infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

Compare commits

base: infra:c20c662fe040be2bc7674e15018cd65a001ad23f
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets
..
compare: infra:9414a6b524b0403a0abe85e632bfaf1dcd49e985
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets

1 Commits
c20c662fe0 ... 9414a6b524

Author SHA1 Message Date
bot 9414a6b524 firefly-iii: Update to 6.3.2 2025-09-06 11:32:13 +00:00
31 changed files with 370 additions and 1026 deletions
Show Stats Expand all files Collapse all files

7
20125/config.yml
View File

@ -85,10 +85,3 @@ applications:
url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
alerts: alerts:
- instance: *url5 - instance: *url5
- name: Music Assistant
url: &url6 https://music.pyrocufflink.blue/
icon:
url: https://music.pyrocufflink.blue/apple-touch-icon.png
alerts:
- instance: *url6

16
argocd/applications/csi-synology.yaml
View File

@ -1,16 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: csi-synology
namespace: argocd
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: democratic-csi
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master
syncPolicy:
automated:
prune: true

6
authelia/authelia.yaml
View File

@ -127,10 +127,9 @@ spec:
tls: tls:
- hosts: - hosts:
- auth.pyrocufflink.blue - auth.pyrocufflink.blue
- auth.pyrocufflink.net
rules: rules:
- host: auth.pyrocufflink.blue - host: auth.pyrocufflink.blue
http: &http http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@ -139,5 +138,4 @@ spec:
name: authelia name: authelia
port: port:
name: http name: http
- host: auth.pyrocufflink.net
http: *http

2
authelia/configuration.yml
View File

@ -189,8 +189,6 @@ session:
cookies: cookies:
- domain: pyrocufflink.blue - domain: pyrocufflink.blue
authelia_url: 'https://auth.pyrocufflink.blue' authelia_url: 'https://auth.pyrocufflink.blue'
- domain: pyrocufflink.net
authelia_url: 'https://auth.pyrocufflink.net'
server: server:
buffers: buffers:

17
cert-manager/cert-exporter.config.yml Normal file
View File

@ -0,0 +1,17 @@
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem

78
cert-manager/cert-exporter.yaml Normal file
View File

@ -0,0 +1,78 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-exporter
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-exporter
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
resourceNames:
- pyrocufflink-cert
- dustinandtabitha-cert
- hlc-cert
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-exporter
subjects:
- kind: ServiceAccount
name: cert-exporter
namespace: cert-manager
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: cert-exporter
namespace: cert-manager
spec:
timeZone: America/Chicago
schedule: '27 9,20 * * *'
jobTemplate: &jobtemplate
spec:
template:
spec:
containers:
- image: git.pyrocufflink.net/containerimages/cert-exporter
name: cert-exporter
volumeMounts:
- mountPath: /etc/cert-exporter/config.yml
name: config
subPath: config.yml
readOnly: true
- mountPath: /home/cert-exporter/.ssh/id_ed25519
name: sshkeys
subPath: cert-exporter.pem
readOnly: true
- mountPath: /etc/ssh/ssh_known_hosts
name: sshkeys
subPath: ssh_known_hosts
readOnly: true
securityContext:
fsGroup: 1000
serviceAccount: cert-exporter
volumes:
- name: config
configMap:
name: cert-exporter
- name: sshkeys
secret:
secretName: cert-exporter-sshkey
defaultMode: 00440
restartPolicy: Never

48
cert-manager/certificates.yaml
View File

@ -16,3 +16,51 @@ spec:
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dustinandtabitha-cert
spec:
secretName: dustinandtabitha-cert
dnsNames:
- dustinandtabitha.com
- '*.dustinandtabitha.com'
- dustinandtabitha.xyz
- '*.dustinandtabitha.xyz'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hlc-cert
spec:
secretName: hlc-cert
dnsNames:
- hatchlearningcenter.org
- '*.hatchlearningcenter.org'
- hatchlearningcenter.com
- '*.hatchlearningcenter.com'
- hlckc.org
- '*.hlckc.org'
- hlckc.com
- '*.hlckc.com'
- hlcks.org
- '*.hlcks.org'
- hlcks.com
- '*.hlcks.com'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

2
cert-manager/jenkins.yaml
View File

@ -11,6 +11,8 @@ rules:
- get - get
resourceNames: resourceNames:
- pyrocufflink-cert - pyrocufflink-cert
- dustinandtabitha-cert
- hlc-cert
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

15
cert-manager/kustomization.yaml
View File

@ -5,10 +5,19 @@ resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
- cluster-issuer.yaml - cluster-issuer.yaml
- certificates.yaml - certificates.yaml
- cert-exporter.yaml
- dch-ca-issuer.yaml - dch-ca-issuer.yaml
- secrets.yaml - secrets.yaml
- jenkins.yaml - jenkins.yaml
configMapGenerator:
- name: cert-exporter
namespace: cert-manager
files:
- config.yml=cert-exporter.config.yml
options:
disableNameSuffixHash: True
secretGenerator: secretGenerator:
- name: zerossl-eab - name: zerossl-eab
namespace: cert-manager namespace: cert-manager
@ -17,6 +26,12 @@ secretGenerator:
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
- name: cert-exporter-sshkey
namespace: cert-manager
files:
- cert-exporter.pem
- ssh_known_hosts
- name: cloudflare - name: cloudflare
namespace: cert-manager namespace: cert-manager
files: files:

2
democratic-csi/.gitignore vendored
View File

@ -1,2 +0,0 @@
synology.password
synology-iscsi-chap.yaml

385
democratic-csi/democratic-csi.yaml
View File

@ -1,385 +0,0 @@
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-node
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
serviceAccount: csi-synology-democratic-csi-node-sa
priorityClassName: system-node-critical
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
hostAliases: []
hostIPC: true
hostPID: false
containers:
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=info
- --csi-mode=node
- --server-socket=/csi-data/csi.sock.internal
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
privileged: true
env:
- name: CSI_NODE_ID
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
terminationMessagePath: /tmp/termination-log
terminationMessagePolicy: File
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
- name: iscsi-dir
mountPath: /etc/iscsi
mountPropagation: Bidirectional
- name: iscsi-info
mountPath: /var/lib/iscsi
mountPropagation: Bidirectional
- name: modules-dir
mountPath: /lib/modules
readOnly: true
- name: localtime
mountPath: /etc/localtime
readOnly: true
- name: udev-data
mountPath: /run/udev
- name: host-dir
mountPath: /host
mountPropagation: Bidirectional
- mountPath: /sys
name: sys-dir
- name: dev-dir
mountPath: /dev
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
args:
- --v=5
- --csi-address=/csi-data/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
livenessProbe:
exec:
command:
- /csi-node-driver-registrar
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
- --mode=kubelet-registration-probe
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: registration-dir
mountPath: /registration
- name: kubelet-dir
mountPath: /var/lib/kubelet
- name: cleanup
image: docker.io/busybox:1.37.0
command:
- /bin/sh
args:
- -c
- |-
sleep infinity &
trap 'kill !$' INT TERM
wait
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
volumeMounts:
- name: plugins-dir
mountPath: /plugins
- name: registration-dir
mountPath: /registration
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
type: DirectoryOrCreate
- name: plugins-dir
hostPath:
path: /var/lib/kubelet/plugins
type: Directory
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: iscsi-dir
hostPath:
path: /etc/iscsi
type: Directory
- name: iscsi-info
hostPath:
path: /var/lib/iscsi
- name: dev-dir
hostPath:
path: /dev
type: Directory
- name: modules-dir
hostPath:
path: /lib/modules
- name: localtime
hostPath:
path: /etc/localtime
- name: udev-data
hostPath:
path: /run/udev
- name: sys-dir
hostPath:
path: /sys
type: Directory
- name: host-dir
hostPath:
path: /
type: Directory
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
serviceAccount: csi-synology-democratic-csi-controller-sa
priorityClassName: system-cluster-critical
hostNetwork: false
dnsPolicy: ClusterFirst
hostAliases: []
hostIPC: false
containers:
- name: external-attacher
image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: external-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --extra-create-metadata
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: external-resizer
image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --workers=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
# https://github.com/kubernetes-csi/external-snapshotter
# beware upgrading version:
# - https://github.com/rook/rook/issues/4178
# - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
- name: external-snapshotter
image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=debug
- --csi-mode=controller
- --server-socket=/csi-data/csi.sock.internal
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
volumes:
- name: socket-dir
emptyDir: {}
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: org.democratic-csi.iscsi-synology
labels:
app.kubernetes.io/name: democratic-csi
spec:
attachRequired: true
podInfoOnMount: true

93
democratic-csi/driver-config-file.yaml
View File

@ -1,93 +0,0 @@
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
allowInsecure: true
# should be uniqe across all installs to the same nas
session: "democratic-csi"
serialize: true
# Choose the DSM volume this driver operates on. The default value is /volume1.
# synology:
# volume: /volume1
iscsi:
targetPortal: "server[:port]"
# for multipath
targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
# leave empty to omit usage of -I with iscsiadm
interface: ""
# can be whatever you would like
baseiqn: "iqn.2000-01.com.synology:csi."
# MUST ensure uniqueness
# full iqn limit is 223 bytes, plan accordingly
namePrefix: ""
nameSuffix: ""
# documented below are several blocks
# pick the option appropriate for you based on what your backing fs is and desired features
# you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
# These options can also be configured per storage-class:
# See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
lunTemplate:
# can be static value or handlebars template
#description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
# btrfs thin provisioning
type: "BLUN"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
# 3pc = Hardware-assisted data transfer
# tpu = Space reclamation
# can_snapshot = Snapshot
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
#- dev_attrib: emulate_3pc
# enable: 1
#- dev_attrib: emulate_tpu
# enable: 0
#- dev_attrib: can_snapshot
# enable: 1
# btfs thick provisioning
# only zeroing and locking supported
#type: "BLUN_THICK"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
# ext4 thinn provisioning UI sends everything with enabled=0
#type: "THIN"
# ext4 thin with advanced legacy features set
# can only alter tpu (all others are set as enabled=1)
#type: "ADV"
#dev_attribs:
#- dev_attrib: emulate_tpu
# enable: 1
# ext4 thick
# can only alter caw
#type: "FILE"
#dev_attribs:
#- dev_attrib: emulate_caw
# enable: 1
lunSnapshotTemplate:
is_locked: true
# https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
is_app_consistent: true
targetTemplate:
auth_type: 0
max_sessions: 0

32
democratic-csi/kustomization.yaml
View File

@ -1,32 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: democratic-csi
labels:
- pairs:
app.kubernetes.io/instance: csi-synology
resources:
- namespace.yaml
- rbac.yaml
- democratic-csi.yaml
- secrets.yaml
- storageclass.yaml
patches:
- patch: |
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
spec:
template:
spec:
hostNetwork: true
images:
- name: docker.io/democraticcsi/democratic-csi
newName: ghcr.io/democratic-csi/democratic-csi
digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1

4
democratic-csi/namespace.yaml
View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: democratic-csi

316
democratic-csi/rbac.yaml
View File

@ -1,316 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- secrets
verbs:
- get
- list
- apiGroups:
-
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
-
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- persistentvolumeclaims/status
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csidrivers
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
-
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotclasses
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- watch
- list
- delete
- update
- create
- apiGroups:
- storage.k8s.io
resources:
- csistoragecapacities
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
-
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-controller-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-node-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi

73
democratic-csi/secrets.yaml
View File

@ -1,73 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
labels: &labels
app.kubernetes.io/name: synology-iscsi-driver-config
app.kubernetes.io/component: democratic-csi
app.kubernetes.io/part-of: democratic-csi
spec:
encryptedData:
synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
template:
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
data:
driver-config-file.yaml: |
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
password: {{ index . "synology.password" }}
allowInsecure: true
session: democratic-csi
serialize: true
iscsi:
targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
baseiqn: iqn.2000-01.com.synology:csi.
lunTemplate:
type: BLUN
targetTemplate:
auth_type: 2 # 0: None; 1: CHAP; 2: Mutual CHAP
max_sessions: 0 # 0: Unlimited
chap: true
mutual_chap: true
lunSnapshotTemplate:
is_app_consistent: true
is_locked: true
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
spec:
encryptedData:
targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
template:
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-chap
namespace: democratic-csi
spec:
encryptedData:
node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
template:
metadata:
name: synology-iscsi-chap
namespace: democratic-csi

20
democratic-csi/storageclass.yaml
View File

@ -1,20 +0,0 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: synology-iscsi
allowVolumeExpansion: true
provisioner: org.democratic-csi.iscsi-synology
parameters:
fsType: xfs
csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: synology-iscsi
driver: org.democratic-csi.iscsi-synology
deletionPolicy: Delete

20
dynk8s-provisioner/dynk8s-provisioner.yaml
View File

@ -1,3 +1,20 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dynk8s-provisioner-pvc
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner-pvc
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@ -53,7 +70,8 @@ spec:
serviceAccountName: dynk8s-provisioner serviceAccountName: dynk8s-provisioner
volumes: volumes:
- name: dynk8s-provisioner - name: dynk8s-provisioner
emptyDir: {} persistentVolumeClaim:
claimName: dynk8s-provisioner-pvc
--- ---
apiVersion: v1 apiVersion: v1

10
firefly-iii/kustomization.yaml
View File

@ -36,16 +36,6 @@ patches:
spec: spec:
template: template:
spec: spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
containers: containers:
- name: firefly-iii - name: firefly-iii
volumeMounts: volumeMounts:

2
invoice-ninja/invoice-ninja.yaml
View File

@ -154,6 +154,8 @@ spec:
while sleep 60; do php artisan schedule:run; done while sleep 60; do php artisan schedule:run; done
env: *env env: *env
envFrom: *envFrom envFrom: *envFrom
securityContext:
readOnlyRootFilesystem: true
volumeMounts: *mounts volumeMounts: *mounts
enableServiceLinks: false enableServiceLinks: false
affinity: affinity:

170
jenkins/gentoo-storage.yaml Normal file
View File

@ -0,0 +1,170 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: portage
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: binpkgs
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: binpkgs
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
data:
rsyncd.conf: |+
[gentoo-portage]
path = /var/db/repos/gentoo
[binpkgs]
path = /var/cache/binpkgs
---
apiVersion: v1
kind: Service
metadata:
name: gentoo-dist
namespace: jenkins-jobs
spec:
selector:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
ports:
- name: rsync
port: 873
targetPort: rsync
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: rsync
image: docker.io/gentoo/stage3
command:
- /usr/bin/rsync
- --daemon
- --no-detach
- --port=8873
- --log-file=/dev/stderr
ports:
- name: rsync
containerPort: 8873
securityContext:
readOnlyRootFilesystem: true
runAsUser: 250
runAsGroup: 250
volumeMounts:
- mountPath: /etc/rsyncd.conf
name: config
subPath: rsyncd.conf
- mountPath: /var/db/repos/gentoo
name: portage
- mountPath: /var/cache/binpkgs
name: binpkgs
volumes:
- name: binpkgs
persistentVolumeClaim:
claimName: binpkgs
- name: config
configMap:
name: gentoo-dist
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: Job
metadata:
name: emerge-webrsync
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: emerge-webrsync
app.kubernetes.io/component: gentoo
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emerge-webrsync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: sync-portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: sync-portage
app.kubernetes.io/component: gentoo
spec:
schedule: 4 19 * * *
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emaint
- sync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage

2
jenkins/kustomization.yaml
View File

@ -9,8 +9,8 @@ resources:
- jenkins.yaml - jenkins.yaml
- secrets.yaml - secrets.yaml
- iscsi.yaml - iscsi.yaml
- gentoo-storage.yaml
- ssh-host-keys - ssh-host-keys
- workspace-volume.yaml
patches: patches:
- patch: | - patch: |

15
jenkins/workspace-volume.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: jenkins
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: synology-iscsi

2
kitchen/kitchen.yaml
View File

@ -49,8 +49,6 @@ spec:
mountPath: /kitchen.yaml mountPath: /kitchen.yaml
subPath: config.yaml subPath: config.yaml
readOnly: true readOnly: true
nodeSelector:
kubernetes.io/arch: amd64
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsUser: 17402 runAsUser: 17402

3
kitchen/secrets.yaml
View File

@ -48,9 +48,8 @@ spec:
calendar_url: >- calendar_url: >-
https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/ https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
dtex: &dtex dtex: &dtex
<<: *credentials
calendar_url: >- calendar_url: >-
https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics
agenda: agenda:
calendars: calendars:

8
snapshot-controller/kustomization.yaml
View File

@ -1,8 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0
- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0

3
victoria-metrics/alertmanager.yaml
View File

@ -70,7 +70,6 @@ spec:
- name: config - name: config
configMap: configMap:
name: alertmanager name: alertmanager
podManagementPolicy: Parallel
volumeClaimTemplates: volumeClaimTemplates:
- apiVersion: v1 - apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -84,4 +83,4 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 500M storage: 4G

2
victoria-metrics/alerts.yml
View File

@ -246,9 +246,7 @@ groups:
- alert: Last Backup Age - alert: Last Backup Age
expr: >- expr: >-
time() - restic_backup_timestamp{ time() - restic_backup_timestamp{
client_hostname!="bw0.pyrocufflink.blue",
client_hostname!="luma.pyrocufflink.blue", client_hostname!="luma.pyrocufflink.blue",
client_hostname!="purplepi.hatch",
client_hostname!="toad.pyrocufflink.blue", client_hostname!="toad.pyrocufflink.blue",
}> 604800 }> 604800
annotations: annotations:

10
victoria-metrics/kustomization.yaml
View File

@ -216,16 +216,6 @@ patches:
- --cluster.peer=alertmanager-0.alertmanager:9094 - --cluster.peer=alertmanager-0.alertmanager:9094
- --cluster.peer=alertmanager-1.alertmanager:9094 - --cluster.peer=alertmanager-1.alertmanager:9094
- patch: |
- op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName
value: synology-iscsi
target:
group: apps
version: v1
kind: StatefulSet
name: alertmanager
- patch: | - patch: |
- op: add - op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName path: /spec/volumeClaimTemplates/0/spec/storageClassName

16
victoria-metrics/scrape.yml
View File

@ -522,19 +522,3 @@ scrape_configs:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: blackbox-exporter:9115 replacement: blackbox-exporter:9115
- job_name: music-assistant
metrics_path: /probe
params:
module:
- http
static_configs:
- targets:
- music.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115

17
victoria-metrics/vmagent.yaml
View File

@ -136,6 +136,17 @@ spec:
- name: config - name: config
configMap: configMap:
name: vmagent name: vmagent
- name: tmpdata volumeClaimTemplates:
emptyDir: {} - apiVersion: v1
podManagementPolicy: Parallel kind: PersistentVolumeClaim
metadata:
name: tmpdata
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/component: vmagent
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4G