dogfalo/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dogfalo:958eb9b0e334c8fe0c10396705e94320aec1559d
Branches Tags
dogfalo:main
...
compare: dogfalo:99ab70ed8eddc98532a6264395154a7ea00dfcdf
Branches Tags
dogfalo:main

10 Commits
958eb9b0e3 ... 99ab70ed8e

Author SHA1 Message Date
Alvin Wang
99ab70ed8e Added gitea 2026-04-22 16:51:54 -07:00
Alvin Wang
4301877f33 Update docs to match live cluster state 
Audited the running cluster and fixed all .md files:
- Node info: Fedora 43, Lima (not OrbStack), worker IP 10.0.1.58
- Networking: fixed public/internal hostname tables, all *.dog internals
- Storage: removed Longhorn refs (not deployed), documented hostPath/local-path
- Services: moved Seerr to media chart, utils is Zerobyte only
- Bootstrap: reordered steps, MetalLB/traefik-internal as manual pre-deploy
- Headlamp.md/MetalLB.md: added context and explanations

Made-with: Cursor
 2026-04-22 14:59:34 -07:00
Alvin Wang
2dfa47403d Added tasks 2026-04-22 14:48:34 -07:00
Alvin Wang
28c23faf24 new setup 2026-04-22 14:31:16 -07:00
Alvin Wang
0a5c149c5f point plex to use local data on mac-worker 2026-04-20 22:54:11 -04:00
Alvin Wang
82c91b8a06 use local path for letsencrypt 2026-04-20 17:08:50 -04:00
Alvin Wang
9bb83b459c WIP: separate traefik for public 2026-04-20 16:36:57 -04:00
Alvin Wang
888a3af835 migrate paperless 2026-04-20 13:00:54 -04:00
Alvin Wang
aeb19a521c set up mealie 2026-04-20 12:09:03 -04:00
Alvin Wang
33036b8420 add headlamp 2026-04-20 11:42:32 -04:00
60 changed files with 969 additions and 359 deletions
Show Stats Expand all files Collapse all files

0
.sops.yaml Normal file → Executable file
View File

30
AGENTS.md Normal file → Executable file
View File

@ -1,11 +1,31 @@
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
dogbox Ready control-plane 3h31m v1.34.6+k3s1 10.0.1.2 <none> Fedora Linux 40 (Server Edition) 6.9.6-200.fc40.x86_64 containerd://2.2.2-bd1.34
mac-worker Ready <none> 3h13m v1.34.6+k3s1 192.168.139.12 <none> Ubuntu 25.10 6.17.8-orbstack-00308-g8f9c941121b1 containerd://2.2.2-bd1.34
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
localhost.localdomain Ready control-plane v1.34.6+k3s1 10.0.1.2 <none> Fedora Linux 43 (Server Edition) 6.17.1-300.fc43.x86_64 containerd://2.2.2-bd1.34
lima-mac-worker Ready <none> v1.34.6+k3s1 10.0.1.58 <none> Ubuntu 25.10 6.17.0-22-generic containerd://2.2.2-bd1.34
The mac-worker is running inside orbstack linux VM if that matters.
The mac-worker is running inside a Lima VM on macOS.
I have a DNS rewrite pointing *.internal to 10.0.1.250 which is traefik-internal.
/dogstore/ is a NFS path that's available to all nodes
secrets are managed by sops
## Load balancers
Two LB implementations coexist: k3s klipper (servicelb) and MetalLB. They are
separated by `loadBalancerClass` so they don't conflict.
- **klipper** handles services with NO `loadBalancerClass`. It creates svclb
DaemonSet pods that bind host ports directly on every node.
- **MetalLB** handles services with `loadBalancerClass: metallb`. Its pool has
`autoAssign: false`, so it only assigns IPs to services that explicitly
request a pool via the `metallb.io/address-pool` annotation.
| Service | loadBalancerClass | LB | External IPs |
|------------------|-------------------|----------|---------------------------|
| traefik | (none) | klipper | 10.0.1.2, 10.0.1.58 |
| traefik-internal | metallb | MetalLB | 10.0.1.250 |
`loadBalancerClass` is immutable on k8s Services. Changing it requires deleting
the Service first, then redeploying (`kubectl delete svc … && helm upgrade`).

22
Headlamp.md Normal file
View File

@ -0,0 +1,22 @@
# Headlamp — Manual Token Access
The `charts/headlamp` Helm chart deploys Headlamp with its own in-cluster
ServiceAccount (`headlamp`) and a `cluster-admin` ClusterRoleBinding. That
SA is used by the running pod and does not require manual setup.
To generate a **bearer token** for logging in to the Headlamp UI (e.g. from
a browser), create a separate short-lived token:
```bash
kubectl -n apps create token headlamp --duration=48h
```
If you need a dedicated SA for external/long-lived access instead:
```bash
kubectl -n apps create serviceaccount headlamp-admin
kubectl create clusterrolebinding headlamp-admin \
--serviceaccount=apps:headlamp-admin \
--clusterrole=cluster-admin
kubectl -n apps create token headlamp-admin
```

17
MetalLB.md Normal file
View File

@ -0,0 +1,17 @@
# MetalLB — Manual Setup
MetalLB is **not** included in `bootstrap.sh deploy`. It must be installed
manually before deploying `traefik-internal` (which depends on the MetalLB
`loadBalancerClass`).
```bash
helm repo add metallb https://metallb.github.io/metallb
helm repo update
helm dependency build charts/metallb
helm upgrade --install metallb charts/metallb -n kube-system --wait
```
The chart wraps the upstream MetalLB subchart and adds a custom
`IPAddressPool` + `L2Advertisement` (defined in `charts/metallb/templates/pool.yaml`).
The pool assigns a single IP (`10.0.1.250`) with `autoAssign: false`, so only
services that explicitly request the `internal` pool via annotation get that IP.

167
README.md Normal file → Executable file
View File

@ -1,6 +1,6 @@
# Homelab — k3s Cluster
2-node k3s cluster (1 manager, 1 worker) running a self-hosted homelab stack on `ratboo.me`.
2-node k3s cluster (1 control-plane, 1 worker) running a self-hosted homelab stack on `ratboo.me`.
## Architecture
@ -8,8 +8,8 @@
| Node | Role | OS | IP | Runtime |
|------|------|----|----|---------|
| **dogbox** | control-plane | Fedora 40 Server | `10.0.1.2` | k3s server + containerd |
| **mac-worker** | worker | Ubuntu 25.10 (OrbStack VM) | `192.168.139.12` | k3s agent + containerd |
| **localhost.localdomain** (dogbox) | control-plane | Fedora Linux 43 (Server Edition) | `10.0.1.2` | k3s v1.34.6 + containerd |
| **lima-mac-worker** | worker | Ubuntu 25.10 (Lima VM on macOS) | `10.0.1.58` | k3s v1.34.6 + containerd |
### Overview
@ -20,61 +20,70 @@
*.ratboo.me
┌──────────────────────────┼──────────────────────────┐
│ dogbox (manager) │
│ Fedora 40 · 10.0.1.2 │
│ │
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ k3s server │ │ Traefik (k3s) │ │
│ │ control-plane │ │ :443 websecure │ │
│ └─────────────────┘ │ Let's Encrypt + CF │ │
│ └──────────┬───────────┘ │
│ ┌─────────────────┐ │ │
│ │ traefik-internal │ Routes to pods across │
│ │ :80 LB 10.0.1.250│ both nodes via CNI │
│ │ (MetalLB L2) │ │ │
│ └─────────────────┘ │ │
│ Longhorn │ │
└──────────────┬─────────────────────┼─────────────────┘
│ │
NFS /dogstore k3s cluster
│ │
┌──────────────┴─────────────────────┼─────────────────┐
│ mac-worker (worker) │
│ Ubuntu 25.10 · OrbStack VM │
│ 192.168.139.12 │
│ localhost.localdomain (dogbox) │
│ Fedora 43 · 10.0.1.2 │
│ │
│ Longhorn · workload pods │
└──────────────────────────────────────────────────────┘
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ k3s server │ │ Traefik (k3s) │ │
│ │ control-plane │ │ :443 websecure │ │
│ └─────────────────┘ │ Let's Encrypt + CF │ │
│ └──────────┬───────────┘ │
│ ┌──────────────────┐ │ │
│ │ traefik-internal │ Routes to pods across │
│ │ :80/:443 MetalLB │ both nodes via CNI │
│ │ LB 10.0.1.250 │ │ │
│ └──────────────────┘ │ │
└───────────────┬───────────────────┼──────────────────┘
│ │
NFS /dogstore k3s cluster
│ │
┌───────────────┴───────────────────┼──────────────────┐
│ lima-mac-worker (worker) │
│ Ubuntu 25.10 · Lima VM on macOS │
│ 10.0.1.58 │
│ │
│ workload pods │
└───────────────────────────────────────────────────────┘
```
### Networking
**Public ingress** — k3s bundles Traefik, configured via `HelmChartConfig` in `traefik-config`. TLS terminates at Traefik using Let's Encrypt with Cloudflare DNS-01 challenge. HTTP automatically redirects to HTTPS.
**Public ingress** — k3s bundles Traefik, configured via `HelmChartConfig` in `traefik-config`. TLS terminates at Traefik using Let's Encrypt with Cloudflare DNS-01 challenge. HTTP automatically redirects to HTTPS. klipper (servicelb) exposes the public Traefik on every node IP.
| Public hostname | Service |
|-----------------|---------|
| `plex.ratboo.me` | Plex |
| `sonarr.ratboo.me` | Sonarr |
| `radarr.ratboo.me` | Radarr |
| `watch.ratboo.me` | Seerr |
| `paperless.ratboo.me` | Paperless-ngx |
| `mealie.ratboo.me` | Mealie |
| `watch.ratboo.me` | Seerr |
**Internal ingress** — A separate Traefik instance (`traefik-internal`) listens on `10.0.1.250:80`, served by MetalLB L2. A DNS rewrite points `*.internal` to that IP. Internal services use Traefik `IngressRoute` CRDs with `ingressClass: traefik-internal`.
**Internal ingress** — A separate Traefik instance (`traefik-internal`) listens on `10.0.1.250` (ports 80 and 443), served by MetalLB L2. A DNS rewrite points `*.internal` to that IP. Internal services use Traefik `IngressRoute` CRDs with `ingressClass: traefik-internal`. Every service with a `*-ingressroute.yaml` template gets an `*.dog` hostname on this Traefik.
| Internal hostname | Service |
|-------------------|---------|
| `homepage.rat` | Homepage |
| `glance.rat` | Glance |
| `plex.dog` | Plex |
| `sonarr.dog` | Sonarr |
| `radarr.dog` | Radarr |
| `bazarr.dog` | Bazarr |
| `prowlarr.dog` | Prowlarr |
| `qbittorrent.dog` | qBittorrent |
| `seerr.dog` | Seerr |
| `paperless.dog` | Paperless-ngx |
| `mealie.dog` | Mealie |
| `homepage.dog` | Homepage |
| `glance.dog` | Glance |
| `headlamp.dog` | Headlamp |
| `zerobyte.dog` | Zerobyte |
**Cluster-only (no ingress):** Prowlarr, Bazarr, qBittorrent, Zerobyte.
**No ingress:** unpackerr (background download-extraction daemon, no web UI).
### Storage
| Mechanism | Use |
|-----------|-----|
| **Longhorn** (`storageClass: longhorn`, replica count 2) | Small config/state PVCs — Traefik ACME (128Mi), app configs (120Gi), Paperless Postgres/Redis, Mealie data, Seerr, Zerobyte |
| **NFS via hostPath `/dogstore`** | Large/shared data — Plex media + transcode, Sonarr/Radarr/qBittorrent/unpackerr data trees, Paperless documents, Homepage/Glance configs |
| **NFS via hostPath `/dogstore`** | Large/shared data — Plex media + transcode, Sonarr/Radarr/qBittorrent/unpackerr data trees, Paperless documents, Homepage/Glance configs, ACME cert storage |
| **hostPath `/home/alvin/service-data`** | App config directories on dogbox (Seerr, etc.) |
| **local-path (default StorageClass)** | k3s built-in provisioner for any PVCs (rancher.io/local-path) |
### Secrets
@ -84,24 +93,23 @@ SOPS + age encryption. All secrets live in `secrets/secrets.enc.yaml`, encrypted
| Namespace | Contents |
|-----------|----------|
| `kube-system` | k3s Traefik, `traefik-config` (HelmChartConfig + redirect middleware) |
| `longhorn-system` | Longhorn storage |
| `media` | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr |
| `paperless` | Paperless-ngx, Redis, PostgreSQL |
| `apps` | Mealie, Homepage, Glance, Seerr, Zerobyte |
| `kube-system` | k3s Traefik + `traefik-config` (HelmChartConfig + redirect middleware), `traefik-internal`, MetalLB controller + speakers, CoreDNS, metrics-server |
| `media` | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr |
| `apps` | Paperless-ngx + Postgres + Redis, Mealie, Homepage, Glance, Headlamp, Zerobyte |
## Services
| Chart | Namespace | Services | Notes |
|-------|-----------|----------|-------|
| traefik-config | kube-system | Traefik HelmChartConfig overlay | Cloudflare DNS-01, ACME on Longhorn |
| traefik-internal | | Internal Traefik instance | LB via MetalLB at `10.0.1.250` |
| metallb | — | MetalLB L2 pool | Single-IP pool for internal LB |
| media | media | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr | Media stack with `/dogstore` data paths |
| paperless | paperless | Paperless-ngx, Redis, PostgreSQL | Postgres 15, Redis 7 |
| mealie | apps | Mealie (v3.14.0) | Gemini API integration for recipes |
| traefik-config | kube-system | Traefik HelmChartConfig overlay | Cloudflare DNS-01, ACME on hostPath `/dogstore` |
| traefik-internal | kube-system | Internal Traefik instance | LB via MetalLB at `10.0.1.250`, ports 80/443/9095 |
| metallb | kube-system | MetalLB L2 pool | Single-IP pool (`10.0.1.250`) for internal LB |
| media | media | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr | Media stack with `/dogstore` data paths |
| paperless | apps | Paperless-ngx, Redis, PostgreSQL | Postgres 15, Redis 7 |
| mealie | apps | Mealie (v3.16.0) | Gemini API integration for recipes |
| dashboards | apps | Homepage, Glance | Internal-only via `traefik-internal` |
| utils | apps | Seerr, Zerobyte | Seerr public, Zerobyte cluster-only |
| headlamp | apps | Headlamp | K8s dashboard, internal-only via `traefik-internal` |
| utils | apps | Zerobyte | Backup service, internal-only via `traefik-internal` |
## Prerequisites
@ -125,13 +133,7 @@ This prints the worker join command at the end.
K3S_URL="https://<manager-ip>:6443" K3S_TOKEN="<token>" ./scripts/bootstrap.sh agent
```
### 3. Install Longhorn
```bash
./scripts/bootstrap.sh longhorn
```
### 4. Set up SOPS encryption
### 3. Set up SOPS encryption
Generate an age keypair (run on each node):
@ -146,34 +148,54 @@ Copy the public key into `.sops.yaml`, replacing the placeholder. Then encrypt y
sops -e -i secrets/secrets.enc.yaml
```
### 5. Apply secrets
### 4. Apply secrets
```bash
./scripts/bootstrap.sh apply-secrets
```
### 6. Deploy all charts
### 5. Deploy MetalLB and internal Traefik (manual)
These are deployed separately before the main charts because other services depend on them:
```bash
helm dependency build charts/metallb
helm upgrade --install metallb charts/metallb -n kube-system --wait
helm upgrade --install traefik-internal charts/traefik-internal -n kube-system --wait
```
### 6. Deploy all application charts
```bash
./scripts/bootstrap.sh deploy
```
This installs (in order): `traefik-config`, `media`, `paperless`, `mealie`, `dashboards`, `utils`, `headlamp`.
Or deploy individually:
```bash
kubectl create namespace media
helm upgrade --install media charts/media -n media
kubectl create namespace paperless
helm upgrade --install paperless charts/paperless -n paperless
kubectl create namespace apps
helm upgrade --install mealie charts/mealie -n apps
helm upgrade --install dashboards charts/dashboards -n apps
helm upgrade --install utils charts/utils -n apps
# Traefik config goes in kube-system (managed by k3s)
helm upgrade --install traefik-config charts/traefik-config -n kube-system
kubectl create namespace apps
helm upgrade --install headlamp charts/headlamp -n apps
helm upgrade --install dashboards charts/dashboards -n apps
helm upgrade --install paperless charts/paperless -n apps
helm upgrade --install mealie charts/mealie -n apps
helm upgrade --install utils charts/utils -n apps
helm upgrade --install gitea charts/gitea -n apps
kubectl create namespace media
helm upgrade --install media charts/media -n media
```
### Optional: Install Longhorn
The bootstrap script includes a Longhorn install command, but it is not currently deployed:
```bash
./scripts/bootstrap.sh longhorn
```
## Verifying
@ -184,6 +206,7 @@ kubectl get pods -A
# Check ingress routes
kubectl get ingress -A
kubectl get ingressroute -A
# Test a specific service
curl -I https://mealie.ratboo.me
@ -210,12 +233,12 @@ homelab/
│ ├── traefik-config/ # k3s Traefik overrides (HelmChartConfig)
│ ├── traefik-internal/ # Separate internal Traefik instance
│ ├── metallb/ # MetalLB L2 for internal LB IP
│ ├── media/ # Plex, *arr stack, qBittorrent, unpackerr
│ ├── media/ # Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr
│ ├── paperless/ # Paperless-ngx + Postgres + Redis
│ ├── mealie/ # Mealie recipe manager
│ ├── dashboards/ # Homepage + Glance (internal only)
│ └── utils/ # Seerr + Zerobyte
│ ├── headlamp/ # Headlamp K8s dashboard (internal only)
│ └── utils/ # Zerobyte backup
└── secrets/
└── secrets.enc.yaml
```

0
charts/dashboards/Chart.yaml Normal file → Executable file
View File

0
charts/dashboards/templates/glance-ingressroute.yaml Normal file → Executable file
View File

0
charts/dashboards/templates/glance.yaml Normal file → Executable file
View File

0
charts/dashboards/templates/homepage-ingressroute.yaml Normal file → Executable file
View File

0
charts/dashboards/templates/homepage.yaml Normal file → Executable file
View File

0
charts/dashboards/values.yaml Normal file → Executable file
View File

5
charts/gitea/Chart.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v2
name: gitea
description: Gitea self-hosted Git service
version: 0.1.0
type: application

32
charts/gitea/templates/gitea-ingressroute.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`gitea.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: gitea
port: 3000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`gitea.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: gitea
port: 3000
tls: {}

102
charts/gitea/templates/gitea.yaml Normal file
View File

@ -0,0 +1,102 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
labels:
app: gitea
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
nodeSelector:
homelab/node-role: worker
containers:
- name: gitea
image: {{ .Values.image }}
ports:
- name: http
containerPort: 3000
- name: ssh
containerPort: 2222
resources:
limits:
memory: {{ .Values.resources.limits.memory }}
env:
- name: USER_UID
value: {{ .Values.puid | quote }}
- name: USER_GID
value: {{ .Values.pgid | quote }}
- name: GITEA__server__DOMAIN
value: gitea.{{ .Values.domain }}
- name: GITEA__server__ROOT_URL
value: https://gitea.{{ .Values.domain }}
- name: GITEA__server__SSH_PORT
value: "2222"
- name: GITEA__server__SSH_LISTEN_PORT
value: "2222"
- name: GITEA__database__DB_TYPE
value: postgres
- name: GITEA__database__HOST
value: gitea-postgres:5432
- name: GITEA__database__NAME
value: {{ .Values.postgres.database }}
- name: GITEA__database__USER
value: {{ .Values.postgres.user }}
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: GITEA_DB_PASS
- name: GITEA__service__DISABLE_REGISTRATION
value: "true"
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
hostPath:
path: /dogstore/service-data/gitea
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
name: gitea
spec:
selector:
app: gitea
ports:
- name: http
port: 3000
targetPort: 3000
- name: ssh
port: 2222
targetPort: 2222
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
spec:
rules:
- host: gitea.{{ .Values.domain }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000

59
charts/gitea/templates/postgres.yaml Normal file
View File

@ -0,0 +1,59 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-postgres
labels:
app: gitea-postgres
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gitea-postgres
template:
metadata:
labels:
app: gitea-postgres
spec:
initContainers:
- name: fix-permissions
image: busybox
command: ["sh", "-c", "chown -R 999:999 /data"]
volumeMounts:
- name: data
mountPath: /data
containers:
- name: postgres
image: {{ .Values.postgres.image }}
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: {{ .Values.postgres.database }}
- name: POSTGRES_USER
value: {{ .Values.postgres.user }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: GITEA_DB_PASS
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
volumes:
- name: data
hostPath:
path: /dogstore/service-data/gitea/pgdata
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
name: gitea-postgres
spec:
selector:
app: gitea-postgres
ports:
- port: 5432
targetPort: 5432

19
charts/gitea/values.yaml Normal file
View File

@ -0,0 +1,19 @@
domain: ratboo.me
internalDomain: dog
certResolver: myresolver
tz: America/Los_Angeles
puid: "1000"
pgid: "1000"
image: gitea/gitea:1.23
secretName: gitea-secrets
resources:
limits:
memory: 512Mi
postgres:
image: docker.io/library/postgres:17
database: gitea
user: gitea

5
charts/headlamp/Chart.yaml Executable file
View File

@ -0,0 +1,5 @@
apiVersion: v2
name: headlamp
description: Headlamp Kubernetes dashboard
version: 0.1.0
type: application

32
charts/headlamp/templates/headlamp-ingressroute.yaml Executable file
View File

@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: headlamp
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`headlamp.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: headlamp
port: 4466
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: headlamp-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`headlamp.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: headlamp
port: 4466
tls: {}

59
charts/headlamp/templates/headlamp.yaml Executable file
View File

@ -0,0 +1,59 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: headlamp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: headlamp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: headlamp
namespace: {{ .Release.Namespace }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: headlamp
labels:
app: headlamp
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: headlamp
template:
metadata:
labels:
app: headlamp
spec:
serviceAccountName: headlamp
nodeSelector:
homelab/node-role: worker
containers:
- name: headlamp
image: {{ .Values.image }}
args:
- -in-cluster
- -plugins-dir=/headlamp/plugins
- -enable-helm
ports:
- containerPort: 4466
---
apiVersion: v1
kind: Service
metadata:
name: headlamp
spec:
selector:
app: headlamp
ports:
- port: 4466
targetPort: 4466

2
charts/headlamp/values.yaml Executable file
View File

@ -0,0 +1,2 @@
image: ghcr.io/headlamp-k8s/headlamp:latest
internalDomain: dog

0
charts/mealie/Chart.yaml Normal file → Executable file
View File

32
charts/mealie/templates/mealie-ingressroute.yaml Executable file
View File

@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mealie
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`mealie.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: mealie
port: 9000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mealie-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`mealie.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: mealie
port: 9000
tls: {}

20
charts/mealie/templates/mealie.yaml Normal file → Executable file
View File

@ -1,16 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mealie-data
labels:
app: mealie
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.storageSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -29,6 +16,8 @@ spec:
labels:
app: mealie
spec:
nodeSelector:
homelab/node-role: worker
containers:
- name: mealie
image: {{ .Values.image }}
@ -66,8 +55,9 @@ spec:
mountPath: /app/data
volumes:
- name: data
persistentVolumeClaim:
claimName: mealie-data
hostPath:
path: /dogstore/service-data/mealie
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service

5
charts/mealie/values.yaml Normal file → Executable file
View File

@ -1,14 +1,13 @@
domain: ratboo.me
internalDomain: dog
certResolver: myresolver
tz: America/Los_Angeles
puid: "1000"
pgid: "1000"
image: ghcr.io/mealie-recipes/mealie:v3.14.0
image: ghcr.io/mealie-recipes/mealie:v3.16.0
secretName: mealie-secrets
storageClass: longhorn
storageSize: 5Gi
resources:
limits:

0
charts/media/Chart.yaml Normal file → Executable file
View File

5
charts/media/templates/_helpers.tpl Normal file → Executable file
View File

@ -11,3 +11,8 @@ app.kubernetes.io/part-of: media
- name: TZ
value: {{ .Values.tz | quote }}
{{- end -}}
{{- define "media.requireMacWorker" -}}
nodeSelector:
homelab/node-role: worker
{{- end -}}

57
charts/media/templates/bazarr.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bazarr-config
labels:
app: bazarr
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.bazarr.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: bazarr
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: bazarr
image: {{ .Values.bazarr.image }}
@ -47,15 +34,16 @@ spec:
mountPath: /tv
volumes:
- name: config
persistentVolumeClaim:
claimName: bazarr-config
hostPath:
path: {{ .Values.serviceData }}/bazarr/config
type: DirectoryOrCreate
- name: movies
hostPath:
path: {{ .Values.dogstore }}/sonarr/data/radarr-library
path: /dogstore/sonarr/data/radarr-library
type: DirectoryOrCreate
- name: tv
hostPath:
path: {{ .Values.dogstore }}/sonarr/data/library
path: /dogstore/sonarr/data/library
type: DirectoryOrCreate
---
apiVersion: v1
@ -70,3 +58,36 @@ spec:
ports:
- port: 6767
targetPort: 6767
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: bazarr-internal
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`bazarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: bazarr
port: 6767
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: bazarr-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`bazarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: bazarr
port: 6767
tls: {}

59
charts/media/templates/plex.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config
labels:
app: plex
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.plex.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: plex
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: plex
image: {{ .Values.plex.image }}
@ -61,15 +48,16 @@ spec:
mountPath: /data
volumes:
- name: config
persistentVolumeClaim:
claimName: plex-config
hostPath:
path: /plex/database
type: Directory
- name: transcode
hostPath:
path: {{ .Values.dogstore }}/plex/transcode
type: DirectoryOrCreate
path: /plex/transcode
type: Directory
- name: data
hostPath:
path: {{ .Values.dogstore }}
path: /dogstore
type: Directory
---
apiVersion: v1
@ -106,3 +94,36 @@ spec:
name: plex
port:
number: 32400
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: plex-internal
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`plex.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: plex
port: 32400
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: plex-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`plex.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: plex
port: 32400
tls: {}

53
charts/media/templates/prowlarr.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prowlarr-config
labels:
app: prowlarr
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.prowlarr.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: prowlarr
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: prowlarr
image: {{ .Values.prowlarr.image }}
@ -43,8 +30,9 @@ spec:
mountPath: /config
volumes:
- name: config
persistentVolumeClaim:
claimName: prowlarr-config
hostPath:
path: {{ .Values.serviceData }}/prowlarr/config
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
@ -58,3 +46,36 @@ spec:
ports:
- port: 9696
targetPort: 9696
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prowlarr-internal
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`prowlarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: prowlarr
port: 9696
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prowlarr-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`prowlarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: prowlarr
port: 9696
tls: {}

55
charts/media/templates/qbittorrent.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-config
labels:
app: qbittorrent
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.qbittorrent.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: qbittorrent
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: qbittorrent
image: {{ .Values.qbittorrent.image }}
@ -52,11 +39,12 @@ spec:
mountPath: /data
volumes:
- name: config
persistentVolumeClaim:
claimName: qbittorrent-config
hostPath:
path: {{ .Values.serviceData }}/qbittorrent/config
type: DirectoryOrCreate
- name: data
hostPath:
path: {{ .Values.dogstore }}/sonarr/data
path: /dogstore/sonarr/data
type: DirectoryOrCreate
---
apiVersion: v1
@ -80,3 +68,36 @@ spec:
port: 34034
targetPort: 34034
protocol: UDP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: qbittorrent-internal
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`qbittorrent.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: qbittorrent
port: {{ .Values.qbittorrent.webuiPort }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: qbittorrent-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`qbittorrent.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: qbittorrent
port: {{ .Values.qbittorrent.webuiPort }}
tls: {}

67
charts/media/templates/radarr.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radarr-config
labels:
app: radarr
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.radarr.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: radarr
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: radarr
image: {{ .Values.radarr.image }}
@ -45,11 +32,12 @@ spec:
mountPath: /data
volumes:
- name: config
persistentVolumeClaim:
claimName: radarr-config
hostPath:
path: {{ .Values.serviceData }}/radarr/config
type: DirectoryOrCreate
- name: data
hostPath:
path: {{ .Values.dogstore }}/sonarr/data
path: /dogstore/sonarr/data # Media
type: DirectoryOrCreate
---
apiVersion: v1
@ -65,22 +53,35 @@ spec:
- port: 7878
targetPort: 7878
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: radarr
name: radarr-internal
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
kubernetes.io/ingress.class: traefik-internal
spec:
rules:
- host: radarr.{{ .Values.domain }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr
port:
number: 7878
entryPoints:
- web
routes:
- match: Host(`radarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: radarr
port: 7878
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: radarr-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`radarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: radarr
port: 7878
tls: {}

59
charts/utils/templates/seerr.yaml → charts/media/templates/seerr.yaml
View File

@ -1,22 +1,10 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: seerr-config
labels:
app: seerr
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.seerr.storageSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: seerr
labels:
app: seerr
{{- include "media.labels" . | nindent 4 }}
spec:
replicas: 1
strategy:
@ -29,14 +17,15 @@ spec:
labels:
app: seerr
spec:
nodeSelector:
node-role.kubernetes.io/control-plane: "true"
containers:
- name: seerr
image: {{ .Values.seerr.image }}
ports:
- containerPort: 5055
env:
- name: TZ
value: {{ .Values.tz | quote }}
{{- include "media.commonEnv" . | nindent 12 }}
readinessProbe:
httpGet:
path: /api/v1/settings/public
@ -56,13 +45,16 @@ spec:
mountPath: /app/config
volumes:
- name: config
persistentVolumeClaim:
claimName: seerr-config
hostPath:
path: {{ .Values.dogboxServiceData }}/seerr/config
type: Directory
---
apiVersion: v1
kind: Service
metadata:
name: seerr
labels:
app: seerr
spec:
selector:
app: seerr
@ -89,3 +81,36 @@ spec:
name: seerr
port:
number: 5055
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: seerr-internal
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`seerr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: seerr
port: 5055
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: seerr-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`seerr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: seerr
port: 5055
tls: {}

67
charts/media/templates/sonarr.yaml Normal file → Executable file
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarr-config
labels:
app: sonarr
{{- include "media.labels" . | nindent 4 }}
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.sonarr.configSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,6 +17,7 @@ spec:
labels:
app: sonarr
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: sonarr
image: {{ .Values.sonarr.image }}
@ -45,11 +32,12 @@ spec:
mountPath: /data
volumes:
- name: config
persistentVolumeClaim:
claimName: sonarr-config
hostPath:
path: {{ .Values.serviceData }}/sonarr/config
type: DirectoryOrCreate
- name: data
hostPath:
path: {{ .Values.dogstore }}/sonarr/data
path: /dogstore/sonarr/data # TV + Movies Library
type: DirectoryOrCreate
---
apiVersion: v1
@ -65,22 +53,35 @@ spec:
- port: 8989
targetPort: 8989
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: sonarr
name: sonarr-internal
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
kubernetes.io/ingress.class: traefik-internal
spec:
rules:
- host: sonarr.{{ .Values.domain }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr
port:
number: 8989
entryPoints:
- web
routes:
- match: Host(`sonarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: sonarr
port: 8989
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: sonarr-internal-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`sonarr.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: sonarr
port: 8989
tls: {}

5
charts/media/templates/unpackerr.yaml Normal file → Executable file
View File

@ -17,6 +17,7 @@ spec:
labels:
app: unpackerr
spec:
{{- include "media.requireMacWorker" . | nindent 6 }}
containers:
- name: unpackerr
image: {{ .Values.unpackerr.image }}
@ -85,9 +86,9 @@ spec:
volumes:
- name: data
hostPath:
path: {{ .Values.dogstore }}/sonarr/data
path: /dogstore/sonarr/data
type: DirectoryOrCreate
- name: logs
hostPath:
path: {{ .Values.dogstore }}/logs/unpackerr
path: {{ .Values.serviceData }}/unpackerr/logs
type: DirectoryOrCreate

15
charts/media/values.yaml Normal file → Executable file
View File

@ -1,16 +1,15 @@
domain: ratboo.me
internalDomain: dog
certResolver: myresolver
tz: America/Los_Angeles
puid: "1000"
pgid: "1000"
dogstore: /dogstore
dogboxServiceData: /home/alvin/service-data
serviceData: /service-data
secretName: media-secrets
storageClass: longhorn
configStorageSize: 2Gi
plex:
image: plexinc/pms-docker:latest
advertiseIp: "https://plex.ratboo.me:443"
@ -18,24 +17,22 @@ plex:
sonarr:
image: ghcr.io/hotio/sonarr:latest
configSize: 2Gi
radarr:
image: ghcr.io/hotio/radarr:latest
configSize: 2Gi
bazarr:
image: lscr.io/linuxserver/bazarr:latest
configSize: 1Gi
prowlarr:
image: ghcr.io/hotio/prowlarr:latest
configSize: 1Gi
qbittorrent:
image: ghcr.io/hotio/qbittorrent:latest
configSize: 1Gi
webuiPort: 9191
unpackerr:
image: golift/unpackerr
seerr:
image: ghcr.io/seerr-team/seerr:latest

0
charts/metallb/Chart.lock Normal file → Executable file
View File

0
charts/metallb/Chart.yaml Normal file → Executable file
View File

7
charts/metallb/templates/pool.yaml Normal file → Executable file
View File

@ -3,7 +3,11 @@ apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: {{ .Values.pool.name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "0"
spec:
autoAssign: false
addresses:
{{- range .Values.pool.addresses }}
- {{ . }}
@ -13,6 +17,9 @@ apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: {{ .Values.pool.name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "1"
spec:
ipAddressPools:
- {{ .Values.pool.name }}

3
charts/metallb/values.yaml Normal file → Executable file
View File

@ -1,4 +1,5 @@
metallb:
loadBalancerClass: metallb
controller:
nodeSelector:
node-role.kubernetes.io/control-plane: "true"
@ -7,7 +8,7 @@ metallb:
effect: NoSchedule
pool:
enabled: false
enabled: true
name: internal
addresses:
- "10.0.1.250-10.0.1.250"

0
charts/paperless/Chart.yaml Normal file → Executable file
View File

32
charts/paperless/templates/paperless-ingressroute.yaml Executable file
View File

@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: paperless
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`paperless.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: paperless-webserver
port: 8000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: paperless-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`paperless.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: paperless-webserver
port: 8000
tls: {}

27
charts/paperless/templates/postgres.yaml Normal file → Executable file
View File

@ -1,16 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: paperless-postgres-data
labels:
app: paperless-postgres
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.postgres.storageSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -29,6 +16,13 @@ spec:
labels:
app: paperless-postgres
spec:
initContainers:
- name: fix-permissions
image: busybox
command: ["sh", "-c", "chown -R 999:999 /data"]
volumeMounts:
- name: data
mountPath: /data
containers:
- name: postgres
image: {{ .Values.postgres.image }}
@ -43,14 +37,15 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: POSTGRES_PASSWORD
key: PAPERLESS_DB_PASS
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
volumes:
- name: data
persistentVolumeClaim:
claimName: paperless-postgres-data
hostPath:
path: {{ .Values.dogstore }}/service-data/paperless/pgdata
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service

18
charts/paperless/templates/redis.yaml Normal file → Executable file
View File

@ -1,16 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: paperless-redis-data
labels:
app: paperless-redis
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.redis.storageSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -39,8 +26,9 @@ spec:
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: paperless-redis-data
hostPath:
path: {{ .Values.dogstore }}/service-data/paperless/redisdata
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service

0
charts/paperless/templates/webserver.yaml Normal file → Executable file
View File

6
charts/paperless/values.yaml Normal file → Executable file
View File

@ -1,4 +1,5 @@
domain: ratboo.me
internalDomain: dog
certResolver: myresolver
tz: America/Los_Angeles
puid: "1000"
@ -7,18 +8,15 @@ pgid: "1000"
dogstore: /dogstore
secretName: paperless-secrets
storageClass: longhorn
webserver:
image: ghcr.io/paperless-ngx/paperless-ngx:latest
csrfTrustedOrigins: "https://paperless.ratboo.me"
csrfTrustedOrigins: "https://paperless.ratboo.me,http://paperless.dog,https://paperless.dog"
redis:
image: docker.io/library/redis:7
storageSize: 1Gi
postgres:
image: docker.io/library/postgres:15
storageSize: 5Gi
database: paperless
user: paperless

0
charts/traefik-config/Chart.yaml Normal file → Executable file
View File

0
charts/traefik-config/templates/middleware-redirect.yaml Normal file → Executable file
View File

23
charts/traefik-config/templates/helmchartconfig.yaml → charts/traefik-config/templates/traefik-config.yaml Normal file → Executable file
View File

@ -5,9 +5,11 @@ metadata:
namespace: kube-system
spec:
valuesContent: |-
service:
spec:
loadBalancerClass: io.k3s.klipper
nodeSelector:
node-role.kubernetes.io/control-plane: "true"
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
logs:
general:
level: WARN
@ -21,7 +23,7 @@ spec:
websecure:
tls:
certResolver: {{ .Values.certResolver }}
certResolvers:
certificatesResolvers:
{{ .Values.certResolver }}:
acme:
email: {{ .Values.acmeEmail }}
@ -35,7 +37,12 @@ spec:
secretKeyRef:
name: {{ .Values.cloudflare.secretName }}
key: {{ .Values.cloudflare.secretKey }}
persistence:
enabled: true
storageClass: longhorn
size: 128Mi
deployment:
additionalVolumes:
- name: acme
hostPath:
path: /dogstore/service-data/.letsencrypt
type: Directory
additionalVolumeMounts:
- name: acme
mountPath: /letsencrypt

2
charts/traefik-config/values.yaml Normal file → Executable file
View File

@ -9,4 +9,4 @@ cloudflare:
secretKey: CF_DNS_API_TOKEN
letsencrypt:
storagePath: /data/acme.json
storagePath: /letsencrypt/acme.json

0
charts/traefik-internal/Chart.yaml Normal file → Executable file
View File

0
charts/traefik-internal/templates/tls-store.yaml Normal file → Executable file
View File

1
charts/traefik-internal/templates/traefik-internal.yaml Normal file → Executable file
View File

@ -82,6 +82,7 @@ metadata:
metallb.io/address-pool: internal
spec:
type: LoadBalancer
loadBalancerClass: metallb
loadBalancerIP: {{ .Values.loadBalancerIP }}
selector:
app: traefik-internal

0
charts/traefik-internal/values.yaml Normal file → Executable file
View File

2
charts/utils/Chart.yaml Normal file → Executable file
View File

@ -1,5 +1,5 @@
apiVersion: v2
name: utils
description: Utility services -- Zerobyte backup and Seerr media requests
description: Utility services -- Zerobyte backup
version: 0.1.0
type: application

32
charts/utils/templates/zerobyte-ingressroute.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: zerobyte
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`zerobyte.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: zerobyte
port: 4096
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: zerobyte-tls
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
routes:
- match: Host(`zerobyte.{{ .Values.internalDomain }}`)
kind: Rule
services:
- name: zerobyte
port: 4096
tls: {}

22
charts/utils/templates/zerobyte.yaml Normal file → Executable file
View File

@ -1,16 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: zerobyte-data
labels:
app: zerobyte
spec:
accessModes: [ReadWriteOnce]
storageClassName: {{ .Values.storageClass }}
resources:
requests:
storage: {{ .Values.zerobyte.storageSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -38,12 +25,12 @@ spec:
- name: TZ
value: {{ .Values.tz | quote }}
- name: BASE_URL
value: http://{{ .Values.hostIp }}:4096
value: http://zerobyte.dog
- name: APP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.zerobyte.secretName }}
key: APP_SECRET
key: ZEROBYTE_APP_SECRET
volumeMounts:
- name: data
mountPath: /var/lib/zerobyte
@ -52,8 +39,9 @@ spec:
readOnly: true
volumes:
- name: data
persistentVolumeClaim:
claimName: zerobyte-data
hostPath:
path: /home/alvin/service-data/zerobyte
type: DirectoryOrCreate
- name: localtime
hostPath:
path: /etc/localtime

6
charts/utils/values.yaml Normal file → Executable file
View File

@ -1,14 +1,10 @@
domain: ratboo.me
internalDomain: dog
certResolver: myresolver
tz: America/Los_Angeles
hostIp: "10.0.1.2"
storageClass: longhorn
zerobyte:
image: ghcr.io/nicotsx/zerobyte:v0.33
storageSize: 1Gi
secretName: zerobyte-secrets
seerr:
image: ghcr.io/seerr-team/seerr:latest
storageSize: 1Gi

6
scripts/bootstrap.sh
View File

@ -108,14 +108,16 @@ cmd_deploy() {
local charts_dir
charts_dir="$(cd "$(dirname "$0")/.." && pwd)/charts"
local -a chart_order=(traefik-config media paperless mealie dashboards utils)
local -a chart_order=(traefik-config media paperless mealie dashboards utils headlamp gitea)
local -A chart_ns=(
[traefik-config]=kube-system
[media]=media
[paperless]=paperless
[paperless]=apps
[mealie]=apps
[dashboards]=apps
[utils]=apps
[headlamp]=apps
[gitea]=apps
)
for chart in "${chart_order[@]}"; do

85
secrets/secrets.enc.yaml Normal file → Executable file
View File

@ -6,12 +6,12 @@
#ENC[AES256_GCM,data:y3lu8sygTZJ+TSJOyrFXShJGBu5gHYLT4A==,iv:xmugUAyc116U4nESzKAYcvz76BBGwHLK7HE61gnS2gE=,tag:1LTSMRi+Aat4hk2N7c+2gw==,type:comment]
#ENC[AES256_GCM,data:/ny7h4o0XSF1kROKuEUD9xrZJYOJ7mTZGIgTtIWHdclmdd9vYTLNl2+Hb9kHzCCWUgPXRg6pOww=,iv:47xT9Fct8sJrfIf8qRGD1xUTEkgdGf+KC9hWQ3XJG44=,tag:yix6VVO+g10cLbUwLWdTeA==,type:comment]
#ENC[AES256_GCM,data:du0a4InEiMTw4mg5EqVPpANM3j0FNpDSle2na/7Q0vM1Z4SE52Jvvz3ZIV99b1pY30QlFdnTGO/4grVJd7xiUYC5wCUNY/uGNYGX2HzOWZjByEb5p9VCOPS2Czl/pPGM9+9d08mn2u1Ww4Wt6a/hrFOUWQddjTNz7HwG66xT/YVTnCN++mTnkCbgQKIjV1YhpSQKWA5jNfgSqSVKwbEA60JvESavT51HSZnrAGKWIepaJc7S14jTp+tUdqA=,iv:SZKsksvhtXCcKByjV85stfmt/DGHSsSh+PTGuCfe874=,tag:IQWtYVrLFx8EfPtKb1tK9g==,type:comment]
apiVersion: ENC[AES256_GCM,data:3lY=,iv:MBpXRZ3rElkVBxAlvxmzORMCq0G87jB3Ik11tWMfz64=,tag:oPPwCxOiK3ePCWRhtHmN2w==,type:str]
kind: ENC[AES256_GCM,data:8+Toxlr5,iv:DTaS/GEKGLtZsHQBYTGaQZYSp9mr/A5Vbuqi7uq46rU=,tag:1YvMaF1/eLNkZv0F3Du0zA==,type:str]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:RgUAwk6jY7DHv+CbTtyXx5nzEQQ=,iv:FeAx14K1od0ehMnbcpnD4FW1bpEF/3M+dq8NGoJwTJA=,tag:SziXyyeAgShOgsandPQD7A==,type:str]
namespace: ENC[AES256_GCM,data:IgxkBPTfQ8rEWzA=,iv:56aP5rBeH9aupBi338/9r4fXZ1ova8ubO7N8elr2/qM=,tag:vfFTXJrQ2J5vln/rBGl/og==,type:str]
type: ENC[AES256_GCM,data:Efo/5l3N,iv:moQ775VrJkfQFO3YPM3ZT77i0IzcWy/G7b5E4/XOyJY=,tag:zfEMZgXgO+qMQIvPrLeMsA==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
CF_DNS_API_TOKEN: ENC[AES256_GCM,data:74wQ12RQ9M7BckVfPjbRUnEbeaFB0aOPIhZHrFo=,iv:SIS0dJBpXkcJLjqEGnM1mtD1CB76MN2rZObyG8bCVe4=,tag:Rac0lPa5J2JSkdKcVc1PtQ==,type:str]
sops:
@ -25,18 +25,18 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
#ENC[AES256_GCM,data:ibx/1sx8LotfzeKT/rRsedIOoYD+F6aXbrA3QEqjfSrFAXWchGiLX9ddAY0q0DOGi7tFcty1rwWUj1Iiy+vd88zZDRhLSVgs0hIdqqPaHVubOWA7gAmxvZdb1faLU4cOAe7gL9bUdaBlGzQKat6miytnWBXL8qidoFl/Ps1wNNDXRBpe+TsQfVAp5T5jirq35s7GTeXUbQO3bNkKx/ZNHmV7ASctKeRv5TLuAJIwyU6UIGSSnx6Sdr43mZlm6iJjdoT6jQxeH7yB1Gut7g==,iv:wAtBwQNTI56JLHISsA1W00M3X+v6R6vEkNK1SVULsTg=,tag:Jk/4OdnXyV6/5VwFcXpX/A==,type:comment]
apiVersion: ENC[AES256_GCM,data:jNM=,iv:dt+kXGEjK6yS09KRE5I3uAXNLGN05RbO0GyjNTHYHtk=,tag:7z93Yh4m2SpZLHdxVIr1hw==,type:str]
kind: ENC[AES256_GCM,data:ORSVG3Tn,iv:gqhsNppUalHTDcKa7q/P3TR5t4VZC1gLc2MgY8V6xEw=,tag:vr764iOVWPJujZd4rxRYKA==,type:str]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:1ngffZeDVnrLbux2pg==,iv:OXYS/A5PBvmIVw5qDu+Um7J/JhM8shVfP3KDIXNBCU0=,tag:wfmayiCBy22O+WIPBC3PPQ==,type:str]
namespace: ENC[AES256_GCM,data:xCM+W3I=,iv:0KLfoYx8Q+NVsm84KZX3tClbWdwuTpI6/pD7HQMK3Fk=,tag:hSFwqHfnHWOPvesUhWyo+Q==,type:str]
type: ENC[AES256_GCM,data:K3TlGbY8,iv:ZKm+PyQ4IAP0K1ymcMvWPOEUgUGzH93UkmH+rheJk7A=,tag:8tMEVI895tOOt8/tjiKRuw==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
PLEX_CLAIM: ENC[AES256_GCM,data:A+dwGU//qfy6sBoww5c36xs2WcwdbQY=,iv:S6wOadxaC4ITyZN/7u5Lcu8AeBFdQLRqRlCHH3oSj28=,tag:hlNKdZGzURuFgcSrUrZyJA==,type:str]
SONARR_API_KEY: ENC[AES256_GCM,data:VvU91ZNxv6tauBEyK9j8THxT8zw0mTLEmTTSRgYDEek=,iv:DZr5JL9T4f7XwQ03jkwVKfWA/xyAZlo4f/BKAzIIsQo=,tag:mCh8ExJvuoltcMlzAk6jpw==,type:str]
@ -52,18 +52,18 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
#ENC[AES256_GCM,data:rmGnwFT8rj+qcuyiuf4VdY5KJP5m4bMt9a1znHpQ+uYyrfzNoAH0eqn6yHMB3xAwFJtFOkzEdd0E1PaL5C30UbqtpwDNyzD0QYipIwDkQBGwRnkXXI8xw1ftE1zHcFWnPmnSH70hCJa+/Xu425pIyJeVlJhUqoOGkG5/gV0DQoVMnJXFXnh5a64Ggv7UzB92o9/iyUFMgi/7j4ePNQCc7Um1VePXc5mkRl8cQBbvwAgyMZo+IxDJ8hpS2HgbRGey5/RAxaDvRbwkyRU=,iv:Cl77wg8+J3D6QrIgbjRS/lzbJLf2qGkK/AtnIOoKG+E=,tag:m4TfMvHm5W612rrJJ+ytkA==,type:comment]
apiVersion: ENC[AES256_GCM,data:fyA=,iv:lkH+XfaHDNUNE3+oUW5lkA3ev0AEQZGe2y/J5H5G4AI=,tag:QCGr4Ia7Ea+CRWWoWSFaug==,type:str]
kind: ENC[AES256_GCM,data:GS9uiEv6,iv:9VAdvjoF7thUVtJRpyaDnBOVlZ9so1p5f4iaw1WxJ0w=,tag:gDCWZfn4zCdyRdMup9Vs3Q==,type:str]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:XLV37KdISRoLUp4yo44=,iv:Hb2AQVYhhu5erfg+41edOfB4cT6O6e2k1ytEixVaZDk=,tag:2qP4C7sxSdkdnsTVRhsXcg==,type:str]
namespace: ENC[AES256_GCM,data:S/sYVQ==,iv:SuUw6GPbT7YF66+O2w8al89NcJBr3oi8C12nZIbNWWc=,tag:NBVJrXnAhVJqx325MQnOTQ==,type:str]
type: ENC[AES256_GCM,data:suP66pVq,iv:RrLuX+MOixEaR3iw4EMBCqkT03TW3xvmzdXsTf8kl2c=,tag:Id8xGXmFcmN+gYyZsohp3g==,type:str]
namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
OPENAI_API_KEY: ENC[AES256_GCM,data:1QtOURL+C0DcB4AQhvmQP2PqeNQm2VQWTr/alY4FQzbhCnpxSFLS,iv:hy+a7cAcUNYr1XkKK1JoG8imjh5kT7B2tr5FWfHgAds=,tag:72zQFszAQpPEzZ0v24V5yg==,type:str]
sops:
@ -77,18 +77,18 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
#ENC[AES256_GCM,data:3I2e5Uv2dvWtDWXnVh0AULaS9z2Pcd/iUHjvycTsfxhDpzEJfc0a0dISctuLpELEyBv1PtYemFZ/XeTqGJswTF4vvzM7UL6scPezIm674aOtjVqPj7/C3nQgfnuY1qgVY7duawWZeaozf8hBKef1JJ1qR1T3Mati3YBIaw3fp1qjYyKo47/F19UT/qtL6mlu8CE3/zIVbzZGsKwfqhYf6oLg2I7aNlvJ0/yWz8RSjwmtWj8WzUD1wZh+DnFRiTlbE+kLdgw=,iv:i+4OhA58TOv1pzPInqu9qi9zunYzpNbvHrELXVsXis8=,tag:XJyBP8nci2u5X7THGox3CQ==,type:comment]
apiVersion: ENC[AES256_GCM,data:RdI=,iv:YlI7VI5Tk6f99ZhiJEI/LaGgmYejt6/8k0wo+n8G19E=,tag:WY473Ft6vXo0NkpGlnGq/w==,type:str]
kind: ENC[AES256_GCM,data:5fh5Zy1D,iv:1qApXn+j2LFNs1fzrH8j6M84espcQz4cHwquEmsHDSU=,tag:MnWyue/omxF6Emrpsz9eEw==,type:str]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:ZYLasrZQ1Bu0jcLbRQjmjCo=,iv:O0uBw2j+X0CPaUkYQvnTVRgl9nNZBDF058/hZB/WFwY=,tag:xuwCgyi5VT9enQ3HlYzW1g==,type:str]
namespace: ENC[AES256_GCM,data:Xr9+LDzWK7z+,iv:6iXdpkcUho23jU2BZLHKkxONTtQIYkZem9NVlyB/Ltk=,tag:3wV3EMtmqXr0yTUcfbqxCA==,type:str]
type: ENC[AES256_GCM,data:+5bc8NF8,iv:JpVUvDJZdk++m1K5pyuPTF1p17X62Mlwv6GKK9Hqoz8=,tag:Kdihg3qXXHD0ieypkcvWSg==,type:str]
namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
PAPERLESS_DB_PASS: ENC[AES256_GCM,data:5/oF170q34nO,iv:y09u1KOZaIoUNtDog0sEbkj5gKD8C3JQyvNDSy0ElkI=,tag:WvIMb0Z0l7XXC6wB59ZTtg==,type:str]
sops:
@ -102,18 +102,18 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
#ENC[AES256_GCM,data:txDOIoubztyTgbgUC4MMNxNIwDkjtF/m+H5YAZ6hdaHTCBjVZSVKhHjYJzLFPeHE2EL02SEgJaXSkyF0bWwWw/QfR/yCkiGPdZ0fAFDKtJJBtITkM4O5rwRCTEXsQXleWK5NM6M55s5ElWIlBE//uLt2+hPlDQv26EOwwAa9I7kW2bUPDGvYNJVc7mJSfjMQb6aOx1MzrA+PUryeBVdK0xdmBmiQaZyGC0MexEjBwAycVnCM,iv:u4rMeGWy1J779Z7JNFvWTsxDREbTWAS+bXFxQhPTyGA=,tag:mVoS7lSVAHcqPcQ6iqhjvA==,type:comment]
apiVersion: ENC[AES256_GCM,data:JGU=,iv:vr1Lkm9BBG2u8Ay0PGAIMTYUUKhMHIho3mVP1lY6it0=,tag:12JH+n4nUsYqmiy1+CnwfA==,type:str]
kind: ENC[AES256_GCM,data:VLdoeXnN,iv:eH+/KpTMtpclAxFnjX5mXxkF73HUMJlskNSS/iW+g+U=,tag:NE/Xdc9qsfFmXAyZ4y+3HQ==,type:str]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:dKvmrGqwCK+KvfdBxcs=,iv:3B71qX/mVAJGMcKlxTrnfub3rp/o7PJ+mquxo+V6svY=,tag:gnvbDBvZexdbOHkQQNUInw==,type:str]
namespace: ENC[AES256_GCM,data:93lKXQ==,iv:TQq2ZC7l1uQBc0FNRg6sQRfLuLIokQHpgAzRTcFmGsE=,tag:Mv+ih+YMDfYIihWNgnztow==,type:str]
type: ENC[AES256_GCM,data:Ep25FUNF,iv:ZCzL99uhG0SYRXlu9j3GmgWtIxcfe6C9lEkP5EFr6SY=,tag:ANEtn7vXJisqoUlX7rEBAQ==,type:str]
namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
ADGUARD_PASSWORD: ENC[AES256_GCM,data:Keh2GHhvfSyp9Q==,iv:bJ2CdmjqMZUSVw2T1jerqT1gkiP6k+aL9VyGCVJ10wI=,tag:cfR6jRn6NyrZ3/2WM5SdKg==,type:str]
sops:
@ -127,8 +127,8 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
@ -152,7 +152,32 @@ sops:
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-19T21:05:51Z"
mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
---
#ENC[AES256_GCM,data:nMA2+3xncC8MS36NjOh8hFQazy+v/nGIFIqSbnSFd/YtVOUsAPW46GMZrz6x0rrw4aCM5+E0j/nj9qhgNh3br2krltR5Owl0eNwn+xR36C5aPNgHdwtkVRtHPnv+j+d3nGKbgEvrvCpT83PDEdb2clt2ajrxffrrE3pGu2HDB4T2ogidDXFsl6i8bMxo/1zDYUoGS587aH93USGZ+s5BmHOlRVAg3W+Xg5FqepggiwJzSfvguIQtpH65JDmcuEjiwFvTbB3+WqHhWSJ5NQ==,iv:5Try5OdOks3JKpQ6A1wAS4wfwBcoBnqJAJGJ0pmdjZw=,tag:3/n5Uxf+zBLed0KhT4YvMg==,type:comment]
apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
metadata:
name: ENC[AES256_GCM,data:NXxSRxqzrL1BsWku/g==,iv:xCfwy3bNxd0wDyVEyWa6bgdcxZDIws+fdHPqUCNzMAs=,tag:xoFYlZ63vs8qdIC1XjObFw==,type:str]
namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
stringData:
GITEA_DB_PASS: ENC[AES256_GCM,data:NcCI1tJCZEGLzE/Gj39zUPUVUWG65kWz7+/vk24TxgM=,iv:oXMBDmaPOoZiw9B9PKjCyRdON0jJaA0l6MBLrpEtdmU=,tag:1HzvvmvSOgkcWcl+Uy+dOQ==,type:str]
sops:
age:
- recipient: age12gv2cu66v80khwse5jgwcaukf3juvufkm2kw507gfnvecdpwt3hsjra7te
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWFcrTlYrOW1Tb0xGUmVS
Q3VPb3VPMS9hRWQ4aDQzRGtFTXp4SU90YWlrCng5NkN3TUFEUGIrWkRCK1NMeVND
Z2RwV0JKVnRTMWUvWlpDRzhBQWtsNVkKLS0tIHZ2NkZaVTJSaE1vTjVVMXhzTmYz
eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-22T23:40:49Z"
mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2

6
tasks.TODO Normal file
View File

@ -0,0 +1,6 @@
[] Backup zerobyte restic
[] setup litestream vs litefs https://chatgpt.com/c/69e93964-aa84-83ea-83f1-2cbd0125b748
[]
migrate sqllite to postgres
add gitea