update

Mr prd

See merge request developerdurp/homelab!2

.gitignore

@@ -0,0 +1 @@
+.idea

argocd/templates/argocd.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: argocd
   destination:
     namespace: argocd

argocd/templates/authentik.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: authentik
   destination:
     namespace: authentik

argocd/templates/bitwarden.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: bitwarden
     directory:
       recurse: true

argocd/templates/cert-manager.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: cert-manager
   destination:
     namespace: cert-manager

argocd/templates/crossplane.yml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: crossplane
   destination:
     namespace: crossplane

argocd/templates/durpapi.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: durpapi
   destination:
     namespace: durpapi

argocd/templates/durpot.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: durpot
   destination:
     namespace: durpot

argocd/templates/external-dns.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: external-dns
   destination:
     namespace: external-dns

argocd/templates/external-secrets.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: external-secrets
   destination:
     namespace: external-secrets

argocd/templates/gatekeeper.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: gatekeeper
   destination:
     namespace: gatekeeper

argocd/templates/gitlab-runner.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: gitlab-runner
   destination:
     namespace: gitlab-runner

argocd/templates/heimdall.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: heimdall
   destination:
     namespace: heimdall

argocd/templates/ingress.yaml

@@ -8,9 +8,9 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`argocd.internal.durp.info`)
+  - match: Host(`argocd.internal.prd.durp.info`)
     middlewares:
-    - name: whitelist
+    - name: internal-only
       namespace: traefik  
     kind: Rule
     services:
@@ -22,16 +22,6 @@ spec:
 
 ---
 
-kind: Service
-apiVersion: v1
-metadata:
-  name: argocd-server
-spec:
-  type: ExternalName
-  externalName: argocd-server.argocd.svc.cluster.local  
-
----
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -41,6 +31,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "argocd.internal.durp.info"
+  commonName: "argocd.internal.prd.durp.info"
   dnsNames:
-  - "argocd.internal.durp.info"  
+  - "argocd.internal.prd.durp.info"  

argocd/templates/krakend.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: krakend
   destination:
     namespace: krakend

argocd/templates/kube-prometheus-stack.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: kube-prometheus-stack
   destination:
     namespace: kube-prometheus-stack

argocd/templates/kubeclarity.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: kubeclarity
   destination:
     namespace: kubeclarity

argocd/templates/littlelink.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: littlelink
     directory:
       recurse: true

argocd/templates/longhorn.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: longhorn
   destination:
     namespace: longhorn-system

argocd/templates/metallb-system.yaml

@@ -1,23 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: internalproxy
+  name: metallb-system
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: internalproxy
-    directory:
-      recurse: true
+    targetRevision: prd
+    path: metallb-system
   destination:
-    server: https://kubernetes.default.svc
-    namespace: internalproxy
+    namespace: metallb-system
+    name: in-cluster
   syncPolicy:
     automated:
       prune: true
       selfHeal: true  
     syncOptions:
-      - CreateNamespace=true   
+      - CreateNamespace=true 
 

argocd/templates/nfs-client.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: nfs-client
     directory:
       recurse: true

argocd/templates/open-webui.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: open-webui
   destination:
     namespace: open-webui

argocd/templates/traefik.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: traefik
   destination:
     namespace: traefik

argocd/templates/uptimekuma.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: uptimekuma
     directory:
       recurse: true

argocd/templates/vault.yaml

@@ -7,7 +7,7 @@ spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+    targetRevision: prd
     path: vault
   destination:
     namespace: vault

argocd/values.yaml

@@ -33,13 +33,13 @@ argo-cd:
     cm:
       create: true
       annotations: {}
-      url: https://argocd.internal.durp.info
+      url: https://argocd.internal.prd.durp.info
       oidc.tls.insecure.skip.verify: "true"
       dex.config: |
         connectors:
           - config:
-              issuer: https://authentik.durp.info/application/o/argocd/
-              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+              issuer: https://authentik.prd.durp.info/application/o/argocd/
+              clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
               clientSecret: $client-secret:clientSecret
               insecureEnableGroups: true
               scopes:

authentik/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+  - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
     - name: authentik-server
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "authentik.durp.info"
+  commonName: "authentik.prd.durp.info"
   dnsNames:
-  - "authentik.durp.info" 
+  - "authentik.prd.durp.info" 
 
 ---
 
@@ -36,7 +36,7 @@ apiVersion: v1
 metadata:
   name: authentik-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+    external-dns.alpha.kubernetes.io/hostname: authentik.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info

authentik/values.yaml

@@ -1,6 +1,8 @@
 authentik:
   global:
     env: 
+      - name: AUTHENTIK_REDIS__DB
+        value: "1"
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
         valueFrom:
           secretKeyRef:
@@ -32,9 +34,16 @@ authentik:
       registry: registry.internal.durp.info
       repository: bitnami/postgresql
       pullPolicy: Always
-    postgresqlUsername: "authentik"
-    postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
+    auth:
+      username: "authentik"
+      existingSecret: db-pass
+      secretKeys:
+        adminPasswordKey: dbpass 
+        userPasswordKey: dbpass
+        
+          #postgresqlUsername: "authentik"
+          #postgresqlDatabase: "authentik"
+          #existingSecret: db-pass 
     persistence:
       enabled: true
       storageClass: longhorn

bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: bitwarden
-        image: registry.internal.durp.info/vaultwarden/server:1.30.3
+        image: registry.internal.durp.info/vaultwarden/server:1.30.5
         imagePullPolicy: Always
         volumeMounts:
         - name: bitwarden-pvc
@@ -28,7 +28,7 @@ spec:
           containerPort: 80
         env:
           - name: SIGNUPS_ALLOWED
-            value: "FALSE"
+            value: "TRUE"
           - name: INVITATIONS_ALLOWED
             value: "FALSE"                      
           - name: WEBSOCKET_ENABLED
@@ -39,7 +39,7 @@ spec:
             value: "80"            
           - name: ROCKET_WORKERS
             value: "10"
-          - name: SECRET_USERNAME
+          - name: ADMIN_TOKEN
             valueFrom:
               secretKeyRef:
                 name: bitwarden-secret

bitwarden/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`)
+  - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/`)
     kind: Rule
     services:
     - name: bitwarden
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "bitwarden.durp.info"
+  commonName: "bitwarden.prd.durp.info"
   dnsNames:
-  - "bitwarden.durp.info"  
+  - "bitwarden.prd.durp.info"  
 
 ---
 
@@ -36,7 +36,28 @@ apiVersion: v1
 metadata:
   name: bitwarden-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info
+    external-dns.alpha.kubernetes.io/hostname: bitwarden.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-admin-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/admin`)
+    kind: Rule
+    middlewares:
+    - name: whitelist
+      namespace: traefik  
+    services:
+    - name: bitwarden
+      port: 80
+  tls:
+    secretName: bitwarden-tls

cert-manager/templates/self-signed.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
+  selfSigned: {}

crossplane/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: crossplane
   repository: https://charts.crossplane.io/stable
-  version: 1.12.0
+  version: 1.16.0

crossplane/templates/gitlab.yml

@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-gitlab
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
 ---
 
 apiVersion: external-secrets.io/v1beta1

crossplane/values.yaml

@@ -0,0 +1,186 @@
+# helm-docs renders these comments into markdown. Use markdown formatting where
+# appropiate.
+#
+# -- The number of Crossplane pod `replicas` to deploy.
+replicas: 1
+
+# -- The deployment strategy for the Crossplane and RBAC Manager pods.
+deploymentStrategy: RollingUpdate
+
+image:
+  # -- Repository for the Crossplane pod image.
+  repository: xpkg.upbound.io/crossplane/crossplane
+  # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
+  tag: ""
+  # -- The image pull policy used for Crossplane and RBAC Manager pods.
+  pullPolicy: IfNotPresent
+
+# -- Add `nodeSelectors` to the Crossplane pod deployment.
+nodeSelector: {}
+# -- Add `tolerations` to the Crossplane pod deployment.
+tolerations: []
+# -- Add `affinities` to the Crossplane pod deployment.
+affinity: {}
+
+# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
+hostNetwork: false
+
+# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
+dnsPolicy: ""
+
+# -- Add custom `labels` to the Crossplane pod deployment.
+customLabels: {}
+
+# -- Add custom `annotations` to the Crossplane pod deployment.
+customAnnotations: {}
+
+serviceAccount:
+  # -- Add custom `annotations` to the Crossplane ServiceAccount.
+  customAnnotations: {}
+
+# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
+leaderElection: true
+# -- Add custom arguments to the Crossplane pod.
+args: []
+
+provider:
+  # -- A list of Provider packages to install.
+  packages: []
+
+configuration:
+  # -- A list of Configuration packages to install.
+  packages: []
+
+function:
+  # -- A list of Function packages to install
+  packages: []
+
+# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
+imagePullSecrets: []
+
+registryCaBundleConfig:
+  # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  name: ""
+  # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  key: ""
+
+service:
+  # -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
+  customAnnotations: {}
+
+webhooks:
+  # -- Enable webhooks for Crossplane and installed Provider packages.
+  enabled: true
+
+rbacManager:
+  # -- Deploy the RBAC Manager pod and its required roles.
+  deploy: true
+  # -- Don't install aggregated Crossplane ClusterRoles.
+  skipAggregatedClusterRoles: false
+  # -- The number of RBAC Manager pod `replicas` to deploy.
+  replicas: 1
+  # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
+  leaderElection: true
+  # -- Add custom arguments to the RBAC Manager pod.
+  args: []
+  # -- Add `nodeSelectors` to the RBAC Manager pod deployment.
+  nodeSelector: {}
+  # -- Add `tolerations` to the RBAC Manager pod deployment.
+  tolerations: []
+  # -- Add `affinities` to the RBAC Manager pod deployment.
+  affinity: {}
+
+# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
+priorityClassName: ""
+
+resourcesCrossplane:
+  limits:
+    # -- CPU resource limits for the Crossplane pod.
+    cpu: 500m
+    # -- Memory resource limits for the Crossplane pod.
+    memory: 1024Mi
+  requests:
+    # -- CPU resource requests for the Crossplane pod.
+    cpu: 100m
+    # -- Memory resource requests for the Crossplane pod.
+    memory: 256Mi
+
+securityContextCrossplane:
+  # -- The user ID used by the Crossplane pod.
+  runAsUser: 65532
+  # -- The group ID used by the Crossplane pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
+  allowPrivilegeEscalation: false
+  # -- Set the Crossplane pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+packageCache:
+  # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
+  medium: ""
+  # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
+  sizeLimit: 20Mi
+  # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  pvc: ""
+  # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  configMap: ""
+
+resourcesRBACManager:
+  limits:
+    # -- CPU resource limits for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource limits for the RBAC Manager pod.
+    memory: 512Mi
+  requests:
+    # -- CPU resource requests for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource requests for the RBAC Manager pod.
+    memory: 256Mi
+
+securityContextRBACManager:
+  # -- The user ID used by the RBAC Manager pod.
+  runAsUser: 65532
+  # -- The group ID used by the RBAC Manager pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
+  allowPrivilegeEscalation: false
+  # -- Set the RBAC Manager pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+metrics:
+  # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
+  enabled: false
+
+# -- Add custom environmental variables to the Crossplane pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsCrossplane: {}
+
+# -- Add custom environmental variables to the RBAC Manager pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsRBACManager: {}
+
+# -- Add a custom `securityContext` to the Crossplane pod.
+podSecurityContextCrossplane: {}
+
+# -- Add a custom `securityContext` to the RBAC Manager pod.
+podSecurityContextRBACManager: {}
+
+# -- Add custom `volumes` to the Crossplane pod.
+extraVolumesCrossplane: {}
+
+# -- Add custom `volumeMounts` to the Crossplane pod.
+extraVolumeMountsCrossplane: {}
+
+# -- To add arbitrary Kubernetes Objects during a Helm Install
+extraObjects: []
+  # - apiVersion: pkg.crossplane.io/v1alpha1
+  #   kind: ControllerConfig
+  #   metadata:
+  #     name: aws-config
+  #     annotations:
+  #       eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
+  #       helm.sh/hook: post-install
+  #   spec:
+  #     podSecurityContext:
+  #       fsGroup: 2000
+

durpapi/Chart.yaml

@@ -1,11 +1,11 @@
-version: 0.1.0-dev0144
-apiVersion: v2
-name: durpapi
-dependencies:
-- version: 12.5.*
-  condition: postgresql.enabled
-  name: postgresql
-  repository: https://charts.bitnami.com/bitnami
 description: A Helm chart for Kubernetes
-type: application
+name: durpapi
 appVersion: 0.1.0
+dependencies:
+- condition: postgresql.enabled
+  name: postgresql
+  version: 12.5.*
+  repository: https://charts.bitnami.com/bitnami
+version: 0.1.0-dev0184
+apiVersion: v2
+type: application

durpapi/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host("api.durp.info") && PathPrefix(`/api`)
+  - match: Host("api.prd.durp.info") && PathPrefix(`/api`)
     kind: Rule
     middlewares:
       - name: jwt
@@ -24,7 +24,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host("api.durp.info") && PathPrefix(`/swagger`)
+  - match: Host("api.prd.durp.info") && PathPrefix(`/swagger`)
     kind: Rule
     services:
     - name: "durpapi-service"
@@ -41,4 +41,4 @@ spec:
     jwt:
       Required: true
       Keys:
-        - https://authentik.durp.info/application/o/api/jwks
+        - https://authentik.prd.durp.info/application/o/api/jwks/

external-dns/values.yaml

@@ -4,13 +4,13 @@ external-dns:
 
   image:
     pullPolicy: Always
-
+  txtPrefix: "prd-"
   sources:
     - service
-    
+
   provider: cloudflare
   cloudflare:
     secretName : "external-dns"
-    proxied: true
+    proxied: false
 
-  policy: sync
+  policy: sync

heimdall/templates/ingress.yaml

@@ -7,7 +7,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`heimdall.durp.info`) && PathPrefix(`/`)
+  - match: Host(`heimdall.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: authentik-proxy-provider
       namespace: traefik  
@@ -15,7 +15,7 @@ spec:
     services:
     - name: heimdall
       port: 80
-  - match: Host(`heimdall.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+  - match: Host(`heimdall.prd.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
     kind: Rule
     services:
     - name: ak-outpost-authentik-embedded-outpost
@@ -35,9 +35,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "heimdall.durp.info"
+  commonName: "heimdall.prd.durp.info"
   dnsNames:
-  - "heimdall.durp.info"  
+  - "heimdall.prd.durp.info"  
 
 ---
 
@@ -46,7 +46,7 @@ apiVersion: v1
 metadata:
   name: heimdall-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info
+    external-dns.alpha.kubernetes.io/hostname: heimdall.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info

internalproxy/Chart.yaml

@@ -1,7 +0,0 @@
-apiVersion: v2
-name: internalproxy
-description: A Helm chart for Kubernetes
-type: application
-
-version: 0.1.0
-appVersion: "0.1.0"

internalproxy/templates/duplicati-ingress.yaml

@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: duplicati
-spec:
-  ports:
-  - name: app
-    port: 8200
-    protocol: TCP
-    targetPort: 8200
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: duplicati
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8200
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: duplicati-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: duplicati
-      port: 8200
-  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
-    kind: Rule
-    services:
-    - name: ak-outpost-authentik-embedded-outpost
-      namespace: authentik
-      port: 9000
-  tls:
-    secretName: duplicati-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: duplicati-tls
-spec:
-  secretName: duplicati-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "duplicati.internal.durp.info"
-  dnsNames:
-  - "duplicati.internal.durp.info"  

internalproxy/templates/gitea.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: gitea-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/guac.yaml

@@ -1,71 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: guac-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: guac
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: guac
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: guac-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: guac
-      port: 8082
-  tls:
-    secretName: guac-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: guac-tls
-spec:
-  secretName: guac-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "guac.durp.info"
-  dnsNames:
-  - "guac.durp.info"  

internalproxy/templates/jellyfin.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: jellyfin-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/kasm.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: kasm-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/nexus.yaml

@@ -1,71 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nexus
-spec:
-  ports:
-  - name: app
-    port: 8081
-    protocol: TCP
-    targetPort: 8081
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: nexus
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8081
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: nexus-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`nexus.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: nexus
-      port: 8081
-  tls:
-    secretName: nexus-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: nexus-tls
-spec:
-  secretName: nexus-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "nexus.durp.info"
-  dnsNames:
-  - "nexus.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: nexus-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: nexus.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/plex.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: plex-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/registry-internal.yaml

@@ -1,59 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry-internal
-spec:
-  ports:
-  - name: app
-    port: 5001
-    protocol: TCP
-    targetPort: 5001
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: registry-internal
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 5001
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-internal-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry-internal
-      port: 5001
-  tls:
-    secretName: registry-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: registry-internal-tls
-spec:
-  secretName: registry-internal-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "registry.durp.info"
-  dnsNames:
-  - "registry.durp.info"  

internalproxy/templates/registry.yaml

@@ -1,71 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry
-spec:
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-    targetPort: 5000
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: registry
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry
-      port: 5000
-  tls:
-    secretName: registry-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: registry-tls
-spec:
-  secretName: registry-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "registry.durp.info"
-  dnsNames:
-  - "registry.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/smokeping.yaml

@@ -1,82 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: smokeping
-spec:
-  ports:
-  - name: app
-    port: 81
-    protocol: TCP
-    targetPort: 81
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: smokeping
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 81
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: smokeping-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`smokeping.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: smokeping
-      port: 81
-  - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
-    kind: Rule
-    services:
-    - name: ak-outpost-authentik-embedded-outpost
-      namespace: authentik
-      port: 9000
-  tls:
-    secretName: smokeping-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: smokeping-tls
-spec:
-  secretName: smokeping-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "smokeping.durp.info"
-  dnsNames:
-  - "smokeping.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: smokeping-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/speedtest.yaml

@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/tdarr.yaml

@@ -1,67 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: tdarr
-spec:
-  ports:
-  - name: app
-    port: 8267
-    protocol: TCP
-    targetPort: 8267
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: tdarr
-subsets:
-- addresses:
-  - ip: 192.168.20.253
-  ports:
-  - name: app
-    port: 8267
-    protocol: TCP
-
----
-
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: tdarr-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`tdarr.internal.durp.info`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik  
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: tdarr
-      port: 8267
-      scheme: http
-  tls:
-    secretName: tdarr-tls  
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: tdarr-tls
-spec:
-  secretName: tdarr-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "tdarr.internal.durp.info"
-  dnsNames:
-  - "tdarr.internal.durp.info"  

krakend/templates/ingress.yaml

@@ -7,9 +7,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "api.durp.info"
+  commonName: "api.prd.durp.info"
   dnsNames:
-  - "api.durp.info"        
+  - "api.prd.durp.info"        
 
 ---
 
@@ -21,7 +21,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`api.durp.info`) && PathPrefix(`/`)
+    - match: Host(`api.prd.durp.info`) && PathPrefix(`/`)
       kind: Rule
       services:
         - name: krakend-service
@@ -37,10 +37,10 @@ apiVersion: v1
 metadata:
   name: api-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: api.durp.info
+    external-dns.alpha.kubernetes.io/hostname: api.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info
 
 ---
 
@@ -49,7 +49,7 @@ apiVersion: v1
 metadata:
   name: api-developer-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: developer.durp.info
+    external-dns.alpha.kubernetes.io/hostname: developer.prd.durp.info
     external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 spec:
   type: ExternalName

kube-prometheus-stack/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`grafana.durp.info`) && PathPrefix(`/`) 
+  - match: Host(`grafana.prd.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
     - name: grafana
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "grafana.durp.info"
+  commonName: "grafana.prd.durp.info"
   dnsNames:
-  - "grafana.durp.info"  
+  - "grafana.prd.durp.info"  
 
 ---
 
@@ -39,7 +39,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) 
+  - match: Host(`alertmanager.prd.durp.info`) && PathPrefix(`/`) 
     middlewares:
     - name: whitelist
       namespace: traefik
@@ -63,9 +63,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "alertmanager.durp.info"
+  commonName: "alertmanager.prd.durp.info"
   dnsNames:
-  - "alertmanager.durp.info"  
+  - "alertmanager.prd.durp.info"  
 
 ---
 
@@ -74,7 +74,7 @@ apiVersion: v1
 metadata:
   name: grafana-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+    external-dns.alpha.kubernetes.io/hostname: grafana.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info  
+  externalName:.prd.durp.info  

kubeclarity/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`)
+  - match: Host(`kubeclarity.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: whitelist
       namespace: traefik
@@ -30,9 +30,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "kubeclarity.durp.info"
+  commonName: "kubeclarity.prd.durp.info"
   dnsNames:
-  - "kubeclarity.durp.info"  
+  - "kubeclarity.prd.durp.info"  
 
 ---
 
@@ -41,7 +41,7 @@ apiVersion: v1
 metadata:
   name: kubeclarity-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info
+    external-dns.alpha.kubernetes.io/hostname: kubeclarity.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info

littlelink/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`links.durp.info`) && PathPrefix(`/`)
+  - match: Host(`links.prd.durp.info`) && PathPrefix(`/`)
     kind: Rule
     services:
     - name: littlelink
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "links.durp.info"
+  commonName: "links.prd.durp.info"
   dnsNames:
-  - "links.durp.info"  
+  - "links.prd.durp.info"  
 
 ---
 
@@ -36,7 +36,7 @@ apiVersion: v1
 metadata:
   name: links-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: links.durp.info
+    external-dns.alpha.kubernetes.io/hostname: links.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName:.prd.durp.info

longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.3.2
+  version: 1.6.1

longhorn/templates/ingress.yaml

@@ -6,17 +6,17 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`)
+  - match: Host(`longhorn.internal.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: whitelist
       namespace: traefik
-    - name: authentik-proxy-provider
-      namespace: traefik  
+        #- name: authentik-proxy-provider
+        #  namespace: traefik  
     kind: Rule
     services:
     - name: longhorn-frontend
       port: 80
-  - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+  - match: Host(`longhorn.internal.prd.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
     kind: Rule
     services:
     - name: ak-outpost-authentik-embedded-outpost
@@ -36,6 +36,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "longhorn.internal.durp.info"
+  commonName: "longhorn.internal.prd.durp.info"
   dnsNames:
-  - "longhorn.internal.durp.info"  
+  - "longhorn.internal.prd.durp.info"  

longhorn/values.yaml

@@ -47,7 +47,7 @@ longhorn:
   persistence:
     defaultClass: true
     defaultFsType: ext4
-    defaultClassReplicaCount: 3
+    defaultClassReplicaCount: 1
     defaultDataLocality: disabled # best-effort otherwise
     reclaimPolicy: Retain
     migratable: false
@@ -76,7 +76,7 @@ longhorn:
     snapshotterReplicaCount: ~
   
   defaultSettings:
-    backupTarget: S3://longhorn@us-east-1/
+    backupTarget: S3://longhorn-prd@us-east-1/
     backupTargetCredentialSecret: longhorn-backup-token-secret
     allowRecurringJobWhileVolumeDetached: ~
     createDefaultDiskLabeledNodes: ~
@@ -238,7 +238,7 @@ longhorn:
     #   certificate:
   
   # Configure a pod security policy in the Longhorn namespace to allow privileged pods
-  enablePSP: true
+  enablePSP: false
   
   ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
   ## and its release namespace is not the `longhorn-system`

metallb-system/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.14.5

metallb-system/templates/config.yaml

@@ -0,0 +1,16 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.11.130-192.168.11.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: poop
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap

metallb-system/values.yaml

@@ -0,0 +1,196 @@
+metallb:
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  loadBalancerClass: ""
+
+  rbac:
+    create: true
+
+  prometheus:
+    scrapeAnnotations: false
+    metricsPort: 7472
+    speakerMetricsTLSSecret: ""
+    controllerMetricsTLSSecret: ""
+    rbacPrometheus: true
+    serviceAccount: ""
+    namespace: ""
+    rbacProxy:
+      repository: gcr.io/kubebuilder/kube-rbac-proxy
+      tag: v0.12.0
+      pullPolicy:
+    podMonitor:
+      enabled: false
+      additionalLabels: {}
+      annotations: {}
+      jobLabel: "app.kubernetes.io/name"
+      interval:
+      metricRelabelings: []
+      relabelings: []
+    serviceMonitor:
+      enabled: false
+      speaker:
+        additionalLabels: {}
+        annotations: {}
+        tlsConfig:
+          insecureSkipVerify: true
+      controller:
+        additionalLabels: {}
+        annotations: {}
+        tlsConfig:
+          insecureSkipVerify: true
+      jobLabel: "app.kubernetes.io/name"
+      interval:
+      metricRelabelings: []
+      relabelings: []
+    prometheusRule:
+      enabled: false
+      additionalLabels: {}
+      annotations: {}
+      staleConfig:
+        enabled: true
+        labels:
+          severity: warning
+      configNotLoaded:
+        enabled: true
+        labels:
+          severity: warning
+      addressPoolExhausted:
+        enabled: true
+        labels:
+          severity: alert
+      addressPoolUsage:
+        enabled: true
+        thresholds:
+          - percent: 75
+            labels:
+              severity: warning
+          - percent: 85
+            labels:
+              severity: warning
+          - percent: 95
+            labels:
+              severity: alert
+      bgpSessionDown:
+        enabled: true
+        labels:
+          severity: alert
+
+      extraAlerts: []
+
+  controller:
+    enabled: true
+    # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
+    logLevel: info
+    image:
+      repository: quay.io/metallb/controller
+      tag:
+      pullPolicy:
+    strategy:
+      type: RollingUpdate
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65534
+      fsGroup: 65534
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    priorityClassName: ""
+    runtimeClassName: ""
+    affinity: {}
+    podAnnotations: {}
+    labels: {}
+    livenessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    tlsMinVersion: "VersionTLS12"
+    tlsCipherSuites: ""
+
+    extraContainers: []
+
+  speaker:
+    enabled: true
+    logLevel: debug
+    tolerateMaster: true
+    memberlist:
+      enabled: true
+      mlBindPort: 7946
+      mlBindAddrOverride: ""
+      mlSecretKeyPath: "/etc/ml_secret_key"
+    excludeInterfaces:
+      enabled: true
+    ignoreExcludeLB: false
+
+    image:
+      repository: quay.io/metallb/speaker
+      tag:
+      pullPolicy:
+    updateStrategy:
+      type: RollingUpdate
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+    securityContext: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    priorityClassName: ""
+    affinity: {}
+    runtimeClassName: ""
+    podAnnotations: {}
+    labels:
+      pod-security.kubernetes.io/enforce: privileged
+      pod-security.kubernetes.io/audit: privileged
+      pod-security.kubernetes.io/warn: privileged
+    livenessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      enabled: true
+      failureThreshold: 3
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 1
+    startupProbe:
+      enabled: true
+      failureThreshold: 30
+      periodSeconds: 5
+    frr:
+      enabled: true
+      image:
+        repository: quay.io/frrouting/frr
+        tag: 9.0.2
+        pullPolicy:
+      metricsPort: 7473
+      resources: {}
+    reloader:
+      resources: {}
+    frrMetrics:
+      resources: {}
+    extraContainers: []
+  crds:
+    enabled: true
+    validationFailurePolicy: Fail
+  frrk8s:
+    enabled: false

nfs-client/templates/provisioner.yml

@@ -34,9 +34,9 @@ spec:
             - name: NFS_SERVER
               value: 192.168.20.253
             - name: NFS_PATH
-              value: /mnt/user/k3s 
+              value: /mnt/user/k3s-dev 
       volumes:
         - name: nfs-client-ssd
           nfs:
             server: 192.168.20.253
-            path: /mnt/user/k3s
+            path: /mnt/user/k3s-dev

open-webui/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`open-webui.durp.info`) && PathPrefix(`/`)
+  - match: Host(`open-webui.prd.durp.info`) && PathPrefix(`/`)
     kind: Rule
     services:
     - name: open-webui
@@ -25,9 +25,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "open-webui.durp.info"
+  commonName: "open-webui.prd.durp.info"
   dnsNames:
-  - "open-webui.durp.info"  
+  - "open-webui.prd.durp.info"  
 
 ---
 
@@ -36,7 +36,7 @@ apiVersion: v1
 metadata:
   name: open-webui-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info
+    external-dns.alpha.kubernetes.io/hostname: open-webui.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName: prd.durp.info

traefik/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`traefik.internal.durp.info`)
+  - match: Host(`traefik.internal.prd.durp.info`)
     middlewares:
     - name: authentik-proxy-provider
       namespace: traefik    
@@ -14,7 +14,7 @@ spec:
     services:
     - name: api@internal
       kind: TraefikService
-  - match: Host(`traefik.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+  - match: Host(`traefik.internal.prd.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
     kind: Rule
     services:
     - name: ak-outpost-authentik-embedded-outpost
@@ -34,6 +34,6 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "traefik.internal.durp.info"
+  commonName: "traefik.internal.prd.durp.info"
   dnsNames:
-  - "traefik.internal.durp.info"
+  - "traefik.internal.prd.durp.info"

traefik/templates/middleware-chain.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: internal-only
+spec:
+  chain:
+    middlewares:
+    - name: traefik-real-ip
+    - name: whitelist

traefik/templates/middlewares.yaml

@@ -20,15 +20,30 @@ spec:
       - X-authentik-meta-app
       - X-authentik-meta-version
 
+
 ---
 
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: whitelist
-  namespace: traefik
 spec:
   ipWhiteList:
     sourceRange:
-      - 192.168.20.1/32      
+      - 192.168.10.1/32
+      - 192.168.30.1/24
       - 10.0.0.0/8
+    ipStrategy:
+      depth: 1
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-real-ip
+spec:
+  plugin:
+    traefik-real-ip:
+      excludednets:
+        - "1.1.1.1/24"

traefik/values.yaml

@@ -502,6 +502,8 @@ traefik:
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
+    - --experimental.plugins.traefik-real-ip.moduleName=github.com/soulbalz/traefik-real-ip
+    - --experimental.plugins.traefik-real-ip.version=v1.0.3
 
 
   # Environment variables to be passed to Traefik's binary
@@ -578,9 +580,10 @@ traefik:
       redirectTo: websecure
       #
       # Trust forwarded  headers information (X-Forwarded-*).
-      # forwardedHeaders:
-      #   trustedIPs: []
-      #   insecure: false
+      forwardedHeaders:
+        trustedIPs: 
+          - "192.168.11.1"
+        insecure: false
       #
       # Enable the Proxy Protocol header parsing for the entry point
       # proxyProtocol:
@@ -608,9 +611,10 @@ traefik:
       # advertisedPort: 4443
       #
       ## Trust forwarded  headers information (X-Forwarded-*).
-      #forwardedHeaders:
-      #  trustedIPs: []
-      #  insecure: false
+      forwardedHeaders:
+        trustedIPs: 
+          - "192.168.11.1"
+        insecure: false
       #
       ## Enable the Proxy Protocol header parsing for the entry point
       #proxyProtocol:

uptimekuma/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`kuma.durp.info`) && PathPrefix(`/`)
+  - match: Host(`kuma.prd.durp.info`) && PathPrefix(`/`)
     middlewares:
     - name: authentik-proxy-provider
       namespace: traefik    
@@ -28,9 +28,9 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "kuma.durp.info"
+  commonName: "kuma.prd.durp.info"
   dnsNames:
-  - "kuma.durp.info"  
+  - "kuma.prd.durp.info"  
 
 ---
 
@@ -39,7 +39,7 @@ apiVersion: v1
 metadata:
   name: heimdall-external-dns
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: kuma.durp.info
+    external-dns.alpha.kubernetes.io/hostname: kuma.prd.durp.info
 spec:
   type: ExternalName
-  externalName: durp.info
+  externalName: prd.durp.info

vault/templates/ingress.yaml

@@ -8,9 +8,9 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`vault.internal.durp.info`)
+  - match: Host(`vault.internal.prd.durp.info`)
     middlewares:
-    - name: whitelist
+    - name: internal-only
       namespace: traefik  
     kind: Rule
     services:
@@ -31,7 +31,7 @@ spec:
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "vault.internal.durp.info"
+  commonName: "vault.internal.prd.durp.info"
   dnsNames:
-  - "vault.internal.durp.info"  
+  - "vault.internal.prd.durp.info"  
 

vault/values.yaml

@@ -14,7 +14,7 @@ vault:
   injector:
     enabled: "-"
 
-    replicas: 3
+    replicas: 2
     leaderElector:
       enabled: true