diff --git a/k8s-peterg/alloy/configmap.yaml b/k8s-peterg/alloy/configmap.yaml index 18b2843..01cad1f 100644 --- a/k8s-peterg/alloy/configmap.yaml +++ b/k8s-peterg/alloy/configmap.yaml @@ -6,6 +6,11 @@ metadata: data: config.alloy: |- prometheus.exporter.unix "node" { + set_collectors = [ + "cpu", "diskstats", "filesystem", "loadavg", + "meminfo", "netdev", "netstat", "os", + "pressure", "processes", "stat", "uname", "vmstat", + ] } discovery.kubernetes "kubernetes_apiservers" { @@ -141,6 +146,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "kubernetes_services" { @@ -249,6 +259,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "pod_logs" { @@ -298,6 +313,11 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } local.file_match "pod_logs" { 
@@ -352,9 +372,19 @@ data: } } + prometheus.relabel "cadvisor" { + forward_to = [prometheus.remote_write.default.receiver] + + rule { + source_labels = ["__name__"] + regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" + action = "keep" + } + } + prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.remote_write.default.receiver] + forward_to = [prometheus.relabel.cadvisor.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml index 7451e9a..76e6aa5 100644 --- a/k8s-peterg/argo-workflows/kustomization.yaml +++ b/k8s-peterg/argo-workflows/kustomization.yaml @@ -11,5 +11,5 @@ helmCharts: repo: https://argoproj.github.io/argo-helm namespace: argo-workflows releaseName: argo-workflows - version: 1.0.7 + version: 1.0.13 valuesFile: values.yaml diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml index 7838756..a32f76d 100644 --- a/k8s-peterg/argo-workflows/secrets.yaml +++ b/k8s-peterg/argo-workflows/secrets.yaml @@ -22,6 +22,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: client-secret remoteRef: key: secrets/managed/argo-workflows/authentik-sso @@ -29,3 +30,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml index 26d36ff..9822d88 100644 --- a/k8s-peterg/argocd/applications-peterg.yaml 
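Review bot: The new `keep` rule in `prometheus.relabel "cadvisor"` passes only samples whose name is in the `container_(…)` alternation, and because `prometheus.scrape` forwards its synthetic series (`up`, `scrape_duration_seconds`, `scrape_samples_scraped`, …) through the same receiver, the cadvisor job's `up` series is — as far as I can tell from Alloy's pipeline model — discarded as well, so a kubelet that stops answering no longer surfaces as a failed scrape. Prepend the health series to the alternation, `regex = "up|scrape_.*|container_(…)"`, leaving the existing list unchanged. A short comment above the rule saying why the allow-list exists (cardinality) would also help, since an allow-list is the easy way to silently lose a metric an alert depends on. The `prometheus.scrape "kubernetes_nodes_cadvisor"` block this feeds continues past the hunk.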
+++ b/k8s-peterg/argocd/applications-peterg.yaml @@ -99,3 +99,22 @@ spec: selfHeal: true syncOptions: - ServerSideApply=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: renovate-operator + namespace: argocd +spec: + project: default + source: + repoURL: https://code.peterg.nl/wheatley/kubernetes.git + path: k8s-peterg/renovate-operator + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: renovate-operator + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml index 2f86524..eae54ce 100644 --- a/k8s-peterg/argocd/applications-wheatley.yaml +++ b/k8s-peterg/argocd/applications-wheatley.yaml @@ -143,6 +143,25 @@ spec: --- apiVersion: argoproj.io/v1alpha1 kind: Application +metadata: + name: lidarr + namespace: argocd +spec: + project: default + source: + repoURL: https://code.peterg.nl/wheatley/kubernetes.git + path: k8s-wheatley/lidarr + targetRevision: HEAD + destination: + server: https://10.13.37.10:6443 + namespace: lidarr + syncPolicy: + automated: + prune: true + selfHeal: true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application metadata: name: prowlarr namespace: argocd diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml index c587b7e..b45056e 100644 --- a/k8s-peterg/argocd/oidc.yaml +++ b/k8s-peterg/argocd/oidc.yaml 
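Review bot: The new `renovate-operator` Application is placed in `project: default`, which on a stock Argo CD install permits any source repo, any destination cluster/namespace and any cluster-scoped resource, so a workload that only ever needs one path of one repo into one namespace inherits the broadest project there is; its siblings do the same, so treat this as a repo-wide follow-up rather than a blocker for this commit. A dedicated AppProject with `sourceRepos` pinned to `https://code.peterg.nl/wheatley/kubernetes.git` and `destinations` limited to the `renovate-operator` namespace would bound what Argo can be made to apply, which matters here because Renovate is the one component in this commit holding a write token to that very repo. With `targetRevision: HEAD` plus `automated: {prune, selfHeal}`, anything that lands on the default branch is applied with no further gate, so branch protection on Renovate's PRs (not visible here) is the real control — worth a comment on the Application if it is in place.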
@@ -27,28 +27,3 @@ spec: remoteRef: key: secrets/managed/argocd/authentik-oidc-credentials property: clientSecret ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argo-workflows-sso - namespace: argocd -spec: - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: argo-workflows-sso - template: - metadata: - labels: - app.kubernetes.io/part-of: argo-workflows - data: - - secretKey: client-id - remoteRef: - key: secrets/managed/argo-workflows/dex-sso - property: client-id - - secretKey: client-secret - remoteRef: - key: secrets/managed/argo-workflows/dex-sso - property: client-secret diff --git a/k8s-peterg/external-secrets-operator/clustersecrets.yaml b/k8s-peterg/external-secrets-operator/clustersecrets.yaml index db674e7..87bfcef 100644 --- a/k8s-peterg/external-secrets-operator/clustersecrets.yaml +++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml @@ -27,6 +27,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-peterg-nl @@ -34,3 +35,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml index 91ef006..27bd976 100644 --- a/k8s-peterg/external-secrets-operator/kustomization.yaml +++ b/k8s-peterg/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.3.0 + version: 2.4.0 diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml new file mode 100644 index 0000000..1edf30b --- /dev/null +++ b/k8s-peterg/renovate-operator/configmap.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: renovate-config + namespace: renovate-operator +data: + config.js: |- + module.exports = { + platform: 'forgejo', + endpoint: 'https://code.peterg.nl/api/v1/', + gitAuthor: 'Renovate ', + username: 'renovate', + onboardingConfig: { + $schema: 'https://docs.renovatebot.com/renovate-schema.json', + extends: ['config:recommended'], + }, + optimizeForDisabled: true, + persistRepoData: true, + }; diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml new file mode 100644 index 0000000..ad54284 --- /dev/null +++ b/k8s-peterg/renovate-operator/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: renovate-operator + +resources: + - configmap.yaml + - namespace.yaml + - policies.yaml + - renovate-job.yaml + - secrets.yaml + +helmCharts: + - name: renovate-operator + repo: https://helm.mogenius.com/public + namespace: renovate-operator + releaseName: renovate-operator + version: "4.7.0" + valuesFile: values.yaml diff --git a/k8s-peterg/renovate-operator/namespace.yaml b/k8s-peterg/renovate-operator/namespace.yaml new file mode 100644 index 0000000..981aeee --- /dev/null +++ b/k8s-peterg/renovate-operator/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: renovate-operator diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml new file mode 100644 index 0000000..e7c6c9a --- /dev/null +++ b/k8s-peterg/renovate-operator/policies.yaml 
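Review bot: `gitAuthor: 'Renovate '` has a trailing space and no `<email>` part; Renovate expects `Name <email>` for this setting, so either the address was lost when this diff was rendered or the value is malformed and commits will carry an empty author — please check the file on disk before merging. `platform` and `endpoint` are also declared both here and in the RenovateJob's `provider` block; if the operator injects its own endpoint as well, keep one source of truth, or at minimum add `// endpoint/platform are also set in renovate-job.yaml — keep in sync` so a later change cannot point API calls and git pushes at different hosts. This is the whole of `config.js`, so `module.exports` is complete within the hunk.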
@@ -0,0 +1,37 @@ +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-internet-only +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kubernetes-egress +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + - podSelector: + matchLabels: + k8s-app: kube-apiserver + - ports: + - protocol: TCP + port: 6443 diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml new file mode 100644 index 0000000..7f161da --- /dev/null +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: renovate-operator.mogenius.com/v1alpha1 +kind: RenovateJob +metadata: + name: renovate + namespace: renovate-operator +spec: + schedule: "0 * * * *" + provider: + name: forgejo + endpoint: https://code.peterg.nl/api/v1/ + image: ghcr.io/renovatebot/renovate:43.161.0 + secretRef: renovate-operator-secrets + parallelism: 1 + skipForks: true + extraVolumes: + - name: renovate-config + configMap: + name: renovate-config + extraVolumeMounts: + - name: renovate-config + mountPath: /config + extraEnv: + - name: LOG_LEVEL + value: debug + - name: RENOVATE_CONFIG_FILE + value: /config/config.js diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml new file mode 100644 index 0000000..543f6f2 --- /dev/null +++ b/k8s-peterg/renovate-operator/secrets.yaml 
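Review bot: In `kubernetes-egress` the second egress rule (`- ports:` … `port: 6443`) carries no `to:`, so it allows TCP/6443 to every destination including the RFC1918 ranges `allow-internet-only` excludes, and the `podSelector: {k8s-app: kube-apiserver}` peer above it is dead — a `podSelector` without a `namespaceSelector` is namespace-local and there is no such pod in `renovate-operator`; reading the list structure from the rendered diff is partly a guess, so confirm against the file. DNS currently works only because the kube-system `namespaceSelector` peer opens every port to every pod in that namespace; if CoreDNS carries the usual `k8s-app: kube-dns` label, narrow it to 53/UDP+TCP and give the API server an explicit address (Cilium is the CNI here, so a CiliumNetworkPolicy with `toEntities: [kube-apiserver]` is the cleanest alternative). Adding `169.254.0.0/16` to the `except` list of `allow-internet-only` is also cheap insurance against link-local/metadata endpoints.

```yaml
  egress:
    # cluster DNS only, instead of every port on every kube-system pod
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # API server: a podSelector cannot reach it; name its address explicitly
    # (kubectl get endpointslices -n default -l kubernetes.io/service-name=kubernetes)
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # TODO(review): replace with the API server address as /32
      ports:
        - protocol: TCP
          port: 6443
```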
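Review bot: `image: ghcr.io/renovatebot/renovate:43.161.0` is pinned by tag only, while every other image in this repo (lidarr, radarr, sonarr, prowlarr, gluetun, plex) is pinned as `tag@sha256:…`; for the one workload that holds a write token to the infrastructure repo this is where a digest pin matters most, so use the same `43.161.0@sha256:<digest of that tag>` form. `LOG_LEVEL: debug` also deserves a second look: Renovate redacts the tokens it knows about, but debug output includes full platform API responses and file contents, and the `pod_logs` pipeline in this same commit ships those to Loki — drop to `info` once the job is proven, or note in a comment why debug stays. `skipForks: true` and `parallelism: 1` are good; the hourly `schedule` is fine for a homelab but will re-clone every repository each run unless `persistRepoData` is backed by a real volume, which the operator spec does not show.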
@@ -0,0 +1,22 @@ +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-operator-secrets + namespace: renovate-operator +spec: + refreshInterval: "15s" + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: renovate-operator-secrets + data: + - secretKey: RENOVATE_TOKEN + remoteRef: + key: /secrets/managed/renovate/token + property: RENOVATE_TOKEN + - secretKey: GITHUB_COM_TOKEN + remoteRef: + key: /secrets/managed/renovate/token + property: GITHUB_COM_TOKEN diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml new file mode 100644 index 0000000..d93c1d9 --- /dev/null +++ b/k8s-peterg/renovate-operator/values.yaml @@ -0,0 +1,20 @@ +fullnameOverride: "renovate-operator" +metrics: + enabled: true + serviceMonitor: + enabled: false + +crd: + install: true + mode: template + +rbac: + ownNamespaceOnly: true + +route: + enabled: true + hostnames: + parentRefs: + - name: internal + namespace: kube-system + sectionName: https diff --git a/k8s-peterg/vault-wheatley-approle.yaml b/k8s-peterg/vault-wheatley-approle.yaml deleted file mode 100644 index f116d9d..0000000 --- a/k8s-peterg/vault-wheatley-approle.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -data: - approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg== - approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg== -kind: Secret -metadata: - name: vault-wheatley-approle - namespace: external-secrets -type: Opaque diff --git a/k8s-wheatley/alloy/configmap.yaml b/k8s-wheatley/alloy/configmap.yaml index 991eb51..819a1c1 100644 --- a/k8s-wheatley/alloy/configmap.yaml +++ b/k8s-wheatley/alloy/configmap.yaml 
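Review bot: `refreshInterval: "15s"` polls Vault for this token every fifteen seconds, far more often than the 1h default and for a credential that changes only on rotation; `refreshInterval: "1h"` is plenty, and a rotation can still be pulled immediately with ESO's force-sync annotation. The two tokens also deserve a scope note in the manifest: `RENOVATE_TOKEN` must be able to push branches and open PRs on the Forgejo repos, whereas `GITHUB_COM_TOKEN` exists only to fetch release notes and should be a fine-grained, read-only, public-repo token — a comment such as `# GITHUB_COM_TOKEN: read-only public-repo access only` keeps the next rotation honest. Related, because this ExternalSecret resolves through `ClusterSecretStore/vault-wheatley`: the `vault-wheatley-approle` Secret deleted in this same commit carried an AppRole role_id/secret_id base64-encoded in git, and removing the file does not remove it from history, so rotate that secret_id (ideally the role) in Vault rather than relying on the deletion.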
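Review bot: `route.hostnames:` is a bare key, which YAML reads as `null`; depending on the chart template that either renders an HTTPRoute with no `hostnames` (attached to the `https` listener for any host not claimed by a more specific route) or fails to render — neither is what you want for a route onto the operator. Give it an explicit name on the internal domain, as the `lidarr-route` in this same commit does, or set `route.enabled: false` if the route only exists for metrics (`serviceMonitor` is disabled here, so scraping may be the real need). What the operator serves on that route is not visible in the diff, so confirm it is not an unauthenticated admin surface before exposing it.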
@@ -5,7 +5,13 @@ metadata: name: alloy-config data: config.alloy: |- - prometheus.exporter.unix "node" {} + prometheus.exporter.unix "node" { + set_collectors = [ + "cpu", "diskstats", "filesystem", "loadavg", + "meminfo", "netdev", "netstat", "os", + "pressure", "processes", "stat", "uname", "vmstat", + ] + } discovery.kubernetes "kubernetes_apiservers" { role = "endpoints" @@ -152,6 +158,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "kubernetes_services" { @@ -260,6 +271,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "pod_logs" { @@ -309,6 +325,11 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } local.file_match "pod_logs" { 
@@ -369,9 +390,19 @@ data: } } + prometheus.relabel "cadvisor" { + forward_to = [prometheus.remote_write.default.receiver] + + rule { + source_labels = ["__name__"] + regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" + action = "keep" + } + } + prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.remote_write.default.receiver] + forward_to = [prometheus.relabel.cadvisor.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" clustering { diff --git a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml index ea424ae..16840b4 100644 --- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml +++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml @@ -27,6 +27,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-wheatley-in @@ -34,3 +35,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml index 91ef006..27bd976 100644 --- a/k8s-wheatley/external-secrets-operator/kustomization.yaml +++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.3.0 + version: 2.4.0 
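Review bot: Same allow-list concern as the peterg copy: the `keep` rule matches only `container_…` names, and because the scrape component forwards its synthetic `up`/`scrape_*` series through this relabel as well (as far as I can tell), the cadvisor job loses its scrape-health signal; prepend `up|scrape_.*|` to the regex. Beyond that, the `config.alloy` blobs in `k8s-peterg` and `k8s-wheatley` are now identical except for the `clustering {}` stanza, and this commit had to patch both in lockstep; since `kustomize-bases/alloy` already exists, moving the shared config there with a per-cluster patch for the `clustering` block would stop the copies drifting — the next divergence will be silent. The scrape block continues past the hunk.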
diff --git a/k8s-wheatley/lidarr/configmap.yaml b/k8s-wheatley/lidarr/configmap.yaml new file mode 100644 index 0000000..188b4e6 --- /dev/null +++ b/k8s-wheatley/lidarr/configmap.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: lidarr-envs +data: + PUID: "1000" + PGID: "1000" + TZ: Europe/Amsterdam diff --git a/k8s-wheatley/lidarr/deployments.yaml b/k8s-wheatley/lidarr/deployments.yaml new file mode 100644 index 0000000..de9c4c5 --- /dev/null +++ b/k8s-wheatley/lidarr/deployments.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: lidarr + labels: + app: lidarr +spec: + replicas: 1 + serviceName: lidarr + selector: + matchLabels: + app: lidarr + template: + metadata: + labels: + app: lidarr + spec: + containers: + - name: lidarr + image: linuxserver/lidarr + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8686 + envFrom: + - configMapRef: + name: lidarr-envs + volumeMounts: + - mountPath: /config + name: lidarr-config + - mountPath: /shared/media + name: nfs-media + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "SETUID" + - "SETGID" + volumes: + - name: lidarr-config + persistentVolumeClaim: + claimName: lidarr-storage + - name: nfs-media + persistentVolumeClaim: + claimName: nfs-media diff --git a/k8s-wheatley/lidarr/ingress.yaml b/k8s-wheatley/lidarr/ingress.yaml new file mode 100644 index 0000000..727dfc4 --- /dev/null +++ b/k8s-wheatley/lidarr/ingress.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: lidarr-route +spec: + parentRefs: + - name: internal + namespace: kube-system + sectionName: https + hostnames: + - "lidarr.wheatley.in" + rules: + - backendRefs: + - name: lidarr + port: 80 diff --git a/k8s-wheatley/lidarr/kustomization.yaml b/k8s-wheatley/lidarr/kustomization.yaml new file mode 100644 index 0000000..018f13b 
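Review bot: The `lidarr` StatefulSet drops ALL capabilities and adds back `CHOWN`/`SETUID`/`SETGID`, the right shape for a linuxserver image that starts as root and switches to PUID/PGID, but nothing in the pod spec turns off the service-account token mount — Lidarr never talks to the Kubernetes API, so add `automountServiceAccountToken: false` at `spec.template.spec` so a compromised app is not holding a cluster credential. Missing `resources` requests/limits is the other gap, and a one-line comment above `capabilities` saying why those three are needed (s6 dropping privileges at start) would save the next reviewer from re-deriving it. The HTTPRoute publishes the UI on `lidarr.wheatley.in` with no auth layer in front, so it relies on Lidarr's own forms login being configured and on the `internal` gateway being genuinely LAN-only; neither is verifiable from the diff, so a comment on the route stating that assumption is worthwhile.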
--- /dev/null +++ b/k8s-wheatley/lidarr/kustomization.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: lidarr + +resources: + - ../../kustomize-bases/nfs-media + - configmap.yaml + - deployments.yaml + - ingress.yaml + - pvc.yaml + - services.yaml + - namespace.yaml + +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-lidarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-lidarr + +images: + - name: linuxserver/lidarr + newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7 diff --git a/k8s-wheatley/lidarr/namespace.yaml b/k8s-wheatley/lidarr/namespace.yaml new file mode 100644 index 0000000..54f155f --- /dev/null +++ b/k8s-wheatley/lidarr/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: lidarr diff --git a/k8s-wheatley/lidarr/pvc.yaml b/k8s-wheatley/lidarr/pvc.yaml new file mode 100644 index 0000000..e06965e --- /dev/null +++ b/k8s-wheatley/lidarr/pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: lidarr-storage +spec: + storageClassName: piraeus-lvmthin + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/k8s-wheatley/lidarr/services.yaml b/k8s-wheatley/lidarr/services.yaml new file mode 100644 index 0000000..d1a3deb --- /dev/null +++ b/k8s-wheatley/lidarr/services.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: lidarr +spec: + selector: + app: lidarr + ports: + - port: 80 + protocol: TCP + targetPort: 8686 diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index 7676da5..3bd4023 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml 
@@ -4,6 +4,7 @@ kind: Kustomization namespace: plex resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -12,6 +13,28 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-plex + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-plex + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + images: - name: plexinc/pms-docker newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c diff --git a/k8s-wheatley/plex/pvc.yaml b/k8s-wheatley/plex/pvc.yaml index 7943bab..69e27fe 100644 --- a/k8s-wheatley/plex/pvc.yaml +++ b/k8s-wheatley/plex/pvc.yaml @@ -10,36 +10,3 @@ spec: resources: requests: storage: 20Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadOnlyMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-plex ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-plex -spec: - capacity: - storage: 40Ti - accessModes: - - ReadOnlyMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/prowlarr/kustomization.yaml b/k8s-wheatley/prowlarr/kustomization.yaml index c9a7a47..788fdab 100644 --- a/k8s-wheatley/prowlarr/kustomization.yaml +++ b/k8s-wheatley/prowlarr/kustomization.yaml 
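Review bot: The patch to `ReadOnlyMany` on the PV and PVC does not make Plex's media mount read-only — for an `nfs` PersistentVolume the access mode is informational and the kubelet still mounts the export read-write unless told otherwise. To enforce it, add a third op to the PersistentVolume patch, `- op: add`, `path: /spec/nfs/readOnly`, `value: true` (or `readOnly: true` on Plex's volumeMount, which lives outside this hunk), so Plex cannot modify or delete the library that sonarr/radarr/lidarr write into. Keep the `ReadOnlyMany` patch as a statement of intent; it just is not the enforcement.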
@@ -16,4 +16,4 @@ images: - name: flaresolverr/flaresolverr newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e - name: linuxserver/prowlarr - newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf + newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index de1c6cf..61c614d 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml @@ -9,22 +9,26 @@ data: VPN_TYPE: "wireguard" VPN_PORT_FORWARDING: on VPN_PORT_FORWARDING_PROVIDER: protonvpn - VPN_PORT_FORWARDING_UP_COMMAND: | - /bin/sh -c ' + VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh" + VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh" + FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 + FIREWALL_INPUT_PORTS: "8112" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: gluetun-scripts +data: + port-up.sh: | + #!/bin/sh wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 - ' - VPN_PORT_FORWARDING_DOWN_COMMAND: | - /bin/sh -c ' + port-down.sh: | + #!/bin/sh wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 - ' - FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "8112" - DNS_KEEP_NAMESERVER: on - DOT: off --- apiVersion: v1 kind: ConfigMap diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index 0e1600b..5dba05a 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml 
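Review bot: Dropping `DNS_KEEP_NAMESERVER: on` and `DOT: off` is an unrelated behaviour change folded into a refactor: gluetun will now rewrite the pod's resolv.conf to its own DNS-over-TLS resolver, which stops DNS from leaking around the tunnel (good) but also means qBittorrent and anything sharing the network namespace can no longer resolve cluster service names — if that is intended, a comment on the ConfigMap such as `# DNS is forced through gluetun's DoT resolver; cluster DNS is deliberately unavailable in this pod` records the decision. The hook scripts call `http://127.0.0.1:8112/api/v2/app/setPreferences` with no credentials, so they depend on qBittorrent's "bypass authentication for localhost" option, which in turn lets any process in the pod change qBittorrent settings; acceptable here, but worth a comment in `port-up.sh`. `{{PORTS}}` expands to a comma-separated list if the provider ever forwards more than one port, which would make `listen_port` invalid JSON — worth a guard or at least a comment noting the single-port assumption.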
@@ -33,6 +33,8 @@ spec: - mountPath: "/gluetun/wireguard" name: gluetun-wgconfig readOnly: true + - name: gluetun-scripts + mountPath: /scripts - name: gluetun-tmp mountPath: /tmp/gluetun restartPolicy: Always @@ -128,6 +130,10 @@ spec: - name: gluetun-wgconfig secret: secretName: gluetun-wgconfig + - name: gluetun-scripts + configMap: + name: gluetun-scripts + defaultMode: 0755 - name: gluetun-tmp emptyDir: {} - name: nfs-media diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 3e94bd5..68bd0ef 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: qbittorrent resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -12,6 +13,25 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-qbittorrent + - op: replace + path: /spec/nfs/path + value: /tank/media/downloads + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-qbittorrent + images: - name: ghcr.io/qdm12/gluetun newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml index aa566ea..c352b02 100644 --- a/k8s-wheatley/qbittorrent/pvc.yaml +++ b/k8s-wheatley/qbittorrent/pvc.yaml 
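Review bot: The new `gluetun-scripts` mount lacks the `readOnly: true` that the adjacent `gluetun-wgconfig` mount carries; ConfigMap volumes are projected read-only by the kubelet on current Kubernetes anyway, so this is consistency rather than enforcement, but stating it keeps the invariant visible: `readOnly: true`. On the volume side, `defaultMode: 0755` relies on YAML 1.1 octal parsing (it becomes 493), which is what Kubernetes expects but is exactly the literal yamllint flags; `defaultMode: 493  # 0755` is unambiguous. The container spec these mounts belong to begins before the hunk.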
@@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-qbittorrent ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-qbittorrent -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media/downloads - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index dcb0205..445d2f3 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: radarr resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -12,6 +13,22 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-radarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-radarr + images: - name: linuxserver/radarr - newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7 + newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d diff --git a/k8s-wheatley/radarr/pvc.yaml b/k8s-wheatley/radarr/pvc.yaml index fe76bfc..d188698 100644 --- a/k8s-wheatley/radarr/pvc.yaml +++ b/k8s-wheatley/radarr/pvc.yaml 
@@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-radarr ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-radarr -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index eed76a3..51ba92b 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: sonarr resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -12,6 +13,22 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-sonarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-sonarr + images: - name: linuxserver/sonarr - newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13 + newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml index d431b58..14d30b8 100644 --- a/k8s-wheatley/sonarr/pvc.yaml +++ b/k8s-wheatley/sonarr/pvc.yaml 
@@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-sonarr ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-sonarr -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml index 69e9687..11b89fa 100644 --- a/kustomize-bases/alloy/kustomization.yaml +++ b/kustomize-bases/alloy/kustomization.yaml @@ -9,12 +9,12 @@ resources: helmCharts: - name: alloy repo: https://grafana.github.io/helm-charts - version: "1.7.0" + version: "1.8.0" releaseName: alloy valuesFile: values.yaml - name: kube-state-metrics repo: https://prometheus-community.github.io/helm-charts - version: "7.2.2" + version: "7.3.0" releaseName: kube-state-metrics - name: prometheus-operator-crds repo: https://prometheus-community.github.io/helm-charts diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml index 4cccdf0..37b61c4 100644 --- a/kustomize-bases/cilium/kustomization.yaml +++ b/kustomize-bases/cilium/kustomization.yaml @@ -13,5 +13,5 @@ helmCharts: repo: https://helm.cilium.io namespace: kube-system releaseName: cilium - version: 1.18.6 + version: 1.19.3 valuesFile: values.yaml diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml new file mode 100644 index 0000000..482f897 --- /dev/null +++ b/kustomize-bases/nfs-media/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - pvc.yaml 
diff --git a/kustomize-bases/nfs-media/pvc.yaml b/kustomize-bases/nfs-media/pvc.yaml new file mode 100644 index 0000000..94091c9 --- /dev/null +++ b/kustomize-bases/nfs-media/pvc.yaml @@ -0,0 +1,40 @@ +# Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent. +# All apps on k8s-wheatley mount the same NFS server: 10.0.69.10 +# +# Each app overlays this base with JSON patches in its kustomization.yaml: +# - Always: rename PV (metadata.name) and update PVC volumeName to match +# - plex only: patch accessModes to ReadOnlyMany on both PV and PVC +# - qbittorrent only: patch nfs.path to /tank/media/downloads +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media # renamed per-app via JSON patch +spec: + capacity: + storage: 40Ti + accessModes: + - ReadWriteMany + nfs: + server: 10.0.69.10 + path: /tank/media + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media # patched per-app to match PV name
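Review bot: The header comment says the base is "used by plex, sonarr, radarr, and qbittorrent", but this same commit adds a lidarr overlay on it; update it to `# Shared NFS media storage template — used by plex, sonarr, radarr, lidarr, and qbittorrent.` so the list is not stale on its first day. The plex bullet (`patch accessModes to ReadOnlyMany`) is also misleading as written: for an `nfs` PV the access mode is not enforced by the kubelet, so the comment should say that a genuinely read-only mount needs `spec.nfs.readOnly: true` (or `readOnly: true` on the volumeMount). The comment should also explain why every overlay must rename the PV — PersistentVolumes are cluster-scoped, so kustomize's `namespace:` does not disambiguate them and five apps sharing one export would otherwise collide on `nfs-media`. Finally, `vers=4.1` with no `sec=` option means AUTH_SYS, i.e. the server trusts the UID/GID each pod asserts (the `PUID`/`PGID` 1000 in the app ConfigMaps); fine on a LAN, but worth one line here so nobody later assumes the export is authenticated.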