
add-kubernetes

James Turland 1 年之前
父节点
当前提交
ef6ba4bd22
共有 42 个文件被更改,包括 1375 次插入0 次删除
  1. 16 0
      Home-Assistant/Kubernetes/default-headers.yaml
  2. 94 0
      Home-Assistant/Kubernetes/homeassistant-deployment.yaml
  3. 26 0
      Home-Assistant/Kubernetes/ingress.yaml
  4. 18 0
      Home-Assistant/Kubernetes/sealed-secret.yaml
  5. 11 0
      Home-Assistant/Kubernetes/secret.yaml
  6. 16 0
      Jellyfin/Kubernetes/default-headers.yaml
  7. 26 0
      Jellyfin/Kubernetes/ingress.yaml
  8. 85 0
      Jellyfin/Kubernetes/jellyfin-deployment.yaml
  9. 24 0
      Jellyfin/Kubernetes/networkpolicy.yaml
  10. 27 0
      Jellyfin/Kubernetes/pv-smb.yaml
  11. 14 0
      Jellyfin/Kubernetes/pvc-smb.yaml
  12. 50 0
      Mosquitto/Kubernetes/deployment.yaml
  13. 6 0
      Mosquitto/Kubernetes/namespace.yaml
  14. 19 0
      Mosquitto/Kubernetes/pv.yaml
  15. 13 0
      Mosquitto/Kubernetes/pvc.yaml
  16. 22 0
      Mosquitto/Kubernetes/service.yaml
  17. 16 0
      Pihole/Kubernetes/default-headers.yaml
  18. 24 0
      Pihole/Kubernetes/ingress.yaml
  19. 18 0
      Pihole/Kubernetes/middleware.yaml
  20. 17 0
      Pihole/Kubernetes/networkpolicy.yaml
  21. 118 0
      Pihole/Kubernetes/pihole-deployment.yaml
  22. 16 0
      Pihole/Kubernetes/sealed-secret.yaml
  23. 16 0
      Plex/Kubernetes/default-headers.yaml
  24. 26 0
      Plex/Kubernetes/ingress.yaml
  25. 24 0
      Plex/Kubernetes/networkpolicy.yaml
  26. 105 0
      Plex/Kubernetes/plex-deployment-2.yaml
  27. 55 0
      Plex/Kubernetes/pms-docker-service.yaml
  28. 27 0
      Plex/Kubernetes/pv-smb.yaml
  29. 14 0
      Plex/Kubernetes/pvc-smb.yaml
  30. 16 0
      UptimeKuma/Kubernetes/default-headers.yaml
  31. 83 0
      UptimeKuma/Kubernetes/deployment.yaml
  32. 26 0
      UptimeKuma/Kubernetes/ingress.yaml
  33. 18 0
      UptimeKuma/Kubernetes/longhorn-pv.yaml
  34. 16 0
      Vaultwarden/Kubernetes/default-headers.yaml
  35. 53 0
      Vaultwarden/Kubernetes/deployment.yaml
  36. 27 0
      Vaultwarden/Kubernetes/ingress.yaml
  37. 11 0
      Vaultwarden/Kubernetes/ipwhitelist.yaml
  38. 35 0
      Vaultwarden/Kubernetes/networkpolicy.yaml
  39. 16 0
      Wireguard/Kubernetes/default-headers.yaml
  40. 91 0
      Wireguard/Kubernetes/deployment.yaml
  41. 26 0
      Wireguard/Kubernetes/ingress.yaml
  42. 14 0
      Wireguard/Kubernetes/ingressRouteUDP.yaml

+ 16 - 0
Home-Assistant/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: homeassistant
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https
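Review bot: `browserXssFilter: true` emits the X-XSS-Protection header, which current browsers ignore and whose filter caused more trouble than it prevented in older ones; a `contentSecurityPolicy` value (or at least a `referrerPolicy`) is the modern replacement for this slot. `stsPreload: true` combined with `stsIncludeSubdomains: true` is a near-irreversible commitment for the whole `yourdomain.co.uk` zone once it is submitted to the preload list, so it deserves a comment such as `# preload only once every subdomain is served over HTTPS` or should be left off by default. The same middleware is duplicated byte-for-byte in the Jellyfin, Pihole, Plex, UptimeKuma, Vaultwarden and Wireguard default-headers.yaml files in this commit, so both remarks apply there too.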

+ 94 - 0
Home-Assistant/Kubernetes/homeassistant-deployment.yaml

@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: homeassistant
+    app.kubernetes.io/instance: homeassistant
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: homeassistant
+  template:
+    metadata:
+      labels:
+        app: homeassistant
+        app.kubernetes.io/name: homeassistant
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+      - image: homeassistant/home-assistant:latest
+        imagePullPolicy: Always
+        name: homeassistant
+        ports:
+        - containerPort: 8123
+          name: web
+          protocol: TCP
+        env:
+        - name: TZ
+          value: Europe/London
+        volumeMounts:
+        - mountPath: /config
+          name: homeassistant
+          subPath: config
+      - image: docker.io/postgres:12-alpine
+        imagePullPolicy: IfNotPresent
+        name: homeassistant-db
+        ports:
+        - containerPort: 5432
+          name: db
+          protocol: TCP
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: POSTGRES_USER
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: POSTGRES_PASSWORD
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: POSTGRES_DB
+        - name: POSTGRES_INITDB_ARGS
+          value: --encoding=UTF-8
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: homeassistant
+          subPath: schemas
+      volumes:
+        - name: homeassistant
+          persistentVolumeClaim:
+            claimName: homeassistant
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: homeassistant
+  name: homeassistant
+  namespace: homeassistant 
+spec:
+  ports:
+  - name: web-tcp
+    port: 80
+    protocol: TCP
+    targetPort: 8123
+  - name: db
+    port: 5432
+    protocol: TCP
+    targetPort: 5432
+  selector:
+    app: homeassistant
+  externalTrafficPolicy: Local
+  loadBalancerIP: 192.168.200.17
+  type: LoadBalancer
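Review bot: The Service at the end of the hunk publishes the Postgres port (`- name: db` / `port: 5432`) on the LAN-facing LoadBalancer at `192.168.200.17`, although its only client is the `homeassistant` container in the same pod, which reaches it over localhost; drop that port entry so the database is not reachable from the network at all. Both images float (`home-assistant:latest` with `imagePullPolicy: Always`, `postgres:12-alpine` with a major-only tag), so a restart can silently pull a different build; pin a digest or a full version tag. Neither container sets `resources`, which would be consistent with the Mosquitto deployment in this commit, and neither has a `securityContext`.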

+ 26 - 0
Home-Assistant/Kubernetes/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.ha.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: homeassistant
+          port: 80
+    - match: Host(`ha.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: homeassistant
+          port: 80
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: yourdomain-tls
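Review bot: Only the `ha.yourdomain.co.uk` route carries `middlewares: - name: default-headers`; the `www.ha.yourdomain.co.uk` route in the same hunk serves the same backend with no middleware, so the header hardening is skipped simply by using the `www.` host. Either add the same `middlewares:` stanza to the first route or merge the two routes into a single rule whose `match` joins both `Host()` matchers with `||`, so there is one place where middleware is attached. The Jellyfin, Plex, UptimeKuma and Vaultwarden ingress.yaml files in this commit have the identical asymmetry.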

+ 18 - 0
Home-Assistant/Kubernetes/sealed-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: secrets
+  namespace: homeassistant
+spec:
+  encryptedData:
+    POSTGRES_DB: some-secret
+    POSTGRES_PASSWORD: some-secret
+    POSTGRES_USER: some-secret
+  template:
+    metadata:
+      creationTimestamp: null
+      name: secrets
+      namespace: homeassistant
+    type: Opaque
+

+ 11 - 0
Home-Assistant/Kubernetes/secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets
+  namespace: homeassistant
+type: Opaque
+data:
+  POSTGRES_USER: some-secret
+  POSTGRES_PASSWORD: some-secret
+  POSTGRES_DB: some-secret
+  
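Review bot: The `data:` map holds the literal `some-secret` placeholders, but `data` values must be base64-encoded, so `kubectl apply` rejects this manifest as illegal base64; if a plaintext template is wanted, the key is `stringData:`, not `data:`. More importantly, the commit already ships `sealed-secret.yaml` for the same `secrets` object in `homeassistant`, so an unsealed Secret should not be committed next to it — it invites someone to fill the real values in here and push them. Deleting this file, or moving it to an ignored example path, removes that trap.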

+ 16 - 0
Jellyfin/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: jellyfin
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

+ 26 - 0
Jellyfin/Kubernetes/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.jellyfin.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: jellyfin
+          port: 8096
+    - match: Host(`jellyfin.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: jellyfin
+          port: 8096
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: yourdomain-tls

+ 85 - 0
Jellyfin/Kubernetes/jellyfin-deployment.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: jellyfin
+    app.kubernetes.io/instance: jellyfin
+    app.kubernetes.io/name: jellyfin
+  name: jellyfin
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyfin
+  template:
+    metadata:
+      labels:
+        app: jellyfin
+        app.kubernetes.io/name: jellyfin
+    spec:
+      nodeSelector:
+      #  gpu: "true"
+        worker: "true"
+      containers:
+      - image: jellyfin/jellyfin
+        imagePullPolicy: Always
+        name: jellyfin
+        ports:
+        - containerPort: 8096
+          name: web
+          protocol: TCP
+        env:
+        - name: TZ
+          value: Europe/London
+        volumeMounts:
+        - mountPath: /config
+          name: jellyfin
+          subPath: config
+        - mountPath: /cache
+          name: jellyfin
+          subPath: cache
+        - mountPath: "/Audiobooks"
+          readOnly: false
+          name: smb
+          subPath: Audiobooks
+        - mountPath: "/Films"
+          readOnly: false
+          name: smb
+          subPath: Films
+        - mountPath: "/TVShows"
+          readOnly: false
+          name: smb
+          subPath: TVShows
+        - mountPath: "/Music"
+          readOnly: false
+          name: smb
+          subPath: Music
+      volumes:
+        - name: jellyfin
+          persistentVolumeClaim:
+            claimName: jellyfin
+        - name: smb
+          persistentVolumeClaim:
+            claimName: pvc-jellyfin-smb
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: jellyfin
+  name: jellyfin
+  namespace: jellyfin 
+spec:
+  ports:
+  - name: web-tcp
+    port: 8096
+    protocol: TCP
+    targetPort: 8096
+  - name: web-udp
+    port: 8096
+    protocol: UDP
+    targetPort: 8096
+  selector:
+    app: jellyfin
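Review bot: The four SMB media mounts (`/Audiobooks`, `/Films`, `/TVShows`, `/Music`) are declared `readOnly: false`, yet a media server only needs to read them; the Plex deployment in this same commit mounts the same shares with `readOnly: true`, so setting `readOnly: true` here too keeps the library immutable from inside the pod. `image: jellyfin/jellyfin` carries no tag, which means `latest`, and with `imagePullPolicy: Always` every restart may pull a different build; pin a version. The Service's `web-udp` entry forwards UDP 8096 to a container that only declares `8096/TCP`, so it is presumably dead configuration — confirm against what the process actually listens on before keeping it.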

+ 24 - 0
Jellyfin/Kubernetes/networkpolicy.yaml

@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+  namespace: jellyfin
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: "0.0.0.0/0"
+        except:
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: "kube-system"
+    - podSelector:
+        matchLabels:
+          k8s-app: "kube-dns"
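Review bot: In the second egress rule, `namespaceSelector` and `podSelector` are separate list items, so they are OR-ed: the pod may reach any pod in `kube-system` and any pod labelled `k8s-app: kube-dns` in the `jellyfin` namespace, rather than only CoreDNS. To express the intended AND, put both selectors in one `to` element by changing `    - podSelector:` to `      podSelector:` aligned under the `namespaceSelector:` item, and add `ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]` so only DNS is permitted. The Plex and Vaultwarden networkpolicy.yaml files in this commit repeat the same construction.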

+ 27 - 0
Jellyfin/Kubernetes/pv-smb.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+  name: pv-jellyfin-smb
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: smb
+  mountOptions:
+    - dir_mode=0777
+    - file_mode=0777
+  csi:
+    driver: smb.csi.k8s.io
+    readOnly: false
+    # volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
+    # make sure this value is unique for every share in the cluster
+    volumeHandle: jellyfin
+    volumeAttributes:
+      source: "//192.168.x.x/your-nas"
+    nodeStageSecretRef:
+      name: smbcreds
+      namespace: default
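Review bot: `dir_mode=0777` and `file_mode=0777` make every file on the share appear world-writable inside any pod that mounts it, which is broader than the media containers need; `dir_mode=0755,file_mode=0644` plus `uid=`/`gid=` options matching the container user is the least-privilege equivalent. The comment states the handle format as `{smb-server-address}#{sub-dir-name}#{share-name}`, but the value is just `volumeHandle: jellyfin`, so either the comment or the value should change; uniqueness across the cluster is the part that actually matters. The `smbcreds` secret is referenced from the `default` namespace and is created nowhere in this commit, so a comment such as `# smbcreds must be created out-of-band in the default namespace` would help; Plex/Kubernetes/pv-smb.yaml has the same three issues.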

+ 14 - 0
Jellyfin/Kubernetes/pvc-smb.yaml

@@ -0,0 +1,14 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: pvc-jellyfin-smb
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  volumeName: pv-jellyfin-smb
+  storageClassName: smb

+ 50 - 0
Mosquitto/Kubernetes/deployment.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: mosquitto
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mosquitto
+  template:
+    metadata:
+      labels:
+        app: mosquitto
+        app.kubernetes.io/name: mosquitto
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+      - image: eclipse-mosquitto:latest
+        imagePullPolicy: IfNotPresent
+        resources:
+          limits:
+            cpu: 0.5
+            memory: 500Mi
+        name: mosquitto
+        ports:
+        - containerPort: 1883
+          name: mqtt
+          protocol: TCP
+        - containerPort: 9001
+          name: websocket
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /mosquitto/config/
+          name: mosquitto
+          subPath: config
+        - mountPath: "/mosquitto/data"
+          name: mosquitto
+          subPath: "data"
+        - mountPath: "/mosquitto/log"
+          name: mosquitto
+          subPath: log
+      volumes:
+        - name: mosquitto
+          persistentVolumeClaim:
+            claimName: mosquitto
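Review bot: `image: eclipse-mosquitto:latest` with `imagePullPolicy: IfNotPresent` combines the drawbacks of both choices: the tag floats, but a node that already has some `latest` cached keeps running it indefinitely, so versions drift between nodes and never update predictably; pin a version tag (then `IfNotPresent` is fine). Nothing in the commit provides `/mosquitto/config/mosquitto.conf` — it is expected to live in the `config` subPath of the PVC — so a comment above `volumeMounts:` such as `# mosquitto.conf (listeners, auth) is provisioned on the PVC, not in this repo` would save the next reader a search. `cpu: 0.5` is accepted, but `500m` is the form used elsewhere in this commit (`1000m` in the Plex deployment).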

+ 6 - 0
Mosquitto/Kubernetes/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mosquitto
+  labels:
+    name: mosquitto

+ 19 - 0
Mosquitto/Kubernetes/pv.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mosquitto
+spec:
+  capacity:
+    storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: longhorn
+  csi:
+    driver: driver.longhorn.io
+    fsType: ext4
+    volumeAttributes:
+      numberOfReplicas: '2'
+      staleReplicaTimeout: '2880'
+    volumeHandle: mosquitto

+ 13 - 0
Mosquitto/Kubernetes/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: mosquitto

+ 22 - 0
Mosquitto/Kubernetes/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: mosquitto
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  ports:
+  - name: mqtt
+    port: 1883
+    protocol: TCP
+    targetPort: 1883
+  - name: websocket
+    port: 9001
+    protocol: TCP
+    targetPort: 9001
+  selector:
+    app: mosquitto
+  externalTrafficPolicy: Local
+  loadBalancerIP: 192.168.200.14
+  type: LoadBalancer
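Review bot: The LoadBalancer at `192.168.200.14` publishes `1883` (MQTT) and `9001` (WebSocket), both plaintext, to every host on the LAN, and whether the broker demands credentials depends entirely on a mosquitto.conf that this commit does not include. If the clients are a known set, `loadBalancerSourceRanges:` with their subnets limits the exposure without touching the broker; a TLS listener on 8883 is the longer-term fix. At minimum a comment above `ports:` recording that the listeners are unencrypted and rely on broker-side authentication makes the trade-off explicit.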

+ 16 - 0
Pihole/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: pihole
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

+ 24 - 0
Pihole/Kubernetes/ingress.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: pihole
+  namespace: pihole
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`pihole.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: pihole
+          port: 80
+      middlewares:
+        - name: default-headers
+        - name: dashboard-redirect
+        - name: dashboard-prefix
+
+  tls:
+    secretName: yourdomain-tls
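Review bot: The Pi-hole admin UI is published on the `traefik-external` entryPoint with nothing but `WEBPASSWORD` in front of it, whereas the Vaultwarden ingress in this commit additionally chains a `local-ipwhitelist` middleware; for a resolver's management console that only LAN clients need, adding an equivalent allowlist middleware to this `middlewares:` list is the cheaper control. The stray blank line between `- name: dashboard-prefix` and `tls:` is harmless YAML but breaks the file's indentation rhythm; drop it.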

+ 18 - 0
Pihole/Kubernetes/middleware.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-redirect
+  namespace: pihole
+spec:
+  redirectRegex:
+    regex: /admin/$
+    replacement: /
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-prefix
+  namespace: pihole
+spec:
+  addPrefix:
+    prefix: /admin

+ 17 - 0
Pihole/Kubernetes/networkpolicy.yaml

@@ -0,0 +1,17 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+  namespace: pihole
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 172.16.0.0/20
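Review bot: This is an Ingress policy that admits traffic from `0.0.0.0/0` except the private ranges, so the LAN clients on `192.168.200.x` (whose source addresses the Service preserves via `externalTrafficPolicy: Local`) and in-cluster pods on 10.x are the ones denied; for a DNS server whose purpose is to answer LAN clients this reads like the Jellyfin egress rule copied over with the direction flipped. If the intent is "LAN only", the rule should be the inverse — `cidr: 192.168.0.0/16` (plus whatever pod CIDR Traefik uses) under `from:` with no `except`, as the Vaultwarden networkpolicy in this commit does. Separately, `172.16.0.0/20` covers only 172.16.0.0–172.16.15.255; the RFC 1918 block is `172.16.0.0/12`, which is the value the other three policies use.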

+ 118 - 0
Pihole/Kubernetes/pihole-deployment.yaml

@@ -0,0 +1,118 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pihole
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: pihole
+    app.kubernetes.io/name: pihole
+  name: pihole
+  namespace: pihole
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pihole
+  template:
+    metadata:
+      labels:
+        app: pihole
+        app.kubernetes.io/name: pihole
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+      - image: visibilityspots/cloudflared
+        imagePullPolicy: IfNotPresent
+        name: cloudflared
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: TCP
+        - containerPort: 67
+          name: dns-udp
+          protocol: UDP
+        env:
+        - name: TUNNEL_METRICS
+          value: 127.0.0.1:3000
+      - env:
+        - name: TZ
+          value: "Europe/London"
+        - name: WEBPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: web-pass
+              key: WEBPASSWORD
+        - name: FTLCONF_LOCAL_IPV4
+          value: 192.168.200.11
+        - name: PIHOLE_DNS_
+          value: 127.0.0.1#5054 
+        image: pihole/pihole:latest
+        imagePullPolicy: Always
+        name: pihole
+        ports:
+        - containerPort: 80
+          name: pihole-http
+          protocol: TCP
+        - containerPort: 53
+          name: dns
+          protocol: TCP
+        - containerPort: 53
+          name: dns-udp
+          protocol: UDP
+        - containerPort: 443
+          name: pihole-ssl
+          protocol: TCP
+        - containerPort: 67
+          name: client-udp
+          protocol: UDP
+        volumeMounts:
+        - mountPath: /etc/pihole
+          name: pihole
+        securityContext:
+          capabilities:        
+            add:
+              - NET_ADMIN  
+      restartPolicy: Always
+      volumes:
+        - name: pihole
+          persistentVolumeClaim:
+            claimName: pihole
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: pihole
+  name: pihole
+  namespace: pihole
+spec:
+  ports:
+  - name: dns-udp
+    port: 53
+    protocol: UDP
+    targetPort: 53
+  - name: client-udp
+    port: 67
+    protocol: UDP
+    targetPort: 67
+  - name: pihole-http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: pihole-https
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  - name: dns
+    port: 53
+    protocol: TCP
+    targetPort: 53
+  selector:
+    app: pihole
+  externalTrafficPolicy: Local
+  loadBalancerIP: 192.168.200.11
+  type: LoadBalancer
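Review bot: The `cloudflared` container declares `containerPort: 53` and `containerPort: 67` under the names `dns` and `dns-udp`, but those are Pi-hole's listeners; the DoH proxy is addressed at `127.0.0.1#5054` via `PIHOLE_DNS_`, so the declared ports are misleading and reuse names that the `pihole` container also declares (the API reference says port names must be unique within a pod — confirm whether your API server enforces it). Replace them with a single `- containerPort: 5054` / `name: doh` entry, or drop them. `visibilityspots/cloudflared` is untagged and `pihole/pihole:latest` floats with `imagePullPolicy: Always`, so pin both; the `PIHOLE_DNS_` value also has a trailing space and an unquoted `#`, which parse correctly today but are fragile, so write it as `value: "127.0.0.1#5054"`.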

+ 16 - 0
Pihole/Kubernetes/sealed-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: web-pass
+  namespace: pihole
+spec:
+  encryptedData:
+    WEBPASSWORD: some-secret
+  template:
+    metadata:
+      creationTimestamp: null
+      name: web-pass
+      namespace: pihole
+    type: Opaque
+

+ 16 - 0
Plex/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: plex
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

+ 26 - 0
Plex/Kubernetes/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plex
+  namespace: plex
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.plex.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: plex
+          port: 32400
+    - match: Host(`plex.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: plex
+          port: 32400
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: yourdomain-tls

+ 24 - 0
Plex/Kubernetes/networkpolicy.yaml

@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+  namespace: plex
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: "0.0.0.0/0"
+        except:
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: "kube-system"
+    - podSelector:
+        matchLabels:
+          k8s-app: "kube-dns"
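Review bot: The Plex deployment in this commit sets `hostNetwork: true`, and the common CNIs do not apply NetworkPolicy to host-network pods because their traffic carries the node's address rather than a pod IP, so this egress policy most likely has no effect on the `plex` pod — confirm with your CNI's documentation. Either drop `hostNetwork` from the deployment (the Service already publishes every port) so the policy can take effect, or add a comment above `spec:` stating that it is aspirational until that change is made.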

+ 105 - 0
Plex/Kubernetes/plex-deployment-2.yaml

@@ -0,0 +1,105 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: plex
+  name: plex
+  namespace: plex
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: plex
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: plex
+    spec:
+      affinity: {}
+      containers:
+        - name: plex
+          securityContext:
+            privileged: true
+          image: plexinc/pms-docker:latest
+          imagePullPolicy: IfNotPresent
+          readinessProbe:
+            httpGet:
+              path: /identity
+              port: 32400
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /identity
+              port: 32400
+            initialDelaySeconds: 15
+            timeoutSeconds: 10
+          resources: 
+            requests: 
+              gpu.intel.com/i915: "1"
+              cpu: 1000m
+              memory: 7.5Gi
+            limits: 
+              gpu.intel.com/i915: "1"
+          env:
+            - name: PUID
+              value: "99"
+            - name: PGID
+              value: "100"
+            - name: TZ
+              value: Europe/London
+            - name: VERSION
+              value: docker
+            - name: ADVERTISE_IP
+              value: 'https://plex.yourdomain.co.uk:443'
+            - name: ALLOWED_NETWORKS
+              value: 192.168.0.0/16,10.0.0.0/8
+            - name: PLEX_CLAIM
+              value: claim-your-token
+          volumeMounts:
+            - mountPath: /config
+              name: plex-longhorn
+            - mountPath: /transcode
+              name: transcode
+            - mountPath: /data
+              name: plex-longhorn
+            - mountPath: /Films
+              name: plex-smb
+              readOnly: true
+              subPath: Films
+            - mountPath: /TVShows
+              name: plex-smb
+              readOnly: true
+              subPath: TVShows
+            - mountPath: /Audiobooks
+              name: plex-smb
+              readOnly: true
+              subPath: Audiobooks
+            - mountPath: /Music
+              name: plex-smb
+              readOnly: true
+              subPath: Music
+      dnsConfig: {}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: plex-longhorn
+          persistentVolumeClaim:
+            claimName: plex
+            readOnly: false
+        - name: plex-smb
+          persistentVolumeClaim:
+            claimName: pvc-plex-smb
+            readOnly: true
+        - name: transcode
+          emptyDir:
+            medium: Memory
+            sizeLimit: 10Gi
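Review bot: `privileged: true` grants the container every capability and all host devices, and with `hostNetwork: true` on the same pod a compromise of the Plex process is effectively a compromise of the node. The GPU is already requested through the device plugin (`gpu.intel.com/i915: "1"`), which hands the render device to the container without privilege, so `privileged` looks unnecessary — remove it (or, if a specific device is still missing, add that device explicitly) and confirm hardware transcoding still works. `PLEX_CLAIM` is a credential and belongs in a Secret via `valueFrom.secretKeyRef`, as the WEBPASSWORD and Postgres values are handled elsewhere in this commit, rather than an inline `value: claim-your-token`. `plexinc/pms-docker:latest` with `IfNotPresent` will also drift per node; pin a tag.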

+ 55 - 0
Plex/Kubernetes/pms-docker-service.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.cmd: ./kompose convert -f plex/docker-compose.yml
+    kompose.version: 1.27.0 (b0ed6a2c9)
+  creationTimestamp: null
+  labels:
+    io.kompose.service: pms-docker
+  name: plex
+  namespace: plex
+spec:
+  ports:
+    - name: "32400"
+      port: 32400
+      protocol: TCP
+      targetPort: 32400
+    - name: "32400-udp"
+      port: 32400
+      protocol: UDP
+      targetPort: 32400
+    - name: "3005"
+      port: 3005
+      targetPort: 3005
+    - name: "8324"
+      port: 8324
+      targetPort: 8324
+    - name: "32469"
+      port: 32469
+      targetPort: 32469
+    - name: "1900"
+      port: 1900
+      protocol: UDP
+      targetPort: 1900
+    - name: "32410"
+      port: 32410
+      protocol: UDP
+      targetPort: 32410
+    - name: "32412"
+      port: 32412
+      protocol: UDP
+      targetPort: 32412
+    - name: "32413"
+      port: 32413
+      protocol: UDP
+      targetPort: 32413
+    - name: "32414"
+      port: 32414
+      protocol: UDP
+      targetPort: 32414
+  selector:
+    app: plex
+  externalTrafficPolicy: Local
+  loadBalancerIP: 192.168.200.12
+  type: LoadBalancer
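Review bot: The kompose artefacts (`kompose.cmd` and `kompose.version` annotations, `creationTimestamp: null`, the `io.kompose.service` label) are generator noise that no longer reflects how the Service is used — its selector is `app: plex`, not the kompose label — so they should be stripped. Port names such as `"32400"` and `"3005"` only repeat the number; naming them after their role (`pms`, `companion`, `dlna`, `gdm-1`, …) documents what is being exposed. Because the deployment uses `hostNetwork: true`, all of these ports are already open on the node IP regardless of this LoadBalancer, which is worth a comment above `ports:` so nobody assumes the Service is the only exposure.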

+ 27 - 0
Plex/Kubernetes/pv-smb.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+  name: pv-plex-smb
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: smb
+  mountOptions:
+    - dir_mode=0777
+    - file_mode=0777
+  csi:
+    driver: smb.csi.k8s.io
+    readOnly: false
+    # volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
+    # make sure this value is unique for every share in the cluster
+    volumeHandle: plex
+    volumeAttributes:
+      source: "//192.168.x.x/your-nas"
+    nodeStageSecretRef:
+      name: smbcreds
+      namespace: default

+ 14 - 0
Plex/Kubernetes/pvc-smb.yaml

@@ -0,0 +1,14 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: pvc-plex-smb
+  namespace: plex
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  volumeName: pv-plex-smb
+  storageClassName: smb

+ 16 - 0
UptimeKuma/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: uptime-kuma
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

+ 83 - 0
UptimeKuma/Kubernetes/deployment.yaml

@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: uptime-kuma
+  labels:
+    app: uptime-kuma
+    app.kubernetes.io/instance: uptime-kuma
+    app.kubernetes.io/name: uptime-kuma
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+  labels:
+    app: uptime-kuma
+    app.kubernetes.io/instance: uptime-kuma
+    app.kubernetes.io/name: uptime-kuma
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: uptime-kuma
+  template:
+    metadata:
+      labels:
+        app: uptime-kuma
+        app.kubernetes.io/instance: uptime-kuma
+        app.kubernetes.io/name: uptime-kuma
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+        - name: uptime-kuma
+          image: louislam/uptime-kuma:1
+          ports:
+            - containerPort: 3001
+          volumeMounts:
+            - name: uptime-kuma
+              mountPath: /app/data
+      volumes:
+        - name: uptime-kuma
+          persistentVolumeClaim:
+            claimName: uptime-kuma
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+  labels:
+    app: uptime-kuma
+    app.kubernetes.io/instance: uptime-kuma
+    app.kubernetes.io/name: uptime-kuma
+spec:
+  type: ClusterIP
+  selector:
+    app: uptime-kuma
+  ports:
+    - name: http
+      port: 80
+      targetPort: 3001
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: uptime-kuma-data
+  namespace: uptime-kuma
+  labels:
+    app: uptime-kuma
+    app.kubernetes.io/instance: uptime-kuma
+    app.kubernetes.io/name: uptime-kuma
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 3Gi
+  storageClassName: longhorn
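Review bot: The Deployment references `claimName: uptime-kuma`, but the PersistentVolumeClaim created later in the same file is named `uptime-kuma-data`, so the pod will stay Pending on a missing claim; rename one side, e.g. `claimName: uptime-kuma-data`. The PVC also has no `volumeName`, so it will not bind to the static `uptime-kuma` PersistentVolume from `longhorn-pv.yaml` (5Gi against the 3Gi requested) but trigger dynamic provisioning instead — add `volumeName: uptime-kuma` if the static PV is intended, as Mosquitto/Kubernetes/pvc.yaml does. `image: louislam/uptime-kuma:1` tracks a whole major version with no explicit `imagePullPolicy`; a minor-version tag makes upgrades deliberate.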

+ 26 - 0
UptimeKuma/Kubernetes/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.uptime-kuma.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: uptime-kuma
+          port: 80
+    - match: Host(`uptime-kuma.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: uptime-kuma
+          port: 80
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: yourdomain-tls

+ 18 - 0
UptimeKuma/Kubernetes/longhorn-pv.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: uptime-kuma
+  labels:
+    app: uptime-kuma
+    app.kubernetes.io/instance: uptime-kuma
+    app.kubernetes.io/name: uptime-kuma
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: longhorn
+  csi:
+    driver: driver.longhorn.io
+    volumeHandle: uptime-kuma

+ 16 - 0
Vaultwarden/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: vaultwarden
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

+ 53 - 0
Vaultwarden/Kubernetes/deployment.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: vaultwarden
+    app.kubernetes.io/instance: vaultwarden
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vaultwarden
+  template:
+    metadata:
+      labels:
+        app: vaultwarden
+        app.kubernetes.io/name: vaultwarden
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+      - image: vaultwarden/server:latest
+        imagePullPolicy: Always
+        name: vaultwarden
+        ports:
+        - containerPort: 80
+          name: web
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data/
+          name: vaultwarden
+      volumes:
+        - name: vaultwarden
+          persistentVolumeClaim:
+            claimName: vaultwarden
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: vaultwarden
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  ports:
+  - name: web-tcp
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: vaultwarden
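Review bot: No environment is set on the `vaultwarden` container, so it runs with upstream defaults — notably open registration (`SIGNUPS_ALLOWED` defaults to true) and no `ADMIN_TOKEN`; once the first account exists, add `- name: SIGNUPS_ALLOWED` / `value: "false"`, and if the admin page is wanted, supply `ADMIN_TOKEN` from a Secret the way the Postgres credentials are handled elsewhere in this commit. `vaultwarden/server:latest` with `imagePullPolicy: Always` means the password-manager backend is replaced by whatever was last pushed on every restart; pin a version tag for this service especially. A `resources` stanza would also bring it in line with the Mosquitto deployment.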

+ 27 - 0
Vaultwarden/Kubernetes/ingress.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.vaultwarden.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: vaultwarden
+          port: 80
+    - match: Host(`vaultwarden.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: vaultwarden
+          port: 80
+      middlewares:
+        - name: default-headers
+        - name: local-ipwhitelist
+  tls:
+    secretName: yourdomain-tls
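Review bot: The `local-ipwhitelist` middleware is attached only to the `vaultwarden.yourdomain.co.uk` route; the `www.vaultwarden.yourdomain.co.uk` route in the same hunk points at the same service with no middleware at all, so the LAN-only restriction is bypassed by using the `www.` hostname. Attach the identical `middlewares:` list to the first route, or merge the two routes into one `match` joined with `||`, so the allowlist is enforced in exactly one place. If the `www.` variant is not actually needed, deleting that route is the safer fix.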

+ 11 - 0
Vaultwarden/Kubernetes/ipwhitelist.yaml

@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: local-ipwhitelist
+  namespace: vaultwarden
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
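Review bot: An allowlist of private ranges is only meaningful if Traefik sees the real client address; if the `traefik-external` entrypoint sits behind a LoadBalancer or proxy without source-IP preservation, every request arrives from a node or proxy address inside `192.168.0.0/16` and the middleware admits everyone. Add a comment stating that assumption, e.g. `# relies on client IPs being preserved (externalTrafficPolicy: Local); set ipStrategy if a proxy is in the path`, and configure `ipStrategy` when one is. `ipWhiteList` is the Traefik v2 name; v3 renamed the middleware to `ipAllowList`, so check which your installed `traefik.io/v1alpha1` CRDs expect.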

+ 35 - 0
Vaultwarden/Kubernetes/networkpolicy.yaml

@@ -0,0 +1,35 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+  namespace: vaultwarden
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: "0.0.0.0/0"
+        except:
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: "kube-system"
+    - podSelector:
+        matchLabels:
+          k8s-app: "kube-dns"
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: "10.0.0.0/8"
+  - from:
+    - ipBlock:
+        cidr: "172.16.0.0/12"
+  - from:
+    - ipBlock:
+        cidr: "192.168.0.0/16"
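Review bot: The second egress rule lists `namespaceSelector` and `podSelector` as two separate `to` entries, which the API treats as an OR: every pod in kube-system becomes reachable, plus any pod labelled `k8s-app: kube-dns` in the vaultwarden namespace itself, rather than only the cluster DNS pods. Putting both selectors in one entry and restricting it to port 53 limits egress to DNS, which is what the name `allow-internet-only` implies. The ingress side relies on `ipBlock` matching traffic from the Traefik ingress-controller pods, which depends on how the CNI applies ipBlock to in-cluster sources — worth confirming on the target cluster. The egress `except` also cuts off the Service CIDR, so any other in-cluster dependency would need its own rule.

```yaml
  egress:
  # … unchanged: 0.0.0.0/0 egress rule with private-range exceptions …
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: "kube-system"
      podSelector:
        matchLabels:
          k8s-app: "kube-dns"
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # … unchanged: ingress rules …
```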

+ 16 - 0
Wireguard/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: wg-easy
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https
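Review bot: `stsPreload: true` together with `stsSeconds: 15552000` (180 days) emits a preload directive that the HSTS preload list does not accept below a one-year max-age, so either raise it to `stsSeconds: 31536000` or leave `stsPreload` off until the domain is ready for submission; preloading is hard to undo, so it should be a deliberate choice. `browserXssFilter: true` emits `X-XSS-Protection`, which current browsers ignore, so it adds little here. A short comment above `headers:` stating the intended policy would make later edits safer.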

+ 91 - 0
Wireguard/Kubernetes/deployment.yaml

@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: wg-easy
+    app.kubernetes.io/instance: wg-easy
+    app.kubernetes.io/name: wg-easy
+  name: wg-easy
+  namespace: wg-easy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wg-easy
+  template:
+    metadata:
+      labels:
+        app: wg-easy
+        app.kubernetes.io/name: wg-easy
+    spec:
+      nodeSelector:
+        worker: "true"
+     # securityContext:
+     #   sysctls:
+     #   - name: net.ipv4.ip_forward
+     #     value: "1"
+     #   - name: net.ipv4.conf.all.src_valid_mark
+     #     value: "1"
+      containers:
+        - env:
+            - name: WG_HOST
+              value: "wg.yourdomain.co.uk"
+            - name: PASSWORD
+              value: "some-password-or-use-sealed-secrets"
+            - name: WG_DEFAULT_DNS
+              value: "10.43.0.10, wg-easy.svc.cluster.local"
+          image: weejewel/wg-easy
+          imagePullPolicy: Always
+          name: wg-easy
+          ports:
+            - containerPort: 51820
+            - containerPort: 51821
+          resources: {}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_MODULE
+          volumeMounts:
+            - mountPath: /etc/wireguard
+              name: wg-easy
+      restartPolicy: Always
+      volumes:
+        - name: wg-easy
+          persistentVolumeClaim:
+            claimName: wg-easy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: wg-easy
+  name: wg-easy-udp
+  namespace: wg-easy
+spec:
+  ports:
+  - name: wg-easy-udp
+    port: 51820
+    protocol: UDP
+    targetPort: 51820
+  selector:
+    app: wg-easy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: wg-easy
+  name: wg-easy-web
+  namespace: wg-easy
+spec:
+  ports:
+  - name: wg-easy-web
+    port: 51821
+    protocol: TCP
+    targetPort: 51821
+  selector:
+    app: wg-easy
+  type: ClusterIP
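Review bot: The admin `PASSWORD` for the wg-easy web UI is a plaintext literal in the Deployment (`value: "some-password-or-use-sealed-secrets"`), so it lands in version control and in every `kubectl get deploy -o yaml`; source it from a Secret via `valueFrom.secretKeyRef`, as the value's own placeholder text suggests. `image: weejewel/wg-easy` has no tag or digest and is pulled with `imagePullPolicy: Always`, so each pod restart may run a different, unreviewed image; pin a tag or, better, a digest. The container adds `SYS_MODULE` alongside `NET_ADMIN`, which lets it load kernel modules on the node and is only needed when the wireguard module is not already present in the worker kernel — a comment stating why it is required, or dropping it where the module is built in, would narrow the grant. `WG_DEFAULT_DNS` also includes `wg-easy.svc.cluster.local`, a hostname rather than a resolver address; confirm wg-easy accepts that in client DNS settings.

```yaml
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: REPLACE_WITH_SECRET_NAME  # placeholder: Secret (e.g. SealedSecret-managed) holding the UI password
                  key: password
            # … unchanged: WG_DEFAULT_DNS and the rest of the container spec …
```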

+ 26 - 0
Wireguard/Kubernetes/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.wg-easy.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: wg-easy-web
+          port: 51821
+    - match: Host(`wg-easy.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: wg-easy-web
+          port: 51821
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: yourdomain-tls
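Review bot: This publishes the wg-easy management UI (port 51821, which creates and removes VPN peers) on the `traefik-external` ingress class with only `default-headers`, so unlike the Vaultwarden route in this commit there is no source-IP allow-list in front of the password prompt, and the `www.` route carries no middleware at all. If the UI is only administered from inside the network, add `- name: local-ipwhitelist` under `middlewares:` on both routes; Traefik resolves middleware references in the IngressRoute's own namespace unless a `namespace` is given and cross-namespace references are enabled, so a Middleware of that name has to exist in `wg-easy` (the one in this commit lives in `vaultwarden`). Otherwise consider not exposing the UI externally at all and reaching it over the VPN itself.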

+ 14 - 0
Wireguard/Kubernetes/ingressRouteUDP.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteUDP
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - wireguard
+  routes:
+    - services:
+        - name: wg-easy-udp
+          port: 51820
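Review bot: `entryPoints: - wireguard` refers to a UDP entrypoint that must be declared in Traefik's static configuration (for example, an entrypoint address of the form `:51820/udp`); nothing in this file creates it, so a comment naming where it is defined would save the next reader a trip. Unlike the HTTP routes, an IngressRouteUDP cannot carry middlewares, so the UDP exposure relies entirely on WireGuard's own key-based authentication — expected, but worth stating in a comment. This document also omits the leading `---` that the sibling ingress.yaml uses.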