ntr/ntwl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ntr:260a072aa7a9b939f915b1fcf61ffc4c38d84c1d
Branches Tags
ntr:main
ntr:nightowl
..
compare: ntr:ae4d18443f41981b28a69c95b3236c1b15f4646b
Branches Tags
ntr:main
ntr:nightowl

No commits in common. "260a072aa7a9b939f915b1fcf61ffc4c38d84c1d" and "ae4d18443f41981b28a69c95b3236c1b15f4646b" have entirely different histories.
260a072aa7 ... ae4d18443f

31 changed files with 62 additions and 1381 deletions
Show Stats Expand all files Collapse all files

24
CLAUDE.md
View File

@ -1,24 +0,0 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Commands
- Validate YAML: `kubectl --dry-run=client -f <filename.yaml>`
- Validate syntax with YAML linter: `yamllint <filename.yaml>`
- Check Kubernetes resources: `kubectl get <resource-type> --namespace <namespace>`
## Style Guidelines
1. YAML Formatting:
- Use 2-space indentation
- Use snake_case for keys
- Keep line length under 100 characters
2. Kubernetes Resources:
- Include resource limits/requests in all deployments
- Add appropriate labels and annotations
- Group related resources in the same file
- Use namespaces to organize resources by service
3. Documentation:
- Add comments for non-obvious configuration choices
- Document environment-specific variables clearly

9
README.md
View File

@ -2,18 +2,9 @@
## TODO ## TODO
### Media
[ ] sabnzbd ini config map
[ ] tdarr
[ ] subtitle extractor
[ ] intro-skipper
[x] private registry [x] private registry
[x] secrets [x] secrets
[x] ntr-cv static containers [x] ntr-cv static containers
[x] check mnmlgg mail [x] check mnmlgg mail
[x] ufw [x] ufw
[x] grafana etc [x] grafana etc
kubectl run -i --tty --rm debug --image=busybox --restart=Never -- nslookup openebs-etcd.openebs.svc.cluster.local

27
crates/crates.ingress.yaml
View File

@ -11,7 +11,7 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- crates.strix.systems - crates.strix.systems
@ -27,16 +27,6 @@ spec:
name: crates-client name: crates-client
port: port:
number: 8080 number: 8080
- host: crates.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: crates-client
port:
number: 8080
--- ---
@ -45,11 +35,12 @@ kind: Ingress
metadata: metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
haproxy.org/path-rewrite: "/api(/)?(.*) /$2" nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: crates-api name: crates-api
namespace: default namespace: default
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- crates.strix.systems - crates.strix.systems
@ -65,13 +56,3 @@ spec:
name: crates-api name: crates-api
port: port:
number: 41337 number: 41337
- host: crates.ntwl.xyz
http:
paths:
- path: /api(/|$)(.*)
pathType: ImplementationSpecific
backend:
service:
name: crates-api
port:
number: 41337

137
media/jellyfin.yaml
View File

@ -1,137 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
namespace: media
spec:
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
# USE GPU
runtimeClassName: nvidia
restartPolicy: Always
containers:
- image: ghcr.io/hotio/jellyfin
imagePullPolicy: Always
name: jellyfin
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 8096
protocol: TCP
volumeMounts:
- mountPath: /data
name: jellyfin-data
readOnly: true
- mountPath: /config
name: jellyfin-config
volumes:
- name: jellyfin-data
persistentVolumeClaim:
claimName: data
- name: jellyfin-config
persistentVolumeClaim:
claimName: jellyfin-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jellyfin-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: jellyfin
name: jellyfin
namespace: media
spec:
ports:
- name: web
port: 8096
protocol: TCP
targetPort: 8096
selector:
app: jellyfin
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: haproxy
tls:
- secretName: jellyfin-ingress
hosts:
- jf.ntwl.xyz
rules:
- host: jf.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyfin
port:
name: web
path: /
pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-lan-ingress
namespace: media
annotations:
haproxy.org/ssl-redirect: "false"
haproxy.org/ssl-certificate: "default/tls-secret"
spec:
ingressClassName: haproxy
rules:
- host: jfl.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyfin
port:
name: web
path: /
pathType: Prefix

108
media/jellyseerr.yaml
View File

@ -1,108 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyseerr
namespace: media
spec:
selector:
matchLabels:
app: jellyseerr
template:
metadata:
labels:
app: jellyseerr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/jellyseerr
imagePullPolicy: Always
name: jellyseerr
env:
- name: TZ
value: Australia/Melbourne
ports:
- containerPort: 5055
name: web
protocol: TCP
volumeMounts:
- mountPath: /app/config
name: jellyseerr-config
volumes:
- name: jellyseerr-config
persistentVolumeClaim:
claimName: jellyseerr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jellyseerr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: jellyseerr
name: jellyseerr
namespace: media
spec:
ports:
- name: web
port: 5055
protocol: TCP
targetPort: 5055
selector:
app: jellyseerr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyseerr-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: haproxy
tls:
- secretName: jellyseerr-ingress
hosts:
- jellyseerr.ntwl.xyz
- get.ntwl.xyz
rules:
- host: jellyseerr.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyseerr
port:
name: web
path: /
pathType: Prefix
- host: get.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyseerr
port:
name: web
path: /
pathType: Prefix

21
media/media.yaml
View File

@ -1,21 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: media
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: data
namespace: media
spec:
storageClassName: slow
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Ti

42
media/nvidia.yaml
View File

@ -1,42 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gpu-operator
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gpu-operator
namespace: gpu-operator
spec:
repo: https://helm.ngc.nvidia.com/nvidia
chart: gpu-operator
targetNamespace: gpu-operator
version: 24.9.2
---
# apiVersion: v1
# kind: Pod
# metadata:
# name: nbody-gpu-benchmark
# namespace: default
# spec:
# restartPolicy: OnFailure
# runtimeClassName: nvidia
# containers:
# - name: cuda-container
# image: nvcr.io/nvidia/k8s/cuda-sample:nbody
# args: ["nbody", "-gpu", "-benchmark"]
# resources:
# limits:
# nvidia.com/gpu: 1
# env:
# - name: NVIDIA_VISIBLE_DEVICES
# value: all
# - name: NVIDIA_DRIVER_CAPABILITIES
# value: all

95
media/prowlarr.yaml
View File

@ -1,95 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prowlarr
namespace: media
spec:
selector:
matchLabels:
app: prowlarr
template:
metadata:
labels:
app: prowlarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/prowlarr
imagePullPolicy: Always
name: prowlarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 9696
name: web
protocol: TCP
volumeMounts:
- mountPath: /config
name: prowlarr-config
volumes:
- name: prowlarr-config
persistentVolumeClaim:
claimName: prowlarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: prowlarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: prowlarr
name: prowlarr
namespace: media
spec:
ports:
- name: web
port: 9696
protocol: TCP
targetPort: 9696
selector:
app: prowlarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prowlarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: prowlarr.ntwl.xyz
http:
paths:
- backend:
service:
name: prowlarr
port:
name: web
path: /
pathType: Prefix

100
media/radarr.yaml
View File

@ -1,100 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: media
spec:
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/radarr
imagePullPolicy: Always
name: radarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 7878
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: radarr-data
- mountPath: /config
name: radarr-config
volumes:
- name: radarr-data
persistentVolumeClaim:
claimName: data
- name: radarr-config
persistentVolumeClaim:
claimName: radarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: radarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: radarr
name: radarr
namespace: media
spec:
ports:
- name: web
port: 7878
protocol: TCP
targetPort: 7878
selector:
app: radarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: radarr.ntwl.xyz
http:
paths:
- backend:
service:
name: radarr
port:
name: web
path: /
pathType: Prefix

109
media/sabnzbd.yaml
View File

@ -1,109 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sabnzbd
namespace: media
spec:
selector:
matchLabels:
app: sabnzbd
template:
metadata:
labels:
app: sabnzbd
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/sabnzbd
imagePullPolicy: Always
name: sabnzbd
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
- name: WEBUI_PORTS
value: '8080/tcp,8080/udp'
- name: ARGS
value: ''
ports:
- containerPort: 8080
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: sabnzbd-data
- mountPath: /config
name: sabnzbd-config
volumes:
- name: sabnzbd-data
persistentVolumeClaim:
claimName: data
- name: sabnzbd-config
persistentVolumeClaim:
claimName: sabnzbd-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: sabnzbd-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: sabnzbd
name: sabnzbd
namespace: media
spec:
ports:
- name: web
port: 8080
protocol: TCP
targetPort: 8080
- name: web-udp
port: 8080
protocol: UDP
targetPort: 8080
selector:
app: sabnzbd
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sabnzbd-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: sabnzbd.ntwl.xyz
http:
paths:
- backend:
service:
name: sabnzbd
port:
name: web
path: /
pathType: Prefix

101
media/sonarr.yaml
View File

@ -1,101 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: media
spec:
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/sonarr
imagePullPolicy: Always
name: sonarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 8989
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: sonarr-data
- mountPath: /config
name: sonarr-config
volumes:
- name: sonarr-data
persistentVolumeClaim:
claimName: data
- name: sonarr-config
persistentVolumeClaim:
claimName: sonarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: sonarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: sonarr
name: sonarr
namespace: media
spec:
ports:
- name: web
port: 8989
protocol: TCP
targetPort: 8989
selector:
app: sonarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: sonarr.ntwl.xyz
http:
paths:
- backend:
service:
name: sonarr
port:
name: web
path: /
pathType: Prefix

24
memestream/memestream.ingress.yaml
View File

@ -5,13 +5,11 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- memestream.strix.systems - memestream.strix.systems
- search.memestream.strix.systems - search.memestream.strix.systems
- memestream.ntwl.xyz
- search.memestream.ntwl.xyz
secretName: memestream-strix-systems-tls secretName: memestream-strix-systems-tls
rules: rules:
- host: search.memestream.strix.systems - host: search.memestream.strix.systems
@ -24,16 +22,6 @@ spec:
name: memestream-meili name: memestream-meili
port: port:
number: 7700 number: 7700
- host: search.memestream.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: memestream-meili
port:
number: 7700
- host: memestream.strix.systems - host: memestream.strix.systems
http: http:
paths: paths:
@ -44,13 +32,3 @@ spec:
name: memestream-client name: memestream-client
port: port:
number: 8080 number: 8080
- host: memestream.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: memestream-client
port:
number: 8080

28
memestream/memestream.yaml
View File

@ -45,7 +45,7 @@ metadata:
spec: spec:
storageClassName: "" storageClassName: ""
capacity: capacity:
storage: 5Gi storage: 2Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
@ -68,7 +68,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 5Gi storage: 2Gi
--- ---
@ -76,30 +76,6 @@ spec:
# DEPLOYMENTS # DEPLOYMENTS
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: memestream-archiver
spec:
replicas: 1
selector:
matchLabels:
app: memestream-archiver
template:
metadata:
labels:
app: memestream-archiver
spec:
containers:
- name: memestream-archiver
image: registry.strix.systems/memestream-archiver
imagePullPolicy: Always
envFrom:
- secretRef:
name: memestream-archiver
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:

13
mnml/mnml.ingress.yaml
View File

@ -10,7 +10,7 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg
@ -36,9 +36,9 @@ metadata:
namespace: default namespace: default
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
haproxy.org/websocket-support: "true" nginx.org/websocket-services: "mnml-ws"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg
@ -63,10 +63,11 @@ metadata:
name: mnml-ws name: mnml-ws
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
haproxy.org/websocket-support: "true" nginx.org/proxy-read-timeout: "3600"
haproxy.org/timeout-tunnel: "3600s" nginx.org/proxy-send-timeout: "3600"
nginx.org/websocket-services: mnml-ws
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg

0
ops/grafana.yaml → monitor/grafana.yaml
View File

13
ops/monitor.ingress.yaml → monitor/monitor.ingress.yaml
View File

@ -8,11 +8,10 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- monitor.strix.systems - monitor.strix.systems
- monitor.ntwl.xyz
secretName: monitor-strix-systems-tls secretName: monitor-strix-systems-tls
rules: rules:
- host: monitor.strix.systems - host: monitor.strix.systems
@ -25,13 +24,3 @@ spec:
name: kube-prometheus-stack-grafana name: kube-prometheus-stack-grafana
port: port:
number: 80 number: 80
- host: monitor.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kube-prometheus-stack-grafana
port:
number: 80

0
ops/values.yaml → monitor/values.yaml
View File

19
networking/haproxy.yaml
View File

@ -1,19 +0,0 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: haproxy-kubernetes-ingress
namespace: kube-system
spec:
repo: https://haproxytech.github.io/helm-charts
chart: kubernetes-ingress
targetNamespace: networking
valuesContent: |-
controller:
kind: DaemonSet
daemonset:
useHostPort: true
config:
ssl-redirect-port: "443"
# - --https-bind-port=443

6
networking/networking.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: networking

168
networking/pihole.yaml
View File

@ -1,168 +0,0 @@
---
# -----------------------------------------------------------------------
# DEPLOYMENTS
# -----------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: pihole
namespace: networking
spec:
replicas: 1
selector:
matchLabels:
app: pihole
template:
metadata:
labels:
app: pihole
spec:
containers:
- name: pihole
image: pihole/pihole:latest
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: "Australia/Melbourne"
- name: FTLCONF_webserver_api_password
value: grepgrepgrep
# allow it to respond to devices outside cluster
- name: FTLCONF_dns_listeningMode
value: single
# resolve wildcards
- name: FTLCONF_misc_dnsmasq_lines
value: address=/nightowl.strix.systems/192.168.1.88
ports:
- containerPort: 53
protocol: TCP
- containerPort: 53
protocol: UDP
- containerPort: 67
protocol: UDP
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
# volumeMounts:
# - name: etc
# mountPath: /etc/pihole
# - name: dnsmasq
# mountPath: /etc/dnsmasq.d
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 2Gi
cpu: 1
# volumes:
# - name: etc
# hostPath:
# path: /data/pihole/etc
# type: Directory
# - name: dnsmasq
# hostPath:
# path: /data/pihole/dnsmasq.d
# type: Directory
# -----------------------------------------------------------------------
# SERVICES
# -----------------------------------------------------------------------
---
kind: Service
apiVersion: v1
metadata:
name: pihole
namespace: networking
spec:
selector:
app: pihole
ports:
- name: web
port: 80
targetPort: 80
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
---
apiVersion: v1
kind: Service
metadata:
name: pihole-dns-udp
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-udp
port: 53
protocol: UDP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: pihole-dns-tcp
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-tcp
port: 53
protocol: TCP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: pihole-web-debug
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-tcp
port: 9980
targetPort: 80
protocol: TCP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pihole
namespace: networking
spec:
ingressClassName: haproxy
rules:
- host: "pihole.nightowl.strix.systems"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: pihole
port:
name: web

20
networking/cert-manager.yaml → nginx-ingress/cert-manager.yaml
View File

@ -1,21 +1,6 @@
# using the same issuer for everything # using the same issuer for everything
# ntr@strix is the big boss # ntr@strix is the big boss
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: cert-manager
spec:
repo: https://charts.jetstack.io
chart: cert-manager
targetNamespace: networking
valuesContent: |-
crds:
enabled: true
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
@ -34,7 +19,7 @@ spec:
solvers: solvers:
- http01: - http01:
ingress: ingress:
ingressClassName: haproxy ingressClassName: nginx
--- ---
@ -55,5 +40,4 @@ spec:
solvers: solvers:
- http01: - http01:
ingress: ingress:
ingressClassName: haproxy ingressClassName: nginx

13
ntr-cv/ntr-cv.ingress.yaml
View File

@ -7,11 +7,10 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- strix.systems - strix.systems
- ntr.ntwl.xyz
secretName: strix-systems-tls secretName: strix-systems-tls
rules: rules:
- host: strix.systems - host: strix.systems
@ -24,13 +23,3 @@ spec:
name: ntr-cv name: ntr-cv
port: port:
number: 8080 number: 8080
- host: ntr.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntr-cv
port:
number: 8080

130
ops/git.yaml
View File

@ -1,130 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-admin-secret
namespace: ops
type: Opaque
stringData:
username: ntr
password: "ghastly ghouls"
email: "ntr@strix.systems"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-data
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-redis
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-pg
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gitea
namespace: ops
spec:
repo: https://dl.gitea.com/charts/
chart: gitea
targetNamespace: ops
valuesContent: |-
ingress:
enabled: true
className: haproxy
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
tls:
- secretName: git-tls
hosts:
- git.ntwl.xyz
# - git.strix.systems
hosts:
- host: git.ntwl.xyz
paths:
- path: /
pathType: Prefix
- host: git.strix.systems
paths:
- path: /
pathType: Prefix
service:
ssh:
type: LoadBalancer
port: 60022
externalTrafficPolicy: Local
redis-cluster:
enabled: false
redis:
enabled: true
persistence:
enabled: true
existingClaim: gitea-redis
postgresql:
enabled: true
persistence:
enabled: true
existingClaim: gitea-pg
postgresql-ha:
enabled: false
persistence:
enabled: true
existingClaim: gitea-data
gitea:
config:
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
server:
SSH_PORT: 60022
admin:
existingSecret: gitea-admin-secret

6
ops/ops.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ops

9
ops/generate_auth.sh → registry/generate_auth.sh Normal file → Executable file
View File

@ -11,7 +11,7 @@ htpasswd() {
htpasswd -Bbn ${1} ${2} | head -n 1 2> /dev/null\"" htpasswd -Bbn ${1} ${2} | head -n 1 2> /dev/null\""
} }
K3S_HOST=ntwl.xyz K3S_HOST=strix.systems
REGISTRY_ADMIN=ntr REGISTRY_ADMIN=ntr
REGISTRY_PASSWORD=$(gen_password) REGISTRY_PASSWORD=$(gen_password)
REGISTRY_AUTH=$(htpasswd ${REGISTRY_ADMIN} ${REGISTRY_PASSWORD}) REGISTRY_AUTH=$(htpasswd ${REGISTRY_ADMIN} ${REGISTRY_PASSWORD})
@ -24,7 +24,6 @@ echo REGISTRY_AUTH is ${REGISTRY_AUTH}
echo REGISTRY_HTTP_SECRET is ${REGISTRY_HTTP_SECRET} echo REGISTRY_HTTP_SECRET is ${REGISTRY_HTTP_SECRET}
kubectl create secret generic registry \ kubectl create secret generic registry \
-n ops \
--from-literal=REGISTRY_ADMIN=${REGISTRY_ADMIN} \ --from-literal=REGISTRY_ADMIN=${REGISTRY_ADMIN} \
--from-literal=REGISTRY_PASSWORD=${REGISTRY_PASSWORD} \ --from-literal=REGISTRY_PASSWORD=${REGISTRY_PASSWORD} \
--from-literal=REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET} \ --from-literal=REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET} \
@ -32,11 +31,11 @@ kubectl create secret generic registry \
# cat <<EOF | ssh root@strix tee /etc/rancher/k3s/registries.yaml # cat <<EOF | ssh root@strix tee /etc/rancher/k3s/registries.yaml
# mirrors: # mirrors:
# registry.ntwl.xyz: # registry.strix.systems:
# endpoint: # endpoint:
# - "https://registry.ntwl.xyz" # - "https://registry.strix.systems"
# configs: # configs:
# "registry.ntwl.xyz": # "registry.strix.systems":
# auth: # auth:
# username: ntr # username: ntr
# password: pw # password: pw

15
ops/registry.ingress.yaml → registry/registry.ingress.yaml
View File

@ -5,14 +5,13 @@ kind: Ingress
metadata: metadata:
name: registry name: registry
annotations: annotations:
haproxy.org/proxy-body-size-limit: "2g" nginx.ingress.kubernetes.io/proxy-body-size: 2g
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- registry.strix.systems - registry.strix.systems
- registry.ntwl.xyz
secretName: registry-strix-systems-tls secretName: registry-strix-systems-tls
rules: rules:
- host: registry.strix.systems - host: registry.strix.systems
@ -25,13 +24,3 @@ spec:
name: registry name: registry
port: port:
number: 5000 number: 5000
- host: registry.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000

38
ops/registry.yaml → registry/registry.yaml
View File

@ -1,17 +1,37 @@
--- ---
kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
kind: PersistentVolume
metadata: metadata:
name: registry-storage name: registry-pv
namespace: ops
spec: spec:
storageClassName: zfs-fast storageClassName: local-path
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
claimRef:
namespace: default
name: registry-pvc
hostPath:
path: "/var/lib/rancher/k3s/storage/registry-pv"
type: DirectoryOrCreate
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: registry-pvc
spec:
volumeName: registry-pv
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
storageClassName: local-path
--- ---
@ -19,7 +39,6 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: registry name: registry
namespace: ops
spec: spec:
ports: ports:
- name: web - name: web
@ -34,7 +53,6 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: registry name: registry
namespace: ops
labels: labels:
app: registry app: registry
spec: spec:
@ -70,7 +88,7 @@ spec:
name: registry name: registry
key: REGISTRY_HTTP_SECRET key: REGISTRY_HTTP_SECRET
volumeMounts: volumeMounts:
- name: registry-storage - name: registry-pvc
mountPath: /var/lib/registry mountPath: /var/lib/registry
- name: registry-auth - name: registry-auth
mountPath: /auth mountPath: /auth
@ -87,9 +105,9 @@ spec:
- name: registry-config - name: registry-config
configMap: configMap:
name: registry name: registry
- name: registry-storage - name: registry-pvc
persistentVolumeClaim: persistentVolumeClaim:
claimName: registry-storage claimName: registry-pvc
--- ---
@ -97,7 +115,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: registry name: registry
namespace: ops # namespace: registry
data: data:
config.yml: | config.yml: |
version: 0.1 version: 0.1

6
spacerace/spacerace.ingress.yaml
View File

@ -5,9 +5,11 @@ metadata:
name: spacerace-api name: spacerace-api
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
haproxy.org/path-rewrite: "/api(/)?(.*) /$2" # don't do this again
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- spacerace.strix.systems - spacerace.strix.systems

28
storage/minio.ingress.yaml
View File

@ -7,11 +7,10 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- minio.strix.systems - minio.strix.systems
- minio.ntwl.xyz
secretName: minio.strix.systems secretName: minio.strix.systems
rules: rules:
- host: minio.strix.systems - host: minio.strix.systems
@ -24,16 +23,6 @@ spec:
name: minio-service name: minio-service
port: port:
number: 9090 number: 9090
- host: minio.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio-service
port:
number: 9090
--- ---
@ -45,13 +34,12 @@ metadata:
app: minio app: minio
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
haproxy.org/proxy-body-size-limit: "1g" nginx.ingress.kubernetes.io/proxy-body-size: 1g
spec: spec:
ingressClassName: haproxy ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- storage.strix.systems - storage.strix.systems
- storage.ntwl.xyz
secretName: storage.strix.systems secretName: storage.strix.systems
rules: rules:
- host: storage.strix.systems - host: storage.strix.systems
@ -64,13 +52,3 @@ spec:
name: minio-service name: minio-service
port: port:
number: 9000 number: 9000
- host: storage.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio-service
port:
number: 9000

4
storage/minio.yaml
View File

@ -11,7 +11,7 @@ metadata:
spec: spec:
storageClassName: "" storageClassName: ""
capacity: capacity:
storage: 20Gi storage: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
@ -34,7 +34,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 20Gi storage: 10Gi
--- ---

128
storage/openebs.yaml
View File

@ -1,128 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: openebs
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: openebs
namespace: openebs
spec:
repo: https://openebs.github.io/openebs/
chart: openebs
targetNamespace: openebs
valuesContent: |-
engines:
replicated:
mayastor:
enabled: false
local:
lvm:
enabled: false
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-fast
parameters:
poolname: "fast/k8s"
recordsize: "128k"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-slow
parameters:
poolname: "slow/k8s"
# https://www.zfshandbook.com/docs/advanced-zfs/performance-tuning/
recordsize: "1M"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-fast-shared
parameters:
poolname: "fast/k8s"
recordsize: "128k"
shared: "yes"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-slow-shared
parameters:
poolname: "slow/k8s"
# https://www.zfshandbook.com/docs/advanced-zfs/performance-tuning/
recordsize: "1M"
shared: "yes"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fast
annotations:
cas.openebs.io/config: |
- name: StorageType
value: "hostpath"
- name: BasePath
value: "/fast/k8s/"
openebs.io/cas-type: local
provisioner: openebs.io/local
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: slow
annotations:
cas.openebs.io/config: |
- name: StorageType
value: "hostpath"
- name: BasePath
value: "/slow/k8s/"
openebs.io/cas-type: local
provisioner: openebs.io/local
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer