMf/L5NWcv7o=,iv:AcYK48ywr2pzNw/HEY5hWOcjdnmnG2/eWp+r/o15Lbk=,tag:HLKLFYFV+7SWUaFYiNUS3g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

49
values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml
View File

@ -1,49 +0,0 @@
shortcuts:
hostname: navidrome.badhouseplants.net
ingress:
main:
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
env:
main:
enabled: true
sensitive: false
remove: []
data:
ND_MUSICFOLDER: /app/music
ND_DATAFOLDER: /app/data
ND_LOGLEVEL: info
ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
files:
rclone-config:
enabled: true
sensitive: true
remove: []
entries:
rclone.conf:
data: |
[music-data]
type = s3
provider = Minio
endpoint = s3.badhouseplants.net
location_constraint = us-west-1
access_key_id = allanger
secret_access_key = fPN3Nv6yDWVnZ7V7eRZ
rclone-script:
enabled: true
sensitive: false
remove: []
entries:
rclone-script:
data: |
#!/usr/bin/sh
while true; do
rclone --config /app/rclone.conf sync -P music-data:/music /app/music
sleep 10
done

54
values/badhouseplants/org-badhouseplants/app-navidrome/values.yaml
View File

@ -1,54 +0,0 @@
middleware:
enabled: true
middlewares:
- name: navidromeauth
spec:
headers:
customRequestHeaders:
Remote-User: "guest"
shortcuts:
hostname: music.badhouseplants.net
ingress:
main:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: org-badhouseplants-navidromeauth@kubernetescrd
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
env:
main:
enabled: true
sensitive: false
remove: []
data:
ND_MUSICFOLDER: /app/music
ND_DATAFOLDER: /app/data
ND_LOGLEVEL: info
ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
ND_REVERSEPROXYUSERHEADER: "Remote-User"
ND_REVERSEPROXYWHITELIST: "0.0.0.0/0"
ND_LASTFM_ENABLED: false
ND_LISTENBRAINZ_ENABLED: false
ND_ENABLEUSEREDITING: false
ND_ENABLEFAVOURITES: false
ND_ENABLESTARRATING: false
ND_ENABLEEXTERNALSERVICES: false
ND_ENABLESHARING: true
files:
rclone-config:
enabled: true
sensitive: false
remove: []
entries:
rclone.conf:
data: |
[music-data]
type = s3
provider = Minio
endpoint = s3.badhouseplants.net
location_constraint = us-west-1

20
values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml
View File

@ -1,20 +0,0 @@
deployAnnotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/initContainers: 'true'
extra:
templates:
- |-
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: "{{ .Release.Name }}-game"
spec:
entryPoints:
- game-udp
routes:
- services:
- name: app-open-strike-2-main
nativeLB: true
port: 27015

27
values/badhouseplants/org-badhouseplants/app-stalwart/secrets.yaml
View File

@ -1,27 +0,0 @@
config:
env:
secrets:
data:
SW_ADMIN_SECRET: ENC[AES256_GCM,data:dG2zVmvycL7TZM922XADQ/SwWMBrUvXd+BPwpxIvmaDnjejpEaHUfB0xhpkhZqhAB8M=,iv:5hDpUFLLGLf4VLj8h3weOZhiwJKYORg5uKVgXVXKbgM=,tag:9FQru61B5hDPcIoIUDvUtg==,type:str]
MINIO_ACCESS_ID: ENC[AES256_GCM,data:HvZa/kOy8ZI=,iv:T2433k3OmZTmPTx2QWEAELlN7zY37LUynapVWpASrJ0=,tag:Kvr4wIgq5dMmXRJDoxqGxA==,type:str]
MINIO_SECRET_KEY: ENC[AES256_GCM,data:Tv5VWQprCKtJCghzhZ8YD8/9,iv:hioZ+d0ns+Hr3pBVyfFWgcuRKDrPQmskSnU0XOMwhzA=,tag:nuFn0qV9UMy2ywiFfx5gHg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMTZGN2NSYXUzcXNJVUx2
YXE3Nk5MbnV1dyttUEtmUExabFYvOGdHcTBRCkM1WE9uNlF1OGh4NnNDL3NabXhi
OW1NcDlydUMraTVQV2tjLzVla2tpSnMKLS0tIHN6RXVJTzNvZlkyTmdDb09UTUNy
TVJyRVI5U2NmV1VIQTk4cjlYM1htMFkKkxsXzn+7nFiTs3mANqO0+f7/TTGKogFk
8ix4OpiA9b33kuqi4Z7bXx4ucyCmlDwtxuHvmOEOyW4yJ9F1cgm+Uw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-15T23:05:04Z"
mac: ENC[AES256_GCM,data:Kix/IdONJ79Lj1dc/gigpM7BUPyg7EIsPQzkhtu8+nbIQZQsm0CYqlqPx1V7w0r9vef+rCd/8GX8RdKw0o5ZaDZY5l0nXEi9E7dEtcHTYlrr8fqljcsGRAKmOiBRMkPh0jGTEPlFRtb0Inrn85rWUiMJP12hwIIS0t7GpAydKdI=,iv:1pMdzj1x0Hf65nmZ28Lv7yu6Y+suQKxv274nYl8J3HI=,tag:GQL8HOSswz2N56iNAS9l9w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

Some files were not shown because too many files have changed in this diff Show More