From affd43a11411fb903da85bb01f324cde27195ee3 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sat, 19 Jul 2025 13:08:07 +0800
Subject: [PATCH] feat: add ESPHome
---
 kube/deploy/apps/esphome/app/hr.yaml | 15 +++++++++++++--
 kube/deploy/apps/esphome/app/pvc.yaml | 18 ++++++++++++++++++
 kube/deploy/apps/home-assistant/app/hr.yaml | 1 +
 .../cilium/netpols/labelled-allow-egress.yaml | 13 +++++++++++++
 4 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 kube/deploy/apps/esphome/app/pvc.yaml
diff --git a/kube/deploy/apps/esphome/app/hr.yaml b/kube/deploy/apps/esphome/app/hr.yaml
index 4ddebb57..6b7112d1 100644
--- a/kube/deploy/apps/esphome/app/hr.yaml
+++ b/kube/deploy/apps/esphome/app/hr.yaml
@@ -24,6 +24,7 @@ spec:
 labels:
 ingress.home.arpa/nginx-internal: allow
 egress.home.arpa/iot: allow
+ egress.home.arpa/esp: allow
 # authentik.home.arpa/https: allow
 egress.home.arpa/internet: allow
 containers:
@@ -39,6 +40,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["NET_"]
 resources:
 requests:
 cpu: "5m"
@@ -76,8 +78,17 @@ spec:
 globalMounts:
 - subPath: data
 path: /config
- cache:
- type: emptyDir
+ misc:
+ existingClaim: esphome-misc
+ globalMounts:
+ - subPath: cache
+ path: /cache
+ - subPath: dot-cache
+ path: /config/.cache
+ - subPath: dot-local
+ path: /config/.local
+ - subPath: dot-esphome
+ path: /config/.esphome
 config:
 type: configMap
 name: esphome-config
diff --git a/kube/deploy/apps/esphome/app/pvc.yaml b/kube/deploy/apps/esphome/app/pvc.yaml
new file mode 100644
index 00000000..4bb75e13
--- /dev/null
+++ b/kube/deploy/apps/esphome/app/pvc.yaml
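Review bot: `add: ["NET_"]` in the second hunk of kube/deploy/apps/esphome/app/hr.yaml is not a complete Linux capability name, and since the Kubernetes API does not validate capability strings this is likely to surface only as a container-creation failure from the runtime rather than at apply time. Because this line hands a privilege back after `drop: ["ALL"]`, it should name the intended capability in full and carry a why-comment so the grant can be audited later, e.g. `add: ["NET_RAW"]  # TODO(review): confirm which NET_* capability ESPHome actually needs and for what` (constructed example; the capability is a guess to be verified). The enclosing securityContext block starts and ends outside the hunk.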
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: "esphome-misc"
+ namespace: &app "esphome"
+ annotations:
+ description: "PVC for ESPHome cache etc"
+ labels:
+ app.kubernetes.io/name: *app
+ snapshot.home.arpa/enabled: "true"
+ kustomize.toolkit.fluxcd.io/prune: "Disabled"
+spec:
+ storageClassName: "file-ec-2-1"
+ accessModes: ["ReadWriteMany"]
+ resources:
+ requests:
+ storage: "10Gi"
diff --git a/kube/deploy/apps/home-assistant/app/hr.yaml b/kube/deploy/apps/home-assistant/app/hr.yaml
index cb9c168e..6914a02b 100644
--- a/kube/deploy/apps/home-assistant/app/hr.yaml
+++ b/kube/deploy/apps/home-assistant/app/hr.yaml
@@ -26,6 +26,7 @@ spec:
 ingress.home.arpa/nginx-internal: allow
 ingress.home.arpa/world: allow
 egress.home.arpa/iot: allow
+ egress.home.arpa/esp: allow
 egress.home.arpa/appletv: allow
 egress.home.arpa/r2: allow
 egress.home.arpa/pypi: allow # entrypoint does a `uv pip install uv` in the venv
diff --git a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
index 4ff8735f..6ed28816 100644
--- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
+++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
@@ -518,6 +518,19 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: labelled-allow-egress-esp
+spec:
+ endpointSelector:
+ matchLabels:
+ egress.home.arpa/esp: "allow"
+ egress:
+ - toCIDRSet:
+ - cidr: "${IP_VLAN_ESP_CIDR}"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
 metadata:
 name: labelled-allow-egress-appletv
 spec:
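Review bot: `snapshot.home.arpa/enabled: "true"` is set on a claim whose own annotation describes it as cache storage, and the esphome hr.yaml hunk in this same patch mounts its subPaths at `/cache`, `/config/.cache`, `/config/.local` and `/config/.esphome`. If that label drives a snapshot or backup schedule, as its name suggests, snapshots of regenerable build artefacts will consume space without adding recovery value. Either set it to `"false"` for this claim, or extend the annotation so the choice is recorded, e.g. `description: "PVC for ESPHome build cache etc; snapshotted because <reason>"` (constructed placeholder).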
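Review bot: The new `labelled-allow-egress-esp` policy lets every pod carrying `egress.home.arpa/esp: "allow"` reach the whole `${IP_VLAN_ESP_CIDR}` on any port and protocol, because the `toCIDRSet` rule has no `toPorts`. The sibling policies in this file may deliberately use the same whole-CIDR shape (the neighbouring `labelled-allow-egress-appletv` begins in the context lines but its rules are outside the hunk), yet the two consumers this patch labels, esphome and home-assistant, only need the ESPHome native API and OTA ports, so a `toPorts` block would bound the rule to that. If the ESPHome dashboard's ping-based device status is in use, which the `NET_` capability added in esphome's hr.yaml hints at, ICMP would additionally need an `icmps` rule; confirm that before adding it rather than widening the policy speculatively.
```yaml
  egress:
    - toCIDRSet:
        - cidr: "${IP_VLAN_ESP_CIDR}"
      toPorts:
        - ports:
            - port: "6053"  # ESPHome native API
              protocol: TCP
            - port: "3232"  # ESPHome OTA (ESP32 default; ESP8266 devices listen on 8266)
              protocol: TCP
```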