diff --git a/k8s-peterg/alloy/configmap.yaml b/k8s-peterg/alloy/configmap.yaml index 01cad1f..18b2843 100644 --- a/k8s-peterg/alloy/configmap.yaml +++ b/k8s-peterg/alloy/configmap.yaml @@ -6,11 +6,6 @@ metadata: data: config.alloy: |- prometheus.exporter.unix "node" { - set_collectors = [ - "cpu", "diskstats", "filesystem", "loadavg", - "meminfo", "netdev", "netstat", "os", - "pressure", "processes", "stat", "uname", "vmstat", - ] } discovery.kubernetes "kubernetes_apiservers" { @@ -146,11 +141,6 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } discovery.relabel "kubernetes_services" { @@ -259,11 +249,6 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } discovery.relabel "pod_logs" { @@ -313,11 +298,6 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } local.file_match "pod_logs" { 
@@ -372,19 +352,9 @@ data: } } - prometheus.relabel "cadvisor" { - forward_to = [prometheus.remote_write.default.receiver] - - rule { - source_labels = ["__name__"] - regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" - action = "keep" - } - } - prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.relabel.cadvisor.receiver] + forward_to = [prometheus.remote_write.default.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml index 76e6aa5..7451e9a 100644 --- a/k8s-peterg/argo-workflows/kustomization.yaml +++ b/k8s-peterg/argo-workflows/kustomization.yaml @@ -11,5 +11,5 @@ helmCharts: repo: https://argoproj.github.io/argo-helm namespace: argo-workflows releaseName: argo-workflows - version: 1.0.13 + version: 1.0.7 valuesFile: values.yaml diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml index a32f76d..7838756 100644 --- a/k8s-peterg/argo-workflows/secrets.yaml +++ b/k8s-peterg/argo-workflows/secrets.yaml @@ -22,7 +22,6 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore - secretKey: client-secret remoteRef: key: secrets/managed/argo-workflows/authentik-sso @@ -30,4 +29,3 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml index 9822d88..26d36ff 100644 --- a/k8s-peterg/argocd/applications-peterg.yaml 
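Review bot: With the `prometheus.relabel "cadvisor"` allowlist removed, `prometheus.scrape "kubernetes_nodes_cadvisor"` forwards every cAdvisor series straight to `prometheus.remote_write.default.receiver`, and nothing in the change records why the filter is no longer wanted. The earlier hunks of this file also drop the `labeldrop` rule for `pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision` from three relabel blocks, which presumably lets per-rollout label values reach the stored series. If this is intentional, record it above the scrape block with a comment such as `// cAdvisor series are forwarded unfiltered on purpose: <reason>`; otherwise keep the relabel stage. The same change is made in k8s-wheatley/alloy/configmap.yaml.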
+++ b/k8s-peterg/argocd/applications-peterg.yaml @@ -99,22 +99,3 @@ spec: selfHeal: true syncOptions: - ServerSideApply=true ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: renovate-operator - namespace: argocd -spec: - project: default - source: - repoURL: https://code.peterg.nl/wheatley/kubernetes.git - path: k8s-peterg/renovate-operator - targetRevision: HEAD - destination: - server: https://kubernetes.default.svc - namespace: renovate-operator - syncPolicy: - automated: - prune: true - selfHeal: true diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml index eae54ce..2f86524 100644 --- a/k8s-peterg/argocd/applications-wheatley.yaml +++ b/k8s-peterg/argocd/applications-wheatley.yaml @@ -143,25 +143,6 @@ spec: --- apiVersion: argoproj.io/v1alpha1 kind: Application -metadata: - name: lidarr - namespace: argocd -spec: - project: default - source: - repoURL: https://code.peterg.nl/wheatley/kubernetes.git - path: k8s-wheatley/lidarr - targetRevision: HEAD - destination: - server: https://10.13.37.10:6443 - namespace: lidarr - syncPolicy: - automated: - prune: true - selfHeal: true ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application metadata: name: prowlarr namespace: argocd diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml index b45056e..c587b7e 100644 --- a/k8s-peterg/argocd/oidc.yaml +++ b/k8s-peterg/argocd/oidc.yaml 
@@ -27,3 +27,28 @@ spec: remoteRef: key: secrets/managed/argocd/authentik-oidc-credentials property: clientSecret +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: argo-workflows-sso + namespace: argocd +spec: + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: argo-workflows-sso + template: + metadata: + labels: + app.kubernetes.io/part-of: argo-workflows + data: + - secretKey: client-id + remoteRef: + key: secrets/managed/argo-workflows/dex-sso + property: client-id + - secretKey: client-secret + remoteRef: + key: secrets/managed/argo-workflows/dex-sso + property: client-secret diff --git a/k8s-peterg/external-secrets-operator/clustersecrets.yaml b/k8s-peterg/external-secrets-operator/clustersecrets.yaml index 87bfcef..db674e7 100644 --- a/k8s-peterg/external-secrets-operator/clustersecrets.yaml +++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml @@ -27,7 +27,6 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-peterg-nl @@ -35,4 +34,3 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml index 27bd976..91ef006 100644 --- a/k8s-peterg/external-secrets-operator/kustomization.yaml +++ b/k8s-peterg/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.4.0 + version: 2.3.0 diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml deleted file mode 100644 index 1edf30b..0000000 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ /dev/null 
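Review bot: The new `argo-workflows-sso` secret is created in the `argocd` namespace with the template label `app.kubernetes.io/part-of: argo-workflows`, and its consumer is not visible in this hunk. If it is meant to be referenced from Argo CD's Dex configuration as `$argo-workflows-sso:client-secret`, Argo CD only resolves such references for secrets labelled `app.kubernetes.io/part-of: argocd`, so the label should read `app.kubernetes.io/part-of: argocd`. The ExternalSecret also sets no `refreshInterval`, so a client secret rotated in Vault reaches the cluster only at the operator's default interval. Stating it explicitly, for example `refreshInterval: 1h`, makes the rotation window reviewable.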
@@ -1,20 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: renovate-config - namespace: renovate-operator -data: - config.js: |- - module.exports = { - platform: 'forgejo', - endpoint: 'https://code.peterg.nl/api/v1/', - gitAuthor: 'Renovate ', - username: 'renovate', - onboardingConfig: { - $schema: 'https://docs.renovatebot.com/renovate-schema.json', - extends: ['config:recommended'], - }, - optimizeForDisabled: true, - persistRepoData: true, - }; diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml deleted file mode 100644 index ad54284..0000000 --- a/k8s-peterg/renovate-operator/kustomization.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: renovate-operator - -resources: - - configmap.yaml - - namespace.yaml - - policies.yaml - - renovate-job.yaml - - secrets.yaml - -helmCharts: - - name: renovate-operator - repo: https://helm.mogenius.com/public - namespace: renovate-operator - releaseName: renovate-operator - version: "4.7.0" - valuesFile: values.yaml diff --git a/k8s-peterg/renovate-operator/namespace.yaml b/k8s-peterg/renovate-operator/namespace.yaml deleted file mode 100644 index 981aeee..0000000 --- a/k8s-peterg/renovate-operator/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: renovate-operator diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml deleted file mode 100644 index e7c6c9a..0000000 --- a/k8s-peterg/renovate-operator/policies.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: allow-internet-only -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 192.168.0.0/16 - - 172.16.0.0/12 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: kubernetes-egress -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - - podSelector: - matchLabels: - k8s-app: kube-apiserver - - ports: - - protocol: TCP - port: 6443 diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml deleted file mode 100644 index 7f161da..0000000 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: renovate-operator.mogenius.com/v1alpha1 -kind: RenovateJob -metadata: - name: renovate - namespace: renovate-operator -spec: - schedule: "0 * * * *" - provider: - name: forgejo - endpoint: https://code.peterg.nl/api/v1/ - image: ghcr.io/renovatebot/renovate:43.161.0 - secretRef: renovate-operator-secrets - parallelism: 1 - skipForks: true - extraVolumes: - - name: renovate-config - configMap: - name: renovate-config - extraVolumeMounts: - - name: renovate-config - mountPath: /config - extraEnv: - - name: LOG_LEVEL - value: debug - - name: RENOVATE_CONFIG_FILE - value: /config/config.js diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml deleted file mode 100644 index 543f6f2..0000000 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: renovate-operator-secrets - namespace: renovate-operator -spec: - refreshInterval: "15s" - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: renovate-operator-secrets - data: - - secretKey: RENOVATE_TOKEN - remoteRef: - key: /secrets/managed/renovate/token - property: RENOVATE_TOKEN - - secretKey: GITHUB_COM_TOKEN - remoteRef: - key: /secrets/managed/renovate/token - property: GITHUB_COM_TOKEN diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml deleted file mode 100644 index d93c1d9..0000000 --- a/k8s-peterg/renovate-operator/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -fullnameOverride: "renovate-operator" -metrics: - enabled: true - serviceMonitor: - enabled: false - -crd: - install: true - mode: template - -rbac: - ownNamespaceOnly: true - -route: - enabled: true - hostnames: - parentRefs: - - name: internal - namespace: kube-system - sectionName: https diff --git a/k8s-peterg/vault-wheatley-approle.yaml b/k8s-peterg/vault-wheatley-approle.yaml new file mode 100644 index 0000000..f116d9d --- /dev/null +++ b/k8s-peterg/vault-wheatley-approle.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg== + approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg== +kind: Secret +metadata: + name: vault-wheatley-approle + namespace: external-secrets +type: Opaque diff --git a/k8s-wheatley/alloy/configmap.yaml b/k8s-wheatley/alloy/configmap.yaml index 819a1c1..991eb51 100644 --- a/k8s-wheatley/alloy/configmap.yaml +++ b/k8s-wheatley/alloy/configmap.yaml 
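Review bot: The new `k8s-peterg/vault-wheatley-approle.yaml` commits `approle_id` and `approle_secret` as a plain `Secret`, and base64 in `data:` is an encoding, not encryption. Anyone with read access to the repository or its history can therefore use this AppRole, presumably the one behind the `vault-wheatley` ClusterSecretStore, to authenticate to Vault. Treat the secret ID as exposed: rotate it in Vault, remove the file from the repository history, and bootstrap this one secret out of band or in encrypted form rather than through Git. Both values also appear to end in an encoded newline (the trailing `Cg==`), which would make the credential sent to Vault differ from the real one unless the consumer trims it. Regenerate them without the line ending.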
@@ -5,13 +5,7 @@ metadata: name: alloy-config data: config.alloy: |- - prometheus.exporter.unix "node" { - set_collectors = [ - "cpu", "diskstats", "filesystem", "loadavg", - "meminfo", "netdev", "netstat", "os", - "pressure", "processes", "stat", "uname", "vmstat", - ] - } + prometheus.exporter.unix "node" {} discovery.kubernetes "kubernetes_apiservers" { role = "endpoints" @@ -158,11 +152,6 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } discovery.relabel "kubernetes_services" { @@ -271,11 +260,6 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } discovery.relabel "pod_logs" { @@ -325,11 +309,6 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } - - rule { - regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" - action = "labeldrop" - } } local.file_match "pod_logs" { 
@@ -390,19 +369,9 @@ data: } } - prometheus.relabel "cadvisor" { - forward_to = [prometheus.remote_write.default.receiver] - - rule { - source_labels = ["__name__"] - regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" - action = "keep" - } - } - prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.relabel.cadvisor.receiver] + forward_to = [prometheus.remote_write.default.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" clustering { diff --git a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml index 16840b4..ea424ae 100644 --- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml +++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml @@ -27,7 +27,6 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-wheatley-in @@ -35,4 +34,3 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None - nullBytePolicy: Ignore diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml index 27bd976..91ef006 100644 --- a/k8s-wheatley/external-secrets-operator/kustomization.yaml +++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.4.0 + version: 2.3.0 
diff --git a/k8s-wheatley/lidarr/configmap.yaml b/k8s-wheatley/lidarr/configmap.yaml deleted file mode 100644 index 188b4e6..0000000 --- a/k8s-wheatley/lidarr/configmap.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: lidarr-envs -data: - PUID: "1000" - PGID: "1000" - TZ: Europe/Amsterdam diff --git a/k8s-wheatley/lidarr/deployments.yaml b/k8s-wheatley/lidarr/deployments.yaml deleted file mode 100644 index de9c4c5..0000000 --- a/k8s-wheatley/lidarr/deployments.yaml +++ /dev/null @@ -1,50 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: lidarr - labels: - app: lidarr -spec: - replicas: 1 - serviceName: lidarr - selector: - matchLabels: - app: lidarr - template: - metadata: - labels: - app: lidarr - spec: - containers: - - name: lidarr - image: linuxserver/lidarr - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8686 - envFrom: - - configMapRef: - name: lidarr-envs - volumeMounts: - - mountPath: /config - name: lidarr-config - - mountPath: /shared/media - name: nfs-media - securityContext: - seccompProfile: - type: RuntimeDefault - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "SETUID" - - "SETGID" - volumes: - - name: lidarr-config - persistentVolumeClaim: - claimName: lidarr-storage - - name: nfs-media - persistentVolumeClaim: - claimName: nfs-media diff --git a/k8s-wheatley/lidarr/ingress.yaml b/k8s-wheatley/lidarr/ingress.yaml deleted file mode 100644 index 727dfc4..0000000 --- a/k8s-wheatley/lidarr/ingress.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: lidarr-route -spec: - parentRefs: - - name: internal - namespace: kube-system - sectionName: https - hostnames: - - "lidarr.wheatley.in" - rules: - - backendRefs: - - name: lidarr - port: 80 
diff --git a/k8s-wheatley/lidarr/kustomization.yaml b/k8s-wheatley/lidarr/kustomization.yaml deleted file mode 100644 index 018f13b..0000000 --- a/k8s-wheatley/lidarr/kustomization.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: lidarr - -resources: - - ../../kustomize-bases/nfs-media - - configmap.yaml - - deployments.yaml - - ingress.yaml - - pvc.yaml - - services.yaml - - namespace.yaml - -patches: - - target: - kind: PersistentVolume - name: nfs-media - patch: | - - op: replace - path: /metadata/name - value: nfs-media-lidarr - - target: - kind: PersistentVolumeClaim - name: nfs-media - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-lidarr - -images: - - name: linuxserver/lidarr - newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7 diff --git a/k8s-wheatley/lidarr/namespace.yaml b/k8s-wheatley/lidarr/namespace.yaml deleted file mode 100644 index 54f155f..0000000 --- a/k8s-wheatley/lidarr/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: lidarr diff --git a/k8s-wheatley/lidarr/pvc.yaml b/k8s-wheatley/lidarr/pvc.yaml deleted file mode 100644 index e06965e..0000000 --- a/k8s-wheatley/lidarr/pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: lidarr-storage -spec: - storageClassName: piraeus-lvmthin - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi diff --git a/k8s-wheatley/lidarr/services.yaml b/k8s-wheatley/lidarr/services.yaml deleted file mode 100644 index d1a3deb..0000000 --- a/k8s-wheatley/lidarr/services.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: lidarr -spec: - selector: - app: lidarr - ports: - - port: 80 - protocol: TCP - targetPort: 8686 
diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index 3bd4023..7676da5 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: plex resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -13,28 +12,6 @@ resources: - services.yaml - namespace.yaml -patches: - - target: - kind: PersistentVolume - name: nfs-media - patch: | - - op: replace - path: /metadata/name - value: nfs-media-plex - - op: replace - path: /spec/accessModes/0 - value: ReadOnlyMany - - target: - kind: PersistentVolumeClaim - name: nfs-media - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-plex - - op: replace - path: /spec/accessModes/0 - value: ReadOnlyMany - images: - name: plexinc/pms-docker newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c diff --git a/k8s-wheatley/plex/pvc.yaml b/k8s-wheatley/plex/pvc.yaml index 69e27fe..7943bab 100644 --- a/k8s-wheatley/plex/pvc.yaml +++ b/k8s-wheatley/plex/pvc.yaml @@ -10,3 +10,36 @@ spec: resources: requests: storage: 20Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadOnlyMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media-plex +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media-plex +spec: + capacity: + storage: 40Ti + accessModes: + - ReadOnlyMany + nfs: + server: 10.0.69.10 + path: /tank/media + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/prowlarr/kustomization.yaml b/k8s-wheatley/prowlarr/kustomization.yaml index 788fdab..c9a7a47 100644 --- a/k8s-wheatley/prowlarr/kustomization.yaml +++ b/k8s-wheatley/prowlarr/kustomization.yaml 
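Review bot: `accessModes: ReadOnlyMany` on the new `nfs-media-plex` PersistentVolume and its claim only governs how PV and PVC are matched. Kubernetes does not enforce write protection from access modes once the share is mounted. For Plex to get a read-only view of `/tank/media`, add `readOnly: true` under `nfs:` in the PersistentVolume, or mount the claim read-only in the pod spec, which is outside this hunk.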
@@ -16,4 +16,4 @@ images: - name: flaresolverr/flaresolverr newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e - name: linuxserver/prowlarr - newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf + newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index 61c614d..de1c6cf 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml @@ -9,26 +9,22 @@ data: VPN_TYPE: "wireguard" VPN_PORT_FORWARDING: on VPN_PORT_FORWARDING_PROVIDER: protonvpn - VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh" - VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh" - FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "8112" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: gluetun-scripts -data: - port-up.sh: | - #!/bin/sh + VPN_PORT_FORWARDING_UP_COMMAND: | + /bin/sh -c ' wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 - port-down.sh: | - #!/bin/sh + ' + VPN_PORT_FORWARDING_DOWN_COMMAND: | + /bin/sh -c ' wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 + ' + FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 + FIREWALL_INPUT_PORTS: "8112" + DNS_KEEP_NAMESERVER: on + DOT: off --- apiVersion: v1 kind: ConfigMap diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index 5dba05a..0e1600b 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml 
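Review bot: The added `DNS_KEEP_NAMESERVER: on` and `DOT: off` in the qbittorrent ConfigMap make the gluetun container keep the pod's resolver and turn off DNS over TLS. Name lookups from the VPN pod then most likely go to cluster DNS and its upstream in clear text rather than through the tunnel, since `FIREWALL_OUTBOUND_SUBNETS` already allows the service range. If cluster DNS is needed only for in-cluster names, say so in a comment above the two keys and confirm that tracker lookups do not leave outside the VPN. The bare `on`/`off` values are also read as booleans by YAML 1.1 parsers, while ConfigMap `data` must hold strings. Quote them as `DNS_KEEP_NAMESERVER: "on"` and `DOT: "off"`, matching `FIREWALL_INPUT_PORTS: "8112"`.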
@@ -33,8 +33,6 @@ spec: - mountPath: "/gluetun/wireguard" name: gluetun-wgconfig readOnly: true - - name: gluetun-scripts - mountPath: /scripts - name: gluetun-tmp mountPath: /tmp/gluetun restartPolicy: Always @@ -130,10 +128,6 @@ spec: - name: gluetun-wgconfig secret: secretName: gluetun-wgconfig - - name: gluetun-scripts - configMap: - name: gluetun-scripts - defaultMode: 0755 - name: gluetun-tmp emptyDir: {} - name: nfs-media diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 68bd0ef..3e94bd5 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: qbittorrent resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -13,25 +12,6 @@ resources: - services.yaml - namespace.yaml -patches: - - target: - kind: PersistentVolume - name: nfs-media - patch: | - - op: replace - path: /metadata/name - value: nfs-media-qbittorrent - - op: replace - path: /spec/nfs/path - value: /tank/media/downloads - - target: - kind: PersistentVolumeClaim - name: nfs-media - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-qbittorrent - images: - name: ghcr.io/qdm12/gluetun newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml index c352b02..aa566ea 100644 --- a/k8s-wheatley/qbittorrent/pvc.yaml +++ b/k8s-wheatley/qbittorrent/pvc.yaml 
@@ -10,3 +10,36 @@ spec: resources: requests: storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media-qbittorrent +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media-qbittorrent +spec: + capacity: + storage: 40Ti + accessModes: + - ReadWriteMany + nfs: + server: 10.0.69.10 + path: /tank/media/downloads + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index 445d2f3..dcb0205 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: radarr resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -13,22 +12,6 @@ resources: - services.yaml - namespace.yaml -patches: - - target: - kind: PersistentVolume - name: nfs-media - patch: | - - op: replace - path: /metadata/name - value: nfs-media-radarr - - target: - kind: PersistentVolumeClaim - name: nfs-media - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-radarr - images: - name: linuxserver/radarr - newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d + newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7 diff --git a/k8s-wheatley/radarr/pvc.yaml b/k8s-wheatley/radarr/pvc.yaml index d188698..fe76bfc 100644 --- a/k8s-wheatley/radarr/pvc.yaml +++ b/k8s-wheatley/radarr/pvc.yaml 
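Review bot: The new `nfs-media-qbittorrent` PersistentVolume has no `claimRef`, and PersistentVolumes are cluster-scoped. While the volume is unbound, a claim in any namespace that sets `volumeName: nfs-media-qbittorrent` can bind it and gain read-write access to `/tank/media/downloads`. Reserve it for the intended claim with `claimRef: {namespace: qbittorrent, name: nfs-media}`, and set `storageClassName: ""` on both objects so a default StorageClass cannot interfere with the static binding. The same applies to `nfs-media-plex`, `nfs-media-radarr` and `nfs-media-sonarr` in the plex, radarr and sonarr `pvc.yaml` hunks. Those hunks also repeat the NFS server and mount options four times now that the shared base is deleted.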
@@ -10,3 +10,36 @@ spec: resources: requests: storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media-radarr +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media-radarr +spec: + capacity: + storage: 40Ti + accessModes: + - ReadWriteMany + nfs: + server: 10.0.69.10 + path: /tank/media + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index 51ba92b..eed76a3 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: sonarr resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -13,22 +12,6 @@ resources: - services.yaml - namespace.yaml -patches: - - target: - kind: PersistentVolume - name: nfs-media - patch: | - - op: replace - path: /metadata/name - value: nfs-media-sonarr - - target: - kind: PersistentVolumeClaim - name: nfs-media - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-sonarr - images: - name: linuxserver/sonarr - newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 + newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13 diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml index 14d30b8..d431b58 100644 --- a/k8s-wheatley/sonarr/pvc.yaml +++ b/k8s-wheatley/sonarr/pvc.yaml 
@@ -10,3 +10,36 @@ spec: resources: requests: storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media-sonarr +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media-sonarr +spec: + capacity: + storage: 40Ti + accessModes: + - ReadWriteMany + nfs: + server: 10.0.69.10 + path: /tank/media + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml index 11b89fa..69e9687 100644 --- a/kustomize-bases/alloy/kustomization.yaml +++ b/kustomize-bases/alloy/kustomization.yaml @@ -9,12 +9,12 @@ resources: helmCharts: - name: alloy repo: https://grafana.github.io/helm-charts - version: "1.8.0" + version: "1.7.0" releaseName: alloy valuesFile: values.yaml - name: kube-state-metrics repo: https://prometheus-community.github.io/helm-charts - version: "7.3.0" + version: "7.2.2" releaseName: kube-state-metrics - name: prometheus-operator-crds repo: https://prometheus-community.github.io/helm-charts diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml deleted file mode 100644 index 482f897..0000000 --- a/kustomize-bases/nfs-media/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - pvc.yaml diff --git a/kustomize-bases/nfs-media/pvc.yaml b/kustomize-bases/nfs-media/pvc.yaml deleted file mode 100644 index 94091c9..0000000 --- a/kustomize-bases/nfs-media/pvc.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent. -# All apps on k8s-wheatley mount the same NFS server: 10.0.69.10 -# -# Each app overlays this base with JSON patches in its kustomization.yaml: -# - Always: rename PV (metadata.name) and update PVC volumeName to match -# - plex only: patch accessModes to ReadOnlyMany on both PV and PVC -# - qbittorrent only: patch nfs.path to /tank/media/downloads ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media # renamed per-app via JSON patch -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media # patched per-app to match PV name