update

.gitlab/.gitlab-ci.yml

@@ -1,2 +0,0 @@
-include:
-  - local: infra/.gitlab/.gitlab-ci.yml

argocd/Chart.yaml

@@ -9,6 +9,6 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 6.7.11
 
 

argocd/templates/InternalProxy.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/internalproxy
+    targetRevision: dmz
+    path: internalproxy
     directory:
       recurse: true
   destination:

argocd/templates/argocd.yaml

@@ -1,16 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: durpot
+  name: argocd
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/durpot
+    targetRevision: dmz
+    path: argocd
   destination:
-    namespace: durpot
+    namespace: argocd
     name: in-cluster
   syncPolicy:
     automated:

argocd/templates/cert-manager.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/cert-manager
+    targetRevision: dmz
+    path: cert-manager
   destination:
     namespace: cert-manager
     name: in-cluster
@@ -18,4 +18,3 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
-

argocd/templates/external-dns.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/external-dns
+    targetRevision: dmz
+    path: external-dns
   destination:
     namespace: external-dns
     name: in-cluster

argocd/templates/external-secrets.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/external-secrets
+    targetRevision: dmz
+    path: external-secrets
   destination:
     namespace: external-secrets
     name: in-cluster

argocd/templates/gatekeeper.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/gatekeeper
+    targetRevision: dmz
+    path: gatekeeper
   destination:
     namespace: gatekeeper
     name: in-cluster

argocd/templates/gitlab-runner.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/gitlab-runner
+    targetRevision: dmz
+    path: gitlab-runner
   destination:
     namespace: gitlab-runner
     name: in-cluster

argocd/templates/kube-prometheus-stack.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/kube-prometheus-stack
+    targetRevision: dmz
+    path: kube-prometheus-stack
   destination:
     namespace: kube-prometheus-stack
     name: in-cluster

argocd/templates/kubeclarity.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/kubeclarity
+    targetRevision: dmz
+    path: kubeclarity
   destination:
     namespace: kubeclarity
     name: in-cluster

argocd/templates/longhorn.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/longhorn
+    targetRevision: dmz
+    path: longhorn
   destination:
     namespace: longhorn-system
     name: in-cluster

argocd/templates/metallb-system.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/metallb-system
+    targetRevision: dmz
+    path: metallb-system
   destination:
     namespace: metallb-system
     name: in-cluster
@@ -19,3 +19,4 @@ spec:
     syncOptions:
       - CreateNamespace=true 
 
+

argocd/templates/traefik.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/traefik
+    targetRevision: dmz
+    path: traefik
   destination:
     namespace: traefik
     name: in-cluster
@@ -18,4 +18,3 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
-

argocd/templates/uptimekuma.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/uptimekuma
+    targetRevision: dmz
+    path: uptimekuma
     directory:
       recurse: true
   destination:

argocd/templates/vault.yaml

@@ -7,8 +7,8 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/vault
+    targetRevision: dmz
+    path: vault
   destination:
     namespace: vault
     name: in-cluster

cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: 1.*.*

dmz/internalproxy/templates/ollama.yaml

@@ -1,101 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: ollama-secret
-spec:
-  secretStoreRef:
-    name: vault
-    kind: ClusterSecretStore
-  target:
-    name: ollama-secret
-  data:
-    - secretKey: users
-      remoteRef:
-        key: secrets/internalproxy/ollama
-        property: users
-
----
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: ollama-basic-auth
-spec:
-  basicAuth:
-    secret: ollama-secret
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: ollama
-spec:
-  ports:
-    - name: app
-      port: 11435
-      protocol: TCP
-      targetPort: 11435
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: ollama
-subsets:
-  - addresses:
-      - ip: 192.168.20.104
-    ports:
-      - name: app
-        port: 11435
-        protocol: TCP
-
----
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ollama-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
-      middlewares:
-        - name: ollama-basic-auth
-      kind: Rule
-      services:
-        - name: ollama
-          port: 11435
-  tls:
-    secretName: ollama-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ollama-tls
-spec:
-  secretName: ollama-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "ollama.durp.info"
-  dnsNames:
-    - "ollama.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: ollama-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 6.20.3

external-dns/values.yaml

@@ -4,10 +4,10 @@ external-dns:
 
   image:
     pullPolicy: Always
-
+  txtPrefix: "dmz-"
   sources:
     - service
-    
+
   provider: cloudflare
   cloudflare:
     secretName : "external-dns"

external-secrets/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.10.4
+  version: 0.8.1
 

external-secrets/templates/secret-store.yaml

@@ -1,3 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.internal.prd.durp.info"
+      path: "secrets"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "dmz-external-secrets"
+
+---
+
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -11,13 +28,6 @@ spec:
   data:
   - secretKey: cloudflare-api-token-secret
     remoteRef:
-      key: kv/cert-manager
+      key: secrets/cert-manager
       property: cloudflare-api-token-secret
 
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault
-

gatekeeper/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gatekeeper
   repository: https://open-policy-agent.github.io/gatekeeper/charts
-  version: 3.17.1
+  version: 3.14.0

gatekeeper/values.yaml

@@ -0,0 +1,277 @@
+gatekeeper:
+  replicas: 3
+  revisionHistoryLimit: 10
+  auditInterval: 60
+  metricsBackends: ["prometheus"]
+  auditMatchKindOnly: false
+  constraintViolationsLimit: 20
+  auditFromCache: false
+  disableMutation: false
+  disableValidatingWebhook: false
+  validatingWebhookName: gatekeeper-validating-webhook-configuration
+  validatingWebhookTimeoutSeconds: 3
+  validatingWebhookFailurePolicy: Ignore
+  validatingWebhookAnnotations: {}
+  validatingWebhookExemptNamespacesLabels: {}
+  validatingWebhookObjectSelector: {}
+  validatingWebhookCheckIgnoreFailurePolicy: Fail
+  validatingWebhookCustomRules: {}
+  validatingWebhookURL: null
+  enableDeleteOperations: false
+  enableExternalData: true
+  enableGeneratorResourceExpansion: true
+  enableTLSHealthcheck: false
+  maxServingThreads: -1
+  mutatingWebhookName: gatekeeper-mutating-webhook-configuration
+  mutatingWebhookFailurePolicy: Ignore
+  mutatingWebhookReinvocationPolicy: Never
+  mutatingWebhookAnnotations: {}
+  mutatingWebhookExemptNamespacesLabels: {}
+  mutatingWebhookObjectSelector: {}
+  mutatingWebhookTimeoutSeconds: 1
+  mutatingWebhookCustomRules: {}
+  mutatingWebhookURL: null
+  mutationAnnotations: false
+  auditChunkSize: 500
+  logLevel: INFO
+  logDenies: false
+  logMutations: false
+  emitAdmissionEvents: false
+  emitAuditEvents: false
+  admissionEventsInvolvedNamespace: false
+  auditEventsInvolvedNamespace: false
+  resourceQuota: true
+  externaldataProviderResponseCacheTTL: 3m
+  image:
+    repository: openpolicyagent/gatekeeper
+    crdRepository: openpolicyagent/gatekeeper-crds
+    release: v3.15.0-beta.0
+    pullPolicy: Always
+    pullSecrets: []
+  preInstall:
+    crdRepository:
+      image:
+        repository: null
+        tag: v3.15.0-beta.0
+  postUpgrade:
+    labelNamespace:
+      enabled: false
+      image:
+        repository: openpolicyagent/gatekeeper-crds
+        tag: v3.15.0-beta.0
+        pullPolicy: IfNotPresent
+        pullSecrets: []
+      extraNamespaces: []
+      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+        "pod-security.kubernetes.io/audit-version=latest",
+        "pod-security.kubernetes.io/warn=restricted",
+        "pod-security.kubernetes.io/warn-version=latest",
+        "pod-security.kubernetes.io/enforce=restricted",
+        "pod-security.kubernetes.io/enforce-version=v1.24"]
+      extraAnnotations: {}
+      priorityClassName: ""
+    affinity: {}
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 999
+      runAsNonRoot: true
+      runAsUser: 1000
+  postInstall:
+    labelNamespace:
+      enabled: true
+      extraRules: []
+      image:
+        repository: openpolicyagent/gatekeeper-crds
+        tag: v3.15.0-beta.0
+        pullPolicy: IfNotPresent
+        pullSecrets: []
+      extraNamespaces: []
+      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+        "pod-security.kubernetes.io/audit-version=latest",
+        "pod-security.kubernetes.io/warn=restricted",
+        "pod-security.kubernetes.io/warn-version=latest",
+        "pod-security.kubernetes.io/enforce=restricted",
+        "pod-security.kubernetes.io/enforce-version=v1.24"]
+      extraAnnotations: {}
+      priorityClassName: ""
+    probeWebhook:
+      enabled: true
+      image:
+        repository: curlimages/curl
+        tag: 7.83.1
+        pullPolicy: IfNotPresent
+        pullSecrets: []
+      waitTimeout: 60
+      httpTimeout: 2
+      insecureHTTPS: false
+      priorityClassName: ""
+    affinity: {}
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 999
+      runAsNonRoot: true
+      runAsUser: 1000
+  preUninstall:
+    deleteWebhookConfigurations:
+      extraRules: []
+      enabled: false
+      image:
+        repository: openpolicyagent/gatekeeper-crds
+        tag: v3.15.0-beta.0
+        pullPolicy: IfNotPresent
+        pullSecrets: []
+      priorityClassName: ""
+    affinity: {}
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 999
+      runAsNonRoot: true
+      runAsUser: 1000
+  podAnnotations: {}
+  auditPodAnnotations: {}
+  podLabels: {}
+  podCountLimit: "100"
+  secretAnnotations: {}
+  enableRuntimeDefaultSeccompProfile: true
+  controllerManager:
+    exemptNamespaces: []
+    exemptNamespacePrefixes: []
+    hostNetwork: false
+    dnsPolicy: ClusterFirst
+    port: 8443
+    metricsPort: 8888
+    healthPort: 9090
+    readinessTimeout: 1
+    livenessTimeout: 1
+    priorityClassName: system-cluster-critical
+    disableCertRotation: false
+    tlsMinVersion: 1.3
+    clientCertName: ""
+    strategyType: RollingUpdate
+    affinity:
+      podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                  - key: gatekeeper.sh/operation
+                    operator: In
+                    values:
+                      - webhook
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+    topologySpreadConstraints: []
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    resources:
+      limits:
+        memory: 512Mi
+      requests:
+        cpu: 100m
+        memory: 512Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 999
+      runAsNonRoot: true
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 999
+      supplementalGroups:
+        - 999
+    extraRules: []
+    networkPolicy:
+      enabled: false
+      ingress: { }
+        # - from:
+        #   - ipBlock:
+        #       cidr: 0.0.0.0/0
+  audit:
+    enablePubsub: false
+    connection: audit-connection
+    channel: audit-channel
+    hostNetwork: false
+    dnsPolicy: ClusterFirst
+    metricsPort: 8888
+    healthPort: 9090
+    readinessTimeout: 1
+    livenessTimeout: 1
+    priorityClassName: system-cluster-critical
+    disableCertRotation: false
+    affinity: {}
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    resources:
+      limits:
+        memory: 512Mi
+      requests:
+        cpu: 100m
+        memory: 512Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 999
+      runAsNonRoot: true
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 999
+      supplementalGroups:
+        - 999
+    writeToRAMDisk: false
+    extraRules: []
+  crds:
+    affinity: {}
+    tolerations: []
+    nodeSelector: {kubernetes.io/os: linux}
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 65532
+      runAsNonRoot: true
+      runAsUser: 65532
+  pdb:
+    controllerManager:
+      minAvailable: 1
+  service: {}
+  disabledBuiltins: ["{http.send}"]
+  psp:
+    enabled: true
+  upgradeCRDs:
+    enabled: true
+    extraRules: []
+    priorityClassName: ""
+  rbac:
+    create: true
+  externalCertInjection:
+    enabled: false
+    secretName: gatekeeper-webhook-server-cert

gitlab-runner/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.43.0

infra/.gitlab/.gitlab-ci.yml

@@ -1,95 +0,0 @@
-stages:
-  - plan
-  - apply
-  - destroy
-
-variables:
-  WORKDIR: $CI_PROJECT_DIR/infra/terraform
-  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra
-
-image:
-  name: registry.internal.durp.info/opentofu/opentofu:latest
-  entrypoint: [""]
-
-.tf-init:
-  before_script:
-    - cd $WORKDIR
-    - tofu init 
-      -reconfigure 
-      -backend-config="address=${GITLAB_TF_ADDRESS}" 
-      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
-      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-      -backend-config="username=gitlab-ci-token" 
-      -backend-config="password=${CI_JOB_TOKEN}"
-      -backend-config="lock_method=POST"
-      -backend-config="unlock_method=DELETE"
-      -backend-config="retry_wait_min=5"
-
-format:
-  stage: .pre
-  allow_failure: false
-  script:
-    - cd $WORKDIR
-    - tofu fmt -diff -check -write=false
-  rules:
-    - changes:
-        - "infra/terraform/*.tf"
-
-validate:
-  stage: .pre
-  allow_failure: false
-  extends: .tf-init
-  script:
-    - tofu validate
-  rules:
-    - changes:
-        - "infra/terraform/*.tf"
-
-plan-infrastructure:
-  stage: plan
-  variables:
-    PLAN: plan.tfplan
-    JSON_PLAN_FILE: tfplan.json
-    ENVIRONMENT_NAME: infra
-  allow_failure: false
-  extends: .tf-init
-  script:
-    - apk add --update curl jq
-    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
-    - tofu plan -out=$PLAN $ARGUMENTS
-    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
-  artifacts:
-    reports:
-      terraform: $WORKDIR/$JSON_PLAN_FILE
-  needs: ["validate","format"]
-  rules:
-    - changes:
-        - "infra/terraform/*.tf"
-
-apply-infrastructure:
-  stage: apply
-  variables:
-    ENVIRONMENT_NAME: infra
-  allow_failure: false
-  extends: .tf-init
-  script:
-    - tofu apply -auto-approve $ARGUMENTS
-  rules:
-    - changes:
-        - "infra/terraform/*.tf"
-      when: manual
-  needs: ["plan-infrastructure"]
-
-destroy-infrastructure:
-  stage: destroy
-  variables:
-    ENVIRONMENT_NAME: infra
-  allow_failure: false
-  extends: .tf-init
-  script:
-    - tofu destroy -auto-approve $ARGUMENTS
-  rules:
-    - changes:
-        - "infra/terraform/*.tf"
-      when: manual
-  needs: ["plan-infrastructure"]

infra/argocd/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: argocd
-description: A Helm chart for Kubernetes
-type: application
-
-version: 0.1.0
-appVersion: "1.16.0"
-
-dependencies:
-- name: argo-cd
-  repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1

infra/argocd/templates/argocd.yaml

@@ -1,79 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: argocd
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/argocd
-  destination:
-    namespace: argocd
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-
----
-
-#apiVersion: external-secrets.io/v1beta1
-#kind: ExternalSecret
-#metadata:
-#  name: vault-argocd
-#  labels:
-#    app.kubernetes.io/part-of: argocd
-#spec:
-#  secretStoreRef:
-#    name: vault
-#    kind: ClusterSecretStore
-#  target:
-#    name: client-secret
-#  data:
-#  - secretKey: clientSecret
-#    remoteRef:
-#      key: secrets/argocd/authentik
-#      property: clientsecret
-
----
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: argocd-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`argocd.infra.durp.info`)
-      #middlewares:
-      #  - name: whitelist
-      #    namespace: traefik
-      kind: Rule
-      services:
-        - name: argocd-server
-          port: 443
-          scheme: https
-  tls:
-    secretName: argocd-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: argocd-tls
-spec:
-  secretName: argocd-tls
-  issuerRef:
-    name: vault-issuer
-    kind: ClusterIssuer
-  commonName: "argocd.infra.durp.info"
-  dnsNames:
-    - "argocd.infra.durp.info"

infra/argocd/templates/external-secrets.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-secrets
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/external-secrets
-  destination:
-    namespace: external-secrets
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-

infra/argocd/values.yaml

@@ -1,62 +0,0 @@
-argo-cd:
-
-  global:
-    revisionHistoryLimit: 1
-    image:
-      repository: registry.internal.durp.info/argoproj/argocd
-      imagePullPolicy: Always
-
-  server:
-    #extraArgs:
-    #  - --dex-server-plaintext
-    #  - --dex-server=argocd-dex-server:5556
-    # oidc.config: |
-    #   name: AzureAD
-    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
-    #   clientSecret: $oidc.azuread.clientSecret
-    #   requestedIDTokenClaims:
-    #     groups:
-    #       essential: true
-    #   requestedScopes:
-    #     - openid
-    #     - profile
-    #     - email
-
-  dex:
-    enabled: true
-    image:
-      repository: registry.internal.durp.info/dexidp/dex
-      imagePullPolicy: Always
-
-  configs:
-    cm:
-      create: true
-      annotations: {}
-      url: https://argocd.internal.durp.info
-      oidc.tls.insecure.skip.verify: "true"
-      dex.config: |
-        connectors:
-          - config:
-              issuer: https://authentik.durp.info/application/o/argocd/
-              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
-              clientSecret: $client-secret:clientSecret
-              insecureEnableGroups: true
-              scopes:
-                - openid
-                - profile
-                - email
-                - groups
-            name: authentik
-            type: oidc
-            id: authentik
-
-    rbac:
-      create: true
-      policy.csv: |
-        g, ArgoCD Admins, role:admin
-      scopes: "[groups]"
-
-  server:
-    route: 
-      enabled: false

infra/authentik/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: authentik
-description: A Helm chart for Kubernetes
-type: application
-
-version: 0.1.0
-appVersion: "1.16.0"
-
-dependencies:
-- name: authentik
-  repository: https://charts.goauthentik.io
-  version: 2024.8.3

infra/authentik/templates/ingress.yaml

@@ -1,42 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: authentik-server
-      port: 80
-  tls:
-    secretName: authentik-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  secretName: authentik-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info" 
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

infra/authentik/templates/secrets.yaml

@@ -1,28 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: authentik-secret
-spec:
-  secretStoreRef:
-    name: vault
-    kind: ClusterSecretStore
-  target:
-    name: db-pass
-  data:
-  - secretKey: dbpass
-    remoteRef:
-      key: secrets/authentik/database
-      property: dbpass
-  - secretKey: secretkey
-    remoteRef:
-      key: secrets/authentik/database
-      property: secretkey     
-  - secretKey: postgresql-postgres-password 
-    remoteRef:
-      key: secrets/authentik/database
-      property: dbpass
-  - secretKey: postgresql-password 
-    remoteRef:
-      key: secrets/authentik/database
-      property: dbpass
-        

infra/authentik/values.yaml

@@ -1,56 +0,0 @@
-authentik:
-  global:
-    env: 
-      - name: AUTHENTIK_POSTGRESQL__PASSWORD
-        valueFrom:
-          secretKeyRef:
-            name: db-pass
-            key: dbpass
-      - name: AUTHENTIK_SECRET_KEY
-        valueFrom:
-          secretKeyRef:
-            name: db-pass
-            key: secretkey
-    revisionHistoryLimit: 1
-    image:
-      repository: registry.durp.info/goauthentik/server
-      pullPolicy: Always
-  authentik:
-    outposts:
-      container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
-    postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
-      name: "authentik"
-      user: "authentik"
-      port: 5432
-  server:
-    name: server
-    replicas: 3
-  worker:
-    replicas: 3
-  postgresql:
-    enabled: true
-    image:
-      registry: registry.durp.info
-      repository: bitnami/postgresql
-      pullPolicy: Always
-    postgresqlUsername: "authentik"
-    postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
-    persistence:
-      enabled: true
-      storageClass: longhorn
-      accessModes:
-        - ReadWriteMany
-  redis:
-    enabled: true
-    master:
-      persistence:
-        enabled: false    
-    image:
-      registry: registry.durp.info
-      repository: bitnami/redis
-      pullPolicy: Always
-    architecture: standalone
-    auth:
-      enabled: false

infra/cert-manager/templates/issuer.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: issuer
-secrets:
-  - name:  issuer-token-lmzpj

infra/cert-manager/values.yaml

@@ -1,26 +0,0 @@
-cert-manager:
-  crds:
-    enabled: true
-  image:
-    registry: registry.internal.durp.info
-    repository: jetstack/cert-manager-controller
-    pullPolicy: Always
-  replicaCount: 3
-  #extraArgs:
-  #  - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
-  #  - --dns01-recursive-nameservers-only
-  #podDnsPolicy: None
-  #podDnsConfig:
-  #  nameservers:
-  #    - "1.1.1.1"
-  #    - "1.0.0.1"
-  webhook:
-    image:
-      registry: registry.internal.durp.info
-      repository: jetstack/cert-manager-webhook
-      pullPolicy: Always  
-  cainjector:
-    image:
-      registry: registry.internal.durp.info
-      repository: jetstack/cert-manager-cainjector
-      pullPolicy: Always

infra/external-secrets/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: external-secrets
-description: A Helm chart for Kubernetes
-type: application
-version: 0.0.1
-appVersion: 0.0.1
-
-dependencies:
-- name: external-secrets
-  repository: https://charts.external-secrets.io
-  version: 0.13.0

infra/external-secrets/templates/ca.yaml

@@ -1,81 +0,0 @@
-apiVersion: v1
-data:
-  vault.pem: |
-    -----BEGIN CERTIFICATE-----
-    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
-    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
-    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
-    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
-    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
-    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
-    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
-    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
-    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
-    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
-    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
-    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
-    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
-    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
-    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
-    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
-    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
-    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
-    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
-    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
-    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
-    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
-    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
-    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
-    +Q/cdsO5lg==
-    -----END CERTIFICATE-----
-    -----BEGIN CERTIFICATE-----
-    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
-    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
-    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
-    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
-    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
-    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
-    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
-    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
-    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
-    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
-    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
-    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
-    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
-    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
-    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
-    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
-    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
-    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
-    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
-    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
-    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
-    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
-    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
-    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
-    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-    -----END CERTIFICATE-----
-    -----BEGIN CERTIFICATE-----
-    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
-    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
-    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
-    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
-    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
-    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
-    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
-    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
-    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
-    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
-    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
-    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
-    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
-    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
-    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
-    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
-    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
-    55Fn
-    -----END CERTIFICATE-----
-kind: ConfigMap
-metadata:
-  name: ca-pemstore

infra/external-secrets/values.yaml

@@ -1,70 +0,0 @@
-external-secrets:
-  replicaCount: 3
-  revisionHistoryLimit: 1
-  leaderElect: true
-
-  installCRDs: true
-  crds:
-    createClusterExternalSecret: true
-    createClusterSecretStore: true
-    createClusterGenerator: true
-    createPushSecret: true
-    conversion:
-      enabled: false
-
-  image:
-    repository: registry.internal.durp.info/external-secrets/external-secrets
-    pullPolicy: Always
-
-  extraVolumes: 
-    - name: ca-pemstore
-      configMap:
-        name: ca-pemstore
-
-  extraVolumeMounts: 
-    - name: ca-pemstore
-      mountPath: /etc/ssl/certs/vault.pem
-      subPath: vault.pem
-      readOnly: true
-
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
-
-  webhook:
-    log:
-      level: debug
-    image:
-      repository: registry.internal.durp.info/external-secrets/external-secrets
-      pullPolicy: Always
-
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
-
-  certController:
-    create: false
-    revisionHistoryLimit: 1
-    log:
-      level: debug
-
-    image:
-      repository: registry.internal.durp.info/external-secrets/external-secrets
-      pullPolicy: Always
-      tag: ""
-
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m

infra/longhorn/templates/ingress.yaml

@@ -1,32 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: longhorn-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: longhorn-frontend
-      port: 80
-  tls:
-    secretName: longhorn-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: longhorn-tls
-spec:
-  secretName: longhorn-tls
-  issuerRef:
-    name: vault-issuer
-    kind: ClusterIssuer
-  commonName: "longhorn.infra.durp.info"
-  dnsNames:
-    - "longhorn.infra.durp.info"

infra/longhorn/templates/secrets.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: external-longhorn-backup-token-secret
-spec:
-  secretStoreRef:
-    name: vault
-    kind: ClusterSecretStore
-  target:
-    name: longhorn-backup-token-secret
-  data:
-  - secretKey: AWS_ACCESS_KEY_ID
-    remoteRef:
-      key: kv/longhorn/backup
-      property: AWS_ACCESS_KEY_ID
-  - secretKey: AWS_ENDPOINTS 
-    remoteRef:
-      key: kv/longhorn/backup
-      property: AWS_ENDPOINTS 
-  - secretKey: AWS_SECRET_ACCESS_KEY
-    remoteRef:
-      key: kv/longhorn/backup
-      property: AWS_SECRET_ACCESS_KEY

infra/longhorn/values.yaml

@@ -1,192 +0,0 @@
-longhorn: 
-  global:
-    cattle:
-      systemDefaultRegistry: ""
-  
-  image:
-    longhorn:
-      engine:
-        repository: longhornio/longhorn-engine
-      manager:
-        repository: longhornio/longhorn-manager
-      ui:
-        repository: longhornio/longhorn-ui
-      instanceManager:
-        repository: longhornio/longhorn-instance-manager
-      shareManager:
-        repository: longhornio/longhorn-share-manager
-      backingImageManager:
-        repository: longhornio/backing-image-manager
-    csi:
-      attacher:
-        repository: longhornio/csi-attacher
-      provisioner:
-        repository: longhornio/csi-provisioner
-      nodeDriverRegistrar:
-        repository: longhornio/csi-node-driver-registrar
-      resizer:
-        repository: longhornio/csi-resizer
-      snapshotter:
-        repository: longhornio/csi-snapshotter
-    pullPolicy: Always
-  
-  service:
-    ui:
-      type: ClusterIP
-      nodePort: null
-    manager:
-      type: ClusterIP
-      nodePort: ""
-      loadBalancerIP: ""
-      loadBalancerSourceRanges: ""
-  
-  persistence:
-    defaultClass: true
-    defaultFsType: ext4
-    defaultClassReplicaCount: 3
-    defaultDataLocality: disabled # best-effort otherwise
-    reclaimPolicy: Delete
-    migratable: false
-    recurringJobSelector:
-      enable: true
-      jobList: '[
-          {
-            "name":"backup", 
-            "task":"backup", 
-            "cron":"0 0 * * *", 
-            "retain":24
-          }
-        ]'
-    backingImage:
-      enable: false
-      name: ~
-      dataSourceType: ~
-      dataSourceParameters: ~
-      expectedChecksum: ~
-  
-  csi:
-    kubeletRootDir: ~
-    attacherReplicaCount: ~
-    provisionerReplicaCount: ~
-    resizerReplicaCount: ~
-    snapshotterReplicaCount: ~
-  
-  defaultSettings:
-    backupTarget: S3://longhorn-master@us-east-1/
-    backupTargetCredentialSecret: longhorn-backup-token-secret
-    allowRecurringJobWhileVolumeDetached: ~
-    createDefaultDiskLabeledNodes: ~
-    defaultDataPath: ~
-    defaultDataLocality: ~
-    replicaSoftAntiAffinity: ~
-    replicaAutoBalance: ~
-    storageOverProvisioningPercentage: ~
-    storageMinimalAvailablePercentage: ~
-    upgradeChecker: ~
-    defaultReplicaCount: ~
-    defaultLonghornStaticStorageClass: longhorn
-    backupstorePollInterval: ~
-    taintToleration: ~
-    systemManagedComponentsNodeSelector: ~
-    priorityClass: ~
-    autoSalvage: ~
-    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
-    disableSchedulingOnCordonedNode: ~
-    replicaZoneSoftAntiAffinity: ~
-    nodeDownPodDeletionPolicy: ~
-    allowNodeDrainWithLastHealthyReplica: ~
-    mkfsExt4Parameters: ~
-    disableReplicaRebuild: ~
-    replicaReplenishmentWaitInterval: ~
-    concurrentReplicaRebuildPerNodeLimit: ~
-    disableRevisionCounter: ~
-    systemManagedPodsImagePullPolicy: ~
-    allowVolumeCreationWithDegradedAvailability: ~
-    autoCleanupSystemGeneratedSnapshot: ~
-    concurrentAutomaticEngineUpgradePerNodeLimit: ~
-    backingImageCleanupWaitInterval: ~
-    backingImageRecoveryWaitInterval: ~
-    guaranteedEngineManagerCPU: ~
-    guaranteedReplicaManagerCPU: ~
-    kubernetesClusterAutoscalerEnabled: ~
-    orphanAutoDeletion: ~
-    storageNetwork: ~
-  privateRegistry:
-    createSecret: ~
-    registryUrl: ~
-    registryUser: ~
-    registryPasswd: ~
-    registrySecret: ~
-  
-  longhornManager:
-    priorityClass: ~
-    tolerations: []
-    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
-    ## and uncomment this example block
-    # - key: "key"
-    #   operator: "Equal"
-    #   value: "value"
-    #   effect: "NoSchedule"
-    nodeSelector: {}
-    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
-    ## and uncomment this example block
-    #  label-key1: "label-value1"
-    #  label-key2: "label-value2"
-  
-  longhornDriver:
-    priorityClass: ~
-    tolerations: []
-    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
-    ## and uncomment this example block
-    # - key: "key"
-    #   operator: "Equal"
-    #   value: "value"
-    #   effect: "NoSchedule"
-    nodeSelector: {}
-    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
-    ## and uncomment this example block
-    #  label-key1: "label-value1"
-    #  label-key2: "label-value2"
-  
-  longhornUI:
-    priorityClass: ~
-    tolerations: []
-    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
-    ## and uncomment this example block
-    # - key: "key"
-    #   operator: "Equal"
-    #   value: "value"
-    #   effect: "NoSchedule"
-    nodeSelector: {}
-    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
-    ## and uncomment this example block
-    #  label-key1: "label-value1"
-    #  label-key2: "label-value2"
-  
-  resources: {}
-    # We usually recommend not to specify default resources and to leave this as a conscious
-    # choice for the user. This also increases chances charts run on environments with little
-    # resources, such as Minikube. If you do want to specify resources, uncomment the following
-    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-    # limits:
-    #  cpu: 100m
-    #  memory: 128Mi
-    # requests:
-    #  cpu: 100m
-    #  memory: 128Mi
-    #
-  
-  ingress:
-    enabled: false
-  
-  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
-  ## and its release namespace is not the `longhorn-system`
-  namespaceOverride: ""
-  
-  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
-  annotations: {}
-  
-  serviceAccount:
-    # Annotations to add to the service account
-    annotations: {}
-  

infra/metallb-system/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: metallb-system
-description: A Helm chart for Kubernetes
-type: application
-
-version: 0.1.0
-appVersion: "1.16.0"
-
-dependencies:
-- name: metallb
-  repository: https://metallb.github.io/metallb
-  version: 0.14.9

infra/terraform/main.tf

@@ -1,159 +0,0 @@
-terraform {
-  backend "http" {}
-  required_providers {
-    proxmox = {
-      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
-    }
-  }
-}
-
-provider "proxmox" {
-  pm_parallel     = 1
-  pm_tls_insecure = true
-  pm_api_url      = var.pm_api_url
-  pm_user         = var.pm_user
-  pm_password     = var.pm_password
-  pm_debug        = false
-}
-
-locals {
-  sshkeys    = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
-  template   = "Debian12-Template"
-  storage    = "cache-domains"
-  emulatessd = true
-  format     = "raw"
-  dnsserver  = "192.168.12.1"
-  tags       = "postgres"
-  vlan       = 12
-  haproxy = {
-    count  = 3
-    name   = ["haproxy-01", "haproxy-02", "haproxy-03"]
-    cores  = 2
-    memory = "1024"
-    drive  = 20
-    node   = ["mothership", "overlord", "vanguard"]
-    ip     = ["31", "32", "33"]
-  }
-  postgres = {
-    count  = 3
-    name   = ["postgres-01", "postgres-02", "postgres-03"]
-    cores  = 4
-    memory = "4096"
-    drive  = 40
-    node   = ["mothership", "overlord", "vanguard"]
-    ip     = ["34", "35", "36"]
-  }
-}
-
-resource "proxmox_vm_qemu" "haproxy" {
-  count       = local.haproxy.count
-  ciuser      = "administrator"
-  vmid        = "${local.vlan}${local.haproxy.ip[count.index]}"
-  name        = local.haproxy.name[count.index]
-  target_node = local.haproxy.node[count.index]
-  clone       = local.template
-  tags        = local.tags
-  qemu_os     = "l26"
-  full_clone  = true
-  os_type     = "cloud-init"
-  agent       = 1
-  cores       = local.haproxy.cores
-  sockets     = 1
-  cpu_type    = "host"
-  memory      = local.haproxy.memory
-  scsihw      = "virtio-scsi-pci"
-  #bootdisk    = "scsi0"
-  boot    = "order=virtio0"
-  onboot  = true
-  sshkeys = local.sshkeys
-  vga         = "serial0"
-  serial {
-    id   = 0
-    type = "socket"
-  }
-  disks {
-    ide {
-      ide2 {
-        cloudinit {
-          storage = local.storage
-        }
-      }
-    }
-    virtio {
-      virtio0 {
-        disk {
-          size    = local.haproxy.drive
-          format  = local.format
-          storage = local.storage
-        }
-      }
-    }
-  }
-  network {
-    id     = 0
-    model  = "virtio"
-    bridge = "vmbr0"
-    tag    = local.vlan
-  }
-  #Cloud Init Settings
-  ipconfig0    = "ip=192.168.${local.vlan}.${local.haproxy.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
-  searchdomain = "durp.loc"
-  nameserver   = local.dnsserver
-}
-
-resource "proxmox_vm_qemu" "postgres" {
-  count       = local.postgres.count
-  ciuser      = "administrator"
-  vmid        = "${local.vlan}${local.postgres.ip[count.index]}"
-  name        = local.postgres.name[count.index]
-  target_node = local.postgres.node[count.index]
-  clone       = local.template
-  tags        = local.tags
-  qemu_os     = "l26"
-  full_clone  = true
-  os_type     = "cloud-init"
-  agent       = 1
-  cores       = local.postgres.cores
-  sockets     = 1
-  cpu_type    = "host"
-  memory      = local.postgres.memory
-  scsihw      = "virtio-scsi-pci"
-  #bootdisk    = "scsi0"
-  boot    = "order=virtio0"
-  onboot  = true
-  sshkeys = local.sshkeys
-  vga         = "serial0"
-  serial {
-    id   = 0
-    type = "socket"
-  }
-  disks {
-    ide {
-      ide2 {
-        cloudinit {
-          storage = local.storage
-        }
-      }
-    }
-    virtio {
-      virtio0 {
-        disk {
-          size    = local.postgres.drive
-          format  = local.format
-          storage = local.storage
-        }
-      }
-    }
-  }
-  network {
-    id     = 0
-    model  = "virtio"
-    bridge = "vmbr0"
-    tag    = local.vlan
-  }
-  #Cloud Init Settings
-  ipconfig0    = "ip=192.168.${local.vlan}.${local.postgres.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
-  searchdomain = "durp.loc"
-  nameserver   = local.dnsserver
-}

infra/terraform/variables.tf

@@ -1,14 +0,0 @@
-variable "pm_api_url" {
-  description = "API URL to Proxmox provider"
-  type        = string
-}
-
-variable "pm_password" {
-  description = "Passowrd to Proxmox provider"
-  type        = string
-}
-
-variable "pm_user" {
-  description = "UIsername to Proxmox provider"
-  type        = string
-}

infra/traefik/values.yaml

@@ -1,47 +0,0 @@
-traefik:
-  image: 
-    registry: registry.durp.info
-    repository: traefik
-    pullPolicy: Always
-  
-  deployment:
-    replicas: 3
-    revisionHistoryLimit: 1
-  
-  ingressRoute:
-    dashboard:
-      enabled: true
-  
-  additionalArguments: 
-    - "--serversTransport.insecureSkipVerify=true"
-    - "--log.level=DEBUG"
-    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
-    - --experimental.plugins.jwt.version=v0.7.0
-  
-  autoscaling:
-    enabled: true
-    minReplicas: 3
-    maxReplicas: 10
-    metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 80
-    behavior:
-      scaleDown:
-        stabilizationWindowSeconds: 300
-        policies:
-        - type: Pods
-          value: 1
-          periodSeconds: 60
-  
-  
-  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
-    requests:
-      cpu: "100m"
-      memory: "512Mi"
-    limits:
-      memory: "512Mi"

infra/vault/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: vault
-description: A Helm chart for Kubernetes
-type: application
-version: 0.0.1
-appVersion: 0.0.1
-
-dependencies:
-- name: vault
-  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
-

infra/vault/templates/ingress.yaml

@@ -1,33 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: vault-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`vault.infra.durp.info`)
-    kind: Rule
-    services:
-    - name: vault
-      port: 8200
-      scheme: https
-  tls:
-    secretName: vault-tls  
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: vault-tls
-spec:
-  secretName: vault-tls
-  issuerRef:
-    name: vault-issuer
-    kind: ClusterIssuer
-  commonName: "vault.infra.durp.info"
-  dnsNames:
-    - "vault.infra.durp.info"

infra/vault/templates/sa.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: issuer

infra/vault/templates/secret-store.yaml

@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault
-spec:
-  provider:
-    vault:
-      server: "https://vault.infra.durp.info"
-      path: "kv"
-      version: "v2"
-      auth:
-        kubernetes:
-          mountPath: "kubernetes"
-          role: "external-secrets"
-          serviceAccountRef:
-            name: "vault"
-

infra/vault/values.yaml

@@ -1,140 +0,0 @@
-vault:
-  global:
-    enabled: true
-    tlsDisable: false
-    resources:
-      requests:
-        memory: 256Mi
-        cpu: 250m
-      limits:
-        memory: 256Mi
-        cpu: 250m
-  
-  server:
-    image:
-      repository: "hashicorp/vault"
-    # These Resource Limits are in line with node requirements in the
-    # Vault Reference Architecture for a Small Cluster
-    #resources:
-    #  requests:
-    #    memory: 8Gi
-    #    cpu: 2000m
-    #  limits:
-    #    memory: 16Gi
-    #    cpu: 2000m
-  
-    # For HA configuration and because we need to manually init the vault,
-    # we need to define custom readiness/liveness Probe settings
-    readinessProbe:
-      enabled: true
-      path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
-    livenessProbe:
-      enabled: true
-      path: "/v1/sys/health?standbyok=true"
-      initialDelaySeconds: 60
-  
-    # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
-    # used to include variables required for auto-unseal.
-    extraEnvironmentVars:
-      VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
-
-    extraSecretEnvironmentVars: 
-      - envName: VAULT_TOKEN
-        secretName: autounseal
-        secretKey: VAULT_TOKEN
-  
-    volumes:
-      - name: userconfig-vault-server-tls
-        secret:
-          defaultMode: 420
-          secretName: vault-server-tls 
-
-    volumeMounts:
-      - mountPath: /vault/userconfig/vault-server-tls
-        name: userconfig-vault-server-tls
-        readOnly: true
-  
-    # This configures the Vault Statefulset to create a PVC for audit logs.
-    # See https://www.vaultproject.io/docs/audit/index.html to know more
-    auditStorage:
-      enabled: true
-  
-    standalone:
-      enabled: false
-
-      config: |
-        disable_mlock = true
-        ui = true
-        listener "tcp" {
-          address = "[::]:8200"
-          cluster_address = "[::]:8201"
-            tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-            tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
-        }
-
-        seal "transit" {
-          address = "https://root-vault.internal.durp.info"
-          disable_renewal = "false"
-          key_name = "autounseal"
-          mount_path = "transit/"
-          tls_skip_verify = "true"
-        }
-
-        storage "raft" {
-            path = "/vault/data"
-        }
-  
-    # Run Vault in "HA" mode.
-    ha:
-      enabled: true
-      replicas: 3
-      raft:
-        enabled: true
-        setNodeId: true
-  
-        config: |
-          ui = true
-          cluster_name = "vault-integrated-storage"
-          listener "tcp" {
-            address = "[::]:8200"
-            cluster_address = "[::]:8201"
-            tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-            tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
-          }
-
-          seal "transit" {
-            address = "https://root-vault.internal.durp.info"
-            disable_renewal = "false"
-            key_name = "autounseal"
-            mount_path = "transit/"
-            tls_skip_verify = "true"
-          }
-  
-          storage "raft" {
-            path = "/vault/data"
-            retry_join {
-              leader_api_addr = "https://vault-0.vault-internal:8200"
-              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
-              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
-            }
-            retry_join {
-              leader_api_addr = "https://vault-1.vault-internal:8200"
-              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
-              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
-            }
-            retry_join {
-              leader_api_addr = "https://vault-2.vault-internal:8200"
-              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
-              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
-            }
-          } 
-  
-  # Vault UI
-  ui:
-    enabled: false
-    serviceType: "LoadBalancer"
-    serviceNodePort: null
-    externalPort: 8200

internalproxy/templates/argocd.yaml

@@ -1,37 +1,46 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: vault-ingress
+  name: argocd-ingress
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`vault.internal.durp.info`)
+  - match: Host(`argocd.internal.durp.info`)
     middlewares:
     - name: whitelist
       namespace: traefik  
     kind: Rule
     services:
-    - name: vault
-      port: 8200
-      scheme: http
+    - name: argocd-server
+      port: 443
+      scheme: https
   tls:
-    secretName: vault-tls  
+    secretName: argocd-tls  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: argocd-server
+spec:
+  type: ExternalName
+  externalName: argocd-server.argocd.svc.cluster.local  
 
 ---
 
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: vault-tls
+  name: argocd-tls
 spec:
-  secretName: vault-tls
+  secretName: argocd-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "vault.internal.durp.info"
+  commonName: "argocd.internal.durp.info"
   dnsNames:
-  - "vault.internal.durp.info"  
-
+  - "argocd.internal.durp.info"  

internalproxy/templates/gitea.yaml

@@ -0,0 +1,9 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitea-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

internalproxy/templates/guac.yaml

@@ -1,7 +1,19 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: guac-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+
 apiVersion: v1
 kind: Service
 metadata:
-  name: redlib
+  name: guac
 spec:
   ports:
   - name: app
@@ -16,7 +28,7 @@ spec:
 apiVersion: v1
 kind: Endpoints
 metadata:
-  name: redlib
+  name: guac
 subsets:
 - addresses:
   - ip: 192.168.20.253
@@ -30,39 +42,30 @@ subsets:
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: redlib-ingress
+  name: guac-ingress
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
+  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
     kind: Rule
     services:
-    - name: redlib
+    - name: guac
       port: 8082
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
-    kind: Rule
-    services:
-    - name: ak-outpost-authentik-embedded-outpost
-      namespace: authentik
-      port: 9000
   tls:
-    secretName: redlib-tls
+    secretName: guac-tls
 
 ---
 
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: redlib-tls
+  name: guac-tls
 spec:
-  secretName: redlib-tls
+  secretName: guac-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "redlib.durp.info"
+  commonName: "guac.durp.info"
   dnsNames:
-  - "redlib.durp.info"  
+  - "guac.durp.info"  

internalproxy/templates/jellyfin.yaml

@@ -0,0 +1,9 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: jellyfin-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

internalproxy/templates/kasm.yaml

@@ -0,0 +1,9 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: kasm-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

internalproxy/templates/plex.yaml

@@ -0,0 +1,9 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: plex-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

internalproxy/templates/registry-internal.yaml

@@ -5,9 +5,9 @@ metadata:
 spec:
   ports:
   - name: app
-    port: 5000
+    port: 5001
     protocol: TCP
-    targetPort: 5000
+    targetPort: 5001
   clusterIP: None
   type: ClusterIP
 
@@ -22,7 +22,7 @@ subsets:
   - ip: 192.168.20.253
   ports:
   - name: app
-    port: 5000
+    port: 5001
     protocol: TCP
 
 ---    
@@ -39,9 +39,9 @@ spec:
     kind: Rule
     services:
     - name: registry-internal
-      port: 5000
+      port: 5001
   tls:
-    secretName: registry-internal-tls
+    secretName: registry-tls
 
 ---
 
@@ -54,6 +54,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "registry.internal.durp.info"
+  commonName: "registry.durp.info"
   dnsNames:
-  - "registry.internal.durp.info"
+  - "registry.durp.info"  

kube-prometheus-stack/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: kube-prometheus-stack
   repository: https://prometheus-community.github.io/helm-charts
-  version: 63.1.0
+  version: 40.5.0

kubeclarity/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: kubeclarity
   repository: https://openclarity.github.io/kubeclarity
-  version: 2.23.3
+  version: 2.22.0

longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.7.2
+  version: 1.3.2

longhorn/values.yaml

@@ -57,7 +57,7 @@ longhorn:
           {
             "name":"backup", 
             "task":"backup", 
-            "cron":"0 0 * * ?", 
+            "cron":"0 */6 * * *", 
             "retain":24
           }
         ]'
@@ -76,7 +76,7 @@ longhorn:
     snapshotterReplicaCount: ~
   
   defaultSettings:
-    backupTarget: S3://longhorn-master@us-east-1/
+    backupTarget: S3://longhorn@us-east-1/
     backupTargetCredentialSecret: longhorn-backup-token-secret
     allowRecurringJobWhileVolumeDetached: ~
     createDefaultDiskLabeledNodes: ~

master/argocd/templates/argocd.yaml

@@ -1,59 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: argocd
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/argocd
-  destination:
-    namespace: argocd
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-
----
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: argocd-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`argocd.internal.durp.info`)
-      middlewares:
-        - name: whitelist
-          namespace: traefik
-      kind: Rule
-      services:
-        - name: argocd-server
-          port: 443
-          scheme: https
-  tls:
-    secretName: argocd-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: argocd-tls
-spec:
-  secretName: argocd-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "argocd.internal.durp.info"
-  dnsNames:
-    - "argocd.internal.durp.info"

master/argocd/templates/authentik.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: authentik
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/authentik
-  destination:
-    namespace: authentik
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-

master/argocd/templates/bitwarden.yaml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: bitwarden
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/bitwarden
-    directory:
-      recurse: true
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: bitwarden
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: false
-    syncOptions:
-      - CreateNamespace=true   
-

master/argocd/templates/cert-manager.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: cert-manager
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/cert-manager
-  destination:
-    namespace: cert-manager
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

master/argocd/templates/crossplane.yml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/crossplane
-  destination:
-    namespace: crossplane
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

master/argocd/templates/durpapi.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: durpapi
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/durpapi
-  destination:
-    namespace: durpapi
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

master/argocd/templates/heimdall.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: heimdall
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/heimdall
-  destination:
-    namespace: heimdall
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

master/argocd/templates/krakend.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: krakend
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/krakend
-  destination:
-    namespace: krakend
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

master/argocd/templates/littlelink.yaml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: littlelink
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/littlelink
-    directory:
-      recurse: true
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: littlelink
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true        

master/argocd/templates/longhorn.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: longhorn-system
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/longhorn
-  destination:
-    namespace: longhorn-system
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-

master/argocd/templates/metallb-system.yaml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: metallb-system
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/metallb-system
-  destination:
-    namespace: metallb-system
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-
-

master/argocd/templates/nfs-client.yaml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: nfs-client
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/nfs-client
-    directory:
-      recurse: true
-  destination:
-    namespace: nfs-client
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
-

master/argocd/templates/open-webui.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: open-webui
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: master/open-webui
-  destination:
-    namespace: open-webui
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true