feat: revamp and use single namespace and update to latest versions

2025-09-21 17:53:34 +05:00
parent 9b0434721b
commit cc90d7793a
18 changed files with 277 additions and 194 deletions


@@ -1,17 +1,86 @@
global:
addPrometheusAnnotations: true
securityContext:
runAsUser: 1000
fsGroup: 1000
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secret-key
key: password
- name: AUTHENTIK_EMAIL__USERNAME
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-username
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-password
- name: AUTHENTIK_EMAIL__FROM
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-username
- name: AUTHENTIK_EMAIL__USE_TLS
value: "true"
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-postgres
key: username
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-postgres
key: database
- name: AUTHENTIK_POSTGRESQL__SSLMODE
value: verify-full
- name: AUTHENTIK_POSTGRESQL__SSLROOTCERT
value: "/opt/authentik/certs/ca.crt"
- name: AUTHENTIK_POSTGRESQL__SSLCERT
value: "/opt/authentik/certs/tls.crt"
- name: AUTHENTIK_POSTGRESQL__SSLKEY
value: "/opt/authentik/certs/tls.key"
- name: AUTHENTIK_REDIS__PASSWORD
valueFrom:
secretKeyRef:
name: valkey
key: password
volumes:
- name: ssl-bundle
projected:
sources:
- secret:
name: authentik-client-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
mode: 0600
- secret:
name: postgres-server-cert
items:
- key: ca.crt
path: ca.crt
volumeMounts:
- name: ssl-bundle
mountPath: /opt/authentik/certs
readOnly: true
authentik:
secret_key: "c8cc2e4a498c697a0443d96b31fe042c69c2158dc8bfb3da3878d1dbfbe6128e"
error_reporting:
enabled: false
email:
host: "smtp.protonmail.ch"
port: 587
postgresql:
host: postgres-cluster-rw.postgres-system.svc.cluster.local
user: file:///postgres-creds/username
password: file:///postgres-creds/password
host: postgres-cluster-rw
redis:
host: redis-master.redis-system.svc.cluster.local
password: file:///redis-creds/password
host: valkey
server:
replicas: 3
@@ -21,45 +90,20 @@ server:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
ingressClassName: nginx-internal
https: true
hosts:
- auth.dogar.dev
- auth.rihla.digital
tls:
- secretName: authentik-tls
hosts:
- auth.dogar.dev
- auth.rihla.digital
volumes:
- name: postgres-creds
secret:
secretName: authentik-postgres
- name: redis-creds
secret:
secretName: authentik-redis
volumeMounts:
- name: postgres-creds
mountPath: /postgres-creds
readOnly: true
- name: redis-creds
mountPath: /redis-creds
readOnly: true
worker:
replicas: 3
volumes:
- name: postgres-creds
secret:
secretName: authentik-postgres
- name: redis-creds
secret:
secretName: authentik-redis
volumeMounts:
- name: postgres-creds
mountPath: /postgres-creds
readOnly: true
- name: redis-creds
mountPath: /redis-creds
readOnly: true
postgresql:
enabled: false
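Review bot: `AUTHENTIK_POSTGRESQL__SSLMODE: verify-full` in the first hunk makes the client check the server certificate's name against the connection host, and that host is now the short service name `postgres-cluster-rw`; the server certificate anchored by `ca.crt` from `postgres-server-cert` must carry that short name as a SAN (not only the former `postgres-cluster-rw.postgres-system.svc.cluster.local`), otherwise every connection is refused at startup — that is inferred from the visible values, so confirm against the issued certificate before rollout. The global pod `securityContext` sets `runAsUser`/`fsGroup` but not `runAsNonRoot: true`; adding it has the kubelet enforce the non-root intent instead of relying on the image. If the `secret_key` literal under `authentik:` survives on the new side it duplicates `AUTHENTIK_SECRET_KEY` from the `authentik-secret-key` secret and keeps a credential in version control; it should be removed and the key rotated. The `server:` mapping continues past the end of the first hunk.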


@@ -3,7 +3,7 @@ provider: pihole
policy: upsert-only
txtOwnerId: "homelab"
pihole:
server: http://pihole-web.pihole-system.svc.cluster.local
server: http://pihole-web
extraEnvVars:
- name: EXTERNAL_DNS_PIHOLE_PASSWORD
valueFrom:


@@ -1,22 +1,34 @@
global:
storageClass: longhorn-crypto
image:
rootless: false
service:
http:
annotations:
metallb.universe.tf/allow-shared-ip: gitea
port: 443
targetPort: 443
ssh:
annotations:
metallb.universe.tf/allow-shared-ip: gitea
ingress:
enabled: true
className: nginx-internal
annotations:
kubernetes.io/ingress.class: nginx-internal
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
hosts:
- host: git.dogar.dev
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-http
port:
number: 443
tls:
- secretName: gitea-tls
hosts:
@@ -37,19 +49,23 @@ gitea:
ENABLE_GZIP: true
LFS_START_SERVER: true
SSH_DOMAIN: git.dogar.dev
HTTP_PORT: 443
PROTOCOL: https
CERT_FILE: /opt/gitea/tls/cert.pem
KEY_FILE: /opt/gitea/tls/key.pem
database:
DB_TYPE: postgres
HOST: postgres-cluster-rw.postgres-system.svc.cluster.local:5432
HOST: postgres-cluster-rw
NAME: gitea
USER: gitea
SSL_MODE: require
cache:
ADAPTER: memcache
HOST: memcached.memcached-system.svc.cluster.local:11211
ADAPTER: memory
session:
PROVIDER: db
PROVIDER_CONFIG: ""
queue:
TYPE: redis
TYPE: channel
lfs:
STORAGE_TYPE: local
service:
@@ -69,27 +85,76 @@ gitea:
iconUrl: "https://goauthentik.io/img/icon.png"
scopes: "email profile"
additionalConfigFromEnvs:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: gitea-postgres
key: password
- name: GITEA__QUEUE__CONN_STR
valueFrom:
secretKeyRef:
name: gitea-redis
key: password
- name: GITEA__MAILER__PASSWD
valueFrom:
secretKeyRef:
name: smtp-token
key: password
key: gitea-password
livenessProbe:
enabled: true
tcpSocket:
port: 443
readinessProbe:
enabled: true
tcpSocket:
port: 443
startupProbe:
enabled: true
tcpSocket:
port: 443
persistence:
enabled: true
storageClass: longhorn-crypto
accessModes:
- ReadWriteMany
deployment:
env:
- name: PGSSLMODE
value: verify-full
- name: PGSSLROOTCERT
value: /opt/gitea/.postgresql/root.crt
- name: PGSSLCERT
value: /opt/gitea/.postgresql/postgresql.crt
- name: PGSSLKEY
value: /opt/gitea/.postgresql/postgresql.key
extraVolumes:
- name: ssl-bundle
projected:
sources:
- secret:
name: gitea-client-cert
items:
- key: tls.crt
path: postgresql.crt
- key: tls.key
path: postgresql.key
mode: 0600
- secret:
name: postgres-server-cert
items:
- key: ca.crt
path: root.crt
- name: tls-bundle
projected:
sources:
- secret:
name: gitea-tls
items:
- key: tls.crt
path: cert.pem
- key: tls.key
path: key.pem
extraInitVolumeMounts:
- name: ssl-bundle
mountPath: /opt/gitea/.postgresql
readOnly: true
extraContainerVolumeMounts:
- name: ssl-bundle
mountPath: /opt/gitea/.postgresql
readOnly: true
- name: tls-bundle
mountPath: /opt/gitea/tls
readOnly: true
postgresql-ha:
enabled: false
redis-cluster:
valkey-cluster:
enabled: false
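Review bot: `SSL_MODE: require` under the `database` config (second hunk) and `PGSSLMODE: verify-full` in `deployment.env` (third hunk) disagree; `require` encrypts but verifies neither the CA nor the hostname, and if Gitea passes `sslmode` explicitly in its DSN that value is expected to win over the `PG*` environment, so the mounted `root.crt` and client certificate may never be enforced. Change the config line to `SSL_MODE: verify-full` so both paths agree. `image.rootless: false` in the first hunk looks tied to binding `HTTP_PORT: 443` inside the container; keeping the rootless image on an unprivileged port and letting the Service map `port: 443` to that `targetPort` avoids running Gitea as root. Also `tls-bundle` projects `key.pem` without a `mode`, unlike `ssl-bundle`'s `mode: 0600` for `postgresql.key`; setting `mode: 0600` there keeps the serving private key from being world-readable inside the container.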


@@ -1,8 +1,10 @@
defaultSettings:
backupTarget: "s3://homelab-backups@apac/longhorn"
backupTargetCredentialSecret: longhorn-backup
defaultReplicaCount: 2
storageOverProvisioningPercentage: 100
backupCompressionMethod: "gzip"
backupConcurrentLimit: 4
defaultBackupStore:
backupTarget: "s3://homelab@auto/longhorn"
backupTargetCredentialSecret: cloudflare-token
metrics:
serviceMonitor:
enabled: true
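Review bot: `defaultBackupStore.backupTargetCredentialSecret: cloudflare-token` gives the Longhorn manager whatever that secret holds; if it is the same secret the `cloudflare-issuer` DNS01 solver referenced elsewhere in this commit uses, a compromise of Longhorn also yields control of the DNS zone. A dedicated secret scoped to the backup bucket (Longhorn reads the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` style keys) keeps the two blast radii separate. A comment above the key such as `# bucket-scoped backup credentials only; not shared with DNS automation` would make the intended scoping visible. Whether the old `defaultSettings.backupTarget*` keys still exist on the new side is not visible here; if they do, they now disagree with `defaultBackupStore` and should go.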


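--- a/[deleted-file-path-not-shown]
+++ /dev/null
@@ -1,11 +0,0 @@
-containerSecurityContext:
-readOnlyRootFilesystem: false
-service:
-annotations:
-external-dns.alpha.kubernetes.io/hostname: memcached.dogar.dev
-metrics:
-enabled: true
-serviceMonitor:
-enabled: true
-interval: 10s
-scrapeTimeout: 10s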


@@ -6,12 +6,6 @@ controller:
controllerValue: "k8s.io/ingress-nginx"
parameters: {}
ingressClass: nginx-internal
service:
annotations:
external-dns.alpha.kubernetes.io/hostname: "postgres.dogar.dev"
tcp:
22: "gitea-system/gitea-ssh:22"
5432: "postgres-system/postgres-cluster-rw:5432"
6379: "redis-system/redis-master-0:6379"
11211: "memcached-system/memcached:11211"
35432: "rihla/postgres-cluster-rw:5432"
22: "homelab/gitea-ssh:22"
25565: "minecraft/monifactory-server:25565"
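Review bot: the `tcp` entries `22` and `25565` are raw L4 passthrough on the controller, so none of the TLS, redirect or auth annotations used on the HTTP ingresses apply to them; `minecraft/monifactory-server:25565` and `homelab/gitea-ssh:22` are reachable by anyone who can reach the controller's address, and each backend has to enforce its own authentication. Dropping the `5432`/`6379`/`11211`/`35432` exposures is the right direction. A comment above the map, such as `# L4 passthrough: the controller adds no TLS or auth here; backends must authenticate themselves`, would record that for the next edit. Worth confirming the `minecraft` namespace still exists after the single-namespace move, since the controller cannot proxy to a Service it cannot resolve.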


@@ -3,8 +3,6 @@ DNS1:
1.1.1.1
DNS2:
1.0.0.1
nodeSelector:
pihole: "true"
admin:
enabled: true
existingSecret: pihole-admin
@@ -30,19 +28,16 @@ ingress:
serviceWeb:
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
type: LoadBalancer
loadBalancerIP: 192.168.18.250
type: ClusterIP
https:
enabled: false
serviceDns:
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
type: LoadBalancer
loadBalancerIP: 192.168.18.250
serviceDhcp:
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
enabled: true
type: LoadBalancer
loadBalancerIP: 192.168.18.250
enabled: false
probes:
liveness:
enabled: false
@@ -55,7 +50,6 @@ dnsmasq:
- dhcp-host=B0:41:6F:0F:A0:CD,192.168.18.12,homelab-2
hostNetwork: true
hostname: pihole
privileged: true
capabilities:
add:
- NET_ADMIN
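Review bot: dropping `privileged: true` while keeping only `NET_ADMIN` is the right narrowing, but `hostNetwork: true` two lines above means the web UI is still bound on the node's own interfaces, so switching `serviceWeb.type` to `ClusterIP` in the second hunk does not change where the admin login is reachable from; with `https.enabled: false` the password from `pihole-admin` crosses the LAN in clear. If the UI is meant to be cluster-internal, bind the web listener to a non-host address or front it with the TLS ingress this file already configures, and note the residual exposure with a comment beside `hostNetwork: true` such as `# hostNetwork: web UI listens on node interfaces regardless of Service type`. That inference rests on the visible keys only; confirm against the chart's listener defaults.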


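--- a/[deleted-file-path-not-shown]
+++ /dev/null
@@ -1,23 +0,0 @@
-architecture: standalone
-auth:
-enabled: true
-sentinel: true
-existingSecret: redis
-existingSecretPasswordKey: password
-master:
-persistence:
-enabled: false
-service:
-type: LoadBalancer
-annotations:
-external-dns.alpha.kubernetes.io/hostname: redis.dogar.dev
-replica:
-replicaCount: 0
-persistence:
-enabled: false
-sentinel:
-enabled: false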