Merge branch 'main' into pgi-add-workflow

Reviewed-on: #84

k8s-peterg/alloy/configmap.yaml

@@ -6,6 +6,11 @@ metadata:
 data:
   config.alloy: |-
     prometheus.exporter.unix "node" {
+      set_collectors = [
+        "cpu", "diskstats", "filesystem", "loadavg",
+        "meminfo", "netdev", "netstat", "os",
+        "pressure", "processes", "stat", "uname", "vmstat",
+      ]
     }
 
     discovery.kubernetes "kubernetes_apiservers" {
@@ -141,6 +146,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "kubernetes_services" {
@@ -249,6 +259,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "pod_logs" {
@@ -298,6 +313,11 @@ data:
         target_label  = "__path__"
         replacement   = "/var/log/pods/*$1/*.log"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     local.file_match "pod_logs" {
@@ -352,9 +372,19 @@ data:
       }
     }
 
+    prometheus.relabel "cadvisor" {
+      forward_to = [prometheus.remote_write.default.receiver]
+
+      rule {
+        source_labels = ["__name__"]
+        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
+        action        = "keep"
+      }
+    }
+
     prometheus.scrape "kubernetes_nodes_cadvisor" {
       targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
       job_name   = "kubernetes-nodes-cadvisor"
       scheme     = "https"
 

k8s-peterg/argo-workflows/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - secrets.yaml
+
+helmCharts:
+  - name: argo-workflows
+    repo: https://argoproj.github.io/argo-helm
+    namespace: argo-workflows
+    releaseName: argo-workflows
+    version: 1.0.14
+    valuesFile: values.yaml

k8s-peterg/argo-workflows/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argo-workflows

k8s-peterg/argo-workflows/secrets.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-workflows-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/authentik-sso
+        property: client-id
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        nullBytePolicy: Ignore
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/authentik-sso
+        property: client-secret
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        nullBytePolicy: Ignore

k8s-peterg/argo-workflows/values.yaml

@@ -0,0 +1,342 @@
+## Custom resource configuration
+crds:
+  # -- Install and upgrade CRDs
+  install: true
+  # -- Keep CRDs on chart uninstall
+  keep: true
+  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
+  # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
+  full: true
+
+# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: true
+
+# -- Restrict Argo to operate only in a single namespace (the namespace of the
+# Helm release) by apply Roles and RoleBindings instead of the Cluster
+# equivalents, and start workflow-controller with the --namespaced flag. Use it
+# in clusters with strict access policy.
+singleNamespace: false
+
+workflow:
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    create: false
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+    # -- Service account which is used to run workflows
+    name: "argo-workflow"
+    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
+    pullSecrets: []
+  rbac:
+    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
+    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
+    create: true
+    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
+    agentPermissions: false
+    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
+    artifactGC: false
+    # -- Extra service accounts to be added to the RoleBinding
+    serviceAccounts: []
+      # - name: my-service-account
+      #   namespace: my-namespace
+    # -- Additional rules for the service account that runs the workflows.
+    rules: []
+
+controller:
+  rbac:
+    # -- Adds Role and RoleBinding for the controller.
+    create: true
+    # -- Allows controller to get, list, and watch certain k8s secrets
+    secretWhitelist: []
+    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
+    accessAllSecrets: false
+    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
+    writeConfigMaps: false
+
+  configMap:
+    # -- Create a ConfigMap for the controller
+    create: true
+    # -- ConfigMap name
+    name: ""
+    # -- ConfigMap annotations
+    annotations: {}
+
+  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
+  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
+  persistence: {}
+  # connectionPool:
+  #   maxIdleConns: 100
+  #   maxOpenConns: 0
+  # # save the entire workflow into etcd and DB
+  # nodeStatusOffLoad: false
+  # # enable archiving of old workflows
+  # archive: false
+  # postgresql:
+  #   host: localhost
+  #   port: 5432
+  #   database: postgres
+  #   tableName: argo_workflows
+  #   # the database secrets must be in the same namespace of the controller
+  #   userNameSecret:
+  #     name: argo-postgres-config
+  #     key: username
+  #   passwordSecret:
+  #     name: argo-postgres-config
+  #     key: password
+  #   ssl: true
+  #   # sslMode must be one of: disable, require, verify-ca, verify-full
+  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
+  #   sslMode: require
+  # mysql:
+  #   host: localhost
+  #   port: 3306
+  #   database: argo
+  #   tableName: argo_workflows
+  #   userNameSecret:
+  #     name: argo-mysql-config
+  #     key: username
+  #   passwordSecret:
+  #     name: argo-mysql-config
+  #     key: password
+
+  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
+  # Only valid for 2.7+
+  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
+  workflowDefaults: {}
+  #   spec:
+  #     ttlStrategy:
+  #       secondsAfterCompletion: 86400
+  #     # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
+  #     artifactRepositoryRef:
+  #       configMap: my-artifact-repository # default is "artifact-repositories"
+  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
+
+  serviceAccount:
+    # -- Create a service account for the controller
+    create: true
+    # -- Service account name
+    name: ""
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+
+  # -- Workflow controller name string
+  name: workflow-controller
+
+  # -- Specify all namespaces where this workflow controller instance will manage
+  # workflows. This controls where the service account and RBAC resources will
+  # be created. Only valid when singleNamespace is false.
+  workflowNamespaces:
+    - default
+
+  logging:
+    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
+    level: info
+    # -- Set the glog logging level
+    globallevel: "0"
+    # -- Set the logging format (one of: `text`, `json`)
+    format: "text"
+
+server:
+  # -- Deploy the Argo Server
+  enabled: true
+  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
+  ## only updates base url of resources on client side,
+  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
+  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
+  baseHref: /
+  image:
+    # -- Registry to use for the server
+    registry: quay.io
+    # -- Repository to use for the server
+    repository: argoproj/argocli
+  rbac:
+    # -- Adds Role and RoleBinding for the server.
+    create: true
+  # -- Servers container-level security context
+  serviceAccount:
+    # -- Create a service account for the server
+    create: true
+    # -- Service account name
+    name: ""
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+
+  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
+  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
+  authModes:
+    - sso
+
+  ## Ingress configuration.
+  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+  ingress:
+    # -- Enable an ingress resource
+    enabled: false
+
+  # Gateway API HTTPRoute configuration
+  # NOTE: Gateway API support is in EXPERIMENTAL status
+  # Support depends on your Gateway controller implementation
+  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
+  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
+  httproute:
+    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
+    enabled: true
+    # -- Additional HTTPRoute labels
+    labels: {}
+    # -- Additional HTTPRoute annotations
+    annotations: {}
+    # -- Gateway API parentRefs for the HTTPRoute
+    ## Must reference an existing Gateway
+    # @default -- `[]` (See [values.yaml])
+    parentRefs:
+      - group: gateway.networking.k8s.io
+        kind: Gateway
+        name: internal
+        namespace: kube-system
+        sectionName: https
+    # -- List of hostnames for the HTTPRoute
+    # @default -- `[]` (See [values.yaml])
+    hostnames:
+      - "workflows.peterg.nl"
+      # @default -- `[]` (See [values.yaml])
+    rules:
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /
+        # filters: []
+        #   - type: RequestHeaderModifier
+        #     requestHeaderModifier:
+        #       add:
+        #         - name: X-Custom-Header
+        #           value: custom-value
+
+  # Gateway API BackendTLSPolicy configuration
+  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
+  # Required for HTTPS backends when using Gateway API
+  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
+  backendTLSPolicy:
+    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
+    enabled: false
+    # -- Additional BackendTLSPolicy labels
+    labels: {}
+    # -- Additional BackendTLSPolicy annotations
+    annotations: {}
+    # -- Target references for the BackendTLSPolicy
+    # @default -- `[]` (See [values.yaml])
+    targetRefs: []
+      # - group: ""
+      #   kind: Service
+      #   name: argo-workflows-server
+      #   sectionName: https
+    # -- TLS validation configuration
+    # @default -- `{}` (See [values.yaml])
+    validation: {}
+      # hostname: argo-workflows-server.argo.svc.cluster.local
+      # caCertificateRefs:
+      #   - name: example-ca-cert
+      #     group: ""
+      #     kind: ConfigMap
+      # wellKnownCACertificates: System
+
+  clusterWorkflowTemplates:
+    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
+    enabled: true
+    # -- Give the server permissions to edit ClusterWorkflowTemplates.
+    enableEditing: true
+
+  # SSO configuration when SSO is specified as a server auth mode.
+  sso:
+    enabled: true
+    issuer: https://auth.peterg.nl/application/o/argo-workflows/
+    clientId:
+      name: argo-workflows-sso
+      key: client-id
+    clientSecret:
+      name: argo-workflows-sso
+      key: client-secret
+    redirectUrl: https://workflows.peterg.nl/oauth2/callback
+    scopes:
+      - groups
+    rbac:
+      enabled: true
+
+# -- Array of extra K8s manifests to deploy
+extraObjects:
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: admin-user
+      namespace: argo-workflows
+      annotations:
+        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
+        workflows.argoproj.io/rbac-rule-precedence: "1"
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: read-only
+      namespace: argo-workflows
+      annotations:
+        workflows.argoproj.io/rbac-rule: "true"
+        workflows.argoproj.io/rbac-rule-precedence: "0"
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: argo-workflows-admin-user
+    subjects:
+      - kind: ServiceAccount
+        name: admin-user
+        namespace: argo-workflows
+    roleRef:
+      kind: ClusterRole
+      name: argo-workflows-admin
+      apiGroup: rbac.authorization.k8s.io
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: argo-workflows-read-only
+    subjects:
+      - kind: ServiceAccount
+        name: read-only
+        namespace: argo-workflows
+    roleRef:
+      kind: ClusterRole
+      name: argo-workflows-view
+      apiGroup: rbac.authorization.k8s.io
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: argo-workflows-server-sso
+      namespace: argo-workflows
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - serviceaccounts
+        verbs:
+          - get
+      - apiGroups:
+          - ""
+        resources:
+          - serviceaccounts/token
+        verbs:
+          - create
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: argo-workflows-server-sso
+      namespace: argo-workflows
+    subjects:
+      - kind: ServiceAccount
+        name: argo-workflows-server
+        namespace: argo-workflows
+    roleRef:
+      kind: Role
+      name: argo-workflows-server-sso
+      apiGroup: rbac.authorization.k8s.io

k8s-peterg/argocd/applications-peterg.yaml

@@ -17,6 +17,8 @@ spec:
     automated:
       prune: true
       selfHeal: true
+    syncOptions:
+      - ServerSideApply=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -78,3 +80,68 @@ spec:
       selfHeal: true
     syncOptions:
       - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server-peterg
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://kubernetes-sigs.github.io/metrics-server
+    targetRevision: 3.13.0
+    chart: metrics-server
+    helm:
+      releaseName: metrics-server
+      values: |
+        args:
+          - --kubelet-insecure-tls=true
+          - --kubelet-preferred-address-types=InternalIP
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-workflows
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-peterg/argo-workflows
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argo-workflows
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-peterg/renovate-operator
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

k8s-peterg/argocd/applications-wheatley.yaml

@@ -80,6 +80,31 @@ spec:
       selfHeal: true
     syncOptions:
       - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server-wheatley
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://kubernetes-sigs.github.io/metrics-server
+    targetRevision: 3.13.0
+    chart: metrics-server
+    helm:
+      releaseName: metrics-server
+      values: |
+        args:
+          - --kubelet-insecure-tls=true
+          - --kubelet-preferred-address-types=InternalIP
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
 
 ---
 apiVersion: argoproj.io/v1alpha1
@@ -143,6 +168,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: lidarr
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/lidarr
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: lidarr
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
   name: prowlarr
   namespace: argocd
@@ -181,6 +225,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: soulseekd
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/soulseekd
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: soulseekd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
   name: plex
   namespace: argocd
@@ -197,3 +260,22 @@ spec:
     automated:
       prune: true
       selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: romm
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/romm
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: romm
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

k8s-peterg/external-secrets-operator/clustersecrets.yaml

@@ -27,6 +27,7 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore
       - secretKey: key
         remoteRef:
           key: secrets/provisioned/tls-wildcard-peterg-nl
@@ -34,3 +35,4 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore

k8s-peterg/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.1.0
+    version: 2.5.0

k8s-peterg/renovate-operator/configmap.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-config
+  namespace: renovate-operator
+data:
+  config.js: |-
+    module.exports = {
+      platform: 'forgejo',
+      endpoint: 'https://code.peterg.nl/api/v1/',
+      gitAuthor: 'Renovate <renovate@peterg.nl>',
+      username: 'renovate',
+      onboardingConfig: {
+        $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+        extends: ['config:recommended'],
+      },
+      optimizeForDisabled: true,
+      persistRepoData: true,
+    };

k8s-peterg/renovate-operator/kustomization.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate-operator
+
+resources:
+  - configmap.yaml
+  - namespace.yaml
+  - policies.yaml
+  - renovate-job.yaml
+  - secrets.yaml
+
+helmCharts:
+  - name: renovate-operator
+    repo: https://helm.mogenius.com/public
+    namespace: renovate-operator
+    releaseName: renovate-operator
+    version: "4.8.1"
+    valuesFile: values.yaml

k8s-peterg/renovate-operator/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate-operator

k8s-peterg/renovate-operator/policies.yaml

@@ -0,0 +1,37 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 192.168.0.0/16
+              - 172.16.0.0/12
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kubernetes-egress
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+        - podSelector:
+            matchLabels:
+              k8s-app: kube-apiserver
+    - ports:
+        - protocol: TCP
+          port: 6443

k8s-peterg/renovate-operator/renovate-job.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: renovate-operator.mogenius.com/v1alpha1
+kind: RenovateJob
+metadata:
+  name: renovate
+  namespace: renovate-operator
+spec:
+  schedule: "0 * * * *"
+  provider:
+    name: forgejo
+    endpoint: https://code.peterg.nl/api/v1/
+  image: ghcr.io/renovatebot/renovate:43.161.0
+  secretRef: renovate-operator-secrets
+  parallelism: 1
+  skipForks: true
+  extraVolumes:
+    - name: renovate-config
+      configMap:
+        name: renovate-config
+  extraVolumeMounts:
+    - name: renovate-config
+      mountPath: /config
+  extraEnv:
+    - name: LOG_LEVEL
+      value: debug
+    - name: RENOVATE_CONFIG_FILE
+      value: /config/config.js

k8s-peterg/renovate-operator/secrets.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-operator-secrets
+  namespace: renovate-operator
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: renovate-operator-secrets
+  data:
+    - secretKey: RENOVATE_TOKEN
+      remoteRef:
+        key: /secrets/managed/renovate/token
+        property: RENOVATE_TOKEN
+    - secretKey: GITHUB_COM_TOKEN
+      remoteRef:
+        key: /secrets/managed/renovate/token
+        property: GITHUB_COM_TOKEN

k8s-peterg/renovate-operator/values.yaml

@@ -0,0 +1,20 @@
+fullnameOverride: "renovate-operator"
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: false
+
+crd:
+  install: true
+  mode: template
+
+rbac:
+  ownNamespaceOnly: true
+
+route:
+  enabled: true
+  hostnames:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https

k8s-wheatley/alloy/configmap.yaml

@@ -5,7 +5,13 @@ metadata:
   name: alloy-config
 data:
   config.alloy: |-
-    prometheus.exporter.unix "node" {}
+    prometheus.exporter.unix "node" {
+      set_collectors = [
+        "cpu", "diskstats", "filesystem", "loadavg",
+        "meminfo", "netdev", "netstat", "os",
+        "pressure", "processes", "stat", "uname", "vmstat",
+      ]
+    }
 
     discovery.kubernetes "kubernetes_apiservers" {
       role = "endpoints"
@@ -152,6 +158,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "kubernetes_services" {
@@ -260,6 +271,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "pod_logs" {
@@ -309,6 +325,11 @@ data:
         target_label  = "__path__"
         replacement   = "/var/log/pods/*$1/*.log"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     local.file_match "pod_logs" {
@@ -369,9 +390,19 @@ data:
       }
     }
 
+    prometheus.relabel "cadvisor" {
+      forward_to = [prometheus.remote_write.default.receiver]
+
+      rule {
+        source_labels = ["__name__"]
+        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
+        action        = "keep"
+      }
+    }
+
     prometheus.scrape "kubernetes_nodes_cadvisor" {
       targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
       job_name   = "kubernetes-nodes-cadvisor"
       scheme     = "https"
       clustering {

k8s-wheatley/cloudnative-pg/kustomization.yaml

@@ -11,5 +11,5 @@ helmCharts:
     repo: https://cloudnative-pg.github.io/charts
     namespace: cnpg-system
     releaseName: cloudnative-pg
-    version: 0.27.1
+    version: 0.28.2
     valuesFile: values.yaml

k8s-wheatley/external-secrets-operator/clustersecrets.yaml

@@ -27,6 +27,7 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore
       - secretKey: key
         remoteRef:
           key: secrets/provisioned/tls-wildcard-wheatley-in
@@ -34,3 +35,4 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore

k8s-wheatley/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.1.0
+    version: 2.5.0

k8s-wheatley/lidarr/configmap.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: lidarr-envs
+data:
+  PUID: "1000"
+  PGID: "1000"
+  TZ: Europe/Amsterdam

k8s-wheatley/lidarr/deployments.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: lidarr
+  labels:
+    app: lidarr
+spec:
+  replicas: 1
+  serviceName: lidarr
+  selector:
+    matchLabels:
+      app: lidarr
+  template:
+    metadata:
+      labels:
+        app: lidarr
+    spec:
+      containers:
+        - name: lidarr
+          image: linuxserver/lidarr
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8686
+          envFrom:
+            - configMapRef:
+                name: lidarr-envs
+          volumeMounts:
+            - mountPath: /config
+              name: lidarr-config
+            - mountPath: /shared/media/music
+              name: nfs-media-music
+            - mountPath: /shared/media/downloads
+              name: nfs-media-downloads
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "SETUID"
+                - "SETGID"
+      volumes:
+        - name: lidarr-config
+          persistentVolumeClaim:
+            claimName: lidarr-storage
+        - name: nfs-media-music
+          persistentVolumeClaim:
+            claimName: nfs-media-music
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads

k8s-wheatley/lidarr/ingress.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: lidarr-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "lidarr.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: lidarr
+          port: 80

k8s-wheatley/lidarr/kustomization.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: lidarr
+
+resources:
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - services.yaml
+  - namespace.yaml
+
+components:
+  - ../../kustomize-bases/nfs-media/components/music
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-lidarr-music
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-lidarr-music
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-lidarr-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-lidarr-downloads
+
+images:
+  - name: linuxserver/lidarr
+    newTag: 3.1.3-nightly@sha256:1e6019d60c5f16e73d4656a1d97d1f6ec48c8389695c0670a845fe8932b106a2

k8s-wheatley/lidarr/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: lidarr

k8s-wheatley/lidarr/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: lidarr-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

k8s-wheatley/lidarr/services.yaml

@@ -2,11 +2,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: qbittorrent
+  name: lidarr
 spec:
   selector:
-    app: qbittorrent
+    app: lidarr
   ports:
     - port: 80
       protocol: TCP
-      targetPort: 8112
+      targetPort: 8686

k8s-wheatley/plex/deployments.yaml

@@ -28,8 +28,14 @@ spec:
           volumeMounts:
             - mountPath: /config
               name: plex-config
-            - mountPath: /data
+            - mountPath: /data/movies
-              name: nfs-media
+              name: nfs-media-movies
+            - mountPath: /data/series
+              name: nfs-media-series
+            - mountPath: /data/anime
+              name: nfs-media-anime
+            - mountPath: /data/music
+              name: nfs-media-music
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -45,6 +51,15 @@ spec:
         - name: plex-config
           persistentVolumeClaim:
             claimName: plex-storage
-        - name: nfs-media
+        - name: nfs-media-movies
           persistentVolumeClaim:
-            claimName: nfs-media
+            claimName: nfs-media-movies
+        - name: nfs-media-series
+          persistentVolumeClaim:
+            claimName: nfs-media-series
+        - name: nfs-media-anime
+          persistentVolumeClaim:
+            claimName: nfs-media-anime
+        - name: nfs-media-music
+          persistentVolumeClaim:
+            claimName: nfs-media-music

k8s-wheatley/plex/kustomization.yaml

@@ -12,6 +12,94 @@ resources:
   - services.yaml
   - namespace.yaml
 
+components:
+  - ../../kustomize-bases/nfs-media/components/movies
+  - ../../kustomize-bases/nfs-media/components/series
+  - ../../kustomize-bases/nfs-media/components/anime
+  - ../../kustomize-bases/nfs-media/components/music
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-movies
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex-movies
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-movies
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex-movies
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-series
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex-series
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-series
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex-series
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-anime
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex-anime
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-anime
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex-anime
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex-music
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex-music
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+
 images:
 - name: plexinc/pms-docker
-  newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f
+  newTag: 1.43.2.10687-563d026ea@sha256:c37106c57fed7a6624f5dee5a3ce460ff011f09a2aa7f4ee9e8dbbd08ae1b87e

k8s-wheatley/plex/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 20Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadOnlyMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-plex
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-plex
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadOnlyMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/prowlarr/kustomization.yaml

@@ -16,4 +16,4 @@ images:
   - name: flaresolverr/flaresolverr
     newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
   - name: linuxserver/prowlarr
-    newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82
+    newTag: 2.3.5@sha256:c9fe528f34b1fd3715438b6f6d6991d64e2965f2c055db36398bc66a0e7eab01

k8s-wheatley/qbittorrent/configmap.yaml

@@ -9,22 +9,26 @@ data:
   VPN_TYPE: "wireguard"
   VPN_PORT_FORWARDING: on
   VPN_PORT_FORWARDING_PROVIDER: protonvpn
-  VPN_PORT_FORWARDING_UP_COMMAND: |
+  VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
-    /bin/sh -c '
+  VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
+  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+  FIREWALL_INPUT_PORTS: "8112"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-scripts
+data:
+  port-up.sh: |
+    #!/bin/sh
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
+  port-down.sh: |
-  VPN_PORT_FORWARDING_DOWN_COMMAND: |
+    #!/bin/sh
-    /bin/sh -c '
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
-  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
-  FIREWALL_INPUT_PORTS: "8112"
-  DNS_KEEP_NAMESERVER: on
-  DOT: off
 ---
 apiVersion: v1
 kind: ConfigMap

k8s-wheatley/qbittorrent/deployments.yaml

@@ -17,25 +17,39 @@ spec:
       labels:
         app: qbittorrent
     spec:
+      nodeName: k8s-wheatley-worker02
       initContainers:
         - name: gluetun
           image: ghcr.io/qdm12/gluetun
           ports:
-            - name: http
+            - name: qbit-http
               containerPort: 8112
               protocol: TCP
           envFrom:
             - configMapRef:
                 name: gluetun-envs
+            - secretRef:
+                name: gluetun-env-secrets
           volumeMounts:
             - mountPath: /dev/net/tun
               name: dev-tun
-            - mountPath: "/gluetun/wireguard"
+            - mountPath: /gluetun/wireguard
               name: gluetun-wgconfig
               readOnly: true
+            - name: gluetun-scripts
+              mountPath: /scripts
             - name: gluetun-tmp
               mountPath: /tmp/gluetun
           restartPolicy: Always
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  [
+                    "/bin/sh",
+                    "-c",
+                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+                  ]
           readinessProbe:
             exec:
               command:
@@ -78,7 +92,7 @@ spec:
             - mountPath: /config
               name: qbittorrent-config
             - mountPath: /shared/media/downloads
-              name: nfs-media
+              name: nfs-media-downloads
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -98,7 +112,7 @@ spec:
                 name: unpackerr-env-secrets
           volumeMounts:
             - mountPath: /shared/media/downloads
-              name: nfs-media
+              name: nfs-media-downloads
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -119,8 +133,12 @@ spec:
         - name: gluetun-wgconfig
           secret:
             secretName: gluetun-wgconfig
+        - name: gluetun-scripts
+          configMap:
+            name: gluetun-scripts
+            defaultMode: 0755
         - name: gluetun-tmp
           emptyDir: {}
-        - name: nfs-media
+        - name: nfs-media-downloads
           persistentVolumeClaim:
-            claimName: nfs-media
+            claimName: nfs-media-downloads

k8s-wheatley/qbittorrent/ingress.yaml

@@ -14,3 +14,16 @@ spec:
     - backendRefs:
         - name: qbittorrent
           port: 80
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent
+spec:
+  selector:
+    app: qbittorrent
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 8112

k8s-wheatley/qbittorrent/kustomization.yaml

@@ -9,9 +9,27 @@ resources:
   - ingress.yaml
   - pvc.yaml
   - secrets.yaml
-  - services.yaml
   - namespace.yaml
 
+components:
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-qbittorrent-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-qbittorrent-downloads
+
 images:
   - name: ghcr.io/qdm12/gluetun
     newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab

k8s-wheatley/qbittorrent/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-qbittorrent
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-qbittorrent
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media/downloads
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/qbittorrent/secrets.yaml

@@ -17,6 +17,24 @@ spec:
       remoteRef:
         key: secrets/managed/qbittorrent/protonvpn-wgconfig
         property: config
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gluetun-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: gluetun-env-secrets
+  data:
+    - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
+      remoteRef:
+        key: secrets/managed/qbittorrent/gluetun-env-secrets
+        property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

k8s-wheatley/radarr/deployments.yaml

@@ -28,8 +28,10 @@ spec:
           volumeMounts:
             - mountPath: /config
               name: radarr-config
-            - mountPath: /shared/media
+            - mountPath: /shared/media/movies
-              name: nfs-media
+              name: nfs-media-movies
+            - mountPath: /shared/media/downloads
+              name: nfs-media-downloads
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -45,6 +47,9 @@ spec:
         - name: radarr-config
           persistentVolumeClaim:
             claimName: radarr-storage
-        - name: nfs-media
+        - name: nfs-media-movies
           persistentVolumeClaim:
-            claimName: nfs-media
+            claimName: nfs-media-movies
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads

k8s-wheatley/radarr/kustomization.yaml

@@ -12,6 +12,40 @@ resources:
   - services.yaml
   - namespace.yaml
 
+components:
+  - ../../kustomize-bases/nfs-media/components/movies
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-movies
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-radarr-movies
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-movies
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-radarr-movies
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-radarr-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-radarr-downloads
+
 images:
   - name: linuxserver/radarr
-    newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb
+    newTag: 6.1.1@sha256:079e48870584baf2a3e7e43e7ba6d3c834555931851a59c82c51cc792d285caf

k8s-wheatley/radarr/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-radarr
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-radarr
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/romm/configmap.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: romm-db-envs
+data:
+  MARIADB_DATABASE: romm
+  MARIADB_USER: romm
+  TZ: Europe/Amsterdam
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: romm-envs
+data:
+  DB_HOST: 127.0.0.1
+  DB_NAME: romm
+  DB_USER: romm
+  ROMM_PORT: "8080"
+  HASHEOUS_API_ENABLED: "true"
+  TZ: Europe/Amsterdam

k8s-wheatley/romm/deployments.yaml

@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: romm
+  labels:
+    app: romm
+spec:
+  replicas: 1
+  serviceName: romm
+  selector:
+    matchLabels:
+      app: romm
+  template:
+    metadata:
+      labels:
+        app: romm
+    spec:
+      initContainers:
+        - name: romm-db
+          image: mariadb
+          envFrom:
+            - configMapRef:
+                name: romm-db-envs
+            - secretRef:
+                name: romm-db-env-secrets
+          volumeMounts:
+            - mountPath: /var/lib/mysql
+              name: romm-db-data
+          restartPolicy: Always
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "healthcheck.sh --connect --innodb_initialized"
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            timeoutSeconds: 2
+            failureThreshold: 3
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "healthcheck.sh --connect --innodb_initialized"
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 2
+            failureThreshold: 3
+      containers:
+        - name: romm
+          image: rommapp/romm
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: romm-envs
+            - secretRef:
+                name: romm-env-secrets
+          volumeMounts:
+            - mountPath: /romm
+              name: romm-data
+            - mountPath: /romm/library
+              name: nfs-media-roms
+              readOnly: true
+            - mountPath: /romm/downloads
+              name: nfs-media-downloads
+              readOnly: true
+      volumes:
+        - name: romm-db-data
+          persistentVolumeClaim:
+            claimName: romm-db-storage
+        - name: romm-data
+          persistentVolumeClaim:
+            claimName: romm-storage
+        - name: nfs-media-roms
+          persistentVolumeClaim:
+            claimName: nfs-media-roms
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads

k8s-wheatley/romm/ingress.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: romm-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "roms.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: romm
+          port: 80

k8s-wheatley/romm/kustomization.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: romm
+
+resources:
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - secrets.yaml
+  - services.yaml
+  - namespace.yaml
+
+components:
+  - ../../kustomize-bases/nfs-media/components/roms
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-roms
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-romm-roms
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-romm-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-roms
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-romm-roms
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-romm-downloads
+
+images:
+  - name: mariadb
+    newTag: lts@sha256:78185355dd49b54dd6909072531ce8d7e06aa0eccd7aa5b23c93ebb7e34c5aaa
+  - name: rommapp/romm
+    newTag: 4.8.1@sha256:2b7a1714b287f69b081ad2a63bb8c2fa673666a17b2f21322b580b0cd51cb266

k8s-wheatley/romm/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: romm

k8s-wheatley/romm/pvc.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: romm-db-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: romm-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

k8s-wheatley/romm/secrets.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: romm-db-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: romm-db-env-secrets
+  data:
+    - secretKey: MARIADB_ROOT_PASSWORD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: ROOT_PASSWORD
+    - secretKey: MARIADB_PASSWORD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: romm-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: romm-env-secrets
+  data:
+    - secretKey: DB_PASSWD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: PASSWORD
+    - secretKey: ROMM_AUTH_SECRET_KEY
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: SECRET_KEY
+    - secretKey: IGDB_CLIENT_ID
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: IGDB_CLIENT_ID
+    - secretKey: IGDB_CLIENT_SECRET
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: IGDB_CLIENT_SECRET
+    - secretKey: STEAMGRIDDB_API_KEY
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: STEAMGRIDDB_API_KEY

k8s-wheatley/romm/services.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: romm
+spec:
+  selector:
+    app: romm
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 8080

k8s-wheatley/sonarr/deployments.yaml

@@ -16,6 +16,7 @@ spec:
       labels:
         app: sonarr
     spec:
+      nodeName: k8s-wheatley-worker03
       containers:
         - name: sonarr
           image: linuxserver/sonarr
@@ -28,8 +29,12 @@ spec:
           volumeMounts:
             - mountPath: /config
               name: sonarr-config
-            - mountPath: /shared/media
+            - mountPath: /shared/media/series
-              name: nfs-media
+              name: nfs-media-series
+            - mountPath: /shared/media/anime
+              name: nfs-media-anime
+            - mountPath: /shared/media/downloads
+              name: nfs-media-downloads
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -45,6 +50,12 @@ spec:
         - name: sonarr-config
           persistentVolumeClaim:
             claimName: sonarr-storage
-        - name: nfs-media
+        - name: nfs-media-series
           persistentVolumeClaim:
-            claimName: nfs-media
+            claimName: nfs-media-series
+        - name: nfs-media-anime
+          persistentVolumeClaim:
+            claimName: nfs-media-anime
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads

k8s-wheatley/sonarr/kustomization.yaml

@@ -12,6 +12,55 @@ resources:
   - services.yaml
   - namespace.yaml
 
+components:
+  - ../../kustomize-bases/nfs-media/components/series
+  - ../../kustomize-bases/nfs-media/components/anime
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-series
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-sonarr-series
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-series
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-sonarr-series
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-anime
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-sonarr-anime
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-anime
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-sonarr-anime
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-sonarr-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-sonarr-downloads
+
 images:
   - name: linuxserver/sonarr
-    newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+    newTag: 4.0.17@sha256:0b5c4803f92456fb9b65bae8375716ea120b4ea17b3cced7da32b63f0085782b

k8s-wheatley/sonarr/pvc.yaml

@@ -9,37 +9,4 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 5Gi
+      storage: 10Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-sonarr
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-sonarr
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/soulseekd/configmap.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-envs
+data:
+  TZ: Europe/Amsterdam
+  VPN_SERVICE_PROVIDER: "custom"
+  VPN_TYPE: "wireguard"
+  VPN_PORT_FORWARDING: on
+  VPN_PORT_FORWARDING_PROVIDER: protonvpn
+  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+  FIREWALL_INPUT_PORTS: "5030"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: slskd-envs
+data:
+  TZ: Europe/Amsterdam
+  PUID: "1000"
+  PGID: "1000"
+  SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
+  SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
+  SLSKD_SHARED_DIR: "[Music]/shared/media/music"
+  SLSKD_REMOTE_CONFIGURATION: "true"
+  SLSKD_VPN: "true"
+  SLSKD_VPN_PORT_FORWARDING: "true"
+  SLSKD_VPN_GLUETUN_URL: http://localhost:8000

k8s-wheatley/soulseekd/deployments.yaml

@@ -0,0 +1,127 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: soulseekd
+  namespace: soulseekd
+  labels:
+    app: soulseekd
+spec:
+  replicas: 1
+  serviceName: soulseekd
+  selector:
+    matchLabels:
+      app: soulseekd
+  template:
+    metadata:
+      labels:
+        app: soulseekd
+    spec:
+      nodeName: k8s-wheatley-worker01
+      initContainers:
+        - name: gluetun
+          image: ghcr.io/qdm12/gluetun
+          ports:
+            - name: slskd-http
+              containerPort: 5030
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: gluetun-envs
+            - secretRef:
+                name: gluetun-env-secrets
+          volumeMounts:
+            - mountPath: /dev/net/tun
+              name: dev-tun
+            - mountPath: /gluetun/wireguard
+              name: gluetun-wgconfig
+              readOnly: true
+            - name: gluetun-tmp
+              mountPath: /tmp/gluetun
+          restartPolicy: Always
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  [
+                    "/bin/sh",
+                    "-c",
+                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+                  ]
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "ping -c 1 9.9.9.9"
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            timeoutSeconds: 2
+            failureThreshold: 3
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "ping -c 1 9.9.9.9"
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 2
+            failureThreshold: 3
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "NET_ADMIN"
+                - "NET_RAW"
+      containers:
+        - name: slskd
+          image: docker.io/slskd/slskd
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: slskd-envs
+            - secretRef:
+                name: slskd-env-secrets
+          volumeMounts:
+            - mountPath: /config
+              name: slskd-config
+            - mountPath: /shared/media/downloads
+              name: nfs-media-downloads
+            - mountPath: /shared/media/music
+              name: nfs-media-music
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "SETUID"
+                - "SETGID"
+      volumes:
+        - name: dev-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice
+        - name: slskd-config
+          persistentVolumeClaim:
+            claimName: slskd-storage
+        - name: gluetun-wgconfig
+          secret:
+            secretName: gluetun-wgconfig
+        - name: gluetun-tmp
+          emptyDir: {}
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads
+        - name: nfs-media-music
+          persistentVolumeClaim:
+            claimName: nfs-media-music

k8s-wheatley/soulseekd/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: slskd-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "slskd.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: slskd
+          port: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: slskd
+spec:
+  selector:
+    app: soulseekd
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 5030

k8s-wheatley/soulseekd/kustomization.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: soulseekd
+
+resources:
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - secrets.yaml
+  - namespace.yaml
+
+components:
+  - ../../kustomize-bases/nfs-media/components/downloads
+  - ../../kustomize-bases/nfs-media/components/music
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-soulseekd-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-soulseekd-downloads
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-soulseekd-music
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-soulseekd-music
+
+images:
+  - name: ghcr.io/qdm12/gluetun
+    newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
+  - name: docker.io/slskd/slskd
+    newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3

k8s-wheatley/soulseekd/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: soulseekd
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

k8s-wheatley/soulseekd/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: slskd-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

k8s-wheatley/soulseekd/secrets.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gluetun-wgconfig
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: gluetun-wgconfig
+    template:
+      data:
+        wg0.conf: "{{ .config }}"
+  data:
+    - secretKey: config
+      remoteRef:
+        key: secrets/managed/soulseekd/protonvpn-wgconfig
+        property: config
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: slskd-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: slskd-env-secrets
+  data:
+    - secretKey: SLSKD_VPN_GLUETUN_API_KEY
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: GLUETUN_API_KEY
+    - secretKey: SLSKD_SLSK_USERNAME
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSK_USERNAME
+    - secretKey: SLSKD_SLSK_PASSWORD
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSK_PASSWORD
+    - secretKey: SLSKD_PASSWORD
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSKD_PASSWORD
+    - secretKey: SLSKD_API_KEY
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: API_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gluetun-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: gluetun-env-secrets
+  data:
+    - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
+      remoteRef:
+        key: secrets/managed/soulseekd/gluetun-env-secrets
+        property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE

kustomize-bases/alloy/kustomization.yaml

@@ -9,14 +9,14 @@ resources:
 helmCharts:
   - name: alloy
     repo: https://grafana.github.io/helm-charts
-    version: "1.6.2"
+    version: "1.8.2"
     releaseName: alloy
     valuesFile: values.yaml
   - name: kube-state-metrics
     repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.1"
+    version: "7.4.0"
     releaseName: kube-state-metrics
   - name: prometheus-operator-crds
     repo: https://prometheus-community.github.io/helm-charts
-    version: "27.0.0"
+    version: "29.0.0"
     releaseName: prometheus-operator-crds

kustomize-bases/alloy/values.yaml

@@ -127,7 +127,7 @@ configReloader:
     # -- Repository to get config reloader image from.
     repository: prometheus-operator/prometheus-config-reloader
     # -- Tag of image to use for config reloading.
-    tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8
+    tag: v0.91.0@sha256:7d9e4eea5f1139e602508871f422b0116c60e87c662f3dcd234d5ab60cd0d8c1
     # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
     digest: ""
   # -- Override the args passed to the container.

kustomize-bases/cilium/kustomization.yaml

@@ -13,5 +13,5 @@ helmCharts:
     repo: https://helm.cilium.io
     namespace: kube-system
     releaseName: cilium
-    version: 1.18.6
+    version: 1.18.10
     valuesFile: values.yaml

kustomize-bases/nfs-media/components/anime/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/anime/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-anime
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/anime
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-anime
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-anime

kustomize-bases/nfs-media/components/downloads/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/downloads/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-downloads
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/downloads
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-downloads
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-downloads

kustomize-bases/nfs-media/components/movies/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/movies/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-movies
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/movies
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-movies
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-movies

kustomize-bases/nfs-media/components/music/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/music/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-music
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/music
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-music
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-music

kustomize-bases/nfs-media/components/roms/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/roms/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-roms
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/roms
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-roms
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-roms

kustomize-bases/nfs-media/components/series/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/components/series/pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media-series
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media/series
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media-series
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media-series