update

Mr prd

See merge request developerdurp/homelab!2

argocd/templates/argocd.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: argocd
   destination:
     namespace: argocd

argocd/templates/authentik.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: authentik
+  destination:
+    namespace: authentik
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

argocd/templates/bitwarden.yaml

@@ -1,23 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: internalproxy
+  name: bitwarden
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
-    path: internalproxy
+    targetRevision: prd
+    path: bitwarden
     directory:
       recurse: true
   destination:
     server: https://kubernetes.default.svc
-    namespace: internalproxy
+    namespace: bitwarden
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: false
     syncOptions:
       - CreateNamespace=true   
 

argocd/templates/cert-manager.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: cert-manager
   destination:
     namespace: cert-manager

argocd/templates/crossplane.yml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: crossplane
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: crossplane
+  destination:
+    namespace: crossplane
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/durpapi.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: durpapi
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: durpapi
+  destination:
+    namespace: durpapi
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/durpot.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: durpot
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: durpot
+  destination:
+    namespace: durpot
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/external-dns.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: external-dns
   destination:
     namespace: external-dns

argocd/templates/external-secrets.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: external-secrets
   destination:
     namespace: external-secrets

argocd/templates/gatekeeper.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: gatekeeper
   destination:
     namespace: gatekeeper

argocd/templates/gitlab-runner.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: gitlab-runner
   destination:
     namespace: gitlab-runner

argocd/templates/heimdall.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: heimdall
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: heimdall
+  destination:
+    namespace: heimdall
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/ingress.yaml

@@ -8,9 +8,9 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`argocd.internal.durp.info`)
+  - match: Host(`argocd.internal.prd.durp.info`)
     middlewares:
-    - name: whitelist
+    - name: internal-only
       namespace: traefik  
     kind: Rule
     services:
@@ -22,16 +22,6 @@ spec:
 
 ---
 
-kind: Service
-apiVersion: v1
-metadata:
-  name: argocd-server
-spec:
-  type: ExternalName
-  externalName: argocd-server.argocd.svc.cluster.local  
-
----
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -41,6 +31,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "argocd.internal.durp.info"
+  commonName: "argocd.internal.prd.durp.info"
   dnsNames:
-  - "argocd.internal.durp.info"  
+  - "argocd.internal.prd.durp.info"  

argocd/templates/krakend.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: krakend
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: krakend
+  destination:
+    namespace: krakend
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/kube-prometheus-stack.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: kube-prometheus-stack
   destination:
     namespace: kube-prometheus-stack

argocd/templates/kubeclarity.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: kubeclarity
   destination:
     namespace: kubeclarity

argocd/templates/littlelink.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: littlelink
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: littlelink
+    directory:
+      recurse: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: littlelink
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true        

argocd/templates/longhorn.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: longhorn
   destination:
     namespace: longhorn-system

argocd/templates/metallb-system.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: metallb-system
   destination:
     namespace: metallb-system
@@ -19,4 +19,3 @@ spec:
     syncOptions:
       - CreateNamespace=true 
 
-

argocd/templates/nfs-client.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nfs-client
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: nfs-client
+    directory:
+      recurse: true
+  destination:
+    namespace: nfs-client
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

argocd/templates/open-webui.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-webui
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: prd
+    path: open-webui
+  destination:
+    namespace: open-webui
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

argocd/templates/secrets.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-argocd
+  labels:
+    app.kubernetes.io/part-of: argocd
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: client-secret
+  data:
+  - secretKey: clientSecret
+    remoteRef:
+      key: secrets/argocd/authentik
+      property: clientsecret

argocd/templates/traefik.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: traefik
   destination:
     namespace: traefik

argocd/templates/uptimekuma.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: uptimekuma
     directory:
       recurse: true

argocd/templates/vault.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: dmz
+    targetRevision: prd
     path: vault
   destination:
     namespace: vault

argocd/values.yaml

@@ -33,13 +33,13 @@ argo-cd:
     cm:
       create: true
       annotations: {}
-      url: https://argocd.internal.durp.info
+      url: https://argocd.internal.prd.durp.info
       oidc.tls.insecure.skip.verify: "true"
       dex.config: |
         connectors:
           - config:
-              issuer: https://authentik.durp.info/application/o/argocd/
-              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+              issuer: https://authentik.prd.durp.info/application/o/argocd/
+              clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
               clientSecret: $client-secret:clientSecret
               insecureEnableGroups: true
               scopes:

authentik/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: authentik
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: authentik
+  repository: https://charts.goauthentik.io
+  version: 2024.4.1

authentik/templates/authentik-pv.yaml

@@ -0,0 +1,24 @@
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+#  annotations:
+#    pv.kubernetes.io/provisioned-by: durp.info/nfs
+#  finalizers:
+#  - kubernetes.io/pv-protection
+#  name: authentik-pv
+#spec:
+#  accessModes:
+#  - ReadWriteMany
+#  capacity:
+#    storage: 10Gi
+#  claimRef:
+#    apiVersion: v1
+#    kind: PersistentVolumeClaim
+#    name: authentik-pvc
+#    namespace: authentik
+#  nfs:
+#    path: /mnt/user/k3s/authentik
+#    server: 192.168.20.253
+#  persistentVolumeReclaimPolicy: Retain
+#  storageClassName: nfs-storage
+#  volumeMode: Filesystem

authentik/templates/authentik-pvc.yaml

@@ -0,0 +1,18 @@
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+#  labels:
+#    app.kubernetes.io/component: app
+#    app.kubernetes.io/instance: authentik
+#    app.kubernetes.io/managed-by: Helm
+#    app.kubernetes.io/name: authentik
+#    helm.sh/chart: authentik-2.14.4
+#  name: authentik-pvc
+#  namespace: authentik
+#spec:
+#  accessModes:
+#    - ReadWriteMany
+#  resources:
+#    requests:
+#      storage: 10Gi
+#  storageClassName: nfs-storage

authentik/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    services:
+    - name: authentik-server
+      port: 80
+  tls:
+    secretName: authentik-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  secretName: authentik-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "authentik.prd.durp.info"
+  dnsNames:
+  - "authentik.prd.durp.info" 
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.prd.durp.info
+spec:
+  type: ExternalName
+  externalName:.prd.durp.info

authentik/templates/secrets.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: db-pass
+  data:
+  - secretKey: dbpass
+    remoteRef:
+      key: secrets/authentik/database
+      property: dbpass
+  - secretKey: secretkey
+    remoteRef:
+      key: secrets/authentik/database
+      property: secretkey     
+  - secretKey: postgresql-postgres-password 
+    remoteRef:
+      key: secrets/authentik/database
+      property: dbpass
+  - secretKey: postgresql-password 
+    remoteRef:
+      key: secrets/authentik/database
+      property: dbpass
+        

authentik/values.yaml

@@ -0,0 +1,60 @@
+authentik:
+  global:
+    env: 
+      - name: AUTHENTIK_REDIS__DB
+        value: "1"
+      - name: AUTHENTIK_POSTGRESQL__PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: db-pass
+            key: dbpass
+      - name: AUTHENTIK_SECRET_KEY
+        valueFrom:
+          secretKeyRef:
+            name: db-pass
+            key: secretkey
+    revisionHistoryLimit: 1
+    image:
+      repository: registry.internal.durp.info/goauthentik/server
+      pullPolicy: Always
+  authentik:
+    outposts:
+      container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s
+    postgresql:
+      host: '{{ .Release.Name }}-postgresql-hl'
+      name: "authentik"
+      user: "authentik"
+      port: 5432
+  server:
+    name: server
+    replicas: 3
+  postgresql:
+    enabled: true
+    image:
+      registry: registry.internal.durp.info
+      repository: bitnami/postgresql
+      pullPolicy: Always
+    auth:
+      username: "authentik"
+      existingSecret: db-pass
+      secretKeys:
+        adminPasswordKey: dbpass 
+        userPasswordKey: dbpass
+        
+          #postgresqlUsername: "authentik"
+          #postgresqlDatabase: "authentik"
+          #existingSecret: db-pass 
+    persistence:
+      enabled: true
+      storageClass: longhorn
+      accessModes:
+        - ReadWriteMany
+  redis:
+    enabled: true
+    image:
+      registry: registry.internal.durp.info
+      repository: bitnami/redis
+      pullPolicy: Always
+    architecture: standalone
+    auth:
+      enabled: false

bitwarden/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
-name: internalproxy
+name: bitwarden
 description: A Helm chart for Kubernetes
 type: application
 
 version: 0.1.0
-appVersion: "0.1.0"
+appVersion: "1.16.0"

bitwarden/templates/bitwarden-pv.yaml

@@ -0,0 +1,25 @@
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+#  annotations:
+#    pv.kubernetes.io/provisioned-by: durp.info/nfs
+#  finalizers:
+#  - kubernetes.io/pv-protection
+#  name: bitwarden-pv
+#spec:
+#  accessModes:
+#  - ReadWriteMany
+#  capacity:
+#    storage: 10Gi
+#  claimRef:
+#    apiVersion: v1
+#    kind: PersistentVolumeClaim
+#    name: bitwarden-pvc
+#    namespace: bitwarden
+#  nfs:
+#    path: /mnt/user/k3s/bitwarden
+#    server: 192.168.20.253
+#  persistentVolumeReclaimPolicy: Retain
+#  storageClassName: nfs-storage
+#  volumeMode: Filesystem
+#

bitwarden/templates/bitwarden-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bitwarden-pvc
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

bitwarden/templates/deployment.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: bitwarden
+  name: bitwarden
+  labels:
+    app: bitwarden
+spec:
+  selector:
+    matchLabels:
+      app: bitwarden
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: bitwarden
+    spec:
+      containers:
+      - name: bitwarden
+        image: registry.internal.durp.info/vaultwarden/server:1.30.5
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: bitwarden-pvc
+          mountPath: /data
+          subPath: bitwaren-data              
+        ports:
+        - name: http
+          containerPort: 80
+        env:
+          - name: SIGNUPS_ALLOWED
+            value: "TRUE"
+          - name: INVITATIONS_ALLOWED
+            value: "FALSE"                      
+          - name: WEBSOCKET_ENABLED
+            value: "TRUE"          
+          - name: ROCKET_ENV
+            value: "staging"              
+          - name: ROCKET_PORT
+            value: "80"            
+          - name: ROCKET_WORKERS
+            value: "10"
+          - name: ADMIN_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: bitwarden-secret
+                key: ADMIN_TOKEN
+      volumes:
+      - name: bitwarden-pvc
+        persistentVolumeClaim:
+          claimName: bitwarden-pvc             

bitwarden/templates/ingress.yaml

@@ -0,0 +1,63 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: bitwarden
+      port: 80
+  tls:
+    secretName: bitwarden-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls
+spec:
+  secretName: bitwarden-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "bitwarden.prd.durp.info"
+  dnsNames:
+  - "bitwarden.prd.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: bitwarden-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: bitwarden.prd.durp.info
+spec:
+  type: ExternalName
+  externalName:.prd.durp.info
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-admin-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/admin`)
+    kind: Rule
+    middlewares:
+    - name: whitelist
+      namespace: traefik  
+    services:
+    - name: bitwarden
+      port: 80
+  tls:
+    secretName: bitwarden-tls

bitwarden/templates/secrets.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: bitwarden-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: bitwarden-secret
+  data:
+  - secretKey: ADMIN_TOKEN
+    remoteRef:
+      key: secrets/bitwarden/admin
+      property: ADMIN_TOKEN
+

bitwarden/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bitwarden
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    protocol: TCP
+  selector:
+    app: bitwarden

cert-manager/templates/self-signed.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
+  selfSigned: {}

crossplane/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: crossplane
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: crossplane
+  repository: https://charts.crossplane.io/stable
+  version: 1.16.0

crossplane/templates/gitlab.yml

@@ -0,0 +1,55 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-gitlab
+spec:
+  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret
+  data:
+  - secretKey: accesstoken
+    remoteRef:
+      key: secrets/gitlab/token
+      property: accesstoken
+
+---
+
+#apiVersion: gitlab.crossplane.io/v1beta1
+#kind: ProviderConfig
+#metadata:
+#  name: gitlab-provider
+#spec:
+#  baseURL: https://gitlab.com/
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: crossplane
+#      name: gitlab-secret
+#      key: accesstoken
+#
+#---
+#
+#apiVersion: projects.gitlab.crossplane.io/v1alpha1
+#kind: Project
+#metadata:
+#  name: example-project
+#spec:
+#  deletionPolicy: Orphan
+#  forProvider:
+#    name: "Example Project"
+#    description: "example project description"
+#  providerConfigRef:
+#    name: gitlab-provider
+#    policy:
+#      resolution: Optional
+#      resolve: Always

crossplane/values.yaml

@@ -0,0 +1,186 @@
+# helm-docs renders these comments into markdown. Use markdown formatting where
+# appropiate.
+#
+# -- The number of Crossplane pod `replicas` to deploy.
+replicas: 1
+
+# -- The deployment strategy for the Crossplane and RBAC Manager pods.
+deploymentStrategy: RollingUpdate
+
+image:
+  # -- Repository for the Crossplane pod image.
+  repository: xpkg.upbound.io/crossplane/crossplane
+  # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
+  tag: ""
+  # -- The image pull policy used for Crossplane and RBAC Manager pods.
+  pullPolicy: IfNotPresent
+
+# -- Add `nodeSelectors` to the Crossplane pod deployment.
+nodeSelector: {}
+# -- Add `tolerations` to the Crossplane pod deployment.
+tolerations: []
+# -- Add `affinities` to the Crossplane pod deployment.
+affinity: {}
+
+# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
+hostNetwork: false
+
+# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
+dnsPolicy: ""
+
+# -- Add custom `labels` to the Crossplane pod deployment.
+customLabels: {}
+
+# -- Add custom `annotations` to the Crossplane pod deployment.
+customAnnotations: {}
+
+serviceAccount:
+  # -- Add custom `annotations` to the Crossplane ServiceAccount.
+  customAnnotations: {}
+
+# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
+leaderElection: true
+# -- Add custom arguments to the Crossplane pod.
+args: []
+
+provider:
+  # -- A list of Provider packages to install.
+  packages: []
+
+configuration:
+  # -- A list of Configuration packages to install.
+  packages: []
+
+function:
+  # -- A list of Function packages to install
+  packages: []
+
+# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
+imagePullSecrets: []
+
+registryCaBundleConfig:
+  # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  name: ""
+  # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  key: ""
+
+service:
+  # -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
+  customAnnotations: {}
+
+webhooks:
+  # -- Enable webhooks for Crossplane and installed Provider packages.
+  enabled: true
+
+rbacManager:
+  # -- Deploy the RBAC Manager pod and its required roles.
+  deploy: true
+  # -- Don't install aggregated Crossplane ClusterRoles.
+  skipAggregatedClusterRoles: false
+  # -- The number of RBAC Manager pod `replicas` to deploy.
+  replicas: 1
+  # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
+  leaderElection: true
+  # -- Add custom arguments to the RBAC Manager pod.
+  args: []
+  # -- Add `nodeSelectors` to the RBAC Manager pod deployment.
+  nodeSelector: {}
+  # -- Add `tolerations` to the RBAC Manager pod deployment.
+  tolerations: []
+  # -- Add `affinities` to the RBAC Manager pod deployment.
+  affinity: {}
+
+# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
+priorityClassName: ""
+
+resourcesCrossplane:
+  limits:
+    # -- CPU resource limits for the Crossplane pod.
+    cpu: 500m
+    # -- Memory resource limits for the Crossplane pod.
+    memory: 1024Mi
+  requests:
+    # -- CPU resource requests for the Crossplane pod.
+    cpu: 100m
+    # -- Memory resource requests for the Crossplane pod.
+    memory: 256Mi
+
+securityContextCrossplane:
+  # -- The user ID used by the Crossplane pod.
+  runAsUser: 65532
+  # -- The group ID used by the Crossplane pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
+  allowPrivilegeEscalation: false
+  # -- Set the Crossplane pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+packageCache:
+  # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
+  medium: ""
+  # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
+  sizeLimit: 20Mi
+  # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  pvc: ""
+  # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  configMap: ""
+
+resourcesRBACManager:
+  limits:
+    # -- CPU resource limits for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource limits for the RBAC Manager pod.
+    memory: 512Mi
+  requests:
+    # -- CPU resource requests for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource requests for the RBAC Manager pod.
+    memory: 256Mi
+
+securityContextRBACManager:
+  # -- The user ID used by the RBAC Manager pod.
+  runAsUser: 65532
+  # -- The group ID used by the RBAC Manager pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
+  allowPrivilegeEscalation: false
+  # -- Set the RBAC Manager pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+metrics:
+  # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
+  enabled: false
+
+# -- Add custom environmental variables to the Crossplane pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsCrossplane: {}
+
+# -- Add custom environmental variables to the RBAC Manager pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsRBACManager: {}
+
+# -- Add a custom `securityContext` to the Crossplane pod.
+podSecurityContextCrossplane: {}
+
+# -- Add a custom `securityContext` to the RBAC Manager pod.
+podSecurityContextRBACManager: {}
+
+# -- Add custom `volumes` to the Crossplane pod.
+extraVolumesCrossplane: {}
+
+# -- Add custom `volumeMounts` to the Crossplane pod.
+extraVolumeMountsCrossplane: {}
+
+# -- To add arbitrary Kubernetes Objects during a Helm Install
+extraObjects: []
+  # - apiVersion: pkg.crossplane.io/v1alpha1
+  #   kind: ControllerConfig
+  #   metadata:
+  #     name: aws-config
+  #     annotations:
+  #       eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
+  #       helm.sh/hook: post-install
+  #   spec:
+  #     podSecurityContext:
+  #       fsGroup: 2000
+

durpapi/Chart.yaml

@@ -0,0 +1,11 @@
+description: A Helm chart for Kubernetes
+name: durpapi
+appVersion: 0.1.0
+dependencies:
+- condition: postgresql.enabled
+  name: postgresql
+  version: 12.5.*
+  repository: https://charts.bitnami.com/bitnami
+version: 0.1.0-dev0184
+apiVersion: v2
+type: application

durpapi/templates/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app: {{ .Chart.Name }}
+spec:
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: {{ .Chart.Name }}
+  replicas: {{ .Values.deployment.hpa.minReplicas }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Chart.Name }}
+    spec:
+      containers:
+      - name: api
+        image: "{{ .Values.deployment.image }}:{{ default .Chart.Version .Values.deployment.tag }}"
+        imagePullPolicy: {{ .Values.deployment.imagePullPolicy }}   
+        readinessProbe:
+          {{- toYaml .Values.deployment.probe.readiness | nindent 12 }}
+        livenessProbe:
+          {{- toYaml .Values.deployment.probe.liveness | nindent 12 }}
+        startupProbe:
+          {{- toYaml .Values.deployment.probe.startup | nindent 12 }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.service.targetport }}
+        env:
+          - name: host
+            value: {{ .Values.swagger.host }}
+          - name: version
+            value: {{ default .Chart.Version .Values.deployment.tag }}
+        envFrom:
+        - secretRef:
+            name: {{ .Values.deployment.secretfile }} 

durpapi/templates/hpa.yaml

@@ -0,0 +1,24 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: "{{ .Chart.Name }}-hpa"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ .Chart.Name }}
+  minReplicas: {{ .Values.deployment.hpa.minReplicas  }}
+  maxReplicas: {{ .Values.deployment.hpa.maxReplicas  }}
+  metrics:
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: 80
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 40

durpapi/templates/ingress.yaml

@@ -0,0 +1,44 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: "{{ .Chart.Name }}-ingress"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host("api.prd.durp.info") && PathPrefix(`/api`)
+    kind: Rule
+    middlewares:
+      - name: jwt
+    services:
+    - name: "durpapi-service"
+      port: 80
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: "{{ .Chart.Name }}-swagger"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host("api.prd.durp.info") && PathPrefix(`/swagger`)
+    kind: Rule
+    services:
+    - name: "durpapi-service"
+      port: 80
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: jwt
+spec:
+  plugin:
+    jwt:
+      Required: true
+      Keys:
+        - https://authentik.prd.durp.info/application/o/api/jwks/

durpapi/templates/secrets.yaml

@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: durpapi-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: durpapi-secret
+  data:
+  - secretKey: db_host
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_host
+  - secretKey: db_port
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_port
+  - secretKey: db_pass
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_pass
+  - secretKey: db_user
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_user                                                        
+  - secretKey: db_sslmode
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_sslmode
+  - secretKey: db_name
+    remoteRef:
+      key: secrets/durpapi/postgres
+      property: db_name
+  - secretKey: llamaurl
+    remoteRef:
+      key: secrets/durpapi/llamaurl
+      property: llamaurl

durpapi/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Chart.Name }}-service"
+spec:
+  ports:
+  - name: http
+    port: {{ .Values.service.port }}
+    targetPort: {{ .Values.service.targetport }}
+    protocol: TCP
+  selector:
+    app: {{ .Chart.Name }}

durpapi/values.yaml

@@ -0,0 +1,39 @@
+ingress:
+  enabled: false
+deployment: 
+  image: registry.internal.durp.info/developerdurp/durpapi
+  secretfile: durpapi-secret
+  imagePullPolicy: Always
+  hpa:
+    minReplicas: 3
+    maxReplicas: 10
+  probe:
+    readiness:  
+      httpGet:
+        path: /api/health/gethealth
+        port: 8080
+    liveness: 
+      httpGet:
+        path: /api/health/gethealth
+        port: 8080
+    startup: 
+      httpGet:
+        path: /api/health/gethealth
+        port: 8080
+service:
+  type: ClusterIP
+  port: 80
+  targetport: 8080
+
+swagger:
+  host: api.durp.info
+postgresql:
+  enabled: true
+  auth:
+    existingSecret: durpapi-secret
+    secretKeys:
+      adminPasswordKey: db_pass
+      userPasswordKey: db_pass
+      replicationPasswordKey: db_pass
+    database: postgres
+    username: postgres

durpot/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: durpapi
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: durpot
+  repository: https://gitlab.com/api/v4/projects/45025485/packages/helm/stable
+  version: 0.1.0-dev0038

durpot/templates/secrets.yaml

@@ -0,0 +1,43 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: durpot-secert
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: durpot-secret
+  data:
+  - secretKey: OPENAI_API_KEY
+    remoteRef:
+      key: secrets/durpot/openai
+      property: OPENAI_API_KEY
+  - secretKey: BOTPREFIX
+    remoteRef:
+      key: secrets/durpot/discord
+      property: BOTPREFIX
+  - secretKey: ChannelID
+    remoteRef:
+      key: secrets/durpot/discord
+      property: ChannelID
+  - secretKey: TOKEN
+    remoteRef:
+      key: secrets/durpot/discord
+      property: TOKEN
+  - secretKey: ClientID
+    remoteRef:
+      key: secrets/durpot/auth
+      property: ClientID
+  - secretKey: Password
+    remoteRef:
+      key: secrets/durpot/auth
+      property: Password
+  - secretKey: TokenURL
+    remoteRef:
+      key: secrets/durpot/auth
+      property: TokenURL
+  - secretKey: Username
+    remoteRef:
+      key: secrets/durpot/auth
+      property: Username

external-dns/values.yaml

@@ -4,7 +4,7 @@ external-dns:
 
   image:
     pullPolicy: Always
-  txtPrefix: "dmz-"
+  txtPrefix: "prd-"
   sources:
     - service
 

external-secrets/templates/secret-store.yaml

@@ -1,33 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault
-spec:
-  provider:
-    vault:
-      server: "https://vault.internal.prd.durp.info"
-      path: "secrets"
-      version: "v2"
-      auth:
-        kubernetes:
-          mountPath: "kubernetes"
-          role: "dmz-external-secrets"
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: cloudflare-api-token-secret
-spec:
-  secretStoreRef:
-    name: vault
-    kind: ClusterSecretStore
-  target:
-    name: cloudflare-api-token-secret
-  data:
-  - secretKey: cloudflare-api-token-secret
-    remoteRef:
-      key: secrets/cert-manager
-      property: cloudflare-api-token-secret
-

heimdall/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: heimdall
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: heimdall
+  repository: https://djjudas21.github.io/charts/
+  version: 8.5.2

heimdall/templates/ingress.yaml

@@ -0,0 +1,52 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  annotations:
+  name: heimdall-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`heimdall.prd.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: heimdall
+      port: 80
+  - match: Host(`heimdall.prd.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+    kind: Rule
+    services:
+    - name: ak-outpost-authentik-embedded-outpost
+      namespace: authentik
+      port: 9000
+  tls:
+    secretName: heimdall-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: heimdall-tls
+spec:
+  secretName: heimdall-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "heimdall.prd.durp.info"
+  dnsNames:
+  - "heimdall.prd.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: heimdall-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: heimdall.prd.durp.info
+spec:
+  type: ExternalName
+  externalName:.prd.durp.info

heimdall/values.yaml

@@ -0,0 +1,28 @@
+heimdall:
+
+  image:
+    registry: 
+    repository: registry.internal.durp.info/linuxserver/heimdall
+    pullPolicy: Always    
+
+  env:
+    TZ: UTC
+    PUID: "1000"
+    PGID: "1000"
+
+  service:
+    main:
+      annotations:
+          external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info
+          external-dns.alpha.kubernetes.io/target: home.durp.info
+      ports:
+        http:
+          port: 80
+
+  ingress:
+    main:
+      enabled: false
+
+  persistence:
+    config:
+      enabled: true

internalproxy/templates/duplicati-ingress.yaml

@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: duplicati
-spec:
-  ports:
-  - name: app
-    port: 8200
-    protocol: TCP
-    targetPort: 8200
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: duplicati
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8200
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: duplicati-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: duplicati
-      port: 8200
-  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
-    kind: Rule
-    services:
-    - name: ak-outpost-authentik-embedded-outpost
-      namespace: authentik
-      port: 9000
-  tls:
-    secretName: duplicati-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: duplicati-tls
-spec:
-  secretName: duplicati-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "duplicati.internal.durp.info"
-  dnsNames:
-  - "duplicati.internal.durp.info"  

internalproxy/templates/gitea.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: gitea-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/guac.yaml

@@ -1,71 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: guac-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: guac
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: guac
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: guac-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: guac
-      port: 8082
-  tls:
-    secretName: guac-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: guac-tls
-spec:
-  secretName: guac-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "guac.durp.info"
-  dnsNames:
-  - "guac.durp.info"  

internalproxy/templates/jellyfin.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: jellyfin-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/kasm.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: kasm-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/nexus.yaml

@@ -1,71 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nexus
-spec:
-  ports:
-  - name: app
-    port: 8081
-    protocol: TCP
-    targetPort: 8081
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: nexus
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8081
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: nexus-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`nexus.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: nexus
-      port: 8081
-  tls:
-    secretName: nexus-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: nexus-tls
-spec:
-  secretName: nexus-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "nexus.durp.info"
-  dnsNames:
-  - "nexus.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: nexus-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: nexus.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/plex.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: plex-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/registry-internal.yaml

@@ -1,59 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry-internal
-spec:
-  ports:
-  - name: app
-    port: 5001
-    protocol: TCP
-    targetPort: 5001
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: registry-internal
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 5001
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-internal-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry-internal
-      port: 5001
-  tls:
-    secretName: registry-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: registry-internal-tls
-spec:
-  secretName: registry-internal-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "registry.durp.info"
-  dnsNames:
-  - "registry.durp.info"  

internalproxy/templates/registry.yaml

@@ -1,71 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry
-spec:
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-    targetPort: 5000
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: registry
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry
-      port: 5000
-  tls:
-    secretName: registry-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: registry-tls
-spec:
-  secretName: registry-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "registry.durp.info"
-  dnsNames:
-  - "registry.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/smokeping.yaml

@@ -1,82 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: smokeping
-spec:
-  ports:
-  - name: app
-    port: 81
-    protocol: TCP
-    targetPort: 81
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: smokeping
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 81
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: smokeping-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`smokeping.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: smokeping
-      port: 81
-  - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
-    kind: Rule
-    services:
-    - name: ak-outpost-authentik-embedded-outpost
-      namespace: authentik
-      port: 9000
-  tls:
-    secretName: smokeping-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: smokeping-tls
-spec:
-  secretName: smokeping-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "smokeping.durp.info"
-  dnsNames:
-  - "smokeping.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: smokeping-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/speedtest.yaml

@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/tdarr.yaml

@@ -1,67 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: tdarr
-spec:
-  ports:
-  - name: app
-    port: 8267
-    protocol: TCP
-    targetPort: 8267
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: tdarr
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8267
-    protocol: TCP
-
----
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: tdarr-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`tdarr.internal.durp.info`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik  
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: tdarr
-      port: 8267
-      scheme: http
-  tls:
-    secretName: tdarr-tls  
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: tdarr-tls
-spec:
-  secretName: tdarr-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "tdarr.internal.durp.info"
-  dnsNames:
-  - "tdarr.internal.durp.info"  

krakend/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: krakend
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

krakend/templates/deployments.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: krakend
+  name: krakend
+  labels:
+    app: krakend
+spec:
+  selector:
+    matchLabels:
+      app: krakend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: krakend
+    spec:
+      volumes:
+      - name: krakend-secret
+        secret:
+          secretName: krakend-secret
+      containers:
+      - name: krakend
+        image: registry.internal.durp.info/devopsfaith/krakend:2.4.3
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /__health
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /__health
+            port: 8080            
+        ports:
+        - name: http
+          containerPort: 8080          
+        volumeMounts:
+        - name: krakend-secret
+          mountPath: /etc/krakend

krakend/templates/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-tls
+spec:
+  secretName: api-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "api.prd.durp.info"
+  dnsNames:
+  - "api.prd.durp.info"        
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: krakend-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`api.prd.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: krakend-service
+          port: 8080
+          scheme: http
+  tls:
+    secretName: api-tls
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: api-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: api.prd.durp.info
+spec:
+  type: ExternalName
+  externalName:.prd.durp.info
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: api-developer-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: developer.prd.durp.info
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
+spec:
+  type: ExternalName
+  externalName: developerdurp.github.io

krakend/templates/secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: krakend-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: krakend-secret
+  data:
+  - secretKey: krakend.json
+    remoteRef:
+      key: secrets/krakend/config
+      property: config

krakend/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: krakend-service
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  selector:
+    app: krakend

kube-prometheus-stack/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`grafana.durp.info`) && PathPrefix(`/`) 
+  - match: Host(`grafana.prd.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
     - name: grafana
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "grafana.durp.info"
+  commonName: "grafana.prd.durp.info"
   dnsNames:
-  - "grafana.durp.info"  
+  - "grafana.prd.durp.info"  
 
 ---
 
@@ -39,7 +39,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) 
+  - match: Host(`alertmanager.prd.durp.info`) && PathPrefix(`/`) 
     middlewares:
     - name: whitelist
       namespace: traefik
@@ -63,9 +63,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "alertmanager.durp.info"
+  commonName: "alertmanager.prd.durp.info"
   dnsNames:
-  - "alertmanager.durp.info"  
+  - "alertmanager.prd.durp.info"  
 
 ---
 
@@ -74,7 +74,7 @@ apiVersion: v1
 metadata:
   name: grafana-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+    external-dns.alpha.kubernetes.io/hostname: grafana.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info  
+  externalName:.prd.durp.info  

kubeclarity/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`)
+  - match: Host(`kubeclarity.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: whitelist
       namespace: traefik
@@ -30,9 +30,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "kubeclarity.durp.info"
+  commonName: "kubeclarity.prd.durp.info"
   dnsNames:
-  - "kubeclarity.durp.info"  
+  - "kubeclarity.prd.durp.info"  
 
 ---
 
@@ -41,7 +41,7 @@ apiVersion: v1
 metadata:
   name: kubeclarity-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info
+    external-dns.alpha.kubernetes.io/hostname: kubeclarity.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info

littlelink/templates/deployment.yaml

@@ -0,0 +1,99 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: littlelink
+  name: littlelink
+  labels:
+    app: littlelink
+spec:
+  selector:
+    matchLabels:
+      app: littlelink
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: littlelink
+    spec:
+      containers:
+      - name: littlelink
+        image: registry.internal.durp.info/techno-tim/littlelink-server:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000            
+        env:
+          - name: META_TITLE
+            value: DeveloperDurp
+          - name: META_DESCRIPTION
+            value: The Durpy Developer
+          - name: META_AUTHOR
+            value: DeveloperDurp
+          - name: LANG
+            value: en
+          - name: META_INDEX_STATUS
+            value: all
+          - name: OG_TITLE
+            value: DeveloperDurp
+          - name: OG_DESCRIPTION
+            value: DeveloperDurp
+          - name: OG_URL
+            value: https://gitlab.com/developerdurp
+          - name: OG_IMAGE
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : OG_IMAGE_WIDTH
+            value: "400"
+          - name : OG_IMAGE_HEIGHT
+            value: "400"
+          - name : THEME
+            value: Dark 
+          - name : FAVICON_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_2X_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
+          - name : AVATAR_ALT
+            value: DeveloperDurp Profile Pic
+          - name : NAME
+            value: DeveloperDurp
+          - name : BIO
+            value: Sup Nerd,
+          - name : BUTTON_ORDER
+            value: GITHUB,GITLAB,YOUTUBE,TWITTER,COFFEE,EMAIL
+          - name : TWITTER
+            value: https://twitter.com/developerdurp                
+          - name : GITHUB
+            value: https://github.com/DeveloperDurp
+          - name : GITLAB
+            value: https://gitlab.com/developerdurp
+          - name: YOUTUBE
+            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
+          - name : EMAIL
+            value: DeveloperDurp@durp.info
+          - name : EMAIL_TEXT
+            value: DeveloperDurp@durp.info            
+          - name : FOOTER
+            value: DeveloperDurp © 2022         
+          - name: CUSTOM_BUTTON_TEXT
+            value: BuyMeACoffee
+          - name: CUSTOM_BUTTON_URL
+            value: https://www.buymeacoffee.com/DeveloperDurp
+          - name: CUSTOM_BUTTON_COLOR
+            value: '#ffdd00'          
+          - name: CUSTOM_BUTTON_TEXT_COLOR
+            value: '#000000'
+          - name: CUSTOM_BUTTON_ALT_TEXT
+            value: Support
+          - name: CUSTOM_BUTTON_NAME
+            value: COFFEE
+          - name: CUSTOM_BUTTON_ICON
+            value: fa-solid fa-cup-togo
+        ports:
+        - name: http
+          containerPort: 3000          

littlelink/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: littlelink-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`links.prd.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: littlelink
+      port: 80
+  tls:
+    secretName: littlelink-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: littlelink-tls
+spec:
+  secretName: littlelink-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "links.prd.durp.info"
+  dnsNames:
+  - "links.prd.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: links-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: links.prd.durp.info
+spec:
+  type: ExternalName
+  externalName:.prd.durp.info

littlelink/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: littlelink
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: littlelink

longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.3.2
+  version: 1.6.1

longhorn/templates/ingress.yaml

@@ -6,17 +6,17 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`)
+  - match: Host(`longhorn.internal.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: whitelist
       namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
+        #- name: authentik-proxy-provider
+        #  namespace: traefik  
     kind: Rule
     services:
     - name: longhorn-frontend
       port: 80
-  - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+  - match: Host(`longhorn.internal.prd.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
     kind: Rule
     services:
     - name: ak-outpost-authentik-embedded-outpost
@@ -36,6 +36,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "longhorn.internal.durp.info"
+  commonName: "longhorn.internal.prd.durp.info"
   dnsNames:
-  - "longhorn.internal.durp.info"  
+  - "longhorn.internal.prd.durp.info"  

longhorn/values.yaml

@@ -47,7 +47,7 @@ longhorn:
   persistence:
     defaultClass: true
     defaultFsType: ext4
-    defaultClassReplicaCount: 3
+    defaultClassReplicaCount: 1
     defaultDataLocality: disabled # best-effort otherwise
     reclaimPolicy: Retain
     migratable: false
@@ -76,7 +76,7 @@ longhorn:
     snapshotterReplicaCount: ~
   
   defaultSettings:
-    backupTarget: S3://longhorn@us-east-1/
+    backupTarget: S3://longhorn-prd@us-east-1/
     backupTargetCredentialSecret: longhorn-backup-token-secret
     allowRecurringJobWhileVolumeDetached: ~
     createDefaultDiskLabeledNodes: ~
@@ -238,7 +238,7 @@ longhorn:
     #   certificate:
   
   # Configure a pod security policy in the Longhorn namespace to allow privileged pods
-  enablePSP: true
+  enablePSP: false
   
   ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
   ## and its release namespace is not the `longhorn-system`

metallb-system/Chart.yaml

@@ -10,4 +10,3 @@ dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
   version: 0.14.5
-

metallb-system/templates/config.yaml

@@ -4,14 +4,13 @@ metadata:
   name: cheap
 spec:
   addresses:
-    - 192.168.20.34-192.168.20.39
+    - 192.168.11.130-192.168.11.140
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: pool
+  name: poop
   namespace: metallb-system
 spec:
   ipAddressPools:
   - cheap
-

metallb-system/values.yaml

@@ -194,4 +194,3 @@ metallb:
     validationFailurePolicy: Fail
   frrk8s:
     enabled: false
-

nfs-client/Chart.yml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: nfs-client
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+

nfs-client/templates/cluster-role-binding.yml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: run-nfs-client-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: nfs-client-provisioner
+    namespace: nfs-client 
+roleRef:
+  kind: ClusterRole
+  name: nfs-client-provisioner-runner
+  apiGroup: rbac.authorization.k8s.io

nfs-client/templates/cluster-role.yml

@@ -0,0 +1,20 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: nfs-client-provisioner-runner  
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]   

nfs-client/templates/provisioner.yml

@@ -0,0 +1,42 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: nfs-client-provisioner
+  namespace: nfs-client 
+spec:
+  selector:
+    matchLabels:
+      app: nfs-client-provisioner
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: nfs-client-provisioner
+    spec:
+      serviceAccountName: nfs-client-provisioner
+      containers:
+        - name: nfs-client-provisioner
+          image: gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.0
+          resources:
+            requests:
+              cpu: 500m
+              memory: 512Mi
+            limits:
+              memory: 1Gi
+          volumeMounts:
+            - name: nfs-client-ssd
+              mountPath: /persistentvolumes
+          env:
+            - name: PROVISIONER_NAME
+              value: durp.info/nfs
+            - name: NFS_SERVER
+              value: 192.168.20.253
+            - name: NFS_PATH
+              value: /mnt/user/k3s-dev 
+      volumes:
+        - name: nfs-client-ssd
+          nfs:
+            server: 192.168.20.253
+            path: /mnt/user/k3s-dev

nfs-client/templates/role-binding.yml

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-nfs-client-provisioner
+  namespace: nfs-client
+subjects:
+  - kind: ServiceAccount
+    name: nfs-client-provisioner    
+    namespace: nfs-client 
+roleRef:
+  kind: Role
+  name: leader-locking-nfs-client-provisioner
+  apiGroup: rbac.authorization.k8s.io

nfs-client/templates/role.yml

@@ -0,0 +1,9 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-nfs-client-provisioner
+  namespace: nfs-client 
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]

nfs-client/templates/service-account.yml

@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: nfs-client-provisioner
+  namespace: nfs-client 

nfs-client/templates/storage-class.yml

@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs-storage
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "false"
+provisioner: durp.info/nfs
+parameters:
+  archiveOnDelete: "false"
+reclaimPolicy: Retain

open-webui/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: open-webui
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

open-webui/templates/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: open-webui
+  name: open-webui
+  labels:
+    app: open-webui
+spec:
+  selector:
+    matchLabels:
+      app: open-webui
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: open-webui
+    spec:
+      containers:
+      - name: open-webui
+        image: registry.internal.durp.info/open-webui/open-webui:main
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: open-webui-pvc
+          mountPath: /app/backend/data
+        ports:
+        - name: http
+          containerPort: 8080
+        env:
+          - name: OLLAMA_BASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: open-webui-secret
+                key: OLLAMA_BASE_URL
+      volumes:
+      - name: open-webui-pvc
+        persistentVolumeClaim:
+          claimName: open-webui-pvc             

open-webui/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: open-webui-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`open-webui.prd.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: open-webui
+      port: 8080
+  tls:
+    secretName: open-webui-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: open-webui-tls
+spec:
+  secretName: open-webui-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "open-webui.prd.durp.info"
+  dnsNames:
+  - "open-webui.prd.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: open-webui-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: open-webui.prd.durp.info
+spec:
+  type: ExternalName
+  externalName: prd.durp.info

open-webui/templates/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: open-webui-pvc
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi