From ef6ba4bd222bff2257de6286513540a5eb88bf73 Mon Sep 17 00:00:00 2001 
From: James Turland Date: Mon, 8 Jul 2024 11:19:54 +0100 Subject: [PATCH] add-kubernetes --- .../Kubernetes/default-headers.yaml | 16 +++ .../Kubernetes/homeassistant-deployment.yaml | 94 ++++++++++++++ Home-Assistant/Kubernetes/ingress.yaml | 26 ++++ Home-Assistant/Kubernetes/sealed-secret.yaml | 18 +++ Home-Assistant/Kubernetes/secret.yaml | 11 ++ Jellyfin/Kubernetes/default-headers.yaml | 16 +++ Jellyfin/Kubernetes/ingress.yaml | 26 ++++ Jellyfin/Kubernetes/jellyfin-deployment.yaml | 85 +++++++++++++ Jellyfin/Kubernetes/networkpolicy.yaml | 24 ++++ Jellyfin/Kubernetes/pv-smb.yaml | 27 ++++ Jellyfin/Kubernetes/pvc-smb.yaml | 14 +++ Mosquitto/Kubernetes/deployment.yaml | 50 ++++++++ Mosquitto/Kubernetes/namespace.yaml | 6 + Mosquitto/Kubernetes/pv.yaml | 19 +++ Mosquitto/Kubernetes/pvc.yaml | 13 ++ Mosquitto/Kubernetes/service.yaml | 22 ++++ Pihole/Kubernetes/default-headers.yaml | 16 +++ Pihole/Kubernetes/ingress.yaml | 24 ++++ Pihole/Kubernetes/middleware.yaml | 18 +++ Pihole/Kubernetes/networkpolicy.yaml | 17 +++ Pihole/Kubernetes/pihole-deployment.yaml | 118 ++++++++++++++++++ Pihole/Kubernetes/sealed-secret.yaml | 16 +++ Plex/Kubernetes/default-headers.yaml | 16 +++ Plex/Kubernetes/ingress.yaml | 26 ++++ Plex/Kubernetes/networkpolicy.yaml | 24 ++++ Plex/Kubernetes/plex-deployment-2.yaml | 105 ++++++++++++++++ Plex/Kubernetes/pms-docker-service.yaml | 55 ++++++++ Plex/Kubernetes/pv-smb.yaml | 27 ++++ Plex/Kubernetes/pvc-smb.yaml | 14 +++ UptimeKuma/Kubernetes/default-headers.yaml | 16 +++ UptimeKuma/Kubernetes/deployment.yaml | 83 ++++++++++++ UptimeKuma/Kubernetes/ingress.yaml | 26 ++++ UptimeKuma/Kubernetes/longhorn-pv.yaml | 18 +++ Vaultwarden/Kubernetes/default-headers.yaml | 16 +++ Vaultwarden/Kubernetes/deployment.yaml | 53 ++++++++ Vaultwarden/Kubernetes/ingress.yaml | 27 ++++ Vaultwarden/Kubernetes/ipwhitelist.yaml | 11 ++ Vaultwarden/Kubernetes/networkpolicy.yaml | 35 ++++++ Wireguard/Kubernetes/default-headers.yaml | 16 +++ 
Wireguard/Kubernetes/deployment.yaml | 91 ++++++++++++++ Wireguard/Kubernetes/ingress.yaml | 26 ++++ Wireguard/Kubernetes/ingressRouteUDP.yaml | 14 +++ 42 files changed, 1375 insertions(+) create mode 100644 Home-Assistant/Kubernetes/default-headers.yaml create mode 100644 Home-Assistant/Kubernetes/homeassistant-deployment.yaml create mode 100644 Home-Assistant/Kubernetes/ingress.yaml create mode 100644 Home-Assistant/Kubernetes/sealed-secret.yaml create mode 100644 Home-Assistant/Kubernetes/secret.yaml create mode 100644 Jellyfin/Kubernetes/default-headers.yaml create mode 100644 Jellyfin/Kubernetes/ingress.yaml create mode 100644 Jellyfin/Kubernetes/jellyfin-deployment.yaml create mode 100644 Jellyfin/Kubernetes/networkpolicy.yaml create mode 100644 Jellyfin/Kubernetes/pv-smb.yaml create mode 100644 Jellyfin/Kubernetes/pvc-smb.yaml create mode 100644 Mosquitto/Kubernetes/deployment.yaml create mode 100644 Mosquitto/Kubernetes/namespace.yaml create mode 100644 Mosquitto/Kubernetes/pv.yaml create mode 100644 Mosquitto/Kubernetes/pvc.yaml create mode 100644 Mosquitto/Kubernetes/service.yaml create mode 100644 Pihole/Kubernetes/default-headers.yaml create mode 100644 Pihole/Kubernetes/ingress.yaml create mode 100644 Pihole/Kubernetes/middleware.yaml create mode 100644 Pihole/Kubernetes/networkpolicy.yaml create mode 100644 Pihole/Kubernetes/pihole-deployment.yaml create mode 100644 Pihole/Kubernetes/sealed-secret.yaml create mode 100644 Plex/Kubernetes/default-headers.yaml create mode 100644 Plex/Kubernetes/ingress.yaml create mode 100644 Plex/Kubernetes/networkpolicy.yaml create mode 100644 Plex/Kubernetes/plex-deployment-2.yaml create mode 100644 Plex/Kubernetes/pms-docker-service.yaml create mode 100644 Plex/Kubernetes/pv-smb.yaml create mode 100644 Plex/Kubernetes/pvc-smb.yaml create mode 100644 UptimeKuma/Kubernetes/default-headers.yaml create mode 100644 UptimeKuma/Kubernetes/deployment.yaml create mode 100644 UptimeKuma/Kubernetes/ingress.yaml create mode 
100644 UptimeKuma/Kubernetes/longhorn-pv.yaml create mode 100644 Vaultwarden/Kubernetes/default-headers.yaml create mode 100644 Vaultwarden/Kubernetes/deployment.yaml create mode 100644 Vaultwarden/Kubernetes/ingress.yaml create mode 100644 Vaultwarden/Kubernetes/ipwhitelist.yaml create mode 100644 Vaultwarden/Kubernetes/networkpolicy.yaml create mode 100644 Wireguard/Kubernetes/default-headers.yaml create mode 100644 Wireguard/Kubernetes/deployment.yaml create mode 100644 Wireguard/Kubernetes/ingress.yaml create mode 100644 Wireguard/Kubernetes/ingressRouteUDP.yaml
diff --git a/Home-Assistant/Kubernetes/default-headers.yaml b/Home-Assistant/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..31d15f2
--- /dev/null
+++ b/Home-Assistant/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: homeassistant
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Home-Assistant/Kubernetes/homeassistant-deployment.yaml b/Home-Assistant/Kubernetes/homeassistant-deployment.yaml
new file mode 100644
index 0000000..9a07f9c
--- /dev/null
+++ b/Home-Assistant/Kubernetes/homeassistant-deployment.yaml
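Review bot: `stsPreload: true` is paired with `stsSeconds: 15552000` (180 days), but the HSTS preload list requires a max-age of at least one year, so the preload directive emitted here will not qualify the domain; either raise it to `stsSeconds: 31536000` or drop `stsPreload` until that is intended. `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a header current browsers ignore and that OWASP now recommends setting to `0` because the legacy filter itself caused side-channel problems, so it can simply be removed. The same Middleware is duplicated verbatim in Jellyfin/Kubernetes/default-headers.yaml, Pihole/Kubernetes/default-headers.yaml, Plex/Kubernetes/default-headers.yaml, UptimeKuma/Kubernetes/default-headers.yaml, Vaultwarden/Kubernetes/default-headers.yaml and Wireguard/Kubernetes/default-headers.yaml, so whatever is changed here should be changed in all seven.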
@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: homeassistant
+ app.kubernetes.io/instance: homeassistant
+ name: homeassistant
+ namespace: homeassistant
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: homeassistant
+ template:
+ metadata:
+ labels:
+ app: homeassistant
+ app.kubernetes.io/name: homeassistant
+ spec:
+ nodeSelector:
+ worker: "true"
+ containers:
+ - image: homeassistant/home-assistant:latest
+ imagePullPolicy: Always
+ name: homeassistant
+ ports:
+ - containerPort: 8123
+ name: web
+ protocol: TCP
+ env:
+ - name: TZ
+ value: Europe/London
+ volumeMounts:
+ - mountPath: /config
+ name: homeassistant
+ subPath: config
+ - image: docker.io/postgres:12-alpine
+ imagePullPolicy: IfNotPresent
+ name: homeassistant-db
+ ports:
+ - containerPort: 5432
+ name: db
+ protocol: TCP
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: secrets
+ key: POSTGRES_USER
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: secrets
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_DB
+ valueFrom:
+ secretKeyRef:
+ name: secrets
+ key: POSTGRES_DB
+ - name: POSTGRES_INITDB_ARGS
+ value: --encoding=UTF-8
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: homeassistant
+ subPath: schemas
+ volumes:
+ - name: homeassistant
+ persistentVolumeClaim:
+ claimName: homeassistant
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: homeassistant
+ name: homeassistant
+ namespace: homeassistant
+spec:
+ ports:
+ - name: web-tcp
+ port: 80
+ protocol: TCP
+ targetPort: 8123
+ - name: db
+ port: 5432
+ protocol: TCP
+ targetPort: 5432
+ selector:
+ app: homeassistant
+ externalTrafficPolicy: Local
+ loadBalancerIP: 192.168.200.17
+ type: LoadBalancer
diff --git a/Home-Assistant/Kubernetes/ingress.yaml b/Home-Assistant/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..0455d1d
--- /dev/null
+++ b/Home-Assistant/Kubernetes/ingress.yaml
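Review bot: The Service in the second document publishes the Postgres sidecar on the LoadBalancer address (`- name: db`, `port: 5432`, `loadBalancerIP: 192.168.200.17`), exposing the database to the whole LAN even though Home Assistant reaches it over localhost, since both containers sit in the same pod and share its network namespace. Drop the `db` entry from the Service's `ports:` so only `web-tcp` is published; the `containerPort: 5432` declaration on the sidecar can stay. Separately, `homeassistant/home-assistant:latest` with `imagePullPolicy: Always` re-pulls an unpinned tag on every restart, and neither container has a `securityContext` or resource limits; pinning a version tag or digest makes rollouts reproducible.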
@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: homeassistant
+ namespace: homeassistant
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.ha.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: homeassistant
+ port: 80
+ - match: Host(`ha.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: homeassistant
+ port: 80
+ middlewares:
+ - name: default-headers
+ tls:
+ secretName: yourdomain-tls
diff --git a/Home-Assistant/Kubernetes/sealed-secret.yaml b/Home-Assistant/Kubernetes/sealed-secret.yaml
new file mode 100644
index 0000000..73f0408
--- /dev/null
+++ b/Home-Assistant/Kubernetes/sealed-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: secrets
+ namespace: homeassistant
+spec:
+ encryptedData:
+ POSTGRES_DB: some-secret
+ POSTGRES_PASSWORD: some-secret
+ POSTGRES_USER: some-secret
+ template:
+ metadata:
+ creationTimestamp: null
+ name: secrets
+ namespace: homeassistant
+ type: Opaque
+
diff --git a/Home-Assistant/Kubernetes/secret.yaml b/Home-Assistant/Kubernetes/secret.yaml
new file mode 100644
index 0000000..062bab3
--- /dev/null
+++ b/Home-Assistant/Kubernetes/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secrets
+ namespace: homeassistant
+type: Opaque
+data:
+ POSTGRES_USER: some-secret
+ POSTGRES_PASSWORD: some-secret
+ POSTGRES_DB: some-secret
+
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/default-headers.yaml b/Jellyfin/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..1ff5310
--- /dev/null
+++ b/Jellyfin/Kubernetes/default-headers.yaml
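Review bot: `middlewares:` is listed after the second route's `services:`, and in the IngressRoute schema `middlewares` is a per-route field — if it is indented under the `ha.yourdomain.co.uk` route (the flattened diff hides the indentation, so check the file), the `www.ha.yourdomain.co.uk` route gets no `default-headers` at all. The same layout repeats in Jellyfin/Kubernetes/ingress.yaml, Plex/Kubernetes/ingress.yaml, UptimeKuma/Kubernetes/ingress.yaml and Vaultwarden/Kubernetes/ingress.yaml (Pihole has a single route and is unaffected); it matters most for Vaultwarden, where `local-ipwhitelist` would then guard only the bare hostname and the `www.` hostname would reach Vaultwarden without the allow-list. Give every route its own `middlewares:` list, or collapse the two hosts into one rule by joining the two `Host()` matchers with `||`.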
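Review bot: In secret.yaml the `data:` values are placeholders, but `data:` must be base64 and `some-secret` is not valid base64 (the `-` is outside the alphabet and the length is wrong), so `kubectl apply` rejects the file as written; use `stringData:` if a literal placeholder is wanted. Better still, keep only sealed-secret.yaml in the repository — a plain Secret manifest sitting next to the sealed one invites someone to fill in real credentials and commit them. The SealedSecret itself is fine as a template; its `encryptedData` values have to be produced by `kubeseal` against the target cluster, which the placeholder values do not make obvious.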
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: jellyfin
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/ingress.yaml b/Jellyfin/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..48d93c8
--- /dev/null
+++ b/Jellyfin/Kubernetes/ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: jellyfin
+ namespace: jellyfin
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.jellyfin.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: jellyfin
+ port: 8096
+ - match: Host(`jellyfin.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: jellyfin
+ port: 8096
+ middlewares:
+ - name: default-headers
+ tls:
+ secretName: yourdomain-tls
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/jellyfin-deployment.yaml b/Jellyfin/Kubernetes/jellyfin-deployment.yaml
new file mode 100644
index 0000000..c09d8aa
--- /dev/null
+++ b/Jellyfin/Kubernetes/jellyfin-deployment.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: jellyfin
+ app.kubernetes.io/instance: jellyfin
+ app.kubernetes.io/name: jellyfin
+ name: jellyfin
+ namespace: jellyfin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jellyfin
+ template:
+ metadata:
+ labels:
+ app: jellyfin
+ app.kubernetes.io/name: jellyfin
+ spec:
+ nodeSelector:
+ # gpu: "true"
+ worker: "true"
+ containers:
+ - image: jellyfin/jellyfin
+ imagePullPolicy: Always
+ name: jellyfin
+ ports:
+ - containerPort: 8096
+ name: web
+ protocol: TCP
+ env:
+ - name: TZ
+ value: Europe/London
+ volumeMounts:
+ - mountPath: /config
+ name: jellyfin
+ subPath: config
+ - mountPath: /cache
+ name: jellyfin
+ subPath: cache
+ - mountPath: "/Audiobooks"
+ readOnly: false
+ name: smb
+ subPath: Audiobooks
+ - mountPath: "/Films"
+ readOnly: false
+ name: smb
+ subPath: Films
+ - mountPath: "/TVShows"
+ readOnly: false
+ name: smb
+ subPath: TVShows
+ - mountPath: "/Music"
+ readOnly: false
+ name: smb
+ subPath: Music
+ volumes:
+ - name: jellyfin
+ persistentVolumeClaim:
+ claimName: jellyfin
+ - name: smb
+ persistentVolumeClaim:
+ claimName: pvc-jellyfin-smb
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: jellyfin
+ name: jellyfin
+ namespace: jellyfin
+spec:
+ ports:
+ - name: web-tcp
+ port: 8096
+ protocol: TCP
+ targetPort: 8096
+ - name: web-udp
+ port: 8096
+ protocol: UDP
+ targetPort: 8096
+ selector:
+ app: jellyfin
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/networkpolicy.yaml b/Jellyfin/Kubernetes/networkpolicy.yaml
new file mode 100644
index 0000000..d35888c
--- /dev/null
+++ b/Jellyfin/Kubernetes/networkpolicy.yaml
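Review bot: All four SMB media mounts (`/Audiobooks`, `/Films`, `/TVShows`, `/Music`) are declared `readOnly: false`, yet a media server only needs to read its libraries; the Plex manifest in this same commit mounts the equivalent shares with `readOnly: true`, and the Jellyfin mounts should match so that a compromised container or a mis-targeted library operation cannot modify the NAS. `image: jellyfin/jellyfin` carries no tag, so it resolves to `latest`, and `imagePullPolicy: Always` re-pulls it on every restart; pin a version tag. The `web-udp` Service port on 8096 also looks doubtful — Jellyfin serves HTTP on 8096/TCP and its auto-discovery uses other UDP ports — so confirm that entry is needed before publishing it.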
@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+ namespace: jellyfin
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: "0.0.0.0/0"
+ except:
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ - podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/pv-smb.yaml b/Jellyfin/Kubernetes/pv-smb.yaml
new file mode 100644
index 0000000..55fa075
--- /dev/null
+++ b/Jellyfin/Kubernetes/pv-smb.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ annotations:
+ pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+ name: pv-jellyfin-smb
+spec:
+ capacity:
+ storage: 100Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: smb
+ mountOptions:
+ - dir_mode=0777
+ - file_mode=0777
+ csi:
+ driver: smb.csi.k8s.io
+ readOnly: false
+ # volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
+ # make sure this value is unique for every share in the cluster
+ volumeHandle: jellyfin
+ volumeAttributes:
+ source: "//192.168.x.x/your-nas"
+ nodeStageSecretRef:
+ name: smbcreds
+ namespace: default
\ No newline at end of file
diff --git a/Jellyfin/Kubernetes/pvc-smb.yaml b/Jellyfin/Kubernetes/pvc-smb.yaml
new file mode 100644
index 0000000..87402b0
--- /dev/null
+++ b/Jellyfin/Kubernetes/pvc-smb.yaml
@@ -0,0 +1,14 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: pvc-jellyfin-smb
+ namespace: jellyfin
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ volumeName: pv-jellyfin-smb
+ storageClassName: smb
\ No newline at end of file
diff --git a/Mosquitto/Kubernetes/deployment.yaml b/Mosquitto/Kubernetes/deployment.yaml
new file mode 100644
index 0000000..e2d5c0b
--- /dev/null
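Review bot: The DNS rule's second `to:` appears to carry `namespaceSelector` and `podSelector` as two separate peers (the flattened diff hides the indentation, so confirm in the file); as separate peers they are OR-ed, which permits egress to every pod in kube-system and to any pod labelled `k8s-app: kube-dns` in any namespace, not only to kube-dns. Put `podSelector:` inside the same list item as `namespaceSelector:` (same indentation as the `namespaceSelector` key, no leading `-`) so the two are AND-ed. The identical construction is in Plex/Kubernetes/networkpolicy.yaml and Vaultwarden/Kubernetes/networkpolicy.yaml. The `except` list also leaves 169.254.0.0/16 reachable, which only matters if the nodes sit behind a link-local metadata service; for a home lab that is probably acceptable, but worth a comment.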
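Review bot: `dir_mode=0777` and `file_mode=0777` make every file on the share world-writable inside every pod that mounts it, which is unnecessary when the consuming container runs as a single user; prefer `dir_mode=0755`, `file_mode=0644` with `uid=`/`gid=` mount options matching the container's user, and set `readOnly: true` on the PV where the consumer only reads (the Plex deployment does, the Jellyfin one does not). `nodeStageSecretRef` points at `smbcreds` in the `default` namespace, so the NAS credentials live outside both the jellyfin and plex namespaces and are readable by anything with Secret access in `default`; keeping them in a dedicated namespace with narrow RBAC is the usual fix. Plex/Kubernetes/pv-smb.yaml has the same settings and should change together with this file.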
+++ b/Mosquitto/Kubernetes/deployment.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: mosquitto
+ name: mosquitto
+ namespace: mosquitto
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mosquitto
+ template:
+ metadata:
+ labels:
+ app: mosquitto
+ app.kubernetes.io/name: mosquitto
+ spec:
+ nodeSelector:
+ worker: "true"
+ containers:
+ - image: eclipse-mosquitto:latest
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 0.5
+ memory: 500Mi
+ name: mosquitto
+ ports:
+ - containerPort: 1883
+ name: mqtt
+ protocol: TCP
+ - containerPort: 9001
+ name: websocket
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /mosquitto/config/
+ name: mosquitto
+ subPath: config
+ - mountPath: "/mosquitto/data"
+ name: mosquitto
+ subPath: "data"
+ - mountPath: "/mosquitto/log"
+ name: mosquitto
+ subPath: log
+ volumes:
+ - name: mosquitto
+ persistentVolumeClaim:
+ claimName: mosquitto
\ No newline at end of file
diff --git a/Mosquitto/Kubernetes/namespace.yaml b/Mosquitto/Kubernetes/namespace.yaml
new file mode 100644
index 0000000..e370c39
--- /dev/null
+++ b/Mosquitto/Kubernetes/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mosquitto
+ labels:
+ name: mosquitto
\ No newline at end of file
diff --git a/Mosquitto/Kubernetes/pv.yaml b/Mosquitto/Kubernetes/pv.yaml
new file mode 100644
index 0000000..28c1a97
--- /dev/null
+++ b/Mosquitto/Kubernetes/pv.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: mosquitto
+spec:
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: longhorn
+ csi:
+ driver: driver.longhorn.io
+ fsType: ext4
+ volumeAttributes:
+ numberOfReplicas: '2'
+ staleReplicaTimeout: '2880'
+ volumeHandle: mosquitto
\ No newline at end of file
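Review bot: `eclipse-mosquitto:latest` combined with `imagePullPolicy: IfNotPresent` means each node keeps whichever `latest` it first pulled, so two nodes can run different broker versions indefinitely and a rescheduled pod silently changes version; pin a release tag (for example `eclipse-mosquitto:<version>`, placeholder) or use a digest. `cpu: 0.5` works because the quantity parser accepts a float, but `cpu: 500m` is the form used everywhere else and avoids YAML float handling entirely. The broker's authentication and TLS settings live in the config mounted from the PVC, which this commit does not include, so whether anonymous access is allowed on 1883/9001 cannot be reviewed from here.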
diff --git a/Mosquitto/Kubernetes/pvc.yaml b/Mosquitto/Kubernetes/pvc.yaml
new file mode 100644
index 0000000..ea67589
--- /dev/null
+++ b/Mosquitto/Kubernetes/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mosquitto
+ namespace: mosquitto
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName: mosquitto
\ No newline at end of file
diff --git a/Mosquitto/Kubernetes/service.yaml b/Mosquitto/Kubernetes/service.yaml
new file mode 100644
index 0000000..1afacc6
--- /dev/null
+++ b/Mosquitto/Kubernetes/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: mosquitto
+ name: mosquitto
+ namespace: mosquitto
+spec:
+ ports:
+ - name: mqtt
+ port: 1883
+ protocol: TCP
+ targetPort: 1883
+ - name: websocket
+ port: 9001
+ protocol: TCP
+ targetPort: 9001
+ selector:
+ app: mosquitto
+ externalTrafficPolicy: Local
+ loadBalancerIP: 192.168.200.14
+ type: LoadBalancer
\ No newline at end of file
diff --git a/Pihole/Kubernetes/default-headers.yaml b/Pihole/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..7650a68
--- /dev/null
+++ b/Pihole/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: pihole
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Pihole/Kubernetes/ingress.yaml b/Pihole/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..a9d6249
--- /dev/null
+++ b/Pihole/Kubernetes/ingress.yaml
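Review bot: The Service publishes 1883 (plain MQTT) and 9001 (plain WebSocket) on `loadBalancerIP: 192.168.200.14`; neither listener is TLS, so client credentials and topic payloads cross the LAN in cleartext, and whether the broker even requires authentication depends on the mosquitto.conf on the PVC, which is not part of this commit. If LAN clients are meant to connect, add a TLS listener (8883 is the conventional port) and make sure the config sets `allow_anonymous false`; if only in-cluster clients need the broker, `type: ClusterIP` avoids publishing it at all.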
@@ -0,0 +1,24 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: pihole
+ namespace: pihole
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`pihole.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: pihole
+ port: 80
+ middlewares:
+ - name: default-headers
+ - name: dashboard-redirect
+ - name: dashboard-prefix
+
+ tls:
+ secretName: yourdomain-tls
diff --git a/Pihole/Kubernetes/middleware.yaml b/Pihole/Kubernetes/middleware.yaml
new file mode 100644
index 0000000..13ecd52
--- /dev/null
+++ b/Pihole/Kubernetes/middleware.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: dashboard-redirect
+ namespace: pihole
+spec:
+ redirectRegex:
+ regex: /admin/$
+ replacement: /
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: dashboard-prefix
+ namespace: pihole
+spec:
+ addPrefix:
+ prefix: /admin
\ No newline at end of file
diff --git a/Pihole/Kubernetes/networkpolicy.yaml b/Pihole/Kubernetes/networkpolicy.yaml
new file mode 100644
index 0000000..c9ff519
--- /dev/null
+++ b/Pihole/Kubernetes/networkpolicy.yaml
@@ -0,0 +1,17 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+ namespace: pihole
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/20
\ No newline at end of file
diff --git a/Pihole/Kubernetes/pihole-deployment.yaml b/Pihole/Kubernetes/pihole-deployment.yaml
new file mode 100644
index 0000000..f4fcfa3
--- /dev/null
+++ b/Pihole/Kubernetes/pihole-deployment.yaml
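Review bot: The `except` list in networkpolicy.yaml uses `172.16.0.0/20`, but the RFC 1918 block is `172.16.0.0/12` (as the Jellyfin, Plex and Vaultwarden policies in this commit use), so 172.17.0.0 through 172.31.255.255 is not excluded here. More importantly this is an `Ingress` policy that admits `0.0.0.0/0` while excluding the private ranges — the opposite of what a LAN DNS resolver wants — and if the LoadBalancer preserves client addresses as `externalTrafficPolicy: Local` intends, LAN clients at 192.168.x.x would be denied while only public sources are admitted; presumably the intent was the inverse, with `cidr` set to the LAN range and no `except`, so confirm against a live cluster before relying on it. The unquoted CIDRs parse fine but are inconsistent with the quoted form used in the other three policies.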
@@ -0,0 +1,118 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pihole
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/instance: pihole
+ app.kubernetes.io/name: pihole
+ name: pihole
+ namespace: pihole
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pihole
+ template:
+ metadata:
+ labels:
+ app: pihole
+ app.kubernetes.io/name: pihole
+ spec:
+ nodeSelector:
+ worker: "true"
+ containers:
+ - image: visibilityspots/cloudflared
+ imagePullPolicy: IfNotPresent
+ name: cloudflared
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: TCP
+ - containerPort: 67
+ name: dns-udp
+ protocol: UDP
+ env:
+ - name: TUNNEL_METRICS
+ value: 127.0.0.1:3000
+ - env:
+ - name: TZ
+ value: "Europe/London"
+ - name: WEBPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: web-pass
+ key: WEBPASSWORD
+ - name: FTLCONF_LOCAL_IPV4
+ value: 192.168.200.11
+ - name: PIHOLE_DNS_
+ value: 127.0.0.1#5054
+ image: pihole/pihole:latest
+ imagePullPolicy: Always
+ name: pihole
+ ports:
+ - containerPort: 80
+ name: pihole-http
+ protocol: TCP
+ - containerPort: 53
+ name: dns
+ protocol: TCP
+ - containerPort: 53
+ name: dns-udp
+ protocol: UDP
+ - containerPort: 443
+ name: pihole-ssl
+ protocol: TCP
+ - containerPort: 67
+ name: client-udp
+ protocol: UDP
+ volumeMounts:
+ - mountPath: /etc/pihole
+ name: pihole
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ restartPolicy: Always
+ volumes:
+ - name: pihole
+ persistentVolumeClaim:
+ claimName: pihole
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: pihole
+ name: pihole
+ namespace: pihole
+spec:
+ ports:
+ - name: dns-udp
+ port: 53
+ protocol: UDP
+ targetPort: 53
+ - name: client-udp
+ port: 67
+ protocol: UDP
+ targetPort: 67
+ - name: pihole-http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: pihole-https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ - name: dns
+ port: 53
+ protocol: TCP
+ targetPort: 53
+ selector:
+ app: pihole
+ externalTrafficPolicy: 
Local
+ loadBalancerIP: 192.168.200.11
+ type: LoadBalancer
\ No newline at end of file
diff --git a/Pihole/Kubernetes/sealed-secret.yaml b/Pihole/Kubernetes/sealed-secret.yaml
new file mode 100644
index 0000000..a94de10
--- /dev/null
+++ b/Pihole/Kubernetes/sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: web-pass
+ namespace: pihole
+spec:
+ encryptedData:
+ WEBPASSWORD: some-secret
+ template:
+ metadata:
+ creationTimestamp: null
+ name: web-pass
+ namespace: pihole
+ type: Opaque
+
diff --git a/Plex/Kubernetes/default-headers.yaml b/Plex/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..99b33b6
--- /dev/null
+++ b/Plex/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: plex
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Plex/Kubernetes/ingress.yaml b/Plex/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..aac5eba
--- /dev/null
+++ b/Plex/Kubernetes/ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: plex
+ namespace: plex
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.plex.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: plex
+ port: 32400
+ - match: Host(`plex.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: plex
+ port: 32400
+ middlewares:
+ - name: default-headers
+ tls:
+ secretName: yourdomain-tls
diff --git a/Plex/Kubernetes/networkpolicy.yaml b/Plex/Kubernetes/networkpolicy.yaml
new file mode 100644
index 0000000..9a6ce21
--- /dev/null
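Review bot: In pihole-deployment.yaml the `cloudflared` sidecar declares `containerPort: 53` named `dns` and `containerPort: 67` named `dns-udp`, but Pi-hole is pointed at it through `PIHOLE_DNS_` = `127.0.0.1#5054`, so the sidecar's real listener is 5054 and the declared ports merely duplicate both the numbers and the names of the pihole container's ports; Kubernetes documents port names as unique within a pod, so replace the sidecar's entries with a single `- containerPort: 5054` under a distinct name such as `doh-upstream`. Nothing breaks today only because the Service uses numeric `targetPort`s, but the duplicate names mislead anyone reading the manifest. The pod also publishes 67/UDP on the LoadBalancer and adds `NET_ADMIN`, which the Pi-hole documentation ties to serving DHCP; if DHCP is not served from this pod, drop the 67 entries and the capability together. `visibilityspots/cloudflared` has no tag and `pihole/pihole:latest` is pulled with `Always`; pin both so a resolver outage is not triggered by an upstream push.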
+++ b/Plex/Kubernetes/networkpolicy.yaml
@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+ namespace: plex
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: "0.0.0.0/0"
+ except:
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ - podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
\ No newline at end of file
diff --git a/Plex/Kubernetes/plex-deployment-2.yaml b/Plex/Kubernetes/plex-deployment-2.yaml
new file mode 100644
index 0000000..523bf43
--- /dev/null
+++ b/Plex/Kubernetes/plex-deployment-2.yaml
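Review bot: This egress policy is unlikely to have any effect on the Plex pod, because plex-deployment-2.yaml in the same commit sets `hostNetwork: true`; NetworkPolicy is enforced on pod-network interfaces and most CNIs do not apply it to host-networked pods, whose traffic leaves with the node's own address. Either remove `hostNetwork` from the Deployment (DLNA/GDM discovery is the usual reason for it, and the kompose-generated Service already publishes those ports) or treat this file as documentation only and say so in a comment. The DNS peer construction here has the same OR-ed `namespaceSelector`/`podSelector` issue noted on Jellyfin/Kubernetes/networkpolicy.yaml.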
@@ -0,0 +1,105 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: plex
+ name: plex
+ namespace: plex
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: plex
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: plex
+ spec:
+ affinity: {}
+ containers:
+ - name: plex
+ securityContext:
+ privileged: true
+ image: plexinc/pms-docker:latest
+ imagePullPolicy: IfNotPresent
+ readinessProbe:
+ httpGet:
+ path: /identity
+ port: 32400
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /identity
+ port: 32400
+ initialDelaySeconds: 15
+ timeoutSeconds: 10
+ resources:
+ requests:
+ gpu.intel.com/i915: "1"
+ cpu: 1000m
+ memory: 7.5Gi
+ limits:
+ gpu.intel.com/i915: "1"
+ env:
+ - name: PUID
+ value: "99"
+ - name: PGID
+ value: "100"
+ - name: TZ
+ value: Europe/London
+ - name: VERSION
+ value: docker
+ - name: ADVERTISE_IP
+ value: 'https://plex.yourdomain.co.uk:443'
+ - name: ALLOWED_NETWORKS
+ value: 192.168.0.0/16,10.0.0.0/8
+ - name: PLEX_CLAIM
+ value: claim-your-token
+ volumeMounts:
+ - mountPath: /config
+ name: plex-longhorn
+ - mountPath: /transcode
+ name: transcode
+ - mountPath: /data
+ name: plex-longhorn
+ - mountPath: /Films
+ name: plex-smb
+ readOnly: true
+ subPath: Films
+ - mountPath: /TVShows
+ name: plex-smb
+ readOnly: true
+ subPath: TVShows
+ - mountPath: /Audiobooks
+ name: plex-smb
+ readOnly: true
+ subPath: Audiobooks
+ - mountPath: /Music
+ name: plex-smb
+ readOnly: true
+ subPath: Music
+ dnsConfig: {}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: plex-longhorn
+ persistentVolumeClaim:
+ claimName: plex
+ readOnly: false
+ - name: plex-smb
+ persistentVolumeClaim:
+ claimName: pvc-plex-smb
+ readOnly: true
+ - name: transcode
+ emptyDir:
+ medium: Memory
+ 
sizeLimit: 10Gi
\ No newline at end of file
diff --git a/Plex/Kubernetes/pms-docker-service.yaml b/Plex/Kubernetes/pms-docker-service.yaml
new file mode 100644
index 0000000..8b91c6f
--- /dev/null
+++ b/Plex/Kubernetes/pms-docker-service.yaml
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ kompose.cmd: ./kompose convert -f plex/docker-compose.yml
+ kompose.version: 1.27.0 (b0ed6a2c9)
+ creationTimestamp: null
+ labels:
+ io.kompose.service: pms-docker
+ name: plex
+ namespace: plex
+spec:
+ ports:
+ - name: "32400"
+ port: 32400
+ protocol: TCP
+ targetPort: 32400
+ - name: "32400-udp"
+ port: 32400
+ protocol: UDP
+ targetPort: 32400
+ - name: "3005"
+ port: 3005
+ targetPort: 3005
+ - name: "8324"
+ port: 8324
+ targetPort: 8324
+ - name: "32469"
+ port: 32469
+ targetPort: 32469
+ - name: "1900"
+ port: 1900
+ protocol: UDP
+ targetPort: 1900
+ - name: "32410"
+ port: 32410
+ protocol: UDP
+ targetPort: 32410
+ - name: "32412"
+ port: 32412
+ protocol: UDP
+ targetPort: 32412
+ - name: "32413"
+ port: 32413
+ protocol: UDP
+ targetPort: 32413
+ - name: "32414"
+ port: 32414
+ protocol: UDP
+ targetPort: 32414
+ selector:
+ app: plex
+ externalTrafficPolicy: Local
+ loadBalancerIP: 192.168.200.12
+ type: LoadBalancer
\ No newline at end of file
diff --git a/Plex/Kubernetes/pv-smb.yaml b/Plex/Kubernetes/pv-smb.yaml
new file mode 100644
index 0000000..95d07f7
--- /dev/null
+++ b/Plex/Kubernetes/pv-smb.yaml
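Review bot: `privileged: true` together with `hostNetwork: true` in plex-deployment-2.yaml gives the container every host device and the node's network namespace, far more than hardware transcoding needs: the `gpu.intel.com/i915: "1"` request already has the Intel device plugin inject the `/dev/dri` render node, so `privileged` can be dropped (keep `PUID`/`PGID`, and add the render group through `supplementalGroups` if the device node is group-restricted). `PLEX_CLAIM` is an account-bound token and should come from a Secret via `valueFrom.secretKeyRef` rather than a literal, as the Home Assistant manifest does for its Postgres credentials, since anyone who can read the Deployment can read it. `memory: 7.5Gi` is a request with no memory limit, so a runaway transcode can take the whole node; the `transcode` emptyDir is already capped at 10Gi of RAM on top of that. The container body starts in the L16 hunk and this Deployment continues across the two physical lines.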
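Review bot: In pms-docker-service.yaml the `kompose.cmd`/`kompose.version` annotations, `creationTimestamp: null` and the `io.kompose.service: pms-docker` label are generator leftovers that no longer match the Deployment (its selector label is `app: plex`); dropping them and giving ports descriptive names (`plex-web` rather than `"32400"`) would make this read like the other hand-written Services. The list also publishes DLNA (1900, 32469) and GDM discovery (32410–32414) on the LoadBalancer address; with `hostNetwork: true` on the pod these are already reachable on the node IP, so confirm which of them are actually needed here.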
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ annotations:
+ pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+ name: pv-plex-smb
+spec:
+ capacity:
+ storage: 100Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: smb
+ mountOptions:
+ - dir_mode=0777
+ - file_mode=0777
+ csi:
+ driver: smb.csi.k8s.io
+ readOnly: false
+ # volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
+ # make sure this value is unique for every share in the cluster
+ volumeHandle: plex
+ volumeAttributes:
+ source: "//192.168.x.x/your-nas"
+ nodeStageSecretRef:
+ name: smbcreds
+ namespace: default
\ No newline at end of file
diff --git a/Plex/Kubernetes/pvc-smb.yaml b/Plex/Kubernetes/pvc-smb.yaml
new file mode 100644
index 0000000..6516569
--- /dev/null
+++ b/Plex/Kubernetes/pvc-smb.yaml
@@ -0,0 +1,14 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: pvc-plex-smb
+ namespace: plex
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ volumeName: pv-plex-smb
+ storageClassName: smb
\ No newline at end of file
diff --git a/UptimeKuma/Kubernetes/default-headers.yaml b/UptimeKuma/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..157b9dc
--- /dev/null
+++ b/UptimeKuma/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: uptime-kuma
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/UptimeKuma/Kubernetes/deployment.yaml b/UptimeKuma/Kubernetes/deployment.yaml
new file mode 100644
index 0000000..0ec8914
--- /dev/null
+++ b/UptimeKuma/Kubernetes/deployment.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: uptime-kuma
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: uptime-kuma
+ namespace: uptime-kuma
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: uptime-kuma
+ template:
+ metadata:
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+ spec:
+ nodeSelector:
+ worker: "true"
+ containers:
+ - name: uptime-kuma
+ image: louislam/uptime-kuma:1
+ ports:
+ - containerPort: 3001
+ volumeMounts:
+ - name: uptime-kuma
+ mountPath: /app/data
+ volumes:
+ - name: uptime-kuma
+ persistentVolumeClaim:
+ claimName: uptime-kuma
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: uptime-kuma
+ namespace: uptime-kuma
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+spec:
+ type: ClusterIP
+ selector:
+ app: uptime-kuma
+ ports:
+ - name: http
+ port: 80
+ targetPort: 3001
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: uptime-kuma-data
+ namespace: uptime-kuma
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 3Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/UptimeKuma/Kubernetes/ingress.yaml b/UptimeKuma/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..5bac6f9
--- /dev/null
+++ b/UptimeKuma/Kubernetes/ingress.yaml
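Review bot: The Deployment mounts `claimName: uptime-kuma`, but the PersistentVolumeClaim created in the same file is named `uptime-kuma-data`, so the pod will sit in Pending with a missing-claim event; rename one side (`claimName: uptime-kuma-data` is the smaller change). longhorn-pv.yaml in this commit additionally creates a static 5Gi PV named `uptime-kuma` that nothing binds, while the PVC here asks for a dynamically provisioned 3Gi longhorn volume — decide which is intended and, if the static PV is wanted, add `volumeName: uptime-kuma` to the PVC as the Mosquitto manifests do. The container also has no `resources`, `securityContext` or probes; `louislam/uptime-kuma:1` is at least pinned to a major version.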
@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: uptime-kuma
+ namespace: uptime-kuma
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.uptime-kuma.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: uptime-kuma
+ port: 80
+ - match: Host(`uptime-kuma.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: uptime-kuma
+ port: 80
+ middlewares:
+ - name: default-headers
+ tls:
+ secretName: yourdomain-tls
diff --git a/UptimeKuma/Kubernetes/longhorn-pv.yaml b/UptimeKuma/Kubernetes/longhorn-pv.yaml
new file mode 100644
index 0000000..5f2738f
--- /dev/null
+++ b/UptimeKuma/Kubernetes/longhorn-pv.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: uptime-kuma
+ labels:
+ app: uptime-kuma
+ app.kubernetes.io/instance: uptime-kuma
+ app.kubernetes.io/name: uptime-kuma
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: longhorn
+ csi:
+ driver: driver.longhorn.io
+ volumeHandle: uptime-kuma
diff --git a/Vaultwarden/Kubernetes/default-headers.yaml b/Vaultwarden/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..e2f9a35
--- /dev/null
+++ b/Vaultwarden/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: vaultwarden
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Vaultwarden/Kubernetes/deployment.yaml b/Vaultwarden/Kubernetes/deployment.yaml
new file mode 100644
index 0000000..947f17a
--- /dev/null
+++ b/Vaultwarden/Kubernetes/deployment.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ name: vaultwarden
+ namespace: vaultwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vaultwarden
+ template:
+ metadata:
+ labels:
+ app: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ spec:
+ nodeSelector:
+ worker: "true"
+ containers:
+ - image: vaultwarden/server:latest
+ imagePullPolicy: Always
+ name: vaultwarden
+ ports:
+ - containerPort: 80
+ name: web
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /data/
+ name: vaultwarden
+ volumes:
+ - name: vaultwarden
+ persistentVolumeClaim:
+ claimName: vaultwarden
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: vaultwarden
+ name: vaultwarden
+ namespace: vaultwarden
+spec:
+ ports:
+ - name: web-tcp
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: vaultwarden
\ No newline at end of file
diff --git a/Vaultwarden/Kubernetes/ingress.yaml b/Vaultwarden/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..131b79a
--- /dev/null
+++ b/Vaultwarden/Kubernetes/ingress.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: vaultwarden
+ namespace: vaultwarden
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.vaultwarden.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: vaultwarden
+ port: 80
+ - match: Host(`vaultwarden.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: vaultwarden
+ port: 80
+ middlewares:
+ - name: default-headers
+ - name: local-ipwhitelist
+ tls:
+ secretName: yourdomain-tls
\ No newline at end of file
diff --git a/Vaultwarden/Kubernetes/ipwhitelist.yaml b/Vaultwarden/Kubernetes/ipwhitelist.yaml
new file mode 100644
index 0000000..2e7fdc1
--- /dev/null
+++ b/Vaultwarden/Kubernetes/ipwhitelist.yaml
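Review bot: `image: vaultwarden/server:latest` together with `imagePullPolicy: Always` means the password-manager backend is re-pulled from a mutable tag on every pod restart, so an upstream compromise or breaking release lands without anyone reviewing it; pin a version and ideally a digest, `image: vaultwarden/server:<version>@sha256:<digest>`, and let a tool bump it deliberately. The container also carries no `env:` and no `securityContext`: as far as I recall Vaultwarden permits open registration unless `SIGNUPS_ALLOWED=false` is set, so today only the IP allowlist in ingress.yaml stops anyone who reaches the UI from creating an account, and `DOMAIN` is unset although the Vaultwarden docs require it behind a reverse proxy for attachments and WebAuthn. I would add `env: [{name: SIGNUPS_ALLOWED, value: "false"}, {name: DOMAIN, value: "https://vaultwarden.yourdomain.co.uk"}]` plus `capabilities: {drop: [ALL]}` and `allowPrivilegeEscalation: false`, keeping any `ADMIN_TOKEN` in a Secret rather than inline.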
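Review bot: `local-ipwhitelist` (and `default-headers`) are attached only to the second route; the first route, `Host(\`www.vaultwarden.yourdomain.co.uk\`)`, has no `middlewares:` block, so on the `traefik-external` entrypoint the same Vaultwarden Service is reachable from any source address simply by using the `www.` hostname, which defeats the allowlist this commit adds. Either attach the same two middlewares to the `www.` route, or use one rule, ``match: Host(`vaultwarden.yourdomain.co.uk`) || Host(`www.vaultwarden.yourdomain.co.uk`)``, so there is a single place where middlewares live. Better still, serve the app on one name only and turn `www.` into a redirect middleware, since Vaultwarden's `DOMAIN`/WebAuthn origin can only match one host anyway.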
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: local-ipwhitelist
+ namespace: vaultwarden
+spec:
+ ipWhiteList:
+ sourceRange:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
diff --git a/Vaultwarden/Kubernetes/networkpolicy.yaml b/Vaultwarden/Kubernetes/networkpolicy.yaml
new file mode 100644
index 0000000..62dc06b
--- /dev/null
+++ b/Vaultwarden/Kubernetes/networkpolicy.yaml
@@ -0,0 +1,35 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+ namespace: vaultwarden
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: "0.0.0.0/0"
+ except:
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ - podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: "10.0.0.0/8"
+ - from:
+ - ipBlock:
+ cidr: "172.16.0.0/12"
+ - from:
+ - ipBlock:
+ cidr: "192.168.0.0/16"
diff --git a/Wireguard/Kubernetes/default-headers.yaml b/Wireguard/Kubernetes/default-headers.yaml
new file mode 100644
index 0000000..4e14585
--- /dev/null
+++ b/Wireguard/Kubernetes/default-headers.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: default-headers
+ namespace: wg-easy
+spec:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
\ No newline at end of file
diff --git a/Wireguard/Kubernetes/deployment.yaml b/Wireguard/Kubernetes/deployment.yaml
new file mode 100644
index 0000000..afc3230
--- /dev/null
+++ b/Wireguard/Kubernetes/deployment.yaml
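Review bot: `ipWhiteList` matches on the client address Traefik itself observes, and with no `ipStrategy` set that is the TCP peer address; if the external Traefik sits behind a `type: LoadBalancer` Service with the default `externalTrafficPolicy: Cluster`, or behind a NAT or tunnel, every connection arrives from a node or pod IP inside 10.0.0.0/8 and this allowlist admits the entire internet. Confirm `externalTrafficPolicy: Local` (or PROXY protocol / a trusted `X-Forwarded-For` with `ipStrategy.depth`) is in place, and narrow `sourceRange` to the actual LAN and VPN subnets rather than all three RFC 1918 blocks, which also cover the cluster's pod and service CIDRs. `ipWhiteList` is deprecated and removed in Traefik v3 in favour of `ipAllowList`; the `traefik.io/v1alpha1` apiVersion used here is accepted by both, so check which version is deployed before relying on this middleware.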
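Review bot: The second egress rule lists `namespaceSelector` and `podSelector` as two separate `to:` peers (each introduced by its own `-`), which Kubernetes evaluates as OR: egress to every pod in `kube-system` plus to any pod labelled `k8s-app=kube-dns` in the vaultwarden namespace, not "CoreDNS only" as the labels suggest — the rendering here has lost indentation, so verify against the file, but the two dashes are unambiguous. The `0.0.0.0/0` block excepts only RFC 1918, leaving link-local `169.254.0.0/16` (cloud instance metadata at 169.254.169.254) and CGNAT `100.64.0.0/10` reachable, and the ingress rules admit the three private ranges on every port rather than just the Service's port 80. I would merge the two selectors into one peer, restrict it to DNS ports, extend `except`, and add `ports: [{port: 80}]` to the ingress rules; the rewritten egress section is below.
```yaml
  egress:
    - to:
        - ipBlock:
            cidr: "0.0.0.0/0"
            except:
              - "10.0.0.0/8"
              - "172.16.0.0/12"
              - "192.168.0.0/16"
              - "169.254.0.0/16"
              - "100.64.0.0/10"
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "kube-system"
          podSelector:
            matchLabels:
              k8s-app: "kube-dns"
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
  # … unchanged: ingress rules (add ports: [{port: 80}] to each) …
```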
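Review bot: This Middleware is a verbatim copy of the one added to the vaultwarden namespace, carrying the same `stsPreload: true` with a 180-day `stsSeconds: 15552000` that falls short of the one-year minimum the HSTS preload list requires, and the same legacy `browserXssFilter: true`; whatever is decided for one copy has to be applied to all of them, so a comment pointing at the canonical copy would help. Middleware CRDs are namespaced, but an IngressRoute can reference one from another namespace by adding `namespace:` next to `- name: default-headers` when Traefik's `allowCrossNamespace` is enabled, which would let this definition live in one place. For an admin UI like wg-easy, `customFrameOptionsValue: DENY` is the safer value than `SAMEORIGIN`, as nothing visible in this commit needs to frame it.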
@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: wg-easy
+ app.kubernetes.io/instance: wg-easy
+ app.kubernetes.io/name: wg-easy
+ name: wg-easy
+ namespace: wg-easy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wg-easy
+ template:
+ metadata:
+ labels:
+ app: wg-easy
+ app.kubernetes.io/name: wg-easy
+ spec:
+ nodeSelector:
+ worker: "true"
+ # securityContext:
+ # sysctls:
+ # - name: net.ipv4.ip_forward
+ # value: "1"
+ # - name: net.ipv4.conf.all.src_valid_mark
+ # value: "1"
+ containers:
+ - env:
+ - name: WG_HOST
+ value: "wg.yourdomain.co.uk"
+ - name: PASSWORD
+ value: "some-password-or-use-sealed-secrets"
+ - name: WG_DEFAULT_DNS
+ value: "10.43.0.10, wg-easy.svc.cluster.local"
+ image: weejewel/wg-easy
+ imagePullPolicy: Always
+ name: wg-easy
+ ports:
+ - containerPort: 51820
+ - containerPort: 51821
+ resources: {}
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ volumeMounts:
+ - mountPath: /etc/wireguard
+ name: wg-easy
+ restartPolicy: Always
+ volumes:
+ - name: wg-easy
+ persistentVolumeClaim:
+ claimName: wg-easy
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: wg-easy
+ name: wg-easy-udp
+ namespace: wg-easy
+spec:
+ ports:
+ - name: wg-easy-udp
+ port: 51820
+ protocol: UDP
+ targetPort: 51820
+ selector:
+ app: wg-easy
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: wg-easy
+ name: wg-easy-web
+ namespace: wg-easy
+spec:
+ ports:
+ - name: wg-easy-web
+ port: 51821
+ protocol: TCP
+ targetPort: 51821
+ selector:
+ app: wg-easy
+ type: ClusterIP
diff --git a/Wireguard/Kubernetes/ingress.yaml b/Wireguard/Kubernetes/ingress.yaml
new file mode 100644
index 0000000..ad95393
--- /dev/null
+++ b/Wireguard/Kubernetes/ingress.yaml
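Review bot: The wg-easy admin password is a plaintext `value:` on the `PASSWORD` env var, so it is committed to git, visible to anyone with read access to the Deployment or pod spec, and the placeholder string itself says to use sealed secrets; switch it to `valueFrom.secretKeyRef` against a Secret created out of band. `SYS_MODULE` lets the container load arbitrary kernel modules on the worker node, which is effectively node root, and it is only needed if the `wireguard` module is not already loaded on the host; the module ships with kernels 5.6+, so load it on the node (`modprobe wireguard`) and keep only `NET_ADMIN`. `image: weejewel/wg-easy` is an unpinned tag pulled with `imagePullPolicy: Always` on a component that holds `NET_ADMIN` and every peer's private key material under `/etc/wireguard`, so a version or digest pin matters more here than elsewhere; `resources: {}` should also get at least a memory limit. The env and capability lines I would change are below.
```yaml
        env:
          - name: WG_HOST
            value: "wg.yourdomain.co.uk"
          - name: PASSWORD
            valueFrom:
              secretKeyRef:
                name: wg-easy-admin   # create out of band (e.g. as a SealedSecret), never inline
                key: password
          # … unchanged: WG_DEFAULT_DNS …
        image: weejewel/wg-easy:<version>   # pin a tag or @sha256 digest
        # … unchanged: ports, resources …
        securityContext:
          capabilities:
            add:
              - NET_ADMIN   # SYS_MODULE dropped; load the wireguard module on the node instead
```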
@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: wg-easy
+ namespace: wg-easy
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`www.wg-easy.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: wg-easy-web
+ port: 51821
+ - match: Host(`wg-easy.yourdomain.co.uk`)
+ kind: Rule
+ services:
+ - name: wg-easy-web
+ port: 51821
+ middlewares:
+ - name: default-headers
+ tls:
+ secretName: yourdomain-tls
diff --git a/Wireguard/Kubernetes/ingressRouteUDP.yaml b/Wireguard/Kubernetes/ingressRouteUDP.yaml
new file mode 100644
index 0000000..f66d4ee
--- /dev/null
+++ b/Wireguard/Kubernetes/ingressRouteUDP.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteUDP
+metadata:
+ name: wg-easy
+ namespace: wg-easy
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - wireguard
+ routes:
+ - services:
+ - name: wg-easy-udp
+ port: 51820
\ No newline at end of file
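Review bot: The wg-easy web UI manages VPN peers and is guarded by a single shared password, yet it is published on `traefik-external` with only `default-headers` and no IP allowlist, whereas the Vaultwarden route in this commit gets `local-ipwhitelist`; I would reuse that pattern here with a `local-ipwhitelist` Middleware in the `wg-easy` namespace and `- name: local-ipwhitelist` under `middlewares:`, or keep the UI off the external entrypoint altogether and reach it over the VPN it manages. As in the other IngressRoutes, the middleware list is attached only to the second route, so `www.wg-easy.yourdomain.co.uk` serves the same admin UI with no headers (and no allowlist once one is added); a single ``Host(`wg-easy.yourdomain.co.uk`) || Host(`www.wg-easy.yourdomain.co.uk`)`` rule avoids that drift, or the `www.` route can simply be removed. `tls.secretName: yourdomain-tls` is resolved in the IngressRoute's own namespace, so confirm that Secret is actually present in `wg-easy` rather than only where the certificate is issued.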
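Review bot: The route binds to an entryPoint named `wireguard` that is defined nowhere in this commit; it must exist on the external Traefik as a UDP entrypoint (`--entrypoints.wireguard.address=:51820/udp`) or the CRD is accepted and then silently does nothing, so a header comment stating that prerequisite would save the next reader a debugging session, e.g. `# Requires a UDP entryPoint named "wireguard" (:51820/udp) on the traefik-external instance`. Because Traefik proxies the UDP flow, wg-easy sees Traefik's address as every peer's source, which is harmless for WireGuard's handshake but means per-peer source addresses are only observable at Traefik, so make sure its access log covers UDP if that matters for incident response. Also check the entrypoint's UDP session `timeout` (Traefik's default is short) against the clients' `PersistentKeepalive`; when a session expires, the next client packet arrives from a fresh Traefik port and server-to-client traffic may be lost until the client speaks again.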