Update chart version

.gitignore

@@ -0,0 +1 @@
+.idea

argocd/Chart.yaml

@@ -9,6 +9,6 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.7.11
+  version: 6.11.1
 
 

argocd/templates/argocd.yaml

@@ -18,3 +18,42 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.internal.durp.info`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    secretName: argocd-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: argocd-tls
+spec:
+  secretName: argocd-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "argocd.internal.durp.info"
+  dnsNames:
+    - "argocd.internal.durp.info"

argocd/templates/metallb-system.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: metallb-system
+  destination:
+    namespace: metallb-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+

authentik/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io
-  version: 2024.4.1
+  version: 2024.8.3

authentik/values.yaml

@@ -26,6 +26,8 @@ authentik:
   server:
     name: server
     replicas: 3
+  worker:
+    replicas: 3
   postgresql:
     enabled: true
     image:

bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: bitwarden
-        image: registry.internal.durp.info/vaultwarden/server:1.30.3
+        image: registry.internal.durp.info/vaultwarden/server:1.32.0
         imagePullPolicy: Always
         volumeMounts:
         - name: bitwarden-pvc

cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: 1.*.*
+  version: v1.15.3

crossplane/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: crossplane
   repository: https://charts.crossplane.io/stable
-  version: 1.12.0
+  version: 1.17.1

durpapi/Chart.yaml

@@ -1,11 +1,13 @@
-version: 0.1.0-dev0144
 apiVersion: v2
 name: durpapi
-dependencies:
-- version: 12.5.*
-  condition: postgresql.enabled
-  name: postgresql
-  repository: https://charts.bitnami.com/bitnami
 description: A Helm chart for Kubernetes
 type: application
+
+version: 0.1.0-dev0184
 appVersion: 0.1.0
+
+dependencies:
+- condition: postgresql.enabled
+  version: 12.5.*
+  repository: https://charts.bitnami.com/bitnami
+  name: postgresql

durpapi/values.yaml

@@ -10,15 +10,15 @@ deployment:
   probe:
     readiness:  
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
     liveness: 
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
     startup: 
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
 service:
   type: ClusterIP

external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 6.20.3
+  version: 8.3.8

external-dns/values.yaml

@@ -11,6 +11,6 @@ external-dns:
   provider: cloudflare
   cloudflare:
     secretName : "external-dns"
-    proxied: true
+    proxied: false
 
-  policy: sync
+  policy: sync

external-secrets/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.8.1
+  version: 0.10.4
 

gatekeeper/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gatekeeper
   repository: https://open-policy-agent.github.io/gatekeeper/charts
-  version: 3.14.0
+  version: 3.17.1

gatekeeper/values.yaml

@@ -1,277 +1,278 @@
-gatekeeper:
+#gatekeeper:
-  replicas: 3
+#  replicas: 3
-  revisionHistoryLimit: 10
+#  revisionHistoryLimit: 10
-  auditInterval: 60
+#  auditInterval: 60
-  metricsBackends: ["prometheus"]
+#  metricsBackends: ["prometheus"]
-  auditMatchKindOnly: false
+#  auditMatchKindOnly: false
-  constraintViolationsLimit: 20
+#  constraintViolationsLimit: 20
-  auditFromCache: false
+#  auditFromCache: false
-  disableMutation: false
+#  disableMutation: false
-  disableValidatingWebhook: false
+#  disableValidatingWebhook: false
-  validatingWebhookName: gatekeeper-validating-webhook-configuration
+#  validatingWebhookName: gatekeeper-validating-webhook-configuration
-  validatingWebhookTimeoutSeconds: 3
+#  validatingWebhookTimeoutSeconds: 3
-  validatingWebhookFailurePolicy: Ignore
+#  validatingWebhookFailurePolicy: Ignore
-  validatingWebhookAnnotations: {}
+#  validatingWebhookAnnotations: {}
-  validatingWebhookExemptNamespacesLabels: {}
+#  validatingWebhookExemptNamespacesLabels: {}
-  validatingWebhookObjectSelector: {}
+#  validatingWebhookObjectSelector: {}
-  validatingWebhookCheckIgnoreFailurePolicy: Fail
+#  validatingWebhookCheckIgnoreFailurePolicy: Fail
-  validatingWebhookCustomRules: {}
+#  validatingWebhookCustomRules: {}
-  validatingWebhookURL: null
+#  validatingWebhookURL: null
-  enableDeleteOperations: false
+#  enableDeleteOperations: false
-  enableExternalData: true
+#  enableExternalData: true
-  enableGeneratorResourceExpansion: true
+#  enableGeneratorResourceExpansion: true
-  enableTLSHealthcheck: false
+#  enableTLSHealthcheck: false
-  maxServingThreads: -1
+#  maxServingThreads: -1
-  mutatingWebhookName: gatekeeper-mutating-webhook-configuration
+#  mutatingWebhookName: gatekeeper-mutating-webhook-configuration
-  mutatingWebhookFailurePolicy: Ignore
+#  mutatingWebhookFailurePolicy: Ignore
-  mutatingWebhookReinvocationPolicy: Never
+#  mutatingWebhookReinvocationPolicy: Never
-  mutatingWebhookAnnotations: {}
+#  mutatingWebhookAnnotations: {}
-  mutatingWebhookExemptNamespacesLabels: {}
+#  mutatingWebhookExemptNamespacesLabels: {}
-  mutatingWebhookObjectSelector: {}
+#  mutatingWebhookObjectSelector: {}
-  mutatingWebhookTimeoutSeconds: 1
+#  mutatingWebhookTimeoutSeconds: 1
-  mutatingWebhookCustomRules: {}
+#  mutatingWebhookCustomRules: {}
-  mutatingWebhookURL: null
+#  mutatingWebhookURL: null
-  mutationAnnotations: false
+#  mutationAnnotations: false
-  auditChunkSize: 500
+#  auditChunkSize: 500
-  logLevel: INFO
+#  logLevel: INFO
-  logDenies: false
+#  logDenies: false
-  logMutations: false
+#  logMutations: false
-  emitAdmissionEvents: false
+#  emitAdmissionEvents: false
-  emitAuditEvents: false
+#  emitAuditEvents: false
-  admissionEventsInvolvedNamespace: false
+#  admissionEventsInvolvedNamespace: false
-  auditEventsInvolvedNamespace: false
+#  auditEventsInvolvedNamespace: false
-  resourceQuota: true
+#  resourceQuota: true
-  externaldataProviderResponseCacheTTL: 3m
+#  externaldataProviderResponseCacheTTL: 3m
-  image:
+#  image:
-    repository: openpolicyagent/gatekeeper
+#    repository: openpolicyagent/gatekeeper
-    crdRepository: openpolicyagent/gatekeeper-crds
+#    crdRepository: openpolicyagent/gatekeeper-crds
-    release: v3.15.0-beta.0
+#    release: v3.15.0-beta.0
-    pullPolicy: Always
+#    pullPolicy: Always
-    pullSecrets: []
+#    pullSecrets: []
-  preInstall:
+#  preInstall:
-    crdRepository:
+#    crdRepository:
-      image:
+#      image:
-        repository: null
+#        repository: null
-        tag: v3.15.0-beta.0
+#        tag: v3.15.0-beta.0
-  postUpgrade:
+#  postUpgrade:
-    labelNamespace:
+#    labelNamespace:
-      enabled: false
+#      enabled: false
-      image:
+#      image:
-        repository: openpolicyagent/gatekeeper-crds
+#        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
+#        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
+#        pullPolicy: IfNotPresent
-        pullSecrets: []
+#        pullSecrets: []
-      extraNamespaces: []
+#      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+#      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
+#        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
+#        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
+#        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
+#        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
+#        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
+#      extraAnnotations: {}
-      priorityClassName: ""
+#      priorityClassName: ""
-    affinity: {}
+#    affinity: {}
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
+#    resources: {}
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 999
+#      runAsGroup: 999
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 1000
+#      runAsUser: 1000
-  postInstall:
+#  postInstall:
-    labelNamespace:
+#    labelNamespace:
-      enabled: true
+#      enabled: true
-      extraRules: []
+#      extraRules: []
-      image:
+#      image:
-        repository: openpolicyagent/gatekeeper-crds
+#        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
+#        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
+#        pullPolicy: IfNotPresent
-        pullSecrets: []
+#        pullSecrets: []
-      extraNamespaces: []
+#      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+#      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
+#        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
+#        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
+#        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
+#        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
+#        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
+#      extraAnnotations: {}
-      priorityClassName: ""
+#      priorityClassName: ""
-    probeWebhook:
+#    probeWebhook:
-      enabled: true
+#      enabled: true
-      image:
+#      image:
-        repository: curlimages/curl
+#        repository: curlimages/curl
-        tag: 7.83.1
+#        tag: 7.83.1
-        pullPolicy: IfNotPresent
+#        pullPolicy: IfNotPresent
-        pullSecrets: []
+#        pullSecrets: []
-      waitTimeout: 60
+#      waitTimeout: 60
-      httpTimeout: 2
+#      httpTimeout: 2
-      insecureHTTPS: false
+#      insecureHTTPS: false
-      priorityClassName: ""
+#      priorityClassName: ""
-    affinity: {}
+#    affinity: {}
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 999
+#      runAsGroup: 999
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 1000
+#      runAsUser: 1000
-  preUninstall:
+#  preUninstall:
-    deleteWebhookConfigurations:
+#    deleteWebhookConfigurations:
-      extraRules: []
+#      extraRules: []
-      enabled: false
+#      enabled: false
-      image:
+#      image:
-        repository: openpolicyagent/gatekeeper-crds
+#        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
+#        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
+#        pullPolicy: IfNotPresent
-        pullSecrets: []
+#        pullSecrets: []
-      priorityClassName: ""
+#      priorityClassName: ""
-    affinity: {}
+#    affinity: {}
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
+#    resources: {}
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 999
+#      runAsGroup: 999
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 1000
+#      runAsUser: 1000
-  podAnnotations: {}
+#  podAnnotations: {}
-  auditPodAnnotations: {}
+#  auditPodAnnotations: {}
-  podLabels: {}
+#  podLabels: {}
-  podCountLimit: "100"
+#  podCountLimit: "100"
-  secretAnnotations: {}
+#  secretAnnotations: {}
-  enableRuntimeDefaultSeccompProfile: true
+#  enableRuntimeDefaultSeccompProfile: true
-  controllerManager:
+#  controllerManager:
-    exemptNamespaces: []
+#    exemptNamespaces: []
-    exemptNamespacePrefixes: []
+#    exemptNamespacePrefixes: []
-    hostNetwork: false
+#    hostNetwork: false
-    dnsPolicy: ClusterFirst
+#    dnsPolicy: ClusterFirst
-    port: 8443
+#    port: 8443
-    metricsPort: 8888
+#    metricsPort: 8888
-    healthPort: 9090
+#    healthPort: 9090
-    readinessTimeout: 1
+#    readinessTimeout: 1
-    livenessTimeout: 1
+#    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
+#    priorityClassName: system-cluster-critical
-    disableCertRotation: false
+#    disableCertRotation: false
-    tlsMinVersion: 1.3
+#    tlsMinVersion: 1.3
-    clientCertName: ""
+#    clientCertName: ""
-    strategyType: RollingUpdate
+#    strategyType: RollingUpdate
-    affinity:
+#    affinity:
-      podAntiAffinity:
+#      podAntiAffinity:
-        preferredDuringSchedulingIgnoredDuringExecution:
+#        preferredDuringSchedulingIgnoredDuringExecution:
-          - podAffinityTerm:
+#          - podAffinityTerm:
-              labelSelector:
+#              labelSelector:
-                matchExpressions:
+#                matchExpressions:
-                  - key: gatekeeper.sh/operation
+#                  - key: gatekeeper.sh/operation
-                    operator: In
+#                    operator: In
-                    values:
+#                    values:
-                      - webhook
+#                      - webhook
-              topologyKey: kubernetes.io/hostname
+#              topologyKey: kubernetes.io/hostname
-            weight: 100
+#            weight: 100
-    topologySpreadConstraints: []
+#    topologySpreadConstraints: []
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    resources:
+#    resources:
-      limits:
+#      limits:
-        memory: 512Mi
+#        memory: 512Mi
-      requests:
+#      requests:
-        cpu: 100m
+#        cpu: 100m
-        memory: 512Mi
+#        memory: 512Mi
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 999
+#      runAsGroup: 999
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 1000
+#      runAsUser: 1000
-    podSecurityContext:
+#    podSecurityContext:
-      fsGroup: 999
+#      fsGroup: 999
-      supplementalGroups:
+#      supplementalGroups:
-        - 999
+#        - 999
-    extraRules: []
+#    extraRules: []
-    networkPolicy:
+#    networkPolicy:
-      enabled: false
+#      enabled: false
-      ingress: { }
+#      ingress: { }
-        # - from:
+#        # - from:
-        #   - ipBlock:
+#        #   - ipBlock:
-        #       cidr: 0.0.0.0/0
+#        #       cidr: 0.0.0.0/0
-  audit:
+#  audit:
-    enablePubsub: false
+#    enablePubsub: false
-    connection: audit-connection
+#    connection: audit-connection
-    channel: audit-channel
+#    channel: audit-channel
-    hostNetwork: false
+#    hostNetwork: false
-    dnsPolicy: ClusterFirst
+#    dnsPolicy: ClusterFirst
-    metricsPort: 8888
+#    metricsPort: 8888
-    healthPort: 9090
+#    healthPort: 9090
-    readinessTimeout: 1
+#    readinessTimeout: 1
-    livenessTimeout: 1
+#    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
+#    priorityClassName: system-cluster-critical
-    disableCertRotation: false
+#    disableCertRotation: false
-    affinity: {}
+#    affinity: {}
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    resources:
+#    resources:
-      limits:
+#      limits:
-        memory: 512Mi
+#        memory: 512Mi
-      requests:
+#      requests:
-        cpu: 100m
+#        cpu: 100m
-        memory: 512Mi
+#        memory: 512Mi
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 999
+#      runAsGroup: 999
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 1000
+#      runAsUser: 1000
-    podSecurityContext:
+#    podSecurityContext:
-      fsGroup: 999
+#      fsGroup: 999
-      supplementalGroups:
+#      supplementalGroups:
-        - 999
+#        - 999
-    writeToRAMDisk: false
+#    writeToRAMDisk: false
-    extraRules: []
+#    extraRules: []
-  crds:
+#  crds:
-    affinity: {}
+#    affinity: {}
-    tolerations: []
+#    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
+#    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
+#    resources: {}
-    securityContext:
+#    securityContext:
-      allowPrivilegeEscalation: false
+#      allowPrivilegeEscalation: false
-      capabilities:
+#      capabilities:
-        drop:
+#        drop:
-        - ALL
+#        - ALL
-      readOnlyRootFilesystem: true
+#      readOnlyRootFilesystem: true
-      runAsGroup: 65532
+#      runAsGroup: 65532
-      runAsNonRoot: true
+#      runAsNonRoot: true
-      runAsUser: 65532
+#      runAsUser: 65532
-  pdb:
+#  pdb:
-    controllerManager:
+#    controllerManager:
-      minAvailable: 1
+#      minAvailable: 1
-  service: {}
+#  service: {}
-  disabledBuiltins: ["{http.send}"]
+#  disabledBuiltins: ["{http.send}"]
-  psp:
+#  psp:
-    enabled: true
+#    enabled: true
-  upgradeCRDs:
+#  upgradeCRDs:
-    enabled: true
+#    enabled: true
-    extraRules: []
+#    extraRules: []
-    priorityClassName: ""
+#    priorityClassName: ""
-  rbac:
+#  rbac:
-    create: true
+#    create: true
-  externalCertInjection:
+#  externalCertInjection:
-    enabled: false
+#    enabled: false
-    secretName: gatekeeper-webhook-server-cert
+#    secretName: gatekeeper-webhook-server-cert
+#

gitlab-runner/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.43.0
+  version: 0.69.0

heimdall/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: heimdall
   repository: https://djjudas21.github.io/charts/
-  version: 8.5.2
+  version: 8.5.4

internalproxy/templates/argocd.yaml

@@ -1,46 +1,46 @@
-apiVersion: traefik.containo.us/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: argocd-ingress
+#  name: argocd-ingress
-  annotations:
+#  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
+#    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`argocd.internal.durp.info`)
+#  - match: Host(`argocd.internal.durp.info`)
-    middlewares:
+#    middlewares:
-    - name: whitelist
+#    - name: whitelist
-      namespace: traefik  
+#      namespace: traefik
-    kind: Rule
+#    kind: Rule
-    services:
+#    services:
-    - name: argocd-server
+#    - name: argocd-server
-      port: 443
+#      port: 443
-      scheme: https
+#      scheme: https
-  tls:
+#  tls:
-    secretName: argocd-tls  
+#    secretName: argocd-tls
-
+#
----
+#---
-
+#
-kind: Service
+#kind: Service
-apiVersion: v1
+#apiVersion: v1
-metadata:
+#metadata:
-  name: argocd-server
+#  name: argocd-server
-spec:
+#spec:
-  type: ExternalName
+#  type: ExternalName
-  externalName: argocd-server.argocd.svc.cluster.local  
+#  externalName: argocd-server.argocd.svc.cluster.local
-
+#
----
+#---
-
+#
-apiVersion: cert-manager.io/v1
+#apiVersion: cert-manager.io/v1
-kind: Certificate
+#kind: Certificate
-metadata:
+#metadata:
-  name: argocd-tls
+#  name: argocd-tls
-spec:
+#spec:
-  secretName: argocd-tls
+#  secretName: argocd-tls
-  issuerRef:
+#  issuerRef:
-    name: letsencrypt-production
+#    name: letsencrypt-production
-    kind: ClusterIssuer
+#    kind: ClusterIssuer
-  commonName: "argocd.internal.durp.info"
+#  commonName: "argocd.internal.durp.info"
-  dnsNames:
+#  dnsNames:
-  - "argocd.internal.durp.info"  
+#  - "argocd.internal.durp.info"

internalproxy/templates/blueiris.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: blueiris
+spec:
+  ports:
+    - name: app
+      port: 81
+      protocol: TCP
+      targetPort: 81
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: blueiris
+subsets:
+  - addresses:
+      - ip: 192.168.99.2
+    ports:
+      - name: app
+        port: 81
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blueiris-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`blueiris.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: blueiris
+          port: 81
+          scheme: http
+  tls:
+    secretName: blueiris-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: blueiris-tls
+spec:
+  secretName: blueiris-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "blueiris.internal.durp.info"
+  dnsNames:
+    - "blueiris.internal.durp.info"

internalproxy/templates/gitea.yaml

@@ -1,3 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+spec:
+  ports:
+    - name: app
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitea
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 3000
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitea
+          port: 3000
+          scheme: http
+  tls:
+    secretName: gitea-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitea.durp.info"
+  dnsNames:
+    - "gitea.durp.info"
+
+---
+
 kind: Service
 apiVersion: v1
 metadata:

internalproxy/templates/guac.yaml

@@ -1,71 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: guac-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: guac
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: guac
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: guac-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: guac
-      port: 8082
-  tls:
-    secretName: guac-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: guac-tls
-spec:
-  secretName: guac-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "guac.durp.info"
-  dnsNames:
-  - "guac.durp.info"  

internalproxy/templates/jellyfin.yaml

@@ -1,3 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin
+spec:
+  ports:
+    - name: app
+      port: 8096
+      protocol: TCP
+      targetPort: 8096
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: jellyfin
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 8096
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: jellyfin-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`jellyfin.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: jellyfin
+          port: 8096
+          scheme: http
+  tls:
+    secretName: jellyfin-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jellyfin-tls
+spec:
+  secretName: jellyfin-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "jellyfin.durp.info"
+  dnsNames:
+    - "jellyfin.durp.info"
+
+---
+
 kind: Service
 apiVersion: v1
 metadata:

internalproxy/templates/kasm.yaml

@@ -1,3 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kasm
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: kasm
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kasm-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`kasm.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: kasm
+          port: 443
+          scheme: https
+  tls:
+    secretName: kasm-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kasm-tls
+spec:
+  secretName: kasm-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "kasm.durp.info"
+  dnsNames:
+    - "kasm.durp.info"
+
+---
+
 kind: Service
 apiVersion: v1
 metadata:

internalproxy/templates/minio.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+spec:
+  ports:
+    - name: app
+      port: 9769
+      protocol: TCP
+      targetPort: 9769
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: minio
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 9769
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: minio-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: minio
+          port: 9769
+          scheme: http
+  tls:
+    secretName: minio-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: minio-tls
+spec:
+  secretName: minio-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "minio.internal.durp.info"
+  dnsNames:
+    - "minio.internal.durp.info"

internalproxy/templates/octopus.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: octopus
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: octopus
+subsets:
+  - addresses:
+      - ip: 192.168.20.105
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: octopus-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`octopus.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: octopus
+          port: 443
+          scheme: https
+  tls:
+    secretName: octopus-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: octopus-tls
+spec:
+  secretName: octopus-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "octopus.internal.durp.info"
+  dnsNames:
+    - "octopus.internal.durp.info"

internalproxy/templates/ollama.yaml

@@ -0,0 +1,101 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: ollama-secret
+  data:
+    - secretKey: users
+      remoteRef:
+        key: secrets/internalproxy/ollama
+        property: users
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: ollama-basic-auth
+spec:
+  basicAuth:
+    secret: ollama-secret
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ollama
+spec:
+  ports:
+    - name: app
+      port: 11435
+      protocol: TCP
+      targetPort: 11435
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ollama
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 11435
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ollama-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: ollama-basic-auth
+      kind: Rule
+      services:
+        - name: ollama
+          port: 11435
+  tls:
+    secretName: ollama-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ollama-tls
+spec:
+  secretName: ollama-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "ollama.durp.info"
+  dnsNames:
+    - "ollama.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: ollama-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

internalproxy/templates/pfsense.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pfsense
+spec:
+  ports:
+    - name: app
+      port: 10443
+      protocol: TCP
+      targetPort: 10443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pfsense
+subsets:
+  - addresses:
+      - ip: 192.168.20.1
+    ports:
+      - name: app
+        port: 10443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: pfsense-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`pfsense.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: pfsense
+          port: 10443
+          scheme: https
+  tls:
+    secretName: pfsense-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pfsense-tls
+spec:
+  secretName: pfsense-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "pfsense.internal.durp.info"
+  dnsNames:
+    - "pfsense.internal.durp.info"

internalproxy/templates/plex.yaml

@@ -1,3 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: plex
+spec:
+  ports:
+    - name: app
+      port: 32400
+      protocol: TCP
+      targetPort: 32400
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: plex
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 32400
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plex-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`plex.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: plex
+          port: 32400
+          scheme: https
+  tls:
+    secretName: plex-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: plex-tls
+spec:
+  secretName: plex-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "plex.durp.info"
+  dnsNames:
+    - "plex.durp.info"
+
+---
+
 kind: Service
 apiVersion: v1
 metadata:

internalproxy/templates/portainer.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer
+spec:
+  ports:
+    - name: app
+      port: 9443
+      protocol: TCP
+      targetPort: 9443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: portainer
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 9443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: portainer-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: portainer
+          port: 9443
+          scheme: https
+  tls:
+    secretName: portainer-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: portainer-tls
+spec:
+  secretName: portainer-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "portainer.internal.durp.info"
+  dnsNames:
+    - "portainer.internal.durp.info"

internalproxy/templates/proxmox.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox
+spec:
+  ports:
+    - name: app
+      port: 8006
+      protocol: TCP
+      targetPort: 8006
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: proxmox
+subsets:
+  - addresses:
+      - ip: 192.168.21.252
+    ports:
+      - name: app
+        port: 8006
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: proxmox-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: proxmox
+          port: 8006
+          scheme: https
+  tls:
+    secretName: proxmox-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: proxmox-tls
+spec:
+  secretName: proxmox-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "proxmox.internal.durp.info"
+  dnsNames:
+    - "proxmox.internal.durp.info"

internalproxy/templates/registry-internal.yaml

@@ -5,9 +5,9 @@ metadata:
 spec:
   ports:
   - name: app
-    port: 5001
+    port: 5000
     protocol: TCP
-    targetPort: 5001
+    targetPort: 5000
   clusterIP: None
   type: ClusterIP
 
@@ -22,7 +22,7 @@ subsets:
   - ip: 192.168.20.253
   ports:
   - name: app
-    port: 5001
+    port: 5000
     protocol: TCP
 
 ---    
@@ -39,9 +39,9 @@ spec:
     kind: Rule
     services:
     - name: registry-internal
-      port: 5001
+      port: 5000
   tls:
-    secretName: registry-tls
+    secretName: registry-internal-tls
 
 ---
 
@@ -54,6 +54,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "registry.durp.info"
+  commonName: "registry.internal.durp.info"
   dnsNames:
-  - "registry.durp.info"  
+  - "registry.internal.durp.info"

internalproxy/templates/s3.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: s3
+spec:
+  ports:
+    - name: app
+      port: 9768
+      protocol: TCP
+      targetPort: 9768
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: s3
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 9768
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: s3-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: s3
+          port: 9768
+          scheme: http
+  tls:
+    secretName: s3-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3-tls
+spec:
+  secretName: s3-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "s3.internal.durp.info"
+  dnsNames:
+    - "s3.internal.durp.info"

internalproxy/templates/semaphore.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore
+spec:
+  ports:
+    - name: app
+      port: 3001
+      protocol: TCP
+      targetPort: 3001
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: semaphore
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 3001
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: semaphore-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: semaphore
+          port: 3001
+          scheme: http
+  tls:
+    secretName: semaphore-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: semaphore-tls
+spec:
+  secretName: semaphore-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "semaphore.internal.durp.info"
+  dnsNames:
+    - "semaphore.internal.durp.info"

internalproxy/templates/unraid.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: unraid
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: unraid
+subsets:
+  - addresses:
+      - ip: 192.168.20.253
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: unraid-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: unraid
+          port: 443
+          scheme: https
+  tls:
+    secretName: unraid-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: unraid-tls
+spec:
+  secretName: unraid-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "unraid.internal.durp.info"
+  dnsNames:
+    - "unraid.internal.durp.info"

internalproxy/templates/wazuh.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: wazuh
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: wazuh
+subsets:
+  - addresses:
+      - ip: 192.168.20.102
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wazuh-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`wazuh.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: wazuh
+          port: 443
+          scheme: https
+  tls:
+    secretName: wazuh-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-tls
+spec:
+  secretName: wazuh-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "wazuh.internal.durp.info"
+  dnsNames:
+    - "wazuh.internal.durp.info"

kube-prometheus-stack/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: kube-prometheus-stack
   repository: https://prometheus-community.github.io/helm-charts
-  version: 40.5.0
+  version: 63.1.0

kubeclarity/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: kubeclarity
   repository: https://openclarity.github.io/kubeclarity
-  version: 2.22.0
+  version: 2.23.3

longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.3.2
+  version: 1.7.1

longhorn/values.yaml

@@ -57,7 +57,7 @@ longhorn:
           {
             "name":"backup", 
             "task":"backup", 
-            "cron":"0 */6 * * *", 
+            "cron":"0 0 * * ?", 
             "retain":24
           }
         ]'
@@ -76,7 +76,7 @@ longhorn:
     snapshotterReplicaCount: ~
   
   defaultSettings:
-    backupTarget: S3://longhorn@us-east-1/
+    backupTarget: S3://longhorn-master@us-east-1/
     backupTargetCredentialSecret: longhorn-backup-token-secret
     allowRecurringJobWhileVolumeDetached: ~
     createDefaultDiskLabeledNodes: ~

metallb-system/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.14.8
+

metallb-system/templates/config.yaml

@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.20.130-192.168.20.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: poop
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap
+

metallb-system/values.yaml

@@ -0,0 +1,197 @@
+metallb:
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  loadBalancerClass: ""
+
+  rbac:
+    create: true
+
+  prometheus:
+    scrapeAnnotations: false
+    metricsPort: 7472
+    speakerMetricsTLSSecret: ""
+    controllerMetricsTLSSecret: ""
+    rbacPrometheus: true
+    serviceAccount: ""
+    namespace: ""
+    rbacProxy:
+      repository: gcr.io/kubebuilder/kube-rbac-proxy
+      tag: v0.12.0
+      pullPolicy:
+    podMonitor:
+      enabled: false
+      additionalLabels: {}
+      annotations: {}
+      jobLabel: "app.kubernetes.io/name"
+      interval:
+      metricRelabelings: []
+      relabelings: []
+    serviceMonitor:
+      enabled: false
+      speaker:
+        additionalLabels: {}
+        annotations: {}
+        tlsConfig:
+          insecureSkipVerify: true
+      controller:
+        additionalLabels: {}
+        annotations: {}
+        tlsConfig:
+          insecureSkipVerify: true
+      jobLabel: "app.kubernetes.io/name"
+      interval:
+      metricRelabelings: []
+      relabelings: []
+    prometheusRule:
+      enabled: false
+      additionalLabels: {}
+      annotations: {}
+      staleConfig:
+        enabled: true
+        labels:
+          severity: warning
+      configNotLoaded:
+        enabled: true
+        labels:
+          severity: warning
+      addressPoolExhausted:
+        enabled: true
+        labels:
+          severity: alert
+      addressPoolUsage:
+        enabled: true
+        thresholds:
+          - percent: 75
+            labels:
+              severity: warning
+          - percent: 85
+            labels:
+              severity: warning
+          - percent: 95
+            labels:
+              severity: alert
+      bgpSessionDown:
+        enabled: true
+        labels:
+          severity: alert
+
+      extraAlerts: []
+
+  controller:
+    enabled: true
+    # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
+    logLevel: info
+    image:
+      repository: quay.io/metallb/controller
+      tag:
+      pullPolicy:
+    strategy:
+      type: RollingUpdate
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65534
+      fsGroup: 65534
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    priorityClassName: ""
+    runtimeClassName: ""
+    affinity: {}
+    podAnnotations: {}
+    labels: {}
+    livenessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    tlsMinVersion: "VersionTLS12"
+    tlsCipherSuites: ""
+
+    extraContainers: []
+
+  speaker:
+    enabled: true
+    logLevel: debug
+    tolerateMaster: true
+    memberlist:
+      enabled: true
+      mlBindPort: 7946
+      mlBindAddrOverride: ""
+      mlSecretKeyPath: "/etc/ml_secret_key"
+    excludeInterfaces:
+      enabled: true
+    ignoreExcludeLB: false
+
+    image:
+      repository: quay.io/metallb/speaker
+      tag:
+      pullPolicy:
+    updateStrategy:
+      type: RollingUpdate
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+    securityContext: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    priorityClassName: ""
+    affinity: {}
+    runtimeClassName: ""
+    podAnnotations: {}
+    labels:
+      pod-security.kubernetes.io/enforce: privileged
+      pod-security.kubernetes.io/audit: privileged
+      pod-security.kubernetes.io/warn: privileged
+    livenessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    startupProbe:
+      enabled: true
+      failureThreshold: 30
+      periodSeconds: 5
+    frr:
+      enabled: true
+      image:
+        repository: quay.io/frrouting/frr
+        tag: 9.0.2
+        pullPolicy:
+      metricsPort: 7473
+      resources: {}
+    reloader:
+      resources: {}
+    frrMetrics:
+      resources: {}
+    extraContainers: []
+  crds:
+    enabled: true
+    validationFailurePolicy: Fail
+  frrk8s:
+    enabled: false
+

traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 22.1.0
+  version: 24.0.0

traefik/templates/middlewares.yaml

@@ -30,5 +30,7 @@ metadata:
 spec:
   ipWhiteList:
     sourceRange:
-      - 192.168.20.1/32      
+      - 192.168.20.1/32
       - 10.0.0.0/8
+      - 192.168.30.0/24
+      - 192.168.130.0/24

traefik/values.yaml

@@ -730,22 +730,22 @@ traefik:
   ## Create HorizontalPodAutoscaler object.
   ##
   autoscaling:
-    enabled: false
+    enabled: true
-    minReplicas: 1
+    minReplicas: 3
     maxReplicas: 10
     metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 60
     - type: Resource
       resource:
         name: memory
         target:
           type: Utilization
-          averageUtilization: 60
+          averageUtilization: 80
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
     behavior:
       scaleDown:
         stabilizationWindowSeconds: 300
@@ -819,13 +819,13 @@ traefik:
   # Additional serviceAccount annotations (e.g. for oidc authentication)
   serviceAccountAnnotations: {}
 
-  resources: {}
+  resources:
-    # requests:
+    requests:
-    #   cpu: "100m"
+      cpu: "100m"
-    #   memory: "50Mi"
+      memory: "128Mi"
-    # limits:
+    limits:
-    #   cpu: "300m"
+      cpu: "300m"
-    #   memory: "150Mi"
+      memory: "256Mi"
 
   # This example pod anti-affinity forces the scheduler to put traefik pods
   # on nodes where no other traefik pods are scheduled.

vault/values.yaml

@@ -39,14 +39,13 @@ vault:
     ha:
       enabled: false
       replicas: 3
-    resources: {}
+    resources:
-    # resources:
+      requests:
-    #   requests:
+        memory: 256Mi
-    #     memory: 256Mi
+        cpu: 250m
-    #     cpu: 250m
+      limits:
-    #   limits:
+        memory: 256Mi
-    #     memory: 256Mi
+        cpu: 250m
-    #     cpu: 250m
 
     dataStorage:
       enabled: true