add-kubernetes

James Turland 2024-07-08 11:19:54 +01:00
parent 0cd8339e6e
commit ef6ba4bd22
42 changed files with 1375 additions and 0 deletions


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: homeassistant
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https
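Review bot: This `default-headers` Middleware is copied verbatim into seven namespaces (this one plus jellyfin, pihole, plex, uptime-kuma, vaultwarden and wg-easy), so any later hardening has to be repeated seven times and the copies will drift. Traefik's Kubernetes CRD provider can reference a Middleware from another namespace when `allowCrossNamespace` is enabled, so one shared definition would do; if cross-namespace references are not wanted, a comment such as `# keep in sync with the default-headers Middleware in the other namespaces` at the top of each copy at least flags the coupling. Note also that `stsPreload: true` together with `stsIncludeSubdomains: true` asks browsers to pin HTTPS for every subdomain of the routed host, which is hard to undo once the domain is submitted to the preload list, and `browserXssFilter` emits the legacy `X-XSS-Protection` header that current browsers ignore.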


@ -0,0 +1,94 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: homeassistant
app.kubernetes.io/instance: homeassistant
name: homeassistant
namespace: homeassistant
spec:
replicas: 1
selector:
matchLabels:
app: homeassistant
template:
metadata:
labels:
app: homeassistant
app.kubernetes.io/name: homeassistant
spec:
nodeSelector:
worker: "true"
containers:
- image: homeassistant/home-assistant:latest
imagePullPolicy: Always
name: homeassistant
ports:
- containerPort: 8123
name: web
protocol: TCP
env:
- name: TZ
value: Europe/London
volumeMounts:
- mountPath: /config
name: homeassistant
subPath: config
- image: docker.io/postgres:12-alpine
imagePullPolicy: IfNotPresent
name: homeassistant-db
ports:
- containerPort: 5432
name: db
protocol: TCP
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: secrets
key: POSTGRES_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: secrets
key: POSTGRES_PASSWORD
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: secrets
key: POSTGRES_DB
- name: POSTGRES_INITDB_ARGS
value: --encoding=UTF-8
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: homeassistant
subPath: schemas
volumes:
- name: homeassistant
persistentVolumeClaim:
claimName: homeassistant
---
apiVersion: v1
kind: Service
metadata:
labels:
app: homeassistant
name: homeassistant
namespace: homeassistant
spec:
ports:
- name: web-tcp
port: 80
protocol: TCP
targetPort: 8123
- name: db
port: 5432
protocol: TCP
targetPort: 5432
selector:
app: homeassistant
externalTrafficPolicy: Local
loadBalancerIP: 192.168.200.17
type: LoadBalancer
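Review bot: The LoadBalancer Service publishes Postgres (`- name: db` through `targetPort: 5432`) on `192.168.200.17`, although the database exists only for the Home Assistant container in the same pod, which shares its network namespace and can reach it on localhost; delete the `db` port entry so the database is not reachable from the LAN at all. `homeassistant/home-assistant:latest` with `imagePullPolicy: Always` means every restart may pull a different build, which for a deployment that also hosts the database is a rollback problem as much as a supply-chain one — pin a version tag or digest. Unlike the jellyfin, plex and vaultwarden namespaces, no NetworkPolicy is added for homeassistant, and neither container sets a `securityContext` or resource limits.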


@ -0,0 +1,26 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: homeassistant
namespace: homeassistant
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.ha.yourdomain.co.uk`)
kind: Rule
services:
- name: homeassistant
port: 80
- match: Host(`ha.yourdomain.co.uk`)
kind: Rule
services:
- name: homeassistant
port: 80
middlewares:
- name: default-headers
tls:
secretName: yourdomain-tls
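Review bot: The first route (`www.ha.yourdomain.co.uk`) carries no `middlewares`, so that host is served without the `default-headers` hardening that the bare-host route gets; the same asymmetry is in the jellyfin, plex, uptime-kuma, vaultwarden and wg-easy IngressRoutes, and in vaultwarden's the www route also skips the IP allowlist. Either add `middlewares: - name: default-headers` to the first route as well, or collapse the two routes into one rule, `` Host(`ha.yourdomain.co.uk`) || Host(`www.ha.yourdomain.co.uk`) ``, so a single middleware list covers both hosts and cannot drift.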


@ -0,0 +1,18 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: secrets
namespace: homeassistant
spec:
encryptedData:
POSTGRES_DB: some-secret
POSTGRES_PASSWORD: some-secret
POSTGRES_USER: some-secret
template:
metadata:
creationTimestamp: null
name: secrets
namespace: homeassistant
type: Opaque


@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: secrets
namespace: homeassistant
type: Opaque
data:
POSTGRES_USER: some-secret
POSTGRES_PASSWORD: some-secret
POSTGRES_DB: some-secret
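Review bot: `some-secret` under `data:` is not base64 (the `-` is outside the base64 alphabet), so the API server rejects this manifest as illegal base64; plaintext placeholders belong under `stringData:`. More importantly, this plain Secret has the same name `secrets` as the SealedSecret added for this namespace, so whichever is applied second fights the sealed-secrets controller for ownership of the unsealed Secret, and a plaintext Secret checked into the repo is exactly what the SealedSecret is meant to avoid. Keep only the SealedSecret, or if a local-dev variant is wanted, give it a distinct name and a comment `# dev only — never commit real values here`.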


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: jellyfin
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,26 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: jellyfin
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.jellyfin.yourdomain.co.uk`)
kind: Rule
services:
- name: jellyfin
port: 8096
- match: Host(`jellyfin.yourdomain.co.uk`)
kind: Rule
services:
- name: jellyfin
port: 8096
middlewares:
- name: default-headers
tls:
secretName: yourdomain-tls


@ -0,0 +1,85 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: jellyfin
app.kubernetes.io/instance: jellyfin
app.kubernetes.io/name: jellyfin
name: jellyfin
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
app.kubernetes.io/name: jellyfin
spec:
nodeSelector:
# gpu: "true"
worker: "true"
containers:
- image: jellyfin/jellyfin
imagePullPolicy: Always
name: jellyfin
ports:
- containerPort: 8096
name: web
protocol: TCP
env:
- name: TZ
value: Europe/London
volumeMounts:
- mountPath: /config
name: jellyfin
subPath: config
- mountPath: /cache
name: jellyfin
subPath: cache
- mountPath: "/Audiobooks"
readOnly: false
name: smb
subPath: Audiobooks
- mountPath: "/Films"
readOnly: false
name: smb
subPath: Films
- mountPath: "/TVShows"
readOnly: false
name: smb
subPath: TVShows
- mountPath: "/Music"
readOnly: false
name: smb
subPath: Music
volumes:
- name: jellyfin
persistentVolumeClaim:
claimName: jellyfin
- name: smb
persistentVolumeClaim:
claimName: pvc-jellyfin-smb
---
apiVersion: v1
kind: Service
metadata:
labels:
app: jellyfin
name: jellyfin
namespace: jellyfin
spec:
ports:
- name: web-tcp
port: 8096
protocol: TCP
targetPort: 8096
- name: web-udp
port: 8096
protocol: UDP
targetPort: 8096
selector:
app: jellyfin
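Review bot: The four SMB media mounts from `- mountPath: "/Audiobooks"` onward are `readOnly: false` although Jellyfin only needs to read the library, and the plex Deployment in this same commit mounts the identical shares with `readOnly: true`; set `readOnly: true` on these volumeMounts and on the `smb` volume entry so a compromised media server cannot alter or encrypt the NAS content. `image: jellyfin/jellyfin` has no tag at all, so with `imagePullPolicy: Always` each restart may pull a different build — pin a version tag or digest. The `web-udp` Service port maps 8096/UDP, which as far as I know Jellyfin does not listen on (its UDP discovery ports are 1900 and 7359); confirm before keeping it.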


@ -0,0 +1,24 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-internet-only
namespace: jellyfin
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: "0.0.0.0/0"
except:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: "kube-system"
- podSelector:
matchLabels:
k8s-app: "kube-dns"
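Review bot: The second egress `to` block lists `namespaceSelector` and `podSelector` as two separate items, which NetworkPolicy evaluates as OR: it permits egress to every pod in `kube-system` and to any pod in this namespace labelled `k8s-app: kube-dns`, not to kube-dns specifically, and no `ports` restriction is given. Put both selectors in one list item and limit it to port 53 so the exception is DNS only; the same shape is repeated in the plex and vaultwarden policies. Whether the RFC 1918 `except` list should also cover `169.254.0.0/16` depends on what is reachable on the node network, so I only flag it.
```yaml
# … unchanged: metadata, podSelector, policyTypes, internet ipBlock rule …
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: "kube-system"
        podSelector:
          matchLabels:
            k8s-app: "kube-dns"
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
```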


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
annotations:
pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
name: pv-jellyfin-smb
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: smb
mountOptions:
- dir_mode=0777
- file_mode=0777
csi:
driver: smb.csi.k8s.io
readOnly: false
# volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
# make sure this value is unique for every share in the cluster
volumeHandle: jellyfin
volumeAttributes:
source: "//192.168.x.x/your-nas"
nodeStageSecretRef:
name: smbcreds
namespace: default
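Review bot: `dir_mode=0777` and `file_mode=0777` present the share as world-writable inside every pod that mounts it, and `readOnly: false` on the csi block makes that a real write path to the NAS; for a media library that is only consumed, `readOnly: true` plus `dir_mode=0555`/`file_mode=0444` is enough, and the plex PV (`pv-plex-smb`) repeats the same settings. The `nodeStageSecretRef` points at `smbcreds` in the `default` namespace, so one NAS credential is shared by every SMB PV in the cluster — workable for a lab, but worth a comment such as `# smbcreds in default is shared by all SMB PVs; use per-share credentials if the NAS supports them`.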


@ -0,0 +1,14 @@
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: pvc-jellyfin-smb
namespace: jellyfin
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
volumeName: pv-jellyfin-smb
storageClassName: smb


@ -0,0 +1,50 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: mosquitto
name: mosquitto
namespace: mosquitto
spec:
replicas: 1
selector:
matchLabels:
app: mosquitto
template:
metadata:
labels:
app: mosquitto
app.kubernetes.io/name: mosquitto
spec:
nodeSelector:
worker: "true"
containers:
- image: eclipse-mosquitto:latest
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 0.5
memory: 500Mi
name: mosquitto
ports:
- containerPort: 1883
name: mqtt
protocol: TCP
- containerPort: 9001
name: websocket
protocol: TCP
volumeMounts:
- mountPath: /mosquitto/config/
name: mosquitto
subPath: config
- mountPath: "/mosquitto/data"
name: mosquitto
subPath: "data"
- mountPath: "/mosquitto/log"
name: mosquitto
subPath: log
volumes:
- name: mosquitto
persistentVolumeClaim:
claimName: mosquitto
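Review bot: `eclipse-mosquitto:latest` is combined with `imagePullPolicy: IfNotPresent`, so each node keeps whichever `latest` it cached first and pods can run different broker versions depending on where they are scheduled; pin a version tag or digest so the pull policy has a defined meaning. The container has no `securityContext`, and the `resources` block sets limits only, so requests silently default to the limits. The listener and authentication settings live in the config on the PVC, which this manifest does not show, so whether anonymous access is disabled cannot be judged from here.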


@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: mosquitto
labels:
name: mosquitto


@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: mosquitto
spec:
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: longhorn
csi:
driver: driver.longhorn.io
fsType: ext4
volumeAttributes:
numberOfReplicas: '2'
staleReplicaTimeout: '2880'
volumeHandle: mosquitto


@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mosquitto
namespace: mosquitto
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 1Gi
volumeName: mosquitto


@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: mosquitto
name: mosquitto
namespace: mosquitto
spec:
ports:
- name: mqtt
port: 1883
protocol: TCP
targetPort: 1883
- name: websocket
port: 9001
protocol: TCP
targetPort: 9001
selector:
app: mosquitto
externalTrafficPolicy: Local
loadBalancerIP: 192.168.200.14
type: LoadBalancer
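Review bot: Both 1883 (MQTT) and 9001 (WebSocket) are published on the LAN through a LoadBalancer address, and by convention neither is a TLS listener, so broker credentials and topic payloads cross the network in clear text. If Home Assistant in this cluster is the only client, `type: ClusterIP` is sufficient and removes the exposure; if LAN devices need the broker, expose a TLS listener (conventionally 8883) configured in mosquitto.conf instead of the plaintext ports.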


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: pihole
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,24 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: pihole
namespace: pihole
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`pihole.yourdomain.co.uk`)
kind: Rule
services:
- name: pihole
port: 80
middlewares:
- name: default-headers
- name: dashboard-redirect
- name: dashboard-prefix
tls:
secretName: yourdomain-tls
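Review bot: This route publishes the Pi-hole admin interface on the `traefik-external` class with only `default-headers`, whereas the vaultwarden IngressRoute in this commit restricts its host to RFC 1918 sources with a `local-ipwhitelist` Middleware; if the external entrypoint is internet-facing, the resolver's admin panel is reachable from anywhere behind a single `WEBPASSWORD`. Adding `- name: local-ipwhitelist` to the middleware list here (with that Middleware copied into the pihole namespace) limits the panel to the LAN, which is where its DNS clients are anyway.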


@ -0,0 +1,18 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: dashboard-redirect
namespace: pihole
spec:
redirectRegex:
regex: /admin/$
replacement: /
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: dashboard-prefix
namespace: pihole
spec:
addPrefix:
prefix: /admin


@ -0,0 +1,17 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-internet-only
namespace: pihole
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/20
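Review bot: This ingress policy admits traffic from `0.0.0.0/0` except the private ranges, which for a LAN DNS server looks inverted: where the CNI enforces NetworkPolicy and the pihole Service's `externalTrafficPolicy: Local` preserves client addresses, the 192.168.0.0/16 clients are exactly the ones denied, and Traefik's pod IP is likely inside 10.0.0.0/8 as well. The third exception `172.16.0.0/20` also differs from the `172.16.0.0/12` used in the jellyfin, plex and vaultwarden policies and covers only 172.16.0.0–172.16.15.255. The vaultwarden policy's ingress section (three `from` entries with `cidr: "10.0.0.0/8"`, `"172.16.0.0/12"`, `"192.168.0.0/16"`) is the shape that matches a LAN-only service; if the current rule is intentional, the name `allow-internet-only` and a comment explaining why LAN sources are excluded would stop the next reader from "fixing" it.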


@ -0,0 +1,118 @@
apiVersion: v1
kind: Namespace
metadata:
name: pihole
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: pihole
app.kubernetes.io/name: pihole
name: pihole
namespace: pihole
spec:
replicas: 1
selector:
matchLabels:
app: pihole
template:
metadata:
labels:
app: pihole
app.kubernetes.io/name: pihole
spec:
nodeSelector:
worker: "true"
containers:
- image: visibilityspots/cloudflared
imagePullPolicy: IfNotPresent
name: cloudflared
ports:
- containerPort: 53
name: dns
protocol: TCP
- containerPort: 67
name: dns-udp
protocol: UDP
env:
- name: TUNNEL_METRICS
value: 127.0.0.1:3000
- env:
- name: TZ
value: "Europe/London"
- name: WEBPASSWORD
valueFrom:
secretKeyRef:
name: web-pass
key: WEBPASSWORD
- name: FTLCONF_LOCAL_IPV4
value: 192.168.200.11
- name: PIHOLE_DNS_
value: 127.0.0.1#5054
image: pihole/pihole:latest
imagePullPolicy: Always
name: pihole
ports:
- containerPort: 80
name: pihole-http
protocol: TCP
- containerPort: 53
name: dns
protocol: TCP
- containerPort: 53
name: dns-udp
protocol: UDP
- containerPort: 443
name: pihole-ssl
protocol: TCP
- containerPort: 67
name: client-udp
protocol: UDP
volumeMounts:
- mountPath: /etc/pihole
name: pihole
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Always
volumes:
- name: pihole
persistentVolumeClaim:
claimName: pihole
---
apiVersion: v1
kind: Service
metadata:
labels:
app: pihole
name: pihole
namespace: pihole
spec:
ports:
- name: dns-udp
port: 53
protocol: UDP
targetPort: 53
- name: client-udp
port: 67
protocol: UDP
targetPort: 67
- name: pihole-http
port: 80
protocol: TCP
targetPort: 80
- name: pihole-https
port: 443
protocol: TCP
targetPort: 443
- name: dns
port: 53
protocol: TCP
targetPort: 53
selector:
app: pihole
externalTrafficPolicy: Local
loadBalancerIP: 192.168.200.11
type: LoadBalancer
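Review bot: The `cloudflared` container declares `containerPort: 53` and `67` under the names `dns` and `dns-udp`, but the `pihole` container in the same pod declares the same ports and names, and Pi-hole is pointed at cloudflared via `PIHOLE_DNS_: 127.0.0.1#5054`; the cloudflared entries look copied from the pihole container and should read `- containerPort: 5054` with a distinct name (the API reference says each named port in a pod must have a unique name, so check that the apiserver even accepts the duplicates). Both images are unpinned — `visibilityspots/cloudflared` has no tag and `pihole/pihole:latest` is pulled with `Always`. `NET_ADMIN` is added to the pihole container without narrowing the default set; `drop: - ALL` next to `add: - NET_ADMIN` keeps only what DHCP needs. Port 67/UDP on a LoadBalancer Service also deserves a comment, since DHCP discovery is broadcast and will not arrive through the LB address.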


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: web-pass
namespace: pihole
spec:
encryptedData:
WEBPASSWORD: some-secret
template:
metadata:
creationTimestamp: null
name: web-pass
namespace: pihole
type: Opaque


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: plex
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,26 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: plex
namespace: plex
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.plex.yourdomain.co.uk`)
kind: Rule
services:
- name: plex
port: 32400
- match: Host(`plex.yourdomain.co.uk`)
kind: Rule
services:
- name: plex
port: 32400
middlewares:
- name: default-headers
tls:
secretName: yourdomain-tls


@ -0,0 +1,24 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-internet-only
namespace: plex
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: "0.0.0.0/0"
except:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: "kube-system"
- podSelector:
matchLabels:
k8s-app: "kube-dns"


@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: plex
name: plex
namespace: plex
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: plex
strategy:
type: Recreate
template:
metadata:
labels:
app: plex
spec:
affinity: {}
containers:
- name: plex
securityContext:
privileged: true
image: plexinc/pms-docker:latest
imagePullPolicy: IfNotPresent
readinessProbe:
httpGet:
path: /identity
port: 32400
initialDelaySeconds: 10
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /identity
port: 32400
initialDelaySeconds: 15
timeoutSeconds: 10
resources:
requests:
gpu.intel.com/i915: "1"
cpu: 1000m
memory: 7.5Gi
limits:
gpu.intel.com/i915: "1"
env:
- name: PUID
value: "99"
- name: PGID
value: "100"
- name: TZ
value: Europe/London
- name: VERSION
value: docker
- name: ADVERTISE_IP
value: 'https://plex.yourdomain.co.uk:443'
- name: ALLOWED_NETWORKS
value: 192.168.0.0/16,10.0.0.0/8
- name: PLEX_CLAIM
value: claim-your-token
volumeMounts:
- mountPath: /config
name: plex-longhorn
- mountPath: /transcode
name: transcode
- mountPath: /data
name: plex-longhorn
- mountPath: /Films
name: plex-smb
readOnly: true
subPath: Films
- mountPath: /TVShows
name: plex-smb
readOnly: true
subPath: TVShows
- mountPath: /Audiobooks
name: plex-smb
readOnly: true
subPath: Audiobooks
- mountPath: /Music
name: plex-smb
readOnly: true
subPath: Music
dnsConfig: {}
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: plex-longhorn
persistentVolumeClaim:
claimName: plex
readOnly: false
- name: plex-smb
persistentVolumeClaim:
claimName: pvc-plex-smb
readOnly: true
- name: transcode
emptyDir:
medium: Memory
sizeLimit: 10Gi
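Review bot: `privileged: true` combined with `hostNetwork: true` gives the Plex container the node's devices and network namespace, which is far more than the GPU needs: the `gpu.intel.com/i915` request already has the device plugin inject the render device, so `privileged` can very likely be dropped (if it was added for the GPU, test without it). `PLEX_CLAIM: claim-your-token` is committed as a plain env value; the claim token is short-lived but is still an account credential, so source it from a SealedSecret via `valueFrom: secretKeyRef` as the other namespaces do. `hostNetwork: true` also makes the LoadBalancer Service largely redundant and, on most CNIs, takes the pod outside the `allow-internet-only` NetworkPolicy in this namespace, which polices pod-network traffic only. The image `plexinc/pms-docker:latest` is unpinned.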


@ -0,0 +1,55 @@
apiVersion: v1
kind: Service
metadata:
annotations:
kompose.cmd: ./kompose convert -f plex/docker-compose.yml
kompose.version: 1.27.0 (b0ed6a2c9)
creationTimestamp: null
labels:
io.kompose.service: pms-docker
name: plex
namespace: plex
spec:
ports:
- name: "32400"
port: 32400
protocol: TCP
targetPort: 32400
- name: "32400-udp"
port: 32400
protocol: UDP
targetPort: 32400
- name: "3005"
port: 3005
targetPort: 3005
- name: "8324"
port: 8324
targetPort: 8324
- name: "32469"
port: 32469
targetPort: 32469
- name: "1900"
port: 1900
protocol: UDP
targetPort: 1900
- name: "32410"
port: 32410
protocol: UDP
targetPort: 32410
- name: "32412"
port: 32412
protocol: UDP
targetPort: 32412
- name: "32413"
port: 32413
protocol: UDP
targetPort: 32413
- name: "32414"
port: 32414
protocol: UDP
targetPort: 32414
selector:
app: plex
externalTrafficPolicy: Local
loadBalancerIP: 192.168.200.12
type: LoadBalancer


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
annotations:
pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
name: pv-plex-smb
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: smb
mountOptions:
- dir_mode=0777
- file_mode=0777
csi:
driver: smb.csi.k8s.io
readOnly: false
# volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
# make sure this value is unique for every share in the cluster
volumeHandle: plex
volumeAttributes:
source: "//192.168.x.x/your-nas"
nodeStageSecretRef:
name: smbcreds
namespace: default


@ -0,0 +1,14 @@
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: pvc-plex-smb
namespace: plex
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
volumeName: pv-plex-smb
storageClassName: smb


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: uptime-kuma
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,83 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: uptime-kuma
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: uptime-kuma
namespace: uptime-kuma
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
spec:
replicas: 1
selector:
matchLabels:
app: uptime-kuma
template:
metadata:
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
spec:
nodeSelector:
worker: "true"
containers:
- name: uptime-kuma
image: louislam/uptime-kuma:1
ports:
- containerPort: 3001
volumeMounts:
- name: uptime-kuma
mountPath: /app/data
volumes:
- name: uptime-kuma
persistentVolumeClaim:
claimName: uptime-kuma
---
apiVersion: v1
kind: Service
metadata:
name: uptime-kuma
namespace: uptime-kuma
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
spec:
type: ClusterIP
selector:
app: uptime-kuma
ports:
- name: http
port: 80
targetPort: 3001
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: uptime-kuma-data
namespace: uptime-kuma
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3Gi
storageClassName: longhorn
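Review bot: The Deployment's volume references `claimName: uptime-kuma`, but the PersistentVolumeClaim in this same file is named `uptime-kuma-data`, so the pod will stay Pending with a missing-claim event; `claimName: uptime-kuma-data` (or renaming the PVC) is the one-line fix. The PVC also has no `volumeName`, so Longhorn will dynamically provision a new 3Gi volume and the static 5Gi PersistentVolume `uptime-kuma` added in this commit never binds — either add `volumeName: uptime-kuma` to the claim, as the mosquitto and SMB claims do, or drop the PV. The container sets no `imagePullPolicy`, and `louislam/uptime-kuma:1` is a floating major tag.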


@ -0,0 +1,26 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: uptime-kuma
namespace: uptime-kuma
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.uptime-kuma.yourdomain.co.uk`)
kind: Rule
services:
- name: uptime-kuma
port: 80
- match: Host(`uptime-kuma.yourdomain.co.uk`)
kind: Rule
services:
- name: uptime-kuma
port: 80
middlewares:
- name: default-headers
tls:
secretName: yourdomain-tls


@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: uptime-kuma
labels:
app: uptime-kuma
app.kubernetes.io/instance: uptime-kuma
app.kubernetes.io/name: uptime-kuma
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: longhorn
csi:
driver: driver.longhorn.io
volumeHandle: uptime-kuma


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: vaultwarden
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,53 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: vaultwarden
app.kubernetes.io/instance: vaultwarden
name: vaultwarden
namespace: vaultwarden
spec:
replicas: 1
selector:
matchLabels:
app: vaultwarden
template:
metadata:
labels:
app: vaultwarden
app.kubernetes.io/name: vaultwarden
spec:
nodeSelector:
worker: "true"
containers:
- image: vaultwarden/server:latest
imagePullPolicy: Always
name: vaultwarden
ports:
- containerPort: 80
name: web
protocol: TCP
volumeMounts:
- mountPath: /data/
name: vaultwarden
volumes:
- name: vaultwarden
persistentVolumeClaim:
claimName: vaultwarden
---
apiVersion: v1
kind: Service
metadata:
labels:
app: vaultwarden
name: vaultwarden
namespace: vaultwarden
spec:
ports:
- name: web-tcp
port: 80
protocol: TCP
targetPort: 80
selector:
app: vaultwarden
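Review bot: No `SIGNUPS_ALLOWED`, `ADMIN_TOKEN` or `DOMAIN` environment is set on the container; Vaultwarden defaults to open registration, so anyone who can reach the IngressRoute (and its `www.` host carries no IP allowlist) can create an account on this instance — set `SIGNUPS_ALLOWED: "false"` once the first user exists and `DOMAIN` to the public URL, which Vaultwarden needs for WebAuthn and e-mailed links. `vaultwarden/server:latest` with `imagePullPolicy: Always` is unpinned for a password vault, where an unexpected upgrade or a compromised tag is both an availability and an integrity concern; pin a release tag or digest. The container also runs without a `securityContext` or resource limits.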


@ -0,0 +1,27 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: vaultwarden
namespace: vaultwarden
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.vaultwarden.yourdomain.co.uk`)
kind: Rule
services:
- name: vaultwarden
port: 80
- match: Host(`vaultwarden.yourdomain.co.uk`)
kind: Rule
services:
- name: vaultwarden
port: 80
middlewares:
- name: default-headers
- name: local-ipwhitelist
tls:
secretName: yourdomain-tls
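Review bot: Only the second route carries `local-ipwhitelist`; the `www.vaultwarden.yourdomain.co.uk` route has no middlewares at all, so if that name resolves the allowlist is bypassed by simply using the www host. Merge the two hosts into one rule, `` Host(`vaultwarden.yourdomain.co.uk`) || Host(`www.vaultwarden.yourdomain.co.uk`) ``, so the single middleware list covers both, or delete the www route.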


@ -0,0 +1,11 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: local-ipwhitelist
namespace: vaultwarden
spec:
ipWhiteList:
sourceRange:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
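Review bot: `ipWhiteList` without an `ipStrategy` evaluates the TCP peer address, so this allowlist is only as strong as source-IP preservation in front of Traefik: if Traefik's own Service or an upstream proxy SNATs traffic to an RFC 1918 address, every request matches `10.0.0.0/8` and the middleware allows everything. Confirm that the Traefik Service uses `externalTrafficPolicy: Local` (the application Services in this commit do) or set `ipStrategy` to read the trusted forwarded header; a comment such as `# relies on Traefik seeing the real client IP — see ipStrategy` would record that assumption. Traefik v3 also renames this middleware to `ipAllowList` and keeps `ipWhiteList` only as a deprecated alias.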


@ -0,0 +1,35 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-internet-only
namespace: vaultwarden
spec:
podSelector: {}
policyTypes:
- Egress
- Ingress
egress:
- to:
- ipBlock:
cidr: "0.0.0.0/0"
except:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: "kube-system"
- podSelector:
matchLabels:
k8s-app: "kube-dns"
ingress:
- from:
- ipBlock:
cidr: "10.0.0.0/8"
- from:
- ipBlock:
cidr: "172.16.0.0/12"
- from:
- ipBlock:
cidr: "192.168.0.0/16"


@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: default-headers
namespace: wg-easy
spec:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https


@ -0,0 +1,91 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: wg-easy
app.kubernetes.io/instance: wg-easy
app.kubernetes.io/name: wg-easy
name: wg-easy
namespace: wg-easy
spec:
replicas: 1
selector:
matchLabels:
app: wg-easy
template:
metadata:
labels:
app: wg-easy
app.kubernetes.io/name: wg-easy
spec:
nodeSelector:
worker: "true"
# securityContext:
# sysctls:
# - name: net.ipv4.ip_forward
# value: "1"
# - name: net.ipv4.conf.all.src_valid_mark
# value: "1"
containers:
- env:
- name: WG_HOST
value: "wg.yourdomain.co.uk"
- name: PASSWORD
value: "some-password-or-use-sealed-secrets"
- name: WG_DEFAULT_DNS
value: "10.43.0.10, wg-easy.svc.cluster.local"
image: weejewel/wg-easy
imagePullPolicy: Always
name: wg-easy
ports:
- containerPort: 51820
- containerPort: 51821
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
volumeMounts:
- mountPath: /etc/wireguard
name: wg-easy
restartPolicy: Always
volumes:
- name: wg-easy
persistentVolumeClaim:
claimName: wg-easy
---
apiVersion: v1
kind: Service
metadata:
labels:
app: wg-easy
name: wg-easy-udp
namespace: wg-easy
spec:
ports:
- name: wg-easy-udp
port: 51820
protocol: UDP
targetPort: 51820
selector:
app: wg-easy
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app: wg-easy
name: wg-easy-web
namespace: wg-easy
spec:
ports:
- name: wg-easy-web
port: 51821
protocol: TCP
targetPort: 51821
selector:
app: wg-easy
type: ClusterIP
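Review bot: The admin `PASSWORD` is committed in plain text on its `value:` line even though the placeholder itself points at sealed secrets and the other namespaces use `valueFrom: secretKeyRef`; switch it to a SealedSecret, bearing in mind that the web UI on 51821 is published through the external IngressRoute without an IP allowlist, so this password is the only thing between the internet and the VPN's peer configurations. `SYS_MODULE` lets the container load arbitrary kernel modules on the node, which is equivalent to node root; on kernels with WireGuard built in (5.6 and later) `NET_ADMIN` alone suffices, so try dropping it. `weejewel/wg-easy` is untagged with `imagePullPolicy: Always`. The commented-out `net.ipv4.ip_forward` sysctl is required for peers to reach anything beyond the pod and is an unsafe sysctl in Kubernetes, so it must be allowed on the kubelet before `securityContext.sysctls` can set it; a comment stating how forwarding is actually enabled would save the next reader the investigation.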


@ -0,0 +1,26 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: wg-easy
namespace: wg-easy
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- websecure
routes:
- match: Host(`www.wg-easy.yourdomain.co.uk`)
kind: Rule
services:
- name: wg-easy-web
port: 51821
- match: Host(`wg-easy.yourdomain.co.uk`)
kind: Rule
services:
- name: wg-easy-web
port: 51821
middlewares:
- name: default-headers
tls:
secretName: yourdomain-tls


@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: wg-easy
namespace: wg-easy
annotations:
kubernetes.io/ingress.class: traefik-external
spec:
entryPoints:
- wireguard
routes:
- services:
- name: wg-easy-udp
port: 51820