From b8ed045fec817c7cf6d113af1d9cf6fe1b77241c Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 11 Jun 2025 18:17:09 +0800
Subject: [PATCH] fix(home-assistant): migrate to home-ops org
---
.../kube}/deploy/apps/kah/deps/tls.yaml | 0
.../apps/kah/inspircd/dns-external.yaml | 0
.../kube}/deploy/apps/kah/inspircd/hr.yaml | 0
.../deploy/apps/kah/inspircd/netpol.yaml | 0
.../deploy/apps/kah/inspircd/secrets.yaml | 0
.../kube}/deploy/apps/kah/ks.yaml | 0
.../kube}/deploy/apps/kah/kustomization.yaml | 0
.../kube}/deploy/apps/kah/ns.yaml | 0
kube/deploy/apps/cyberchef/app/hr.yaml | 92 ++++++++++++-------
kube/deploy/apps/cyberchef/ks.yaml | 10 +-
kube/deploy/apps/cyberchef/ns.yaml | 5 +
kube/deploy/apps/home-assistant/app/hr.yaml | 4 +-
12 files changed, 76 insertions(+), 35 deletions(-)
rename {kube => .archive/kube}/deploy/apps/kah/deps/tls.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/inspircd/dns-external.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/inspircd/hr.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/inspircd/netpol.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/inspircd/secrets.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/ks.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/kustomization.yaml (100%)
rename {kube => .archive/kube}/deploy/apps/kah/ns.yaml (100%)
diff --git a/kube/deploy/apps/kah/deps/tls.yaml b/.archive/kube/deploy/apps/kah/deps/tls.yaml
similarity index 100%
rename from kube/deploy/apps/kah/deps/tls.yaml
rename to .archive/kube/deploy/apps/kah/deps/tls.yaml
diff --git a/kube/deploy/apps/kah/inspircd/dns-external.yaml b/.archive/kube/deploy/apps/kah/inspircd/dns-external.yaml
similarity index 100%
rename from kube/deploy/apps/kah/inspircd/dns-external.yaml
rename to .archive/kube/deploy/apps/kah/inspircd/dns-external.yaml
diff --git a/kube/deploy/apps/kah/inspircd/hr.yaml b/.archive/kube/deploy/apps/kah/inspircd/hr.yaml
similarity index 100%
rename from kube/deploy/apps/kah/inspircd/hr.yaml
rename to .archive/kube/deploy/apps/kah/inspircd/hr.yaml
diff --git a/kube/deploy/apps/kah/inspircd/netpol.yaml b/.archive/kube/deploy/apps/kah/inspircd/netpol.yaml
similarity index 100%
rename from kube/deploy/apps/kah/inspircd/netpol.yaml
rename to .archive/kube/deploy/apps/kah/inspircd/netpol.yaml
diff --git a/kube/deploy/apps/kah/inspircd/secrets.yaml b/.archive/kube/deploy/apps/kah/inspircd/secrets.yaml
similarity index 100%
rename from kube/deploy/apps/kah/inspircd/secrets.yaml
rename to .archive/kube/deploy/apps/kah/inspircd/secrets.yaml
diff --git a/kube/deploy/apps/kah/ks.yaml b/.archive/kube/deploy/apps/kah/ks.yaml
similarity index 100%
rename from kube/deploy/apps/kah/ks.yaml
rename to .archive/kube/deploy/apps/kah/ks.yaml
diff --git a/kube/deploy/apps/kah/kustomization.yaml b/.archive/kube/deploy/apps/kah/kustomization.yaml
similarity index 100%
rename from kube/deploy/apps/kah/kustomization.yaml
rename to .archive/kube/deploy/apps/kah/kustomization.yaml
diff --git a/kube/deploy/apps/kah/ns.yaml b/.archive/kube/deploy/apps/kah/ns.yaml
similarity index 100%
rename from kube/deploy/apps/kah/ns.yaml
rename to .archive/kube/deploy/apps/kah/ns.yaml
diff --git a/kube/deploy/apps/cyberchef/app/hr.yaml b/kube/deploy/apps/cyberchef/app/hr.yaml
index f15be454..a5fb5b3b 100644
--- a/kube/deploy/apps/cyberchef/app/hr.yaml
+++ b/kube/deploy/apps/cyberchef/app/hr.yaml
@@ -1,58 +1,86 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-4.0.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app cyberchef namespace: *app spec: + interval: 5m chart: spec: chart: app-template - version: 1.5.1 + version: 4.0.1 sourceRef: name: bjw-s kind: HelmRepository namespace: flux-system values: - global: - fullnameOverride: *app - automountServiceAccountToken: false - controller: - type: deployment - replicas: 1 - image: - repository: docker.io/mpepping/cyberchef - tag: v10.19.4@sha256:91e04eaaa1ba1eac6b8e410d6f7b340e1ea0450d48ccbb52ec67ce6faa3672c5 - podLabels: - ingress.home.arpa/nginx-internal: "allow" - env: - TZ: "${CONFIG_TZ}" + controllers: + app: + type: deployment + replicas: 2 + pod: + labels: + ingress.home.arpa/nginx-internal: allow + containers: + app: + image: &img + repository: docker.io/mpepping/cyberchef + tag: v10.19.4@sha256:91e04eaaa1ba1eac6b8e410d6f7b340e1ea0450d48ccbb52ec67ce6faa3672c5 + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "10m" + limits: + cpu: "1" + memory: "64Mi" + probes: + liveness: + enabled: true + readiness: + enabled: true service: - main: + app: + controller: app ports: http: - port: 8000 + port: 80 + targetPort: 8000 + protocol: HTTP + appProtocol: http ingress: main: - enabled: true - primary: true - ingressClassName: "nginx-internal" + className: nginx-internal hosts: - host: &host "${APP_DNS_CYBERCHEF:=cyberchef}" paths: - path: / pathType: Prefix + service: + identifier: app + port: http tls: - - hosts: - - *host - podSecurityContext: - runAsUser: &uid ${APP_UID_CYBERCHEF:=1000} - runAsGroup: *uid - fsGroup: *uid - fsGroupChangePolicy: Always - resources: - requests: - cpu: 10m - memory: 128Mi - limits: - memory: 256Mi + - hosts: [*host] + defaultPodOptions: 
+ automountServiceAccountToken: false + enableServiceLinks: false + hostUsers: false + securityContext: + runAsNonRoot: true + runAsUser: &uid 1000 + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + seccompProfile: { type: "RuntimeDefault" } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "fuckoff.home.arpa/{{ .Release.Name }}" + operator: DoesNotExist diff --git a/kube/deploy/apps/cyberchef/ks.yaml b/kube/deploy/apps/cyberchef/ks.yaml index 655c12a1..b3ca7be8 100644 --- a/kube/deploy/apps/cyberchef/ks.yaml +++ b/kube/deploy/apps/cyberchef/ks.yaml @@ -4,7 +4,15 @@ kind: Kustomization metadata: name: cyberchef-app namespace: flux-system + labels: &l + app.kubernetes.io/name: "cyberchef" spec: + targetNamespace: "cyberchef" + commonMetadata: + labels: *l path: ./kube/deploy/apps/cyberchef/app + components: + - ../../../core/flux-system/alerts/template/ dependsOn: - - name: 1-core-ingress-nginx-app \ No newline at end of file + - name: crds + namespace: flux-system diff --git a/kube/deploy/apps/cyberchef/ns.yaml b/kube/deploy/apps/cyberchef/ns.yaml index b5ef4ddd..70c90a02 100644 --- a/kube/deploy/apps/cyberchef/ns.yaml +++ b/kube/deploy/apps/cyberchef/ns.yaml @@ -3,3 +3,8 @@ apiVersion: v1 kind: Namespace metadata: name: cyberchef + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps restricted + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps diff --git a/kube/deploy/apps/home-assistant/app/hr.yaml b/kube/deploy/apps/home-assistant/app/hr.yaml index 6f8aacfc..f8bae754 100644 --- a/kube/deploy/apps/home-assistant/app/hr.yaml +++ b/kube/deploy/apps/home-assistant/app/hr.yaml 
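Review bot: `readOnlyRootFilesystem: true` is set on the `app` container, but nothing in the new values gives it a writable path; there is no `persistence` entry anywhere in this hunk. If the web server inside the image writes a pid file or temp/cache files at start-up (not visible from here, so worth confirming against the image), the pods will crash-loop rather than run hardened. An `emptyDir` mounted at the paths it writes keeps the read-only root without that risk; a sketch follows, with the mount path as an assumption. Separately, the `&img` and `&sc` anchors appear never to be aliased in the new file and could be dropped.

```yaml
    # … unchanged: controllers, service, ingress, defaultPodOptions …
    persistence:
      tmp:
        type: emptyDir
        globalMounts:
          # path is an assumption; mount what the image's server actually writes to
          - path: /tmp
```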
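Review bot: `dependsOn` in `cyberchef/ks.yaml` no longer lists `1-core-ingress-nginx-app`, yet the HelmRelease this Kustomization applies still creates an Ingress with `className: nginx-internal`. On a fresh bootstrap the release can then reconcile before the ingress controller exists; if that controller registers an admission webhook, the first installs would presumably fail and retry. If the reordering is deliberate, a comment above `dependsOn` such as `# ingress-nginx ordering intentionally dropped; Ingress reconciles once the controller is up` would record it; otherwise keep the old entry alongside `crds`. The first lines of the document are outside the hunk.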
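Review bot: The `enforce`/`audit`/`warn` labels in `cyberchef/ns.yaml` select the `restricted` profile without a matching `-version` label, so the profile is evaluated at whatever the cluster's current version defines. A control-plane upgrade can therefore tighten enforcement and start rejecting pods in this namespace with no change in Git. Pinning it with `pod-security.kubernetes.io/enforce-version: v1.NN` (placeholder for the cluster's minor version) makes that an explicit edit, while leaving `audit` and `warn` unpinned still surfaces upcoming violations.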
@@ -47,8 +47,8 @@ spec: containers: main: image: - repository: "ghcr.io/onedr0p/home-assistant" - tag: "2025.3.3@sha256:9e2a7177b4600653d6cb46dff01b1598189a5ae93be0b99242fbc039d32d79f1" + repository: ghcr.io/home-operations/home-assistant + tag: 2025.5.3@sha256:a480637f5064050f27e053a756ef2083b4346656e7c15713b574cfb1a9bbf3af env: TZ: "${CONFIG_TZ}" #envFrom: