chore: cleanup

This commit is contained in:
JJGadgets
2024-09-30 14:57:15 +08:00
parent 4672d8a54f
commit 3bafc97cf5
30 changed files with 83 additions and 68 deletions


@@ -40,13 +40,13 @@ spec:
primary: true
ingressClassName: "nginx-internal"
hosts:
- host: &host "${APP_DNS_ATUIN}"
- host: &host "${APP_DNS_ATUIN:=atuin}"
paths:
- path: /
pathType: Prefix
tls: [hosts: [*host]]
podSecurityContext:
runAsUser: &uid ${APP_UID_ATUIN}
runAsUser: &uid ${APP_UID_ATUIN:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
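Review bot: The `:=1000` fallback on `runAsUser: &uid ${APP_UID_ATUIN:=1000}` means a missing `APP_UID_ATUIN` no longer surfaces as a substitution problem but as a pod quietly running as UID/GID 1000, and because `runAsGroup` and `fsGroup` alias the same `&uid` anchor the fallback also decides ownership of every file the pod writes. That is acceptable as an escape hatch, but the intent is not visible from the line; a comment such as `runAsUser: &uid ${APP_UID_ATUIN:=1000} # fallback only; the real UID is expected from the cluster variables` would stop a later cleanup from treating 1000 as the configured value. The same pattern appears in the audiobookshelf, cyberchef, home-assistant, joplin, miniflux, navidrome, ocis, thelounge, vikunja, zipline and karma sections; one note covers all of them. Whether an unset variable failed the reconcile before this change depends on how the substitution tool treats undefined variables, which this page does not show.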


@@ -49,7 +49,7 @@ spec:
primary: true
className: "nginx-internal"
hosts:
- host: &host "${APP_DNS_AUDIOBOOKSHELF}"
- host: &host "${APP_DNS_AUDIOBOOKSHELF:=audiobookshelf}"
paths:
- path: /
pathType: Prefix
@@ -84,7 +84,7 @@ spec:
defaultPodOptions:
automountServiceAccountToken: false
securityContext:
runAsUser: &uid ${APP_UID_AUDIOBOOKSHELF}
runAsUser: &uid ${APP_UID_AUDIOBOOKSHELF:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
fsGroupChangePolicy: Always


@@ -72,8 +72,8 @@ spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
annotations:
coredns.io/hostname: "vs-ssh.${DNS_SHORT}"
io.cilium/lb-ipam-ips: "${APP_IP_CODE_SERVER_SSH}"
coredns.io/hostname: "vs-ssh.${DNS_SHORT:=internal}"
io.cilium/lb-ipam-ips: "${APP_IP_CODE_SERVER_SSH:=127.0.0.1}"
tailscale.com/expose: "true"
tailscale.com/hostname: "vs-ssh"
labels:
@@ -95,7 +95,7 @@ spec:
nginx.ingress.kubernetes.io/whitelist-source-range: |
${IP_JJ_V4}
hosts:
- host: &host "vs.${DNS_SHORT}"
- host: &host "vs.${DNS_SHORT:=internal}"
paths:
- &path
path: /
@@ -103,13 +103,13 @@ spec:
service: &http
name: main
port: http
- host: &host "hugo.${DNS_SHORT}"
- host: &host "hugo.${DNS_SHORT:=internal}"
paths:
- <<: *path
service: &hugo
name: main
port: hugo
- host: &host "vs-test.${DNS_SHORT}"
- host: &host "vs-test.${DNS_SHORT:=internal}"
paths:
- <<: *path
service: &test
@@ -124,7 +124,7 @@ spec:
annotations:
tailscale.com/tags: "tag:jjgadgets-apps"
hosts:
- host: &host "vs.${DNS_TS}"
- host: &host "vs.${DNS_TS:=ts.net}"
paths:
- <<: *path
service: *http
@@ -203,7 +203,7 @@ spec:
defaultPodOptions:
automountServiceAccountToken: true
enableServiceLinks: true
hostname: "${CLUSTER_NAME}-code-server"
hostname: "${CLUSTER_NAME:=biohazard}-code-server"
securityContext:
runAsNonRoot: true
runAsUser: &uid 1000 # `coder` user
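Review bot: The fallback on `io.cilium/lb-ipam-ips: "${APP_IP_CODE_SERVER_SSH:=127.0.0.1}"` (hunk at @@ -72) turns a missing variable into a request for a loopback address from LB-IPAM, so any failure shows up as an IPAM or Service problem rather than as a configuration error where it originates. If 127.0.0.1 is meant as a deliberately unusable sentinel, say so inline, e.g. `# sentinel: never a real LB IP, forces a visible allocation failure if the variable is unset`, since nothing on the page distinguishes it from a real default. In the @@ -95 hunk the `whitelist-source-range` value `${IP_JJ_V4}` is left without a fallback; for an allowlist that is the safer choice, but a short comment stating that the omission is intentional would keep a later pass from adding a permissive default. The enclosing ingress definitions start and end outside the hunks shown.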


@@ -38,7 +38,7 @@ spec:
primary: true
ingressClassName: "nginx-internal"
hosts:
- host: &host "${APP_DNS_CYBERCHEF}"
- host: &host "${APP_DNS_CYBERCHEF:=cyberchef}"
paths:
- path: /
pathType: Prefix
@@ -46,7 +46,7 @@ spec:
- hosts:
- *host
podSecurityContext:
runAsUser: &uid ${APP_UID_CYBERCHEF}
runAsUser: &uid ${APP_UID_CYBERCHEF:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
@@ -55,4 +55,4 @@ spec:
cpu: 10m
memory: 128Mi
limits:
memory: 256Mi
memory: 256Mi


@@ -32,13 +32,12 @@ spec:
enabled: true
ingressClassName: "nginx-external"
hosts:
- host: "${APP_DNS_GOKAPI}"
- host: &host "${APP_DNS_GOKAPI:=gokapi}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "${APP_DNS_GOKAPI}"
- hosts: [*host]
secretName: long-domain-tls
persistence:
config:


@@ -107,7 +107,7 @@ spec:
primary: true
className: "nginx-internal"
hosts:
- host: &host "${APP_DNS_HOME_ASSISTANT}"
- host: &host "${APP_DNS_HOME_ASSISTANT:=home-assistant}"
paths: &paths
- path: /
pathType: Prefix
@@ -121,7 +121,7 @@ spec:
primary: false
className: "tailscale"
hosts:
- host: &host "hass-edit.${DNS_TS}"
- host: &host "hass-edit.${DNS_TS:=ts.net}"
paths: &paths
- path: /
pathType: Prefix
@@ -157,7 +157,7 @@ spec:
enableServiceLinks: false
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_HOME_ASSISTANT}
runAsUser: &uid ${APP_UID_HOME_ASSISTANT:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"


@@ -83,7 +83,7 @@ spec:
# external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}"
# external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &host "${APP_DNS_JOPLIN}"
- host: &host "${APP_DNS_JOPLIN:=joplin}"
paths:
- path: /
pathType: Prefix
@@ -91,7 +91,7 @@ spec:
- hosts:
- *host
podSecurityContext:
runAsUser: &uid ${APP_UID_JOPLIN}
runAsUser: &uid ${APP_UID_JOPLIN:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
@@ -112,4 +112,4 @@ spec:
cpu: 10m
memory: 128Mi
limits:
memory: 6000Mi
memory: 6000Mi


@@ -71,8 +71,8 @@ spec:
nas:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_MEDIA}"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_MEDIA:=/kavita}"
globalMounts:
- path: "/nas"
readOnly: true
@@ -91,8 +91,8 @@ spec:
backups:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_BACKUPS_K8S}"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_BACKUPS_K8S:=/backups}"
globalMounts:
- subPath: "kavita"
path: "/kavita/config/backups"
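Review bot: `PATH_NAS_MEDIA` is given the fallback `/kavita` here but `/media` in the komga and navidrome sections, and `PATH_NAS_PERSIST_K8S` gets `/data` in the paperless-ngx section versus `/restic` in the restic section, so the same cluster variable resolves to different NFS exports depending on which file happens to be missing it. Either align the fallback per variable or pick an obviously invalid sentinel, since a plausible-looking export path that is wrong is harder to notice than a mount failure; `path: "${PATH_NAS_MEDIA:=/media}"` would at least match the other files. The `IP_TRUENAS:=127.0.0.1` fallback on the `server:` lines presumably just makes the NFS mount fail, which is acceptable, but that intent is worth a comment at its first occurrence.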


@@ -91,8 +91,8 @@ spec:
path: /ceph
nfs:
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_MEDIA}"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_MEDIA:=/media}"
globalMounts:
- path: /nas
readOnly: true
@@ -110,8 +110,8 @@ spec:
automountServiceAccountToken: false
enableServiceLinks: false
hostAliases:
- ip: "${APP_IP_AUTHENTIK}"
hostnames: ["${APP_DNS_AUTHENTIK}"]
- ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_DNS_KOMGA:=1000}
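Review bot: `runAsUser: &uid ${APP_DNS_KOMGA:=1000}` on the last context line reads the DNS variable where every other file reads `APP_UID_<APP>`, which looks like a typo for `APP_UID_KOMGA`; if `APP_DNS_KOMGA` is set to a hostname the pod spec gets a non-integer UID and the release is rejected, and if it is unset the new-style `:=1000` fallback hides the typo entirely. Since the other files alias `runAsGroup` and `fsGroup` to the same `&uid` anchor, the fix is the single line `runAsUser: &uid ${APP_UID_KOMGA:=1000}`. The `hostAliases` fallback `ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"` in the same hunk pins the authentik hostname to the pod's own loopback when the variable is missing, which presumably makes auth calls fail rather than reach an unintended host, but it deserves a comment stating that intent; the paperless-ngx and vikunja sections carry the same fallback. The securityContext block continues past the end of the hunk.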


@@ -26,7 +26,7 @@ spec:
podLabels:
ingress.home.arpa/nginx-internal: "allow"
db.home.arpa/pg: "pg-default"
egress.home.arpa/world: "allow"
egress.home.arpa/internet: "allow"
egress.home.arpa/nginx-external: "allow" # authentik
env:
TZ: "${CONFIG_TZ}"
@@ -56,7 +56,7 @@ spec:
primary: true
ingressClassName: "nginx-internal"
hosts:
- host: &host "${APP_DNS_MINIFLUX}"
- host: &host "${APP_DNS_MINIFLUX:=miniflux}"
paths:
- path: /
pathType: Prefix
@@ -64,7 +64,7 @@ spec:
- hosts:
- *host
podSecurityContext:
runAsUser: &uid ${APP_UID_MINIFLUX}
runAsUser: &uid ${APP_UID_MINIFLUX:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
@@ -74,4 +74,4 @@ spec:
memory: 128Mi
limits:
cpu: 3000m
memory: 512Mi
memory: 512Mi
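Review bot: Renaming the pod label from `egress.home.arpa/world: "allow"` to `egress.home.arpa/internet: "allow"` (hunk at @@ -26) changes which egress NetworkPolicy selects this pod, and the policies themselves are not among the sections visible here, so it cannot be told from this page whether a policy keyed on the new label exists or whether the pod silently loses or gains internet egress. A comment naming the policy the label is meant to match, e.g. `egress.home.arpa/internet: "allow" # selected by the <egress-policy-name> NetworkPolicy`, would make the coupling visible, and any other files still using the old key should be checked in the same pass. `TZ: "${CONFIG_TZ}"` in the same hunk is left without a fallback while the rest of the file gains one, which may be deliberate but is worth stating.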


@@ -81,7 +81,7 @@ spec:
nginx.ingress.kubernetes.io/auth-signin: |-
https://${APP_DNS_NAVIDROME}/outpost.goauthentik.io/start?rd=$escaped_request_uri
hosts:
- host: &host "${APP_DNS_NAVIDROME}"
- host: &host "${APP_DNS_NAVIDROME:=navidrome}"
paths: &paths
- path: /
pathType: Prefix
@@ -90,6 +90,20 @@ spec:
port: http
tls:
- hosts: [*host]
subsonic: # bypass forward auth
enabled: true
primary: false
className: nginx-internal
hosts:
- host: &host "${APP_DNS_NAVIDROME:=navidrome}"
paths: &paths
- path: /rest
pathType: Prefix
service:
name: main
port: http
tls:
- hosts: [*host]
persistence:
config:
enabled: true
@@ -100,8 +114,8 @@ spec:
nfs:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_MEDIA}"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_MEDIA:=/media}"
globalMounts:
- subPath: Music
path: /media
@@ -118,7 +132,7 @@ spec:
enableServiceLinks: false
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_NAVIDROME}
runAsUser: &uid ${APP_UID_NAVIDROME:=1000}
runAsGroup: *uid
fsGroup: *uid
supplementalGroups: [6969] # NAS
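Review bot: The new `subsonic` ingress (hunk at @@ -90) publishes `/rest` on the same host as the main ingress but without the `auth-signin` forward-auth annotations, so that path is reachable with only whatever authentication Navidrome itself applies to the Subsonic API; the comment `# bypass forward auth` says what is skipped but not what protects the path instead, so spell it out, e.g. `subsonic: # /rest is the Subsonic API; forward auth is skipped because clients authenticate with Navidrome's own user credentials`. Also confirm how the controller treats `pathType: Prefix` for `/rest`, since some controllers match any path beginning with that string rather than the path element, and the unauthenticated location should not extend beyond the API. In the @@ -81 hunk the `auth-signin` annotation still interpolates `${APP_DNS_NAVIDROME}` without the `:=navidrome` fallback the host line now has, so the two would diverge if the variable were unset. The new ingress redefines the `&host` and `&paths` anchors, which is legal but means each `*host` resolves to the most recent definition.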


@@ -33,7 +33,7 @@ spec:
env:
TZ: "${CONFIG_TZ}"
OCIS_INSECURE: true
OCIS_URL: "https://${APP_DNS_OCIS}"
OCIS_URL: "https://${APP_DNS_OCIS:=ocis}"
PROXY_TLS: false
DEMO_USERS: false
PROXY_HTTP_ADDR: 0.0.0.0:9200
@@ -101,7 +101,7 @@ spec:
annotations:
nginx.ingress.kubernetes.io/custom-http-errors: "502"
hosts:
- host: &host "${APP_DNS_OCIS}"
- host: &host "${APP_DNS_OCIS:=ocis}"
paths: &paths
- path: /
pathType: Prefix
@@ -138,7 +138,7 @@ spec:
hostnames: ["${APP_DNS_AUTHENTIK}"]
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_OCIS}
runAsUser: &uid ${APP_UID_OCIS:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"
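Review bot: `hostnames: ["${APP_DNS_AUTHENTIK}"]` on the context line of the @@ -138 hunk is left without the `:=authentik` fallback that the komga, paperless-ngx and vikunja sections receive in this same commit, so the files now disagree on how a missing authentik variable is handled. If the fallback is wanted everywhere, this file needs the same `hostAliases` change; if not, a comment on the line would record why this one is different. In the @@ -33 hunk `OCIS_INSECURE: true` and `PROXY_TLS: false` are unquoted and parse as YAML booleans rather than strings; whether the chart stringifies them for the container environment is not visible here, so quoting them as `"true"`/`"false"` would remove the dependency on that behaviour.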


@@ -166,7 +166,7 @@ spec:
primary: true
className: "nginx-internal"
hosts:
- host: &host "${APP_DNS_PAPERLESS_NGX}"
- host: &host "${APP_DNS_PAPERLESS_NGX:=paperless}"
paths:
- path: "/"
pathType: Prefix
@@ -194,8 +194,8 @@ spec:
nas:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_PERSIST_K8S}/paperless-ngx"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_PERSIST_K8S:=/data}/paperless-ngx"
advancedMounts:
main:
main:
@@ -239,8 +239,8 @@ spec:
automountServiceAccountToken: false
enableServiceLinks: false # avoid exposing too much info in env vars in case of lateral movement attempt
hostAliases:
- ip: "${APP_IP_AUTHENTIK}"
hostnames: ["${APP_DNS_AUTHENTIK}"]
- ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
securityContext:
runAsNonRoot: false
runAsUser: &uid 1000 # hardcoded `paperless` user


@@ -92,8 +92,8 @@ spec:
data:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_PERSIST_K8S}"
server: "${IP_TRUENAS:=127.0.0.1}"
path: "${PATH_NAS_PERSIST_K8S:=/restic}"
advancedMounts:
main:
main:


@@ -41,7 +41,7 @@ spec:
primary: true
ingressClassName: "nginx-internal"
hosts:
- host: &host "${APP_DNS_THELOUNGE}"
- host: &host "${APP_DNS_THELOUNGE:=thelounge}"
paths:
- path: /
pathType: Prefix
@@ -49,7 +49,7 @@ spec:
- hosts:
- *host
podSecurityContext:
runAsUser: &uid ${APP_UID_THELOUNGE}
runAsUser: &uid ${APP_UID_THELOUNGE:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always


@@ -95,7 +95,7 @@ spec:
primary: true
className: "nginx-internal"
hosts:
- host: &host "${APP_DNS_VIKUNJA}"
- host: &host "${APP_DNS_VIKUNJA:=vikunja}"
paths: &paths
- path: /
pathType: Prefix
@@ -130,11 +130,11 @@ spec:
automountServiceAccountToken: false
enableServiceLinks: false
hostAliases:
- ip: "${APP_IP_AUTHENTIK}"
hostnames: ["${APP_DNS_AUTHENTIK}"]
- ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_VIKUNJA}
runAsUser: &uid ${APP_UID_VIKUNJA:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"


@@ -104,7 +104,7 @@ spec:
nginx.ingress.kubernetes.io/custom-http-errors: "400,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8, 100.64.0.0/10"
hosts:
- host: &host "${APP_DNS_ZIPLINE}"
- host: &host "${APP_DNS_ZIPLINE:=zipline}"
paths:
- path: /
pathType: Prefix
@@ -140,7 +140,7 @@ spec:
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
nginx.ingress.kubernetes.io/custom-http-errors: "400,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510"
hosts:
- host: &exthost "${DNS_SHORT}"
- host: &exthost "${DNS_SHORT:=localhost}"
paths:
- path: *shorten
pathType: Prefix
@@ -166,7 +166,7 @@ spec:
- hosts:
- *exthost
podSecurityContext:
runAsUser: &uid ${APP_UID_ZIPLINE}
runAsUser: &uid ${APP_UID_ZIPLINE:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
@@ -175,4 +175,4 @@ spec:
cpu: 10m
memory: 128Mi
limits:
memory: 6000Mi
memory: 6000Mi
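Review bot: `&exthost "${DNS_SHORT:=localhost}"` (hunk at @@ -140) gives `DNS_SHORT` a different fallback from the `:=internal` used for the same variable in the code-server section, so a missing variable would produce different hostnames in different files. For an ingress on `nginx-external` with the cloudflare-proxied annotation a fallback that looks like a real host is the less safe option; either align it with the other files, `- host: &exthost "${DNS_SHORT:=internal}"`, or keep an obviously invalid sentinel and mark it as such in a comment. The surrounding ingress definition starts and ends outside the hunk.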


@@ -37,12 +37,14 @@ spec:
- --web.route-prefix=/
- --web.listen-address=:9093
- --cluster.listen-address=[$(POD_IP)]:9094
- --cluster.advertise-address=$(POD_IP):9094
- "--cluster.label=${CLUSTER_NAME}"
- --cluster.peer=alertmanager.monitoring.svc.cluster.local:9094
- --cluster.peer=alertmanager-local-0.monitoring.svc.cluster.local:9094
- --cluster.peer=alertmanager-local-1.monitoring.svc.cluster.local:9094
- --cluster.peer=alertmanager-local-2.monitoring.svc.cluster.local:9094
- --cluster.reconnect-timeout=5m
- --cluster.reconnect-timeout=1h
#- --cluster.probe-interval=5s # hopefully lower DNS requests?
env:
TZ: "${CONFIG_TZ}"
POD_IP:
@@ -142,10 +144,10 @@ spec:
primary: true
className: "nginx-external"
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_CF}"
external-dns.alpha.kubernetes.io/target: "${DNS_CF:=127.0.0.1}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &host "${APP_DNS_ALERTMANAGER}"
- host: &host "${APP_DNS_ALERTMANAGER:=alertmanager}"
paths: &paths
- path: /
pathType: Prefix
@@ -159,7 +161,7 @@ spec:
primary: false
className: "tailscale"
hosts:
- host: &host "${APP_DNS_ALERTMANAGER_TS}"
- host: &host "${APP_DNS_ALERTMANAGER_TS:=alertmanager}"
paths: *paths
tls:
- hosts: [*host]
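Review bot: `external-dns.alpha.kubernetes.io/target: "${DNS_CF:=127.0.0.1}"` (hunk at @@ -142) makes a missing `DNS_CF` ask external-dns to publish a record pointing at loopback instead of failing; whether it would actually be published depends on the fallback host `alertmanager` being inside a managed zone, which cannot be judged from here, but a loopback target on an externally published ingress is a poor silent default and should at least carry a comment marking it as a sentinel. In the same section `APP_DNS_ALERTMANAGER` and `APP_DNS_ALERTMANAGER_TS` both fall back to `alertmanager`, so with both unset the nginx-external and tailscale ingresses would claim the same host; the karma section has the same `DNS_CF` target and the same shared `karma` fallback. In the @@ -37 hunk `--cluster.label=${CLUSTER_NAME}` is left without a fallback, unlike `${CLUSTER_NAME:=biohazard}` in the code-server section, and the rendering does not make clear which of the `--cluster.peer` lines are new, so the peer list and the `1h` reconnect timeout should be checked against the intended membership; a comment on the peer lines explaining why per-pod peers are listed alongside or instead of the service address would help.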


@@ -58,11 +58,11 @@ spec:
primary: true
className: "nginx-external"
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_CF}"
external-dns.alpha.kubernetes.io/target: "${DNS_CF:=127.0.0.1}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
# external auth managed by Cloudflare Zero Trust, so authentik won't be SPoF if internal access not working
hosts:
- host: &host "${APP_DNS_KARMA}"
- host: &host "${APP_DNS_KARMA:=karma}"
paths: &paths
- path: /
pathType: Prefix
@@ -76,7 +76,7 @@ spec:
primary: true
className: "tailscale"
hosts:
- host: &host "${APP_DNS_TS_KARMA}"
- host: &host "${APP_DNS_TS_KARMA:=karma}"
paths: *paths
tls:
- hosts: [*host]
@@ -85,7 +85,7 @@ spec:
enableServiceLinks: false
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_KARMA}
runAsUser: &uid ${APP_UID_KARMA:=1000}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"