diff --git a/.gitignore b/.gitignore
index 317e8ef..144e57a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,5 @@ credentials.pkr.hcl
# Plausible
compose.override.yml
+# SOPS
+*.decrypted~*
\ No newline at end of file
diff --git a/kubernetes/README.md b/kubernetes/README.md
deleted file mode 100644
index 44fdad8..0000000
--- a/kubernetes/README.md
+++ /dev/null
@@ -1 +0,0 @@
-See https://git.mafyuh.dev/mafyuh/kub for Kubernetes until migration
\ No newline at end of file
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
new file mode 100644
index 0000000..ad0eb28
--- /dev/null
+++ b/kubernetes/apps/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - production/
\ No newline at end of file
diff --git a/kubernetes/apps/production/README.md b/kubernetes/apps/production/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/kubernetes/apps/production/arr/bazarr/deployment.yaml b/kubernetes/apps/production/arr/bazarr/deployment.yaml
new file mode 100644
index 0000000..ec47cfe
--- /dev/null
+++ b/kubernetes/apps/production/arr/bazarr/deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bazarr
+ namespace: arr
+ labels:
+ app: bazarr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bazarr
+ template:
+ metadata:
+ labels:
+ app: bazarr
+ spec:
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ containers:
+ - name: bazarr
+ image: ghcr.io/onedr0p/bazarr:rolling@sha256:1c88830f3c51fc2f1230ad7040bcbe30f197449ae93f835448cf516d8b7e5e82
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 75m
+ limits:
+ memory: 535Mi
+ cpu: 100m
+ volumeMounts:
+ - mountPath: /config
+ name: bazarr-config
+ volumes:
+ - name: bazarr-config
+ persistentVolumeClaim:
+ claimName: bazarr-config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: bazarr-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/bazarr/ingress.yaml b/kubernetes/apps/production/arr/bazarr/ingress.yaml
new file mode 100644
index 0000000..72e09ec
--- /dev/null
+++ b/kubernetes/apps/production/arr/bazarr/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: bazarr
+ namespace: arr
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "bazarr.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headless-bazarr
+ port:
+ number: 6767
+ tls:
+ - hosts:
+ - "bazarr.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/bazarr/kustomization.yaml b/kubernetes/apps/production/arr/bazarr/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/bazarr/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/bazarr/service.yaml b/kubernetes/apps/production/arr/bazarr/service.yaml
new file mode 100644
index 0000000..e370c75
--- /dev/null
+++ b/kubernetes/apps/production/arr/bazarr/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headless-bazarr
+ namespace: arr
+spec:
+ selector:
+ app: bazarr
+ ports:
+ - port: 6767
+ targetPort: 6767
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/flaresolverr/deployment.yaml b/kubernetes/apps/production/arr/flaresolverr/deployment.yaml
new file mode 100644
index 0000000..4306049
--- /dev/null
+++ b/kubernetes/apps/production/arr/flaresolverr/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: flaresolverr
+ namespace: arr
+ labels:
+ app: flaresolverr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: flaresolverr
+ template:
+ metadata:
+ labels:
+ app: flaresolverr
+ spec:
+ containers:
+ - name: flaresolverr
+ image: ghcr.io/flaresolverr/flaresolverr:v3.3.21
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8191
+ env:
+ - name: LOG_LEVEL
+ value: "info"
+ resources:
+ requests:
+ memory: "100Mi"
+ cpu: "100m"
+ limits:
+ memory: "300Mi"
+ cpu: "200m"
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/flaresolverr/kustomization.yaml b/kubernetes/apps/production/arr/flaresolverr/kustomization.yaml
new file mode 100644
index 0000000..ca1d88e
--- /dev/null
+++ b/kubernetes/apps/production/arr/flaresolverr/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/flaresolverr/service.yaml b/kubernetes/apps/production/arr/flaresolverr/service.yaml
new file mode 100644
index 0000000..a3c0d39
--- /dev/null
+++ b/kubernetes/apps/production/arr/flaresolverr/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: flaresolverr
+ namespace: arr
+spec:
+ selector:
+ app: flaresolverr
+ ports:
+ - protocol: TCP
+ port: 8191
+ targetPort: 8191
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/kustomization.yaml b/kubernetes/apps/production/arr/kustomization.yaml
new file mode 100644
index 0000000..3c3e8e6
--- /dev/null
+++ b/kubernetes/apps/production/arr/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - bazarr/
+ - flaresolverr/
+ - prowlarr/
+ - qbitty/
+ - radarr/
+ - sabnzbd/
+ - sonarr/
+ - namespace.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/namespace.yaml b/kubernetes/apps/production/arr/namespace.yaml
new file mode 100644
index 0000000..fc153a5
--- /dev/null
+++ b/kubernetes/apps/production/arr/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: arr
+ labels:
+ name: arr
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/deployment.yaml b/kubernetes/apps/production/arr/prowlarr/deployment.yaml
new file mode 100644
index 0000000..14c5a16
--- /dev/null
+++ b/kubernetes/apps/production/arr/prowlarr/deployment.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: prowlarr
+ namespace: arr
+ labels:
+ app: prowlarr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: prowlarr
+ template:
+ metadata:
+ labels:
+ app: prowlarr
+ spec:
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ containers:
+ - name: prowlarr
+ image: ghcr.io/onedr0p/prowlarr:rolling@sha256:7234ae8ca5b14153baddf42257cc2ddc928695ce604d11a9616b635eca0e43e7
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 150m
+ limits:
+ memory: 2Gi
+ cpu: 500m
+ volumeMounts:
+ - mountPath: /config
+ name: prowlarr-config
+ volumes:
+ - name: prowlarr-config
+ persistentVolumeClaim:
+ claimName: prowlarr-config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: prowlarr-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/ingress.yaml b/kubernetes/apps/production/arr/prowlarr/ingress.yaml
new file mode 100644
index 0000000..790d52b
--- /dev/null
+++ b/kubernetes/apps/production/arr/prowlarr/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: prowlarr
+ namespace: arr
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "prowlarr.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headless-prowlarr
+ port:
+ number: 9696
+ tls:
+ - hosts:
+ - "prowlarr.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/kustomization.yaml b/kubernetes/apps/production/arr/prowlarr/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/prowlarr/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/service.yaml b/kubernetes/apps/production/arr/prowlarr/service.yaml
new file mode 100644
index 0000000..e005ac6
--- /dev/null
+++ b/kubernetes/apps/production/arr/prowlarr/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headless-prowlarr
+ namespace: arr
+spec:
+ selector:
+ app: prowlarr
+ ports:
+ - port: 9696
+ targetPort: 9696
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/deployment.yaml b/kubernetes/apps/production/arr/qbitty/deployment.yaml
new file mode 100644
index 0000000..50a4813
--- /dev/null
+++ b/kubernetes/apps/production/arr/qbitty/deployment.yaml
@@ -0,0 +1,99 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: qbitty
+ namespace: arr
+ labels:
+ app: qbitty
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: qbitty
+ template:
+ metadata:
+ labels:
+ app: qbitty
+ spec:
+ containers:
+ - name: qbitty
+ image: ghcr.io/hotio/qbittorrent@sha256:3c32e5d21f5e83558a71767dfdf7f39fe5379548829be4723270cda61f08fd56
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: VPN_ENABLED
+ value: "true"
+ - name: VPN_CONF
+ value: "wg0"
+ - name: VPN_PROVIDER
+ value: "proton"
+ - name: VPN_KEEP_LOCAL_DNS
+ value: "false"
+ - name: VPN_AUTO_PORT_FORWARD
+ value: "true"
+ - name: VPN_LAN_NETWORK
+ valueFrom:
+ secretKeyRef:
+ name: lan-network
+ key: lan-network
+ - name: VPN_LAN_LEAK_ENABLED
+ value: "false"
+ - name: VPN_FIREWALL_TYPE
+ value: "auto"
+ - name: PRIVOXY_ENABLED
+ value: "false"
+ - name: WEBUI_PORT
+ value: "8080"
+ - name: VPN_HEALTHCHECK_ENABLED
+ value: "false"
+ - name: UNBOUND_ENABLED
+ value: "false"
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "5000m"
+ volumeMounts:
+ - mountPath: /config
+ name: qbitty-config
+ - mountPath: /data
+ name: nas
+ - mountPath: /config/wireguard/
+ name: wireguard-config
+ - mountPath: /incomplete
+ name: qbitty-incomplete
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ ports:
+ - containerPort: 8080
+ name: webui
+ protocol: TCP
+ volumes:
+ - name: nas
+ nfs:
+ path: /mnt/thePool/thePoolShare
+ server: 10.0.0.10
+ - name: qbitty-config
+ persistentVolumeClaim:
+ claimName: qbitty-config
+ - name: wireguard-config
+ secret:
+ secretName: qbitty-wireguard
+ - name: qbitty-incomplete
+ emptyDir:
+ sizeLimit: 100Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: qbitty-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/ingress.yaml b/kubernetes/apps/production/arr/qbitty/ingress.yaml
new file mode 100644
index 0000000..88d138c
--- /dev/null
+++ b/kubernetes/apps/production/arr/qbitty/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: qbitty
+ namespace: arr
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/proxy-body-size: 0
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "qbitty.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: qbitty
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - "qbitty.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
diff --git a/kubernetes/apps/production/arr/qbitty/kustomization.yaml b/kubernetes/apps/production/arr/qbitty/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/qbitty/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/service.yaml b/kubernetes/apps/production/arr/qbitty/service.yaml
new file mode 100644
index 0000000..bfcd933
--- /dev/null
+++ b/kubernetes/apps/production/arr/qbitty/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: qbitty
+ namespace: arr
+spec:
+ selector:
+ app: qbitty
+ ports:
+ - port: 8080
+ targetPort: 8080
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/radarr/deployment.yaml b/kubernetes/apps/production/arr/radarr/deployment.yaml
new file mode 100644
index 0000000..8997817
--- /dev/null
+++ b/kubernetes/apps/production/arr/radarr/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: radarr
+ namespace: arr
+ labels:
+ app: radarr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: radarr
+ template:
+ metadata:
+ labels:
+ app: radarr
+ spec:
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ containers:
+ - name: radarr
+ image: ghcr.io/onedr0p/radarr:rolling@sha256:32d0e8d46f5619069d88445936670ffbca5a3aab7ed2e94e77a834ed85df81bb
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 100m
+ limits:
+ memory: 2Gi
+ cpu: 500m
+ volumeMounts:
+ - mountPath: /config
+ name: radarr-config
+ - mountPath: /data
+ name: nas
+ volumes:
+ - name: nas
+ nfs:
+ path: /mnt/thePool/thePoolShare
+ server: 10.0.0.10
+ - name: radarr-config
+ persistentVolumeClaim:
+ claimName: radarr-config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: radarr-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 3Gi
+ storageClassName: longhorn
diff --git a/kubernetes/apps/production/arr/radarr/ingress.yaml b/kubernetes/apps/production/arr/radarr/ingress.yaml
new file mode 100644
index 0000000..337d9d5
--- /dev/null
+++ b/kubernetes/apps/production/arr/radarr/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: radarr
+ namespace: arr
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "radarr.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headless-radarr
+ port:
+ number: 7878
+ tls:
+ - hosts:
+ - "radarr.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/radarr/kustomization.yaml b/kubernetes/apps/production/arr/radarr/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/radarr/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/radarr/service.yaml b/kubernetes/apps/production/arr/radarr/service.yaml
new file mode 100644
index 0000000..f2618d2
--- /dev/null
+++ b/kubernetes/apps/production/arr/radarr/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headless-radarr
+ namespace: arr
+spec:
+ selector:
+ app: radarr
+ ports:
+ - port: 7878
+ targetPort: 7878
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sabnzbd/deployment.yaml b/kubernetes/apps/production/arr/sabnzbd/deployment.yaml
new file mode 100644
index 0000000..56a2bda
--- /dev/null
+++ b/kubernetes/apps/production/arr/sabnzbd/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sabnzbd
+ namespace: arr
+ labels:
+ app: sabnzbd
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sabnzbd
+ template:
+ metadata:
+ labels:
+ app: sabnzbd
+ spec:
+ containers:
+ - name: sabnzbd
+ image: ghcr.io/linuxserver/sabnzbd@sha256:7afe3af1cff19c2a7a5d4bacb2202fcb21a0ee15b7e23e4114ab3f7070213662
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: PUID
+ value: "1000"
+ - name: PGID
+ value: "1000"
+ - name: TZ
+ value: America/New_York
+ resources:
+ requests:
+ memory: "1024Mi"
+ cpu: "500m"
+ limits:
+ memory: "4Gi"
+ cpu: "2000m"
+ volumeMounts:
+ - mountPath: /config
+ name: sabnzbd-config
+ - mountPath: /data
+ name: nas
+ - mountPath: /incomplete
+ name: sabnzbd-incomplete
+ volumes:
+ - name: nas
+ nfs:
+ path: /mnt/thePool/thePoolShare
+ server: 10.0.0.10
+ - name: sabnzbd-config
+ persistentVolumeClaim:
+ claimName: sabnzbd-config
+ - name: sabnzbd-incomplete
+ emptyDir:
+ sizeLimit: 100Gi
+ nodeSelector:
+ kubernetes.io/hostname: master3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: sabnzbd-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sabnzbd/ingress.yaml b/kubernetes/apps/production/arr/sabnzbd/ingress.yaml
new file mode 100644
index 0000000..504c5b6
--- /dev/null
+++ b/kubernetes/apps/production/arr/sabnzbd/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: sabnzbd
+ namespace: arr
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "sab.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headless-sabnzbd
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - "sab.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sabnzbd/kustomization.yaml b/kubernetes/apps/production/arr/sabnzbd/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/sabnzbd/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sabnzbd/service.yaml b/kubernetes/apps/production/arr/sabnzbd/service.yaml
new file mode 100644
index 0000000..a1f7e72
--- /dev/null
+++ b/kubernetes/apps/production/arr/sabnzbd/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headless-sabnzbd
+ namespace: arr
+spec:
+ selector:
+ app: sabnzbd
+ ports:
+ - port: 8080
+ targetPort: 8080
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sonarr/deployment.yaml b/kubernetes/apps/production/arr/sonarr/deployment.yaml
new file mode 100644
index 0000000..eefa019
--- /dev/null
+++ b/kubernetes/apps/production/arr/sonarr/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sonarr
+ namespace: arr
+ labels:
+ app: sonarr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sonarr
+ template:
+ metadata:
+ labels:
+ app: sonarr
+ spec:
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ containers:
+ - name: sonarr
+ image: ghcr.io/onedr0p/sonarr:rolling@sha256:55c6878a5367fc2398d15c9a16a70653f5e5f42c9fe9b708a038f2781fb0360f
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 75m
+ limits:
+ memory: 1024Mi
+ cpu: 150m
+ volumeMounts:
+ - mountPath: /config
+ name: sonarr-config
+ - mountPath: /data
+ name: nas
+ volumes:
+ - name: nas
+ nfs:
+ path: /mnt/thePool/thePoolShare
+ server: 10.0.0.10
+ - name: sonarr-config
+ persistentVolumeClaim:
+ claimName: sonarr-config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: sonarr-config
+ namespace: arr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 3Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sonarr/ingress.yaml b/kubernetes/apps/production/arr/sonarr/ingress.yaml
new file mode 100644
index 0000000..95aa4a0
--- /dev/null
+++ b/kubernetes/apps/production/arr/sonarr/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: sonarr
+ namespace: arr
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "sonarr.local.mafyuh.com"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headless-sonarr
+ port:
+ number: 8989
+ tls:
+ - hosts:
+ - "sonarr.local.mafyuh.com"
+ secretName: local-mafyuh-com-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sonarr/kustomization.yaml b/kubernetes/apps/production/arr/sonarr/kustomization.yaml
new file mode 100644
index 0000000..5f7a4f4
--- /dev/null
+++ b/kubernetes/apps/production/arr/sonarr/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sonarr/service.yaml b/kubernetes/apps/production/arr/sonarr/service.yaml
new file mode 100644
index 0000000..34d1760
--- /dev/null
+++ b/kubernetes/apps/production/arr/sonarr/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headless-sonarr
+ namespace: arr
+spec:
+ selector:
+ app: sonarr
+ ports:
+ - port: 8989
+ targetPort: 8989
+ protocol: TCP
+ type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/configmap.yaml b/kubernetes/apps/production/authentik/configmap.yaml
new file mode 100644
index 0000000..46aa0d7
--- /dev/null
+++ b/kubernetes/apps/production/authentik/configmap.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-values
+ namespace: authentik
+data:
+ values.yaml: ENC[AES256_GCM,data:N+DmcY0JWYURQ19cI8uMd0aT4hAE3Sc8JL7u5Is1aO0Vp1ysHfHo3pa3gNxjkNpMdK/oSEEANdWMBQnROSYTiolqegafJgU8xTyy11OTGQ1aQbB/hUavz9Za+qU2wDiqsJ3Cnysjg1kfZsYSqAe9nEmmrXTFN/Uyjjn6g+YbnrHueoDBwSxwHrfTR5b1mkGHJUHYBjMr86F0f7xSjWWa4rt1MPsLVg2Bcq03InyNSa7tNBkLhJ2uqUPDdAU33qLTMuMXMxfQj/S9bi+m+reDNc0+vUWRWJhSySntUGSyVVLTZXRpf82+jaTVTQfjPoJCo1ddXZT4HBbM8HVu7Y9oa8C+8UE9btYr7Sb1m7zF0jQOHuVRVbL72D2FDnLGKFJYjdNoRPQ2afB+d/jMdD9RYtKOyvpmayWFoSSz8jdp32jn+Y0ubZNxuhG9JFzDMQu+9E9gn+zwwnDoQsmZ5mlpWlVdOnu7A0t3gjKQYTPsxCd5tEQC8RTfcvuU0D5uP6aEgcK3RHS6rOoh8DX1RM3kw36cLDIMfxa7R7sJzBmAz5rDlnXKi+4rpEQB2zSMY1K6BuHPhAhN+lagwufaYzJF/av3wGypnQJdA4/1+FP9eeDartzkn0tIBJbwkEIJVij6mtRp1wSqdoGNV7AN9iIPfF0Nz3DSLAHHK+5OjcOGX3f5B25iA1e979NqMq8yI5IN49PiXdByo5Mpm+cotRlSAXvequOB/Sj4EOXwOsQQvWrqFAqGX41C19Wt1bV8O2WqMlP1B0U1356S0+o/KUkvUsjy4RyXwDTXnI45ghrB+yhcrb1oGZWNHvWGwtbR+vXCvYAKHAfoO2VkFfv3XJv+F7WDSpY8qM8bk+nvDcuKnN3ZsOBimA5KNRBttZKj7UZweX7RkA==,iv:MsALcVWHIsVSc/fOfbewA/GvW14ZyR0XBoKgHLMJ0pg=,tag:pJLW8Lomj7tQxln6zhzi5w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdG1aUk9aek5RVE4rZm5N
+ ajhyc3NLKzF3Q3UrUE1RSFJsci9aMWNjbEQwCmhSNENJcWlaZUpxT3lqZmdOUWVo
+ UDVwRC9vU0kwRDNXNk5VUVpMUTEwWDAKLS0tICtFL25FZFRaTEhPdWJhYmRYbFVt
+ RndrQ2JxZnMxZlBIM3RHS0E1WTlZQzQK7oTkv/PG3poAdYnqXnzX3j5ZUgMa3GFB
+ aQtceF96jKRltwPrnUgZZ5EadTaLyGAD30fqvUJ9/oP6NLe7kmsTWg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-08T01:38:06Z"
+ mac: ENC[AES256_GCM,data:eZ1eWxLcub6DaPPI+UkLb0cK/1DECeRee5RSVpo0G7DgggKS9Hwi+9K8EQ+xfTLhyDiuCh5FOlBakqinKpNo0BS2rJls1teVvFoXv/j7OwnbKRzFmSxVloC9OTGdjmAUY0wnkaN27GgassK/mUPixXGyy0rwN/qf+wel5uh8dYI=,iv:Xj4uJEF1+e9O+q63tWXIYZnDIJN1wpxiJQppl84YiJI=,tag:ioyJgO4bhkt8yJ3YsZISqA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData|secret_key|password|hosts)$
+ version: 3.9.4
diff --git a/kubernetes/apps/production/authentik/customcss.yaml b/kubernetes/apps/production/authentik/customcss.yaml
new file mode 100644
index 0000000..83a46a4
--- /dev/null
+++ b/kubernetes/apps/production/authentik/customcss.yaml
@@ -0,0 +1,135 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-custom-css
+ namespace: authentik
+data:
+ custom.css: |
+ /* Custom CSS for Authentik Login Page and Admin Interface */
+
+ :root {
+ --ak-accent: #3a3a40;
+ --pf-global--primary-color--100: #3a3a40;
+ --pf-global--primary-color--200: #3a3a40;
+ --pf-global--primary-color--400: var(--ak-accent);
+ }
+
+ /*** Main login page ***/
+ .pf-c-login__main {
+ background-color: transparent !important;
+ backdrop-filter: blur(8px);
+ border: 2px solid #807e82;
+ border-radius: 25px;
+ animation: pulse-border 3s infinite;
+ }
+
+ /* Glowing border animation */
+ @keyframes pulse-border {
+ 0%, 100% {
+ box-shadow: 0 0 10px #807e82, 0 0 15px #807e82;
+ }
+ 50% {
+ box-shadow: 0 0 15px #807e82, 0 0 25px #807e82;
+ }
+ }
+
+ /* Sidebar and footer transparency */
+ .pf-c-page__sidebar,
+ .pf-c-login__main-footer-band,
+ .pf-c-login__footer .pf-c-list {
+ background-color: transparent !important;
+ backdrop-filter: blur(10px);
+ }
+
+ /* Pseudo-elements for background effects */
+ .pf-c-login__main::before,
+ .pf-c-login__main-footer-band::before,
+ .pf-c-login__footer .pf-c-list::before,
+ .pf-c-page__sidebar::before {
+ content: "";
+ position: absolute;
+ left: 0;
+ top: 0;
+ width: 100%;
+ height: 100%;
+ z-index: -1;
+ opacity: 0.1;
+ background-color: var(--ak-dark-background);
+ border-radius: 25px;
+ }
+
+ /* Login button styling */
+ .pf-c-button.pf-m-block {
+ --pf-c-button--disabled--BackgroundColor: var(--pf-c-button--m-link--disabled--BackgroundColor);
+ color: white;
+ background-color: #3a3a40;
+ border-radius: 20px;
+ opacity: 0.785;
+ box-shadow: 2px 2px 10px rgba(0, 0, 0, 0.3);
+ width: 50%;
+ margin: 0 auto;
+ }
+
+ /* Form input styling */
+ .pf-c-form-control,
+ .pf-c-input-group {
+ border-radius: 20px;
+ border: 2px solid #3a3a40 !important;
+ }
+
+ /* Text color for various elements */
+ a,
+ body,
+ h1,
+ h2,
+ .pf-c-expandable-section__toggle,
+ .pf-c-page__header-tools,
+ .pf-c-button {
+ color: #b7b7b7 !important;
+ }
+
+ .pf-c-button.pf-m-secondary.pf-m-block::after {
+ content: none; /* Removes the content from the ::after pseudo-element */
+ box-shadow: none; /* Removes any shadow that may create a square effect */
+ border: none; /* If there's any border being applied, remove it */
+ }
+
+ /* Light mode adjustments */
+ :host([theme="light"]) .pf-c-page__header-tools-item .fas,
+ :host([theme="light"]) .pf-c-notification-badge__count,
+ :host([theme="light"]) .pf-c-page__header-tools-group .pf-c-button {
+ color: #b7b7b7 !important;
+ }
+
+ /* App card styling */
+ .pf-c-card.pf-m-compact,
+ .pf-c-expandable-section.pf-m-display-lg {
+ border-radius: 20px;
+ background: rgba(18, 18, 18, 0.4);
+ backdrop-filter: blur(7px);
+ border: 1px solid rgba(255, 255, 255, 0.2);
+ transition: box-shadow 0.3s ease-in-out;
+ box-shadow: 0 4px 15px rgba(0, 0, 0, 0.5);
+ background: linear-gradient(135deg, rgba(30, 30, 30, 0.3) 0%, rgba(15, 15, 15, 0.3) 100%);
+ }
+
+ /* App card hover effect */
+ .pf-c-card.pf-m-compact:hover,
+ .pf-c-expandable-section.pf-m-display-lg:hover {
+ box-shadow: 0 0 15px 3px #d6d6d6;
+ }
+
+ /* App icon rounded corners */
+ .icon.pf-c-avatar {
+ border-radius: 15px;
+ }
+
+ /*** Admin interface ***/
+ .pf-c-page__sidebar {
+ backdrop-filter: blur(10px);
+ }
+
+ .pf-c-page,
+ .pf-c-tabs__item {
+ background-color: transparent !important;
+ }
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/helmrelease.yaml b/kubernetes/apps/production/authentik/helmrelease.yaml
new file mode 100644
index 0000000..ec4f800
--- /dev/null
+++ b/kubernetes/apps/production/authentik/helmrelease.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: authentik
+ version: "2024.12.3"
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-chart
+ namespace: flux-system
+ interval: 15m
+ install:
+ remediation:
+ retries: 5
+ valuesFrom:
+ - kind: ConfigMap
+ name: authentik-values
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/helmrepo.yaml b/kubernetes/apps/production/authentik/helmrepo.yaml
new file mode 100644
index 0000000..b0420ef
--- /dev/null
+++ b/kubernetes/apps/production/authentik/helmrepo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: authentik-chart
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://charts.goauthentik.io
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/kustomization.yaml b/kubernetes/apps/production/authentik/kustomization.yaml
new file mode 100644
index 0000000..abec9c2
--- /dev/null
+++ b/kubernetes/apps/production/authentik/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helmrelease.yaml
+ - helmrepo.yaml
+ - configmap.yaml
+ - service.yaml
+ - customcss.yaml
+ - media-pvc.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/media-pvc.yaml b/kubernetes/apps/production/authentik/media-pvc.yaml
new file mode 100644
index 0000000..8c66e9f
--- /dev/null
+++ b/kubernetes/apps/production/authentik/media-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: authentik-media-pvc
+ namespace: authentik
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/namespace.yaml b/kubernetes/apps/production/authentik/namespace.yaml
new file mode 100644
index 0000000..a6b2e67
--- /dev/null
+++ b/kubernetes/apps/production/authentik/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
+ labels:
+ name: authentik
\ No newline at end of file
diff --git a/kubernetes/apps/production/authentik/service.yaml b/kubernetes/apps/production/authentik/service.yaml
new file mode 100644
index 0000000..347d6f6
--- /dev/null
+++ b/kubernetes/apps/production/authentik/service.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-lb
+ namespace: authentik
+spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: authentik
+ ports:
+ - name: http
+ port: 9000
+ targetPort: 9000
+ protocol: TCP
+ - name: https
+ port: 9443
+ targetPort: 9443
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-ldap-lb
+ namespace: authentik
+spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: authentik-outpost-ldap
+ ports:
+ - name: ldap
+ port: 389
+ targetPort: 3389
+ protocol: TCP
diff --git a/kubernetes/apps/production/cert-manager/certificates/local.yaml b/kubernetes/apps/production/cert-manager/certificates/local.yaml
new file mode 100644
index 0000000..c893ec3
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/certificates/local.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: local-mafyuh-com
+ namespace: default
+spec:
+ secretName: local-mafyuh-com-production-tls
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "*.local.mafyuh.com"
+ dnsNames:
+ - "local.mafyuh.com"
+ - "*.local.mafyuh.com"
\ No newline at end of file
diff --git a/kubernetes/apps/production/cert-manager/helmrelease.yaml b/kubernetes/apps/production/cert-manager/helmrelease.yaml
new file mode 100644
index 0000000..e4ea8a5
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/helmrelease.yaml
@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 5m
+ releaseName: cert-manager
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.16.3
+ sourceRef:
+ kind: HelmRepository
+ name: cert-manager-repo
+ namespace: flux-system
+ values:
+ installCRDs: true
+ replicaCount: 1
+ extraArgs:
+ - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+ - --dns01-recursive-nameservers-only
+ podDnsPolicy: None
+ podDnsConfig:
+ nameservers:
+ - "1.1.1.1"
+ - "9.9.9.9"
diff --git a/kubernetes/apps/production/cert-manager/helmrepo.yaml b/kubernetes/apps/production/cert-manager/helmrepo.yaml
new file mode 100644
index 0000000..87204f2
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/helmrepo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cert-manager-repo
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://charts.jetstack.io
diff --git a/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml b/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml
new file mode 100644
index 0000000..c94d51e
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: matt@mafyuh.dev
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ cloudflare:
+ email: matt@mafyuh.dev
+ apiTokenSecretRef:
+ name: cloudflare-token-secret
+ key: cloudflare-token
+ selector:
+ dnsZones:
+ - "mafyuh.com"
\ No newline at end of file
diff --git a/kubernetes/apps/production/cert-manager/issuers/secret-cf-token.yaml b/kubernetes/apps/production/cert-manager/issuers/secret-cf-token.yaml
new file mode 100644
index 0000000..70c4018
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/issuers/secret-cf-token.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-token-secret
+ namespace: cert-manager
+type: Opaque
+stringData:
+ cloudflare-token: ENC[AES256_GCM,data:v2kjVp6LLc/VG+ufNNfZel5ehCuZlglaVeKjfiw0YWlaO7YDYhrVbQ==,iv:+ME0TvaiOhoariGhZ+00UWvEkwlvwLhsG4zv6A0qZy8=,tag:2ZVGoDCzVeluB2Xz35mfEg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5d1BDMzRsZG1RekZ1QXJ4
+ MkZmejc2N0N5L3ZDMktuWjFNQ0FuWjBiVUFFCmFhc3JCT1poSUY4c0pVblhXWHE3
+ YVIza1ROWTFzb1QvWFY5KzR1QTFLclkKLS0tIGxHMUVUUytoMFZwVVR6eTliUlVS
+ NXFHeGlQZjZuOUZOUlFjWDByeE1nTkUKIj2H5RlZXGnCoRv8C5AMcwiiuAVZq/d2
+ J70Wv/Dq/k4QNWC357Zj8sgMJicDjpOHbwgBwj6b+StEmPAeWgFBVg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-28T04:59:18Z"
+ mac: ENC[AES256_GCM,data:6P0dTpxLmBacIJd3OQzPoh89l0eGarG7nc4X2rl/ULLn7IfiRh7CAo1RYbypCLzlo60WQGOD1bY0vzd+E652vqdV4BjuLG4WYm3lDTZ8BbpwUw1G2y9+5gg8zQPVhBcbGg9xV+gszTcaF6oziFT2q6OqD4Hhbgt8vCXOLD13bG4=,iv:5OFeeyapfZXaZyKNYDKzOTNCxocYS7f0ryW5ubJ16TQ=,tag:peEEC2Re+LCGRRd/hRdiwg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/kubernetes/apps/production/cert-manager/kustomization.yaml b/kubernetes/apps/production/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..f404a37
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - certificates/local.yaml
+ - helmrelease.yaml
+ - helmrepo.yaml
+ - issuers/letsencrypt.yaml
+ - issuers/secret-cf-token.yaml
+ - namespace.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/cert-manager/namespace.yaml b/kubernetes/apps/production/cert-manager/namespace.yaml
new file mode 100644
index 0000000..8225b4b
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ name: cert-manager
\ No newline at end of file
diff --git a/kubernetes/apps/production/kustomization.yaml b/kubernetes/apps/production/kustomization.yaml
new file mode 100644
index 0000000..807da4d
--- /dev/null
+++ b/kubernetes/apps/production/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - arr/
+ - authentik/
+ - cert-manager/
+ - longhorn/
+ - nginx/
+ - reflector/
\ No newline at end of file
diff --git a/kubernetes/apps/production/longhorn/helmrelease.yaml b/kubernetes/apps/production/longhorn/helmrelease.yaml
new file mode 100644
index 0000000..879a621
--- /dev/null
+++ b/kubernetes/apps/production/longhorn/helmrelease.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: longhorn-release
+ namespace: longhorn-system
+spec:
+ chart:
+ spec:
+ chart: longhorn
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: longhorn-repo
+ version: v1.8.0
+ interval: 1m0s
diff --git a/kubernetes/apps/production/longhorn/helmrepo.yaml b/kubernetes/apps/production/longhorn/helmrepo.yaml
new file mode 100644
index 0000000..177e36b
--- /dev/null
+++ b/kubernetes/apps/production/longhorn/helmrepo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: longhorn-repo
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ url: https://charts.longhorn.io
diff --git a/kubernetes/apps/production/longhorn/ingress.yaml b/kubernetes/apps/production/longhorn/ingress.yaml
new file mode 100644
index 0000000..51faad3
--- /dev/null
+++ b/kubernetes/apps/production/longhorn/ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: longhorn-ingress
+ namespace: longhorn-system
+ annotations:
+ # Prevent the controller from redirecting (308) to HTTPS
+ nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+ # Custom max body size for file uploading, like backing image uploading
+ nginx.ingress.kubernetes.io/proxy-body-size: 10000m
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "longhorn.local.mafyuh.com"
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: longhorn-frontend
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - longhorn.local.mafyuh.com
+ secretName: local-mafyuh-com-production-tls
diff --git a/kubernetes/apps/production/longhorn/kustomization.yaml b/kubernetes/apps/production/longhorn/kustomization.yaml
new file mode 100644
index 0000000..4fd5012
--- /dev/null
+++ b/kubernetes/apps/production/longhorn/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease.yaml
+ - helmrepo.yaml
+ - ingress.yaml
+ - namespace.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/longhorn/namespace.yaml b/kubernetes/apps/production/longhorn/namespace.yaml
new file mode 100644
index 0000000..be5f617
--- /dev/null
+++ b/kubernetes/apps/production/longhorn/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: longhorn-system
+ labels:
+ name: longhorn-system
\ No newline at end of file
diff --git a/kubernetes/apps/production/nginx/helmrelease.yaml b/kubernetes/apps/production/nginx/helmrelease.yaml
new file mode 100644
index 0000000..7bfee86
--- /dev/null
+++ b/kubernetes/apps/production/nginx/helmrelease.yaml
@@ -0,0 +1,20 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: nginx-ingress
+ namespace: ingress-nginx
+spec:
+ interval: 5m
+ releaseName: nginx-ingress
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.12.0
+ sourceRef:
+ kind: HelmRepository
+ name: nginx-ingress-repo
+ namespace: flux-system
+ values:
+ controller:
+ service:
+ type: LoadBalancer
diff --git a/kubernetes/apps/production/nginx/helmrepo.yaml b/kubernetes/apps/production/nginx/helmrepo.yaml
new file mode 100644
index 0000000..f36f115
--- /dev/null
+++ b/kubernetes/apps/production/nginx/helmrepo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: nginx-ingress-repo
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://kubernetes.github.io/ingress-nginx
diff --git a/kubernetes/apps/production/nginx/kustomization.yaml b/kubernetes/apps/production/nginx/kustomization.yaml
new file mode 100644
index 0000000..5748949
--- /dev/null
+++ b/kubernetes/apps/production/nginx/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease.yaml
+ - helmrepo.yaml
+ - namespace.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/nginx/namespace.yaml b/kubernetes/apps/production/nginx/namespace.yaml
new file mode 100644
index 0000000..be87e98
--- /dev/null
+++ b/kubernetes/apps/production/nginx/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nginx-ingress
+ labels:
+ name: nginx-ingress
\ No newline at end of file
diff --git a/kubernetes/apps/production/reflector/helmrelease.yaml b/kubernetes/apps/production/reflector/helmrelease.yaml
new file mode 100644
index 0000000..1a7a9bd
--- /dev/null
+++ b/kubernetes/apps/production/reflector/helmrelease.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: reflector
+ namespace: reflector-system
+spec:
+ interval: 5m
+ releaseName: reflector
+ chart:
+ spec:
+ chart: reflector
+ version: 7.1.288
+ sourceRef:
+ kind: HelmRepository
+ name: reflector-repo
+ namespace: flux-system
+ values:
+ replicaCount: 1
\ No newline at end of file
diff --git a/kubernetes/apps/production/reflector/helmrepo.yaml b/kubernetes/apps/production/reflector/helmrepo.yaml
new file mode 100644
index 0000000..1c384e3
--- /dev/null
+++ b/kubernetes/apps/production/reflector/helmrepo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: reflector-repo
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://emberstack.github.io/helm-charts
\ No newline at end of file
diff --git a/kubernetes/apps/production/reflector/kustomization.yaml b/kubernetes/apps/production/reflector/kustomization.yaml
new file mode 100644
index 0000000..82492a5
--- /dev/null
+++ b/kubernetes/apps/production/reflector/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrepo.yaml
+ - helmrelease.yaml
+ - namespace.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/reflector/namespace.yaml b/kubernetes/apps/production/reflector/namespace.yaml
new file mode 100644
index 0000000..a5aea43
--- /dev/null
+++ b/kubernetes/apps/production/reflector/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: reflector-system
+ labels:
+ name: reflector-system
\ No newline at end of file
diff --git a/kubernetes/cluster/production/README.md b/kubernetes/cluster/production/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/kubernetes/cluster/production/flux-system/gotk-sync.yaml b/kubernetes/cluster/production/flux-system/gotk-sync.yaml
index 11be014..2ff915e 100644
--- a/kubernetes/cluster/production/flux-system/gotk-sync.yaml
+++ b/kubernetes/cluster/production/flux-system/gotk-sync.yaml
@@ -20,7 +20,7 @@ metadata:
namespace: flux-system
spec:
interval: 10m0s
- path: ./kubernetes/cluster/production
+ path: ./kubernetes
prune: true
sourceRef:
kind: GitRepository
diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml
new file mode 100644
index 0000000..0162701
--- /dev/null
+++ b/kubernetes/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- apps/
+- cluster/production/
diff --git a/kubernetes/secrets/qbitty-secrets.yaml b/kubernetes/secrets/qbitty-secrets.yaml
new file mode 100644
index 0000000..282e7e7
--- /dev/null
+++ b/kubernetes/secrets/qbitty-secrets.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: qbitty-wireguard
+ namespace: arr
+type: Opaque
+data:
+ wg0.conf: ENC[AES256_GCM,data:J1FCcmGCNtrz1TY8XodUZsAjKGyJ7jhhRmIoCIpYECmIGbH6KIcpxegrl6yu4gQ4g3ESTfZEpgGUXdXB44+EOz1FrzxQzEOvm5XvOyWClPYxm0ihKDEXUEWJiNqA+ALK7HJ1xWtNr1Y/YSoDlRjUW28x16vMDfc6xAI+L6SIAy++laAE0SC7L6C6AAU92y9GbEz9jvFTG4KpkagxJs/OwEXSdveaF/14BiPfmkPBfBF/+YHdFM8bOBpk0oIPv4FMpyOItMHJLVETaMgLHEktUAj5tzFh42zi2niUBH3zcwrxJ5P7auU/br2kzamgeiNavg20KG4p45DasV5KCX8L/qjM4mBD4GcVuO0yssCQFRac9QkesR3cKG7BjfHEoRbgprr8wPdOJCcLel9neUT0L4xs9UO9HoX2aZG1yHWaJv/NidnTyp9gKVKmzKYy1ozs7+iVKGI0GNmRExvr9OqGhP0kW+KZZUlHWx36KXumL3nojseR+dVN2lMFzv25vXqbYPI7YGe+7vp48IB6Iy7KDGmylAKT9zi/+UHPGBaNauMguFWgRN5++SzVmU0GqwMzlsFU+CChc0Bx7j1W5EjxOrRYp6twHj4HrfIDKedi4Pk6eOQeX1brdSAqW3mNP7eebscS8KU7ZEXZRXQy,iv:HbWrbhbeqy72eudik8gj+0nd39QoXl9zVhc7jWgjlNU=,tag:FT/SKHF0ZhKV3sXBzdfhgQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQXNzeStVQW9XSnUrZnha
+ Q2s4OVpaMjRMTTFPWjMrZjFEcE0wWkJFNGtvClVZWXBDK3pJcERBS3ZGbWk1Nks3
+ eXFkMjl3dHZsa3ZUSEFmM09hWlpPbWsKLS0tIDBmTTREck11R3dzaFdMS3FmYUFH
+ R0hKRmJoSDd0UHFBZzI2cExUdlhXZjQKHAmiPndRDpUsfgi1mofov5T28KDB7GEL
+ tL7srFCfQUQfCfgWXTNf00KiSZkKjYwOKistaExEN90kllfjjjSWZg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-02T03:30:13Z"
+ mac: ENC[AES256_GCM,data:/zhxrwAFbIQz0apwH/fZFQ5nIEjBuxZnb2VN4LAuUCxA7wslfueEcQvwmRpjviibHR2yhnGXReQ7ZpBuKmI3ME19/KhoHxaPxokWIEb1l1oXhpOfvnItGzYB+hQjP8Rxup6J4p40VbfkUXku5p7zcGecjdrbn09VViZT/XwIYnk=,iv:I+J/ab0AXtjIy0TV+1WHzpNLPITZfkY9iUTS6jq6ZME=,tag:cdLwYNS0RYsAkJYFhKJNtg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: lan-network
+ namespace: arr
+type: Opaque
+stringData:
+ lan-network: ENC[AES256_GCM,data:7fOVwSQw8916epH8LUir4ZKAEVxooiFGbk+V7FE1ZUI2EWPyfmQ=,iv:yHp2luIyl0Lgy7JjI8jE624M0Hsa4Pquo5TiPRyG5gw=,tag:B4SowM3MQubE986WhA1gLg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQXNzeStVQW9XSnUrZnha
+ Q2s4OVpaMjRMTTFPWjMrZjFEcE0wWkJFNGtvClVZWXBDK3pJcERBS3ZGbWk1Nks3
+ eXFkMjl3dHZsa3ZUSEFmM09hWlpPbWsKLS0tIDBmTTREck11R3dzaFdMS3FmYUFH
+ R0hKRmJoSDd0UHFBZzI2cExUdlhXZjQKHAmiPndRDpUsfgi1mofov5T28KDB7GEL
+ tL7srFCfQUQfCfgWXTNf00KiSZkKjYwOKistaExEN90kllfjjjSWZg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-02T03:30:13Z"
+ mac: ENC[AES256_GCM,data:/zhxrwAFbIQz0apwH/fZFQ5nIEjBuxZnb2VN4LAuUCxA7wslfueEcQvwmRpjviibHR2yhnGXReQ7ZpBuKmI3ME19/KhoHxaPxokWIEb1l1oXhpOfvnItGzYB+hQjP8Rxup6J4p40VbfkUXku5p7zcGecjdrbn09VViZT/XwIYnk=,iv:I+J/ab0AXtjIy0TV+1WHzpNLPITZfkY9iUTS6jq6ZME=,tag:cdLwYNS0RYsAkJYFhKJNtg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/kubernetes/secrets/secret-cf-token.yaml b/kubernetes/secrets/secret-cf-token.yaml
new file mode 100644
index 0000000..70c4018
--- /dev/null
+++ b/kubernetes/secrets/secret-cf-token.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-token-secret
+ namespace: cert-manager
+type: Opaque
+stringData:
+ cloudflare-token: ENC[AES256_GCM,data:v2kjVp6LLc/VG+ufNNfZel5ehCuZlglaVeKjfiw0YWlaO7YDYhrVbQ==,iv:+ME0TvaiOhoariGhZ+00UWvEkwlvwLhsG4zv6A0qZy8=,tag:2ZVGoDCzVeluB2Xz35mfEg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5d1BDMzRsZG1RekZ1QXJ4
+ MkZmejc2N0N5L3ZDMktuWjFNQ0FuWjBiVUFFCmFhc3JCT1poSUY4c0pVblhXWHE3
+ YVIza1ROWTFzb1QvWFY5KzR1QTFLclkKLS0tIGxHMUVUUytoMFZwVVR6eTliUlVS
+ NXFHeGlQZjZuOUZOUlFjWDByeE1nTkUKIj2H5RlZXGnCoRv8C5AMcwiiuAVZq/d2
+ J70Wv/Dq/k4QNWC357Zj8sgMJicDjpOHbwgBwj6b+StEmPAeWgFBVg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-28T04:59:18Z"
+ mac: ENC[AES256_GCM,data:6P0dTpxLmBacIJd3OQzPoh89l0eGarG7nc4X2rl/ULLn7IfiRh7CAo1RYbypCLzlo60WQGOD1bY0vzd+E652vqdV4BjuLG4WYm3lDTZ8BbpwUw1G2y9+5gg8zQPVhBcbGg9xV+gszTcaF6oziFT2q6OqD4Hhbgt8vCXOLD13bG4=,iv:5OFeeyapfZXaZyKNYDKzOTNCxocYS7f0ryW5ubJ16TQ=,tag:peEEC2Re+LCGRRd/hRdiwg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/terraform/flux/main.tf b/terraform/flux/main.tf
index b527f8d..5885325 100644
--- a/terraform/flux/main.tf
+++ b/terraform/flux/main.tf
@@ -7,7 +7,7 @@ provider "flux" {
config_path = "~/.kube/config"
}
git = {
- url = "https://git.mafyuh.dev/mafyuh/k3s"
+ url = "https://git.mafyuh.dev/mafyuh/iac"
http = {
username = "mafyuh"
password = data.bitwarden-secrets_secret.git_flux_password.value
@@ -16,5 +16,9 @@ provider "flux" {
}
resource "flux_bootstrap_git" "flux" {
- path = "cluster/production"
+ path = "kubernetes/cluster/production"
+
+ lifecycle {
+ ignore_changes = all
+ }
}
\ No newline at end of file