crichardson/KubeApps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: crichardson:53aeddc7141a737c39bcfe2bebcf0422ce84dd12
Branches Tags
crichardson:main
crichardson:v210 crichardson:v204 crichardson:v203
...
compare: crichardson:v210
Branches Tags
crichardson:main
crichardson:v210 crichardson:v204 crichardson:v203

12 Commits
53aeddc714 ... v210

Author SHA1 Message Date
Chris Richardson
486feff6e6 asd 2025-07-10 22:14:41 -04:00
Chris Richardson
8dbc1f124e comment out 2025-07-02 23:37:54 -04:00
Chris Richardson
5ced4d798a update 2025-02-25 09:00:57 -05:00
Chris Richardson
d1a3ea125d working wg-easy 2025-02-07 13:59:33 -05:00
Chris Richardson
ac5cedef2a fix storage wg 2025-02-07 08:27:59 -05:00
Chris Richardson
7ecdd46001 wg-easy 2025-02-07 08:26:03 -05:00
Chris Richardson
2a09bf9223 new vpn 2025-02-07 07:36:30 -05:00
Chris Richardson
74b7773d12 add lb address vpn 2025-02-03 13:38:42 -05:00
Chris Richardson
e37783b29d add lb to vpn 2025-02-03 13:31:49 -05:00
Chris Richardson
26d1841770 remove ingress for now 2025-01-28 08:37:28 -05:00
Chris Richardson
47a2a0433f update lb for retrom 2025-01-27 13:55:40 -05:00
Chris Richardson
4f27b9647a retrom fix service name 2025-01-27 13:45:36 -05:00
37 changed files with 370 additions and 840 deletions
Expand all files Collapse all files

12
apps/bitwarden/bitwarden-deployment.yaml
View File

@@ -46,9 +46,7 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /data - mountPath: /data
name: bitwarden-data name: bitwarden-data-nfs
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
@@ -58,10 +56,6 @@ spec:
runAsUser: 0 runAsUser: 0
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: bitwarden-data - name: bitwarden-data-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: bitwarden claimName: bitwarden-nfs
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

6
apps/bitwarden/bitwarden-storage.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: bitwarden name: bitwarden-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 5Gi storage: 5Gi

24
apps/gittea/gitea-deployment.yaml
View File

@@ -33,24 +33,30 @@ spec:
- containerPort: 22 - containerPort: 22
name: gitea-ssh name: gitea-ssh
protocol: TCP protocol: TCP
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
resources: {} resources: {}
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /data - mountPath: /data
name: gitea-storage name: gitea-storage-iscsi
- mountPath: /persistentvolumes - mountPath: /data2
name: nfs-client-root name: gitea-storage-nfs2
# - mountPath: /data-new
# name: gitea-storage-nfs
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: gitea-storage - name: gitea-storage-iscsi
persistentVolumeClaim: persistentVolumeClaim:
claimName: gitea claimName: gitea-storage-iscsi
- name: nfs-client-root - name: gitea-storage-nfs2
nfs: persistentVolumeClaim:
path: /volume1/k8s claimName: gitea-nfs2
server: 192.168.1.176

2
apps/gittea/gitea-ingress.yaml
View File

@@ -5,6 +5,8 @@ metadata:
acme.cert-manager.io/http01-edit-in-place: "true" acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issuer: letsencrypt-prod cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx kubernetes.io/ingress.class: nginx
nginx.org/client-max-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
name: gittea-ingress name: gittea-ingress
namespace: default namespace: default
spec: spec:

17
apps/gittea/gitea-storage.yaml
View File

@@ -1,12 +1,25 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: gitea name: gitea-storage-iscsi
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: synology-iscsi-storage-custom
accessModes: accessModes:
- ReadWriteMany - ReadWriteOnce
resources: resources:
requests: requests:
storage: 20Gi storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-nfs2
namespace: default
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi

46
apps/gittea/runner-deployment.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: act-runner
name: act-runner
spec:
replicas: 1
selector:
matchLabels:
app: act-runner
strategy: {}
template:
metadata:
labels:
app: act-runner
spec:
restartPolicy: Always
volumes:
- name: runner-data-nfs
persistentVolumeClaim:
claimName: runner-data-nfs
securityContext:
fsGroup: 1000
containers:
- name: runner
image: vegardit/gitea-act-runner:dind-latest
imagePullPolicy: Always
# command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
env:
- name: GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED
value: "true"
- name: GITEA_RUNNER_JOB_CONTAINER_NETWORK
value: "host"
- name: GITEA_INSTANCE_URL
value: http://gitea-service:80
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: runner-secret
key: token
securityContext:
privileged: true
volumeMounts:
- name: runner-data-nfs
mountPath: /data

6
apps/home-assistant/home-assistance-deploy.yaml
View File

@@ -43,13 +43,13 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: home-assistants-config name: home-assistants-config-nfs
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: home-assistants-config - name: home-assistants-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: home-assistants-config claimName: home-assistants-config-nfs

8
apps/home-assistant/home-assistance-storage.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: home-assistants-config name: home-assistants-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 5Gi storage: 5Gi

41
apps/ingress/ingress.yaml
View File

@@ -22,13 +22,6 @@ spec:
number: 7878 number: 7878
path: /radarr path: /radarr
pathType: Prefix pathType: Prefix
- backend:
service:
name: retrom-service
port:
number: 3000
path: /retrom
pathType: Prefix
- backend: - backend:
service: service:
name: nzbget-service name: nzbget-service
@@ -38,10 +31,10 @@ spec:
pathType: Prefix pathType: Prefix
- backend: - backend:
service: service:
name: prometheus-server name: prowlarr-service
port: port:
number: 80 number: 9696
path: /metric path: /prowlarr
pathType: Prefix pathType: Prefix
- backend: - backend:
service: service:
@@ -50,31 +43,3 @@ spec:
number: 8091 number: 8091
path: /zwave path: /zwave
pathType: Prefix pathType: Prefix
- backend:
service:
name: immich-server
port:
number: 2283
path: /immich
pathType: Prefix
- backend:
service:
name: overseerr-service
port:
number: 5055
path: /overseerr
pathType: Prefix
- backend:
service:
name: tautulli-service
port:
number: 8181
path: /tautulli
pathType: Prefix
- backend:
service:
name: home-assistants-service
port:
number: 7123
path: /ha
pathType: Prefix

27
apps/minio/mini-ui-ingress.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
nginx.org/client-max-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
name: minio-ui-ingress
namespace: default
spec:
rules:
- host: s3ui.lilpenguins.com
http:
paths:
- backend:
service:
name: minio-service
port:
number: 9001
path: /
pathType: Prefix
tls:
- hosts:
- s3ui.lilpenguins.com
secretName: minio-ui-tls-prod

13
apps/nzbget/nzbget-deployment.yaml
View File

@@ -41,7 +41,7 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: nzbget-config name: nzbget-config-nfs
- mountPath: /downloads - mountPath: /downloads
name: nzbget-downloads name: nzbget-downloads
- mountPath: /tv - mountPath: /tv
@@ -50,17 +50,15 @@ spec:
name: nfs-movies name: nfs-movies
- mountPath: /books - mountPath: /books
name: nfs-books name: nfs-books
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: nzbget-config - name: nzbget-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: nzbget-config claimName: nzbget-config-nfs
- name: nzbget-downloads - name: nzbget-downloads
emptyDir: emptyDir:
sizeLimit: 200Gi sizeLimit: 200Gi
@@ -76,7 +74,4 @@ spec:
nfs: nfs:
path: /volume2/vol2/Ebooks/ path: /volume2/vol2/Ebooks/
server: 192.168.1.78 server: 192.168.1.78
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

20
apps/nzbget/nzbget-storage.yaml
View File

@@ -1,26 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: nzbget-config name: nzbget-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nzbget-downloads
namespace: default
spec:
storageClassName: synology-iscsi-storage
accessModes:
- ReadWriteMany
resources:
requests:
storage: 500Gi

12
apps/overseerr/overseerr-deployment.yaml
View File

@@ -34,19 +34,13 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: config name: config-nfs
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: config - name: config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: overseerr-config claimName: overseerr-config-nfs
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

7
apps/overseerr/overseerr-storage.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: overseerr-config name: overseerr-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi

12
apps/radarr/radarr-deployment.yaml
View File

@@ -34,25 +34,19 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: radarr-config name: radarr-config-nfs
- mountPath: /movies - mountPath: /movies
name: nfs-movies name: nfs-movies
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: radarr-config - name: radarr-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: radarr-config claimName: radarr-config-nfs
- name: nfs-movies - name: nfs-movies
nfs: nfs:
path: /volume1/Movies path: /volume1/Movies
server: 192.168.1.176 server: 192.168.1.176
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

6
apps/radarr/radarr-storage.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: radarr-config name: radarr-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 5Gi storage: 5Gi

18
apps/retrom/retrom-deployment.yaml
View File

@@ -29,16 +29,18 @@ spec:
ports: ports:
- containerPort: 5101 - containerPort: 5101
protocol: TCP protocol: TCP
name: server
- containerPort: 3000 - containerPort: 3000
protocol: TCP protocol: TCP
name: web
resources: {} resources: {}
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /app/config/ - mountPath: /app/config
name: retrom-config name: retrom-config-nfs
- mountPath: /app/data/ - mountPath: /app/data
name: retrom-data name: retrom-data-nfs
- mountPath: /app/library - mountPath: /app/library
name: nfs-roms name: nfs-roms
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
@@ -47,12 +49,12 @@ spec:
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: retrom-config - name: retrom-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: retrom-config claimName: retrom-config-nfs
- name: retrom-data - name: retrom-data-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: retrom-data claimName: retrom-data-nfs
- name: nfs-roms - name: nfs-roms
nfs: nfs:
path: /volume2/vol2/Downloads/Roms/retrom path: /volume2/vol2/Downloads/Roms/retrom

25
apps/retrom/retrom-ingress.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
name: retrom-ingress
namespace: default
spec:
rules:
- host: retrom.lilpenguins.com
http:
paths:
- backend:
service:
name: retrom-service
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- retrom.lilpenguins.com
secretName: retrom-tls-prod

4
apps/retrom/retrom-service.yaml
View File

@@ -7,7 +7,11 @@ spec:
ports: ports:
- port: 5101 - port: 5101
targetPort: 5101 targetPort: 5101
name: server
- port: 3000 - port: 3000
targetPort: 3000 targetPort: 3000
name: web
selector: selector:
app: retrom app: retrom
sessionAffinity: None
type: LoadBalancer

15
apps/retrom/retrom-storage.yaml
View File

@@ -1,26 +1,25 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: retrom-config name: retrom-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 2Gi storage: 2Gi
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: retrom-data name: retrom-data-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 20Gi storage: 20Gi

24
apps/sonarr/sonnarr-deployment.yaml
View File

@@ -34,35 +34,25 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /downloads - mountPath: /downloads
name: downloads name: downloads-nfs
- mountPath: /sonarBK
name: sonar
- mountPath: /config - mountPath: /config
name: sonar-config name: sonar-config-nfs
- mountPath: /tv - mountPath: /tv
name: nfs-tv name: nfs-tv
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: downloads - name: downloads-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: sonarr-downloads claimName: sonarr-downloads-nfs
- name: sonar - name: sonar-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: sonarr claimName: sonarr-config-nfs
- name: sonar-config
persistentVolumeClaim:
claimName: sonarr-config
- name: nfs-tv - name: nfs-tv
nfs: nfs:
path: /volume2/vol2/TV/ path: /volume2/vol2/TV/
server: 192.168.1.78 server: 192.168.1.78
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

18
apps/sonarr/sonnarr-storage.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: sonarr name: sonarr-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi
@@ -15,12 +15,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: sonarr-config name: sonarr-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 2Gi storage: 2Gi
@@ -29,12 +29,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: sonarr-downloads name: sonarr-downloads-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 50Gi storage: 50Gi

12
apps/tautulli/tautulli-deployment.yaml
View File

@@ -35,19 +35,13 @@ spec:
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: tautulli-config name: tautulli-config-nfs
- mountPath: /persistentvolumes
name: nfs-client-root
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: tautulli-config - name: tautulli-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: 10g-tautulli-config claimName: 10g-tautulli-config-nfs
- name: nfs-client-root
nfs:
path: /volume1/k8s
server: 192.168.1.176

12
apps/tautulli/tautulli-storage.yaml
View File

@@ -2,18 +2,12 @@ apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
annotations: annotations:
name: 10g-tautulli-config name: 10g-tautulli-config-nfs
namespace: default namespace: default
spec: spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
storageClassName: synology-iscsi-storage storageClassName: nfs-client
status:
accessModes:
- ReadWriteMany
capacity:
storage: 10Gi
phase: Bound

8
apps/technitium/technitium-deploymet.yaml
View File

@@ -44,14 +44,14 @@ spec:
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /etc/dns
name: technitium-config name: technitium-config-nfs
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: technitium-config - name: technitium-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: technitium-config claimName: technitium-config-nfs

8
apps/technitium/technitium-storage.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: technitium-config name: technitium-config-nfs
namespace: default namespace: default
spec: spec:
storageClassName: synology-iscsi-storage-custom storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi

11
apps/unifi/unifi-deployment.yaml
View File

@@ -52,14 +52,19 @@ spec:
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /config-nfs
name: unifi-config-nfs
- mountPath: /config - mountPath: /config
name: unifi-config name: unifi-config-nfs2
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: unifi-config - name: unifi-config-nfs
persistentVolumeClaim: persistentVolumeClaim:
claimName: unifi-config claimName: unifi-config-nfs
- name: unifi-config-nfs2
persistentVolumeClaim:
claimName: unifi-config-nfs2

26
apps/unifi/unifi-storage.yaml
View File

@@ -10,3 +10,29 @@ spec:
resources: resources:
requests: requests:
storage: 200Gi storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-config-nfs
namespace: default
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-config-nfs2
namespace: default
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi

6
apps/vpn/nate.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: vpn.wireguard-operator.io/v1alpha1
kind: WireguardPeer
metadata:
name: nate-ios
spec:
wireguardRef: "richardson-vpn"

6
apps/vpn/noah.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: vpn.wireguard-operator.io/v1alpha1
kind: WireguardPeer
metadata:
name: noah-ios
spec:
wireguardRef: "richardson-vpn"

603
apps/vpn/operator.yaml
View File

@@ -1,603 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: wireguard-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: wireguardpeers.vpn.wireguard-operator.io
spec:
group: vpn.wireguard-operator.io
names:
kind: WireguardPeer
listKind: WireguardPeerList
plural: wireguardpeers
singular: wireguardpeer
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: WireguardPeer is the Schema for the wireguardpeers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: The desired state of the peer.
properties:
PrivateKeyRef:
description: The private key of the peer
properties:
secretKeyRef:
description: SecretKeySelector selects a key of a Secret.
properties:
key:
description: The key of the secret to select from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
type: object
required:
- secretKeyRef
type: object
address:
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file The address of the peer.'
type: string
disabled:
description: Set to true to temporarily disable the peer.
type: boolean
dns:
description: The DNS configuration for the peer.
type: string
downloadSpeed:
properties:
config:
type: integer
unit:
enum:
- mbps
- kbps
type: string
type: object
egressNetworkPolicies:
description: Egress network policies for the peer.
items:
properties:
action:
description: Specifies the action to take when outgoing traffic from a Wireguard peer matches the policy. This could be 'Accept' or 'Reject'.
enum:
- ACCEPT
- REJECT
- Accept
- Reject
type: string
protocol:
description: Specifies the protocol to match for this policy. This could be TCP, UDP, or ICMP.
enum:
- TCP
- UDP
- ICMP
type: string
to:
description: A struct that specifies the destination address and port for the traffic. This could include IP addresses or hostnames, as well as specific port numbers or port ranges.
properties:
ip:
description: A string field that specifies the destination IP address for traffic that matches the policy.
type: string
port:
description: An integer field that specifies the destination port number for traffic that matches the policy.
format: int32
type: integer
type: object
type: object
type: array
publicKey:
description: The key used by the peer to authenticate with the wg server.
type: string
uploadSpeed:
properties:
config:
type: integer
unit:
enum:
- mbps
- kbps
type: string
type: object
wireguardRef:
description: The name of the Wireguard instance in k8s that the peer belongs to. The wg instance should be in the same namespace as the peer.
minLength: 1
type: string
required:
- wireguardRef
type: object
status:
description: A field that defines the observed state of the Wireguard peer. This includes fields like the current configuration and status of the peer.
properties:
config:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file A string field that contains the current configuration for the Wireguard peer.'
type: string
message:
description: A string field that provides additional information about the status of the Wireguard peer. This could include error messages or other information that helps to diagnose issues with the peer.
type: string
status:
description: A string field that represents the current status of the Wireguard peer. This could include values like ready, pending, or error.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: wireguards.vpn.wireguard-operator.io
spec:
group: vpn.wireguard-operator.io
names:
kind: Wireguard
listKind: WireguardList
plural: wireguards
singular: wireguard
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Wireguard is the Schema for the wireguards API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: WireguardSpec defines the desired state of Wireguard
properties:
address:
description: A string field that specifies the address for the Wireguard VPN server. This is the public IP address or hostname that peers will use to connect to the VPN.
type: string
dns:
description: A string field that specifies the DNS server(s) to be used by the peers.
type: string
enableIpForwardOnPodInit:
description: A boolean field that specifies whether IP forwarding should be enabled on the Wireguard VPN pod at startup. This can be useful to enable if the peers are having problems with sending traffic to the internet.
type: boolean
mtu:
description: A string field that specifies the maximum transmission unit (MTU) size for Wireguard packets for all peers.
type: string
port:
description: A field that specifies the value to use for a nodePort ServiceType
format: int32
type: integer
serviceAnnotations:
additionalProperties:
type: string
description: A map of key value strings for service annotations
type: object
serviceType:
description: A field that specifies the type of Kubernetes service that should be used for the Wireguard VPN. This could be NodePort or LoadBalancer, depending on the needs of the deployment.
type: string
useWgUserspaceImplementation:
description: A boolean field that specifies whether to use the userspace implementation of Wireguard instead of the kernel one.
type: boolean
type: object
status:
description: WireguardStatus defines the observed state of Wireguard
properties:
address:
description: A string field that specifies the address for the Wireguard VPN server that is currently being used.
type: string
dns:
type: string
message:
description: A string field that provides additional information about the status of Wireguard. This could include error messages or other information that helps to diagnose issues with the wg instance.
type: string
port:
description: A string field that specifies the port for the Wireguard VPN server that is currently being used.
type: string
status:
description: A string field that represents the current status of Wireguard. This could include values like ready, pending, or error.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: wireguard-controller-manager
namespace: wireguard-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: wireguard-leader-election-role
namespace: wireguard-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: wireguard-manager-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguardpeers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguardpeers/finalizers
verbs:
- update
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguardpeers/status
verbs:
- get
- patch
- update
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguards
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguards/finalizers
verbs:
- update
- apiGroups:
- vpn.wireguard-operator.io
resources:
- wireguards/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: wireguard-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: wireguard-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: wireguard-leader-election-rolebinding
namespace: wireguard-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: wireguard-leader-election-role
subjects:
- kind: ServiceAccount
name: wireguard-controller-manager
namespace: wireguard-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: wireguard-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: wireguard-manager-role
subjects:
- kind: ServiceAccount
name: wireguard-controller-manager
namespace: wireguard-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: wireguard-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: wireguard-proxy-role
subjects:
- kind: ServiceAccount
name: wireguard-controller-manager
namespace: wireguard-system
---
apiVersion: v1
data:
controller_manager_config.yaml: |
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 127.0.0.1:8080
webhook:
port: 9443
leaderElection:
leaderElect: true
resourceName: a6d3bffc.wireguard-operator.io
kind: ConfigMap
metadata:
name: wireguard-manager-config
namespace: wireguard-system
---
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: wireguard-controller-manager-metrics-service
namespace: wireguard-system
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: controller-manager
name: wireguard-controller-manager
namespace: wireguard-system
spec:
replicas: 1
selector:
matchLabels:
control-plane: controller-manager
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
- --agent-image=ghcr.io/jodevsa/wireguard-operator/agent:v2.1.0
command:
- /manager
image: ghcr.io/jodevsa/wireguard-operator/manager:v2.1.0
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true
serviceAccountName: wireguard-controller-manager
terminationGracePeriodSeconds: 10

6
apps/vpn/peer.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: vpn.wireguard-operator.io/v1alpha1
kind: WireguardPeer
metadata:
name: peer1
spec:
wireguardRef: "richardson-vpn"

6
apps/vpn/server.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: vpn.wireguard-operator.io/v1alpha1
kind: Wireguard
metadata:
name: "richardson-vpn"
spec:
mtu: "1380"

75
apps/wg-easy/deployment.yaml Normal file
View File

@@ -0,0 +1,75 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: wg-easy
namespace: wg-easy
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app.kubernetes.io/name: wg-easy
strategy:
# Restrict to a Single wg-easy instance, on redeploys it will tear down the old one before bring a new one up.
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: wg-easy
spec:
containers:
- name: wg-easy
# Specify external hostname and port as environment variables
env:
- name: WG_HOST
value: v.lilpenguins.com
- name: PASSWORD_HASH
value: '$2a$12$itaZHmItlUr5pcepxSTcNOQ9J4XLQPGkac36pdQox2gOdYmv2JdUq'
- name: WG_MTU
value: "1320"
image: ghcr.io/wg-easy/wg-easy
imagePullPolicy: IfNotPresent
ports:
- containerPort: 51820
name: wg
protocol: UDP
- containerPort: 51821
name: http
protocol: TCP
# Use the http server for pod health checks
livenessProbe:
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
startupProbe:
failureThreshold: 30
periodSeconds: 5
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
# Give pod permissions to modify iptables and load the wireguard kernel module
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
# Persistent storage location
volumeMounts:
- mountPath: /etc/wireguard
name: config
restartPolicy: Always
volumes:
- name: config
persistentVolumeClaim:
claimName: wg-easy-storage-nfs-claim

26
apps/wg-easy/ingress.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
name: wg-easy
namespace: wg-easy
spec:
rules:
- host: v.lilpenguins.com
http:
paths:
- backend:
service:
name: wg-easy-http
port:
name: http
path: /
pathType: Prefix
tls:
- hosts:
- v.lilpenguins.com
secretName: v-lilpenguins-com-tls

30
apps/wg-easy/service.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: wg-easy-wg
namespace: wg-easy
spec:
ports:
- name: wg
port: 51820
protocol: UDP
targetPort: 51820
selector:
app.kubernetes.io/name: wg-easy
sessionAffinity: None
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: wg-easy-http
namespace: wg-easy
spec:
ports:
- name: http
port: 51821
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/name: wg-easy
type: ClusterIP

12
apps/wg-easy/storage.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wg-easy-storage-nfs-claim
namespace: wg-easy
spec:
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi