feat: add ESPHome

2026-01-28 10:18:26 +00:00 · 2025-07-19 13:08:07 +08:00
parent 66fe67dd33
commit affd43a114
4 changed files with 45 additions and 2 deletions
--- a/kube/deploy/apps/esphome/app/hr.yaml
+++ b/kube/deploy/apps/esphome/app/hr.yaml
@@ -24,6 +24,7 @@ spec:
          labels:
            ingress.home.arpa/nginx-internal: allow
            egress.home.arpa/iot: allow
+            egress.home.arpa/esp: allow
            # authentik.home.arpa/https: allow
            egress.home.arpa/internet: allow
        containers:
@@ -39,6 +40,7 @@ spec:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
+                add: ["NET_"]
            resources:
              requests:
                cpu: "5m"
@@ -76,8 +78,17 @@ spec:
        globalMounts:
          - subPath: data
            path: /config
-      cache:
-        type: emptyDir
+      misc:
+        existingClaim: esphome-misc
+        globalMounts:
+          - subPath: cache
+            path: /cache
+          - subPath: dot-cache
+            path: /config/.cache
+          - subPath: dot-local
+            path: /config/.local
+          - subPath: dot-esphome
+            path: /config/.esphome
      config:
        type: configMap
        name: esphome-config
--- a/kube/deploy/apps/esphome/app/pvc.yaml
+++ b/kube/deploy/apps/esphome/app/pvc.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "esphome-misc"
+  namespace: &app "esphome"
+  annotations:
+    description: "PVC for ESPHome cache etc"
+  labels:
+    app.kubernetes.io/name: *app
+    snapshot.home.arpa/enabled: "true"
+    kustomize.toolkit.fluxcd.io/prune: "Disabled"
+spec:
+  storageClassName: "file-ec-2-1"
+  accessModes: ["ReadWriteMany"]
+  resources:
+    requests:
+      storage: "10Gi"
--- a/kube/deploy/apps/home-assistant/app/hr.yaml
+++ b/kube/deploy/apps/home-assistant/app/hr.yaml
@@ -26,6 +26,7 @@ spec:
            ingress.home.arpa/nginx-internal: allow
            ingress.home.arpa/world: allow
            egress.home.arpa/iot: allow
+            egress.home.arpa/esp: allow
            egress.home.arpa/appletv: allow
            egress.home.arpa/r2: allow
            egress.home.arpa/pypi: allow # entrypoint does a `uv pip install uv` in the venv
--- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
+++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
@@ -518,6 +518,19 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: labelled-allow-egress-esp
+spec:
+  endpointSelector:
+    matchLabels:
+      egress.home.arpa/esp: "allow"
+  egress:
+    - toCIDRSet:
+        - cidr: "${IP_VLAN_ESP_CIDR}"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: labelled-allow-egress-appletv
 spec: