ntr/ntwl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ntr:ae4d18443f41981b28a69c95b3236c1b15f4646b
Branches Tags
ntr:main
ntr:nightowl
..
compare: ntr:260a072aa7a9b939f915b1fcf61ffc4c38d84c1d
Branches Tags
ntr:main
ntr:nightowl

10 Commits
ae4d18443f ... 260a072aa7

Author SHA1 Message Date
Nathan Rashleigh
260a072aa7 registry 2025-04-08 01:36:11 +10:00
Nathan Rashleigh
61643c4c72 move stuff 2025-04-07 23:45:57 +10:00
Nathan Rashleigh
7071dbc06c Merge branch 'nightowl' of ssh://strix:/home/ntr/repos/strix into nightowl 2025-04-07 23:36:47 +10:00
Nathan Rashleigh
64886cdbaf certmanager 2025-04-07 23:36:44 +10:00
Nathan Rashleigh
1207f50bd6 merge main 2025-04-07 23:08:47 +10:00
Nathan Rashleigh
0bc67f0fdc yarrrrr 2025-03-11 00:47:21 +11:00
Nathan Rashleigh
2b2296cc2e seeerrrr 2025-03-10 20:47:23 +11:00
Nathan Rashleigh
7fbc9cdd3d storage 2025-03-10 14:22:19 +11:00
Nathan Rashleigh
ca6113a68e nightowl networking 2025-03-08 18:39:56 +11:00
Nathan Rashleigh
be831bbb77 increase memestream storage 2025-02-08 00:20:19 +11:00
31 changed files with 1381 additions and 62 deletions
Show Stats Expand all files Collapse all files

24
CLAUDE.md Normal file
View File

@ -0,0 +1,24 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Commands
- Validate YAML: `kubectl --dry-run=client -f <filename.yaml>`
- Validate syntax with YAML linter: `yamllint <filename.yaml>`
- Check Kubernetes resources: `kubectl get <resource-type> --namespace <namespace>`
## Style Guidelines
1. YAML Formatting:
- Use 2-space indentation
- Use snake_case for keys
- Keep line length under 100 characters
2. Kubernetes Resources:
- Include resource limits/requests in all deployments
- Add appropriate labels and annotations
- Group related resources in the same file
- Use namespaces to organize resources by service
3. Documentation:
- Add comments for non-obvious configuration choices
- Document environment-specific variables clearly

11
README.md
View File

@ -2,9 +2,18 @@
## TODO ## TODO
### Media
[ ] sabnzbd ini config map
[ ] tdarr
[ ] subtitle extractor
[ ] intro-skipper
[x] private registry [x] private registry
[x] secrets [x] secrets
[x] ntr-cv static containers [x] ntr-cv static containers
[x] check mnmlgg mail [x] check mnmlgg mail
[x] ufw [x] ufw
[x] grafana etc [x] grafana etc
kubectl run -i --tty --rm debug --image=busybox --restart=Never -- nslookup openebs-etcd.openebs.svc.cluster.local

27
crates/crates.ingress.yaml
View File

@ -11,7 +11,7 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- crates.strix.systems - crates.strix.systems
@ -27,6 +27,16 @@ spec:
name: crates-client name: crates-client
port: port:
number: 8080 number: 8080
- host: crates.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: crates-client
port:
number: 8080
--- ---
@ -35,12 +45,11 @@ kind: Ingress
metadata: metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/use-regex: "true" haproxy.org/path-rewrite: "/api(/)?(.*) /$2"
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: crates-api name: crates-api
namespace: default namespace: default
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- crates.strix.systems - crates.strix.systems
@ -56,3 +65,13 @@ spec:
name: crates-api name: crates-api
port: port:
number: 41337 number: 41337
- host: crates.ntwl.xyz
http:
paths:
- path: /api(/|$)(.*)
pathType: ImplementationSpecific
backend:
service:
name: crates-api
port:
number: 41337

137
media/jellyfin.yaml Normal file
View File

@ -0,0 +1,137 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
namespace: media
spec:
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
# USE GPU
runtimeClassName: nvidia
restartPolicy: Always
containers:
- image: ghcr.io/hotio/jellyfin
imagePullPolicy: Always
name: jellyfin
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 8096
protocol: TCP
volumeMounts:
- mountPath: /data
name: jellyfin-data
readOnly: true
- mountPath: /config
name: jellyfin-config
volumes:
- name: jellyfin-data
persistentVolumeClaim:
claimName: data
- name: jellyfin-config
persistentVolumeClaim:
claimName: jellyfin-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jellyfin-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: jellyfin
name: jellyfin
namespace: media
spec:
ports:
- name: web
port: 8096
protocol: TCP
targetPort: 8096
selector:
app: jellyfin
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: haproxy
tls:
- secretName: jellyfin-ingress
hosts:
- jf.ntwl.xyz
rules:
- host: jf.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyfin
port:
name: web
path: /
pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-lan-ingress
namespace: media
annotations:
haproxy.org/ssl-redirect: "false"
haproxy.org/ssl-certificate: "default/tls-secret"
spec:
ingressClassName: haproxy
rules:
- host: jfl.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyfin
port:
name: web
path: /
pathType: Prefix

108
media/jellyseerr.yaml Normal file
View File

@ -0,0 +1,108 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyseerr
namespace: media
spec:
selector:
matchLabels:
app: jellyseerr
template:
metadata:
labels:
app: jellyseerr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/jellyseerr
imagePullPolicy: Always
name: jellyseerr
env:
- name: TZ
value: Australia/Melbourne
ports:
- containerPort: 5055
name: web
protocol: TCP
volumeMounts:
- mountPath: /app/config
name: jellyseerr-config
volumes:
- name: jellyseerr-config
persistentVolumeClaim:
claimName: jellyseerr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jellyseerr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: jellyseerr
name: jellyseerr
namespace: media
spec:
ports:
- name: web
port: 5055
protocol: TCP
targetPort: 5055
selector:
app: jellyseerr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyseerr-ingress
namespace: media
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: haproxy
tls:
- secretName: jellyseerr-ingress
hosts:
- jellyseerr.ntwl.xyz
- get.ntwl.xyz
rules:
- host: jellyseerr.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyseerr
port:
name: web
path: /
pathType: Prefix
- host: get.ntwl.xyz
http:
paths:
- backend:
service:
name: jellyseerr
port:
name: web
path: /
pathType: Prefix

21
media/media.yaml Normal file
View File

@ -0,0 +1,21 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: media
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: data
namespace: media
spec:
storageClassName: slow
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Ti

42
media/nvidia.yaml Normal file
View File

@ -0,0 +1,42 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gpu-operator
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gpu-operator
namespace: gpu-operator
spec:
repo: https://helm.ngc.nvidia.com/nvidia
chart: gpu-operator
targetNamespace: gpu-operator
version: 24.9.2
---
# apiVersion: v1
# kind: Pod
# metadata:
# name: nbody-gpu-benchmark
# namespace: default
# spec:
# restartPolicy: OnFailure
# runtimeClassName: nvidia
# containers:
# - name: cuda-container
# image: nvcr.io/nvidia/k8s/cuda-sample:nbody
# args: ["nbody", "-gpu", "-benchmark"]
# resources:
# limits:
# nvidia.com/gpu: 1
# env:
# - name: NVIDIA_VISIBLE_DEVICES
# value: all
# - name: NVIDIA_DRIVER_CAPABILITIES
# value: all

95
media/prowlarr.yaml Normal file
View File

@ -0,0 +1,95 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prowlarr
namespace: media
spec:
selector:
matchLabels:
app: prowlarr
template:
metadata:
labels:
app: prowlarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/prowlarr
imagePullPolicy: Always
name: prowlarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 9696
name: web
protocol: TCP
volumeMounts:
- mountPath: /config
name: prowlarr-config
volumes:
- name: prowlarr-config
persistentVolumeClaim:
claimName: prowlarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: prowlarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: prowlarr
name: prowlarr
namespace: media
spec:
ports:
- name: web
port: 9696
protocol: TCP
targetPort: 9696
selector:
app: prowlarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prowlarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: prowlarr.ntwl.xyz
http:
paths:
- backend:
service:
name: prowlarr
port:
name: web
path: /
pathType: Prefix

100
media/radarr.yaml Normal file
View File

@ -0,0 +1,100 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: media
spec:
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/radarr
imagePullPolicy: Always
name: radarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 7878
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: radarr-data
- mountPath: /config
name: radarr-config
volumes:
- name: radarr-data
persistentVolumeClaim:
claimName: data
- name: radarr-config
persistentVolumeClaim:
claimName: radarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: radarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: radarr
name: radarr
namespace: media
spec:
ports:
- name: web
port: 7878
protocol: TCP
targetPort: 7878
selector:
app: radarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: radarr.ntwl.xyz
http:
paths:
- backend:
service:
name: radarr
port:
name: web
path: /
pathType: Prefix

109
media/sabnzbd.yaml Normal file
View File

@ -0,0 +1,109 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sabnzbd
namespace: media
spec:
selector:
matchLabels:
app: sabnzbd
template:
metadata:
labels:
app: sabnzbd
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/sabnzbd
imagePullPolicy: Always
name: sabnzbd
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
- name: WEBUI_PORTS
value: '8080/tcp,8080/udp'
- name: ARGS
value: ''
ports:
- containerPort: 8080
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: sabnzbd-data
- mountPath: /config
name: sabnzbd-config
volumes:
- name: sabnzbd-data
persistentVolumeClaim:
claimName: data
- name: sabnzbd-config
persistentVolumeClaim:
claimName: sabnzbd-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: sabnzbd-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: sabnzbd
name: sabnzbd
namespace: media
spec:
ports:
- name: web
port: 8080
protocol: TCP
targetPort: 8080
- name: web-udp
port: 8080
protocol: UDP
targetPort: 8080
selector:
app: sabnzbd
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sabnzbd-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: sabnzbd.ntwl.xyz
http:
paths:
- backend:
service:
name: sabnzbd
port:
name: web
path: /
pathType: Prefix

101
media/sonarr.yaml Normal file
View File

@ -0,0 +1,101 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: media
spec:
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
restartPolicy: Always
containers:
- image: ghcr.io/hotio/sonarr
imagePullPolicy: Always
name: sonarr
env:
- name: TZ
value: Australia/Melbourne
- name: PUID
value: '1000'
- name: PGID
value: '1000'
- name: UMASK
value: '002'
ports:
- containerPort: 8989
name: web
protocol: TCP
volumeMounts:
- mountPath: /data
name: sonarr-data
- mountPath: /config
name: sonarr-config
volumes:
- name: sonarr-data
persistentVolumeClaim:
claimName: data
- name: sonarr-config
persistentVolumeClaim:
claimName: sonarr-config
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: sonarr-config
namespace: media
spec:
storageClassName: zfs-fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app: sonarr
name: sonarr
namespace: media
spec:
ports:
- name: web
port: 8989
protocol: TCP
targetPort: 8989
selector:
app: sonarr
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: media
spec:
ingressClassName: haproxy
rules:
- host: sonarr.ntwl.xyz
http:
paths:
- backend:
service:
name: sonarr
port:
name: web
path: /
pathType: Prefix

24
memestream/memestream.ingress.yaml
View File

@ -5,11 +5,13 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- memestream.strix.systems - memestream.strix.systems
- search.memestream.strix.systems - search.memestream.strix.systems
- memestream.ntwl.xyz
- search.memestream.ntwl.xyz
secretName: memestream-strix-systems-tls secretName: memestream-strix-systems-tls
rules: rules:
- host: search.memestream.strix.systems - host: search.memestream.strix.systems
@ -22,7 +24,27 @@ spec:
name: memestream-meili name: memestream-meili
port: port:
number: 7700 number: 7700
- host: search.memestream.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: memestream-meili
port:
number: 7700
- host: memestream.strix.systems - host: memestream.strix.systems
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: memestream-client
port:
number: 8080
- host: memestream.ntwl.xyz
http: http:
paths: paths:
- path: / - path: /

28
memestream/memestream.yaml
View File

@ -45,7 +45,7 @@ metadata:
spec: spec:
storageClassName: "" storageClassName: ""
capacity: capacity:
storage: 2Gi storage: 5Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
@ -68,7 +68,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 2Gi storage: 5Gi
--- ---
@ -76,6 +76,30 @@ spec:
# DEPLOYMENTS # DEPLOYMENTS
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: memestream-archiver
spec:
replicas: 1
selector:
matchLabels:
app: memestream-archiver
template:
metadata:
labels:
app: memestream-archiver
spec:
containers:
- name: memestream-archiver
image: registry.strix.systems/memestream-archiver
imagePullPolicy: Always
envFrom:
- secretRef:
name: memestream-archiver
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:

13
mnml/mnml.ingress.yaml
View File

@ -10,7 +10,7 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg
@ -36,9 +36,9 @@ metadata:
namespace: default namespace: default
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.org/websocket-services: "mnml-ws" haproxy.org/websocket-support: "true"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg
@ -63,11 +63,10 @@ metadata:
name: mnml-ws name: mnml-ws
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.org/proxy-read-timeout: "3600" haproxy.org/websocket-support: "true"
nginx.org/proxy-send-timeout: "3600" haproxy.org/timeout-tunnel: "3600s"
nginx.org/websocket-services: mnml-ws
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- mnml.gg - mnml.gg

20
nginx-ingress/cert-manager.yaml → networking/cert-manager.yaml
View File

@ -1,6 +1,21 @@
# using the same issuer for everything # using the same issuer for everything
# ntr@strix is the big boss # ntr@strix is the big boss
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: cert-manager
spec:
repo: https://charts.jetstack.io
chart: cert-manager
targetNamespace: networking
valuesContent: |-
crds:
enabled: true
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
@ -19,7 +34,7 @@ spec:
solvers: solvers:
- http01: - http01:
ingress: ingress:
ingressClassName: nginx ingressClassName: haproxy
--- ---
@ -40,4 +55,5 @@ spec:
solvers: solvers:
- http01: - http01:
ingress: ingress:
ingressClassName: nginx ingressClassName: haproxy

19
networking/haproxy.yaml Normal file
View File

@ -0,0 +1,19 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: haproxy-kubernetes-ingress
namespace: kube-system
spec:
repo: https://haproxytech.github.io/helm-charts
chart: kubernetes-ingress
targetNamespace: networking
valuesContent: |-
controller:
kind: DaemonSet
daemonset:
useHostPort: true
config:
ssl-redirect-port: "443"
# - --https-bind-port=443

6
networking/networking.yaml Normal file
View File

@ -0,0 +1,6 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: networking

168
networking/pihole.yaml Normal file
View File

@ -0,0 +1,168 @@
---
# -----------------------------------------------------------------------
# DEPLOYMENTS
# -----------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: pihole
namespace: networking
spec:
replicas: 1
selector:
matchLabels:
app: pihole
template:
metadata:
labels:
app: pihole
spec:
containers:
- name: pihole
image: pihole/pihole:latest
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: "Australia/Melbourne"
- name: FTLCONF_webserver_api_password
value: grepgrepgrep
# allow it to respond to devices outside cluster
- name: FTLCONF_dns_listeningMode
value: single
# resolve wildcards
- name: FTLCONF_misc_dnsmasq_lines
value: address=/nightowl.strix.systems/192.168.1.88
ports:
- containerPort: 53
protocol: TCP
- containerPort: 53
protocol: UDP
- containerPort: 67
protocol: UDP
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
# volumeMounts:
# - name: etc
# mountPath: /etc/pihole
# - name: dnsmasq
# mountPath: /etc/dnsmasq.d
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 2Gi
cpu: 1
# volumes:
# - name: etc
# hostPath:
# path: /data/pihole/etc
# type: Directory
# - name: dnsmasq
# hostPath:
# path: /data/pihole/dnsmasq.d
# type: Directory
# -----------------------------------------------------------------------
# SERVICES
# -----------------------------------------------------------------------
---
kind: Service
apiVersion: v1
metadata:
name: pihole
namespace: networking
spec:
selector:
app: pihole
ports:
- name: web
port: 80
targetPort: 80
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
---
apiVersion: v1
kind: Service
metadata:
name: pihole-dns-udp
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-udp
port: 53
protocol: UDP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: pihole-dns-tcp
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-tcp
port: 53
protocol: TCP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: pihole-web-debug
namespace: networking
spec:
selector:
app: pihole
ports:
- name: dns-tcp
port: 9980
targetPort: 80
protocol: TCP
externalTrafficPolicy: Local
type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pihole
namespace: networking
spec:
ingressClassName: haproxy
rules:
- host: "pihole.nightowl.strix.systems"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: pihole
port:
name: web

13
ntr-cv/ntr-cv.ingress.yaml
View File

@ -7,10 +7,11 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- strix.systems - strix.systems
- ntr.ntwl.xyz
secretName: strix-systems-tls secretName: strix-systems-tls
rules: rules:
- host: strix.systems - host: strix.systems
@ -23,3 +24,13 @@ spec:
name: ntr-cv name: ntr-cv
port: port:
number: 8080 number: 8080
- host: ntr.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntr-cv
port:
number: 8080

9
registry/generate_auth.sh → ops/generate_auth.sh Executable file → Normal file
View File

@ -11,7 +11,7 @@ htpasswd() {
htpasswd -Bbn ${1} ${2} | head -n 1 2> /dev/null\"" htpasswd -Bbn ${1} ${2} | head -n 1 2> /dev/null\""
} }
K3S_HOST=strix.systems K3S_HOST=ntwl.xyz
REGISTRY_ADMIN=ntr REGISTRY_ADMIN=ntr
REGISTRY_PASSWORD=$(gen_password) REGISTRY_PASSWORD=$(gen_password)
REGISTRY_AUTH=$(htpasswd ${REGISTRY_ADMIN} ${REGISTRY_PASSWORD}) REGISTRY_AUTH=$(htpasswd ${REGISTRY_ADMIN} ${REGISTRY_PASSWORD})
@ -24,6 +24,7 @@ echo REGISTRY_AUTH is ${REGISTRY_AUTH}
echo REGISTRY_HTTP_SECRET is ${REGISTRY_HTTP_SECRET} echo REGISTRY_HTTP_SECRET is ${REGISTRY_HTTP_SECRET}
kubectl create secret generic registry \ kubectl create secret generic registry \
-n ops \
--from-literal=REGISTRY_ADMIN=${REGISTRY_ADMIN} \ --from-literal=REGISTRY_ADMIN=${REGISTRY_ADMIN} \
--from-literal=REGISTRY_PASSWORD=${REGISTRY_PASSWORD} \ --from-literal=REGISTRY_PASSWORD=${REGISTRY_PASSWORD} \
--from-literal=REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET} \ --from-literal=REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET} \
@ -31,11 +32,11 @@ kubectl create secret generic registry \
# cat <<EOF | ssh root@strix tee /etc/rancher/k3s/registries.yaml # cat <<EOF | ssh root@strix tee /etc/rancher/k3s/registries.yaml
# mirrors: # mirrors:
# registry.strix.systems: # registry.ntwl.xyz:
# endpoint: # endpoint:
# - "https://registry.strix.systems" # - "https://registry.ntwl.xyz"
# configs: # configs:
# "registry.strix.systems": # "registry.ntwl.xyz":
# auth: # auth:
# username: ntr # username: ntr
# password: pw # password: pw

130
ops/git.yaml Normal file
View File

@ -0,0 +1,130 @@
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-admin-secret
namespace: ops
type: Opaque
stringData:
username: ntr
password: "ghastly ghouls"
email: "ntr@strix.systems"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-data
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-redis
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-pg
namespace: ops
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gitea
namespace: ops
spec:
repo: https://dl.gitea.com/charts/
chart: gitea
targetNamespace: ops
valuesContent: |-
ingress:
enabled: true
className: haproxy
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
tls:
- secretName: git-tls
hosts:
- git.ntwl.xyz
# - git.strix.systems
hosts:
- host: git.ntwl.xyz
paths:
- path: /
pathType: Prefix
- host: git.strix.systems
paths:
- path: /
pathType: Prefix
service:
ssh:
type: LoadBalancer
port: 60022
externalTrafficPolicy: Local
redis-cluster:
enabled: false
redis:
enabled: true
persistence:
enabled: true
existingClaim: gitea-redis
postgresql:
enabled: true
persistence:
enabled: true
existingClaim: gitea-pg
postgresql-ha:
enabled: false
persistence:
enabled: true
existingClaim: gitea-data
gitea:
config:
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
server:
SSH_PORT: 60022
admin:
existingSecret: gitea-admin-secret

0
monitor/grafana.yaml → ops/grafana.yaml
View File

13
monitor/monitor.ingress.yaml → ops/monitor.ingress.yaml
View File

@ -8,10 +8,11 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- monitor.strix.systems - monitor.strix.systems
- monitor.ntwl.xyz
secretName: monitor-strix-systems-tls secretName: monitor-strix-systems-tls
rules: rules:
- host: monitor.strix.systems - host: monitor.strix.systems
@ -24,3 +25,13 @@ spec:
name: kube-prometheus-stack-grafana name: kube-prometheus-stack-grafana
port: port:
number: 80 number: 80
- host: monitor.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kube-prometheus-stack-grafana
port:
number: 80

6
ops/ops.yaml Normal file
View File

@ -0,0 +1,6 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ops

15
registry/registry.ingress.yaml → ops/registry.ingress.yaml
View File

@ -5,13 +5,14 @@ kind: Ingress
metadata: metadata:
name: registry name: registry
annotations: annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 2g haproxy.org/proxy-body-size-limit: "2g"
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- registry.strix.systems - registry.strix.systems
- registry.ntwl.xyz
secretName: registry-strix-systems-tls secretName: registry-strix-systems-tls
rules: rules:
- host: registry.strix.systems - host: registry.strix.systems
@ -24,3 +25,13 @@ spec:
name: registry name: registry
port: port:
number: 5000 number: 5000
- host: registry.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000

38
registry/registry.yaml → ops/registry.yaml
View File

@ -1,37 +1,17 @@
--- ---
apiVersion: v1
kind: PersistentVolume
metadata:
name: registry-pv
spec:
storageClassName: local-path
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
claimRef:
namespace: default
name: registry-pvc
hostPath:
path: "/var/lib/rancher/k3s/storage/registry-pv"
type: DirectoryOrCreate
---
apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1
metadata: metadata:
name: registry-pvc name: registry-storage
namespace: ops
spec: spec:
volumeName: registry-pv storageClassName: zfs-fast
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
storageClassName: local-path
--- ---
@ -39,6 +19,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: registry name: registry
namespace: ops
spec: spec:
ports: ports:
- name: web - name: web
@ -53,6 +34,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: registry name: registry
namespace: ops
labels: labels:
app: registry app: registry
spec: spec:
@ -88,7 +70,7 @@ spec:
name: registry name: registry
key: REGISTRY_HTTP_SECRET key: REGISTRY_HTTP_SECRET
volumeMounts: volumeMounts:
- name: registry-pvc - name: registry-storage
mountPath: /var/lib/registry mountPath: /var/lib/registry
- name: registry-auth - name: registry-auth
mountPath: /auth mountPath: /auth
@ -105,9 +87,9 @@ spec:
- name: registry-config - name: registry-config
configMap: configMap:
name: registry name: registry
- name: registry-pvc - name: registry-storage
persistentVolumeClaim: persistentVolumeClaim:
claimName: registry-pvc claimName: registry-storage
--- ---
@ -115,7 +97,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: registry name: registry
# namespace: registry namespace: ops
data: data:
config.yml: | config.yml: |
version: 0.1 version: 0.1

0
monitor/values.yaml → ops/values.yaml
View File

6
spacerace/spacerace.ingress.yaml
View File

@ -5,11 +5,9 @@ metadata:
name: spacerace-api name: spacerace-api
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
# don't do this again haproxy.org/path-rewrite: "/api(/)?(.*) /$2"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- spacerace.strix.systems - spacerace.strix.systems

28
storage/minio.ingress.yaml
View File

@ -7,10 +7,11 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- minio.strix.systems - minio.strix.systems
- minio.ntwl.xyz
secretName: minio.strix.systems secretName: minio.strix.systems
rules: rules:
- host: minio.strix.systems - host: minio.strix.systems
@ -23,6 +24,16 @@ spec:
name: minio-service name: minio-service
port: port:
number: 9090 number: 9090
- host: minio.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio-service
port:
number: 9090
--- ---
@ -34,12 +45,13 @@ metadata:
app: minio app: minio
annotations: annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/proxy-body-size: 1g haproxy.org/proxy-body-size-limit: "1g"
spec: spec:
ingressClassName: nginx ingressClassName: haproxy
tls: tls:
- hosts: - hosts:
- storage.strix.systems - storage.strix.systems
- storage.ntwl.xyz
secretName: storage.strix.systems secretName: storage.strix.systems
rules: rules:
- host: storage.strix.systems - host: storage.strix.systems
@ -52,3 +64,13 @@ spec:
name: minio-service name: minio-service
port: port:
number: 9000 number: 9000
- host: storage.ntwl.xyz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio-service
port:
number: 9000

4
storage/minio.yaml
View File

@ -11,7 +11,7 @@ metadata:
spec: spec:
storageClassName: "" storageClassName: ""
capacity: capacity:
storage: 10Gi storage: 20Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
@ -34,7 +34,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 10Gi storage: 20Gi
--- ---

128
storage/openebs.yaml Normal file
View File

@ -0,0 +1,128 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: openebs
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: openebs
namespace: openebs
spec:
repo: https://openebs.github.io/openebs/
chart: openebs
targetNamespace: openebs
valuesContent: |-
engines:
replicated:
mayastor:
enabled: false
local:
lvm:
enabled: false
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-fast
parameters:
poolname: "fast/k8s"
recordsize: "128k"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-slow
parameters:
poolname: "slow/k8s"
# https://www.zfshandbook.com/docs/advanced-zfs/performance-tuning/
recordsize: "1M"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-fast-shared
parameters:
poolname: "fast/k8s"
recordsize: "128k"
shared: "yes"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: zfs-slow-shared
parameters:
poolname: "slow/k8s"
# https://www.zfshandbook.com/docs/advanced-zfs/performance-tuning/
recordsize: "1M"
shared: "yes"
compression: "off"
dedup: "off"
fstype: "zfs"
provisioner: zfs.csi.openebs.io
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fast
annotations:
cas.openebs.io/config: |
- name: StorageType
value: "hostpath"
- name: BasePath
value: "/fast/k8s/"
openebs.io/cas-type: local
provisioner: openebs.io/local
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: slow
annotations:
cas.openebs.io/config: |
- name: StorageType
value: "hostpath"
- name: BasePath
value: "/slow/k8s/"
openebs.io/cas-type: local
provisioner: openebs.io/local
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer