diff --git a/apps/actual/ingress.yaml b/apps/actual/ingress.yaml
index 42aa8a7..01a97a1 100644
--- a/apps/actual/ingress.yaml
+++ b/apps/actual/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: actual
 namespace: actual
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
diff --git a/apps/authentik/release.yaml b/apps/authentik/release.yaml
index dfb8de2..f279df2 100644
--- a/apps/authentik/release.yaml
+++ b/apps/authentik/release.yaml
@@ -25,6 +25,7 @@ spec:
 enabled: true
 ingressClassName: traefik
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -32,7 +33,7 @@ spec:
 hosts:
 - authentik.michaelthomson.dev
 tls:
- - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ - secretName: authentik-tls
 hosts:
 - authentik.michaelthomson.dev
 volumes:
diff --git a/apps/baikal/ingress.yaml b/apps/baikal/ingress.yaml
index adcd760..a7caa88 100644
--- a/apps/baikal/ingress.yaml
+++ b/apps/baikal/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: baikal
 namespace: baikal
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - baikal.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: baikal-tls
diff --git a/apps/booklore/release.yaml b/apps/booklore/release.yaml
index 34147a3..3b660c4 100644
--- a/apps/booklore/release.yaml
+++ b/apps/booklore/release.yaml
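Review bot: The line added to apps/actual/ingress.yaml, `cert-manager.io/cluster-issuer: "letsencrypt-prod"`, duplicates the context line immediately below it, so the annotations mapping now contains the same key twice. Duplicate keys are invalid YAML; kyaml/kustomize-based tooling such as Flux typically rejects the whole document, and parsers that accept it silently keep only one value. Drop the added line and keep the existing one — this Ingress already carried the issuer annotation, which is presumably why it has no `secretName` hunk in this commit. The rest of the Ingress spec is outside the hunk.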
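Review bot: Every hunk in this commit stops referencing `letsencrypt-wildcard-cert-michaelthomson.dev`, including the authentik Ingress here, but nothing in the diff removes the Certificate that produced it or the per-namespace copies of that Secret (an Ingress can only reference a Secret in its own namespace, so authentik, baikal, media and the others must each hold one). Those copies carry a private key valid for every `*.michaelthomson.dev` host, including this IdP, and remain readable to anything with secrets get/list in those namespaces after this change. Once the per-host secrets are issued, delete the wildcard Certificate and its replicated Secrets (or stop whatever replicates them) and consider revoking the wildcard certificate; where it is defined is not visible in this diff, so confirm that first. Also be aware that `authentik-tls` does not exist until cert-manager completes the order, during which Traefik serves its default certificate for authentik.michaelthomson.dev; issuing before removing the old reference avoids certificate errors on the login endpoint.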
@@ -24,6 +24,7 @@ spec:
 ingress:
 enabled: true
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -36,7 +37,7 @@ spec:
 tls:
 - hosts:
 - booklore.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: booklore-tls
 # If you want to bring your own persistence (such as a hostPath),
 # disable these and do so in extraVolumes/extraVolumeMounts
diff --git a/apps/gitea/release.yaml b/apps/gitea/release.yaml
index 8b6bf3a..06fc165 100644
--- a/apps/gitea/release.yaml
+++ b/apps/gitea/release.yaml
@@ -31,6 +31,7 @@ spec:
 enabled: true
 className: traefik
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -43,7 +44,7 @@ spec:
 tls:
 - hosts:
 - gitea.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: gitea-tls
 persistence:
 claimName: gitea-shared-storage
diff --git a/apps/homeassistant/ingress.yaml b/apps/homeassistant/ingress.yaml
index e41a380..c88676d 100644
--- a/apps/homeassistant/ingress.yaml
+++ b/apps/homeassistant/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: homeassistant
 namespace: homeassistant
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
 tls:
 - hosts:
 - ha.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: homeassistant-tls
diff --git a/apps/immich/release.yaml b/apps/immich/release.yaml
index bb0dca7..620ac10 100644
--- a/apps/immich/release.yaml
+++ b/apps/immich/release.yaml
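Review bot: apps/homeassistant/ingress.yaml now requests a certificate of its own for ha.michaelthomson.dev, yet its annotations block (fully visible in the first hunk) has no external-dns entries, which suggests this name is not published in public DNS. If `letsencrypt-prod` uses an HTTP-01 solver, the order cannot complete for an unresolvable host and `homeassistant-tls` is never created, so Traefik keeps serving its default certificate; if it uses DNS-01, the order succeeds but the hostname is written to Certificate Transparency logs, which the previous wildcard certificate never did, making each internal service name enumerable via CT search. The same applies to grafana, prometheus, pihole and the media Ingresses, whose hunks likewise show no external-dns annotation. Either confirm the solver type and accept the CT exposure, or keep internal-only hosts on the wildcard secret and record why, e.g. `# internal-only host: stays on the wildcard cert to keep the name out of CT logs` above `secretName`.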
@@ -63,6 +63,7 @@ spec:
 main:
 enabled: true
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -74,7 +75,7 @@ spec:
 tls:
 - hosts:
 - immich.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: immich-tls
 machine-learning:
 enabled: true
diff --git a/apps/karakeep/ingress.yaml b/apps/karakeep/ingress.yaml
index a09a9ed..960e882 100644
--- a/apps/karakeep/ingress.yaml
+++ b/apps/karakeep/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: karakeep-web-ingress
 namespace: karakeep
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - karakeep.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: karakeep-web-ingress-tls
diff --git a/apps/kube-prometheus-stack/release.yaml b/apps/kube-prometheus-stack/release.yaml
index c6f6eeb..5660c64 100644
--- a/apps/kube-prometheus-stack/release.yaml
+++ b/apps/kube-prometheus-stack/release.yaml
@@ -18,25 +18,27 @@ spec:
 ingress:
 enabled: true
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 hosts:
 - grafana.michaelthomson.dev
 path: /
 tls:
- - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ - secretName: grafana-tls
 hosts:
 - grafana.michaelthomson.dev
 prometheus:
 ingress:
 enabled: true
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 hosts:
 - prometheus.michaelthomson.dev
 path: /
 tls:
- - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ - secretName: prometheus-tls
 hosts:
 - prometheus.michaelthomson.dev
diff --git a/apps/media/bazarr/ingress.yaml b/apps/media/bazarr/ingress.yaml
index ea176ff..4c00294 100644
--- a/apps/media/bazarr/ingress.yaml
+++ b/apps/media/bazarr/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: bazarr
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
 tls:
 - hosts:
 - bazarr.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: bazarr-tls
diff --git a/apps/media/jellyfin/ingress.yaml b/apps/media/jellyfin/ingress.yaml
index 36f3355..2b8ee93 100644
--- a/apps/media/jellyfin/ingress.yaml
+++ b/apps/media/jellyfin/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: jellyfin
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - jellyfin.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: jellyfin-tls
diff --git a/apps/media/jellyseerr/ingress.yaml b/apps/media/jellyseerr/ingress.yaml
index 0c09116..d3ba3e6 100644
--- a/apps/media/jellyseerr/ingress.yaml
+++ b/apps/media/jellyseerr/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: jellyseerr
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - jellyseerr.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: jellyseerr-tls
diff --git a/apps/media/prowlarr/ingress.yaml b/apps/media/prowlarr/ingress.yaml
index e9bb24e..ce54f9c 100644
--- a/apps/media/prowlarr/ingress.yaml
+++ b/apps/media/prowlarr/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: prowlarr
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
 tls:
 - hosts:
 - prowlarr.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: prowlarr-tls
diff --git a/apps/media/radarr/ingress.yaml b/apps/media/radarr/ingress.yaml
index be84e84..103b753 100644
--- a/apps/media/radarr/ingress.yaml
+++ b/apps/media/radarr/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: radarr
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
 tls:
 - hosts:
 - radarr.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: radarr-tls
diff --git a/apps/media/sabnzbd/ingress.yaml b/apps/media/sabnzbd/ingress.yaml
index 9b38520..b6af453 100644
--- a/apps/media/sabnzbd/ingress.yaml
+++ b/apps/media/sabnzbd/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: sabnzbd
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
 tls:
 - hosts:
 - sabnzbd.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: sabnzbd-tls
diff --git a/apps/media/sonarr/ingress.yaml b/apps/media/sonarr/ingress.yaml
index bcd3690..12d933c 100644
--- a/apps/media/sonarr/ingress.yaml
+++ b/apps/media/sonarr/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: sonarr
 namespace: media
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
 tls:
 - hosts:
 - sonarr.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: sonarr-tls
diff --git a/apps/nextcloud/release.yaml b/apps/nextcloud/release.yaml
index 93cf816..a7834c0 100644
--- a/apps/nextcloud/release.yaml
+++ b/apps/nextcloud/release.yaml
@@ -21,6 +21,7 @@ spec:
 enabled: true
 className: traefik
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -28,7 +29,7 @@ spec:
 tls:
 - hosts:
 - nextcloud.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: nextclout-tls
 labels: {}
 path: /
 pathType: Prefix
@@ -151,6 +152,7 @@ spec:
 ingress:
 enabled: true
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -163,7 +165,7 @@ spec:
 tls:
 - hosts:
 - collabora.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: collabora-tls
 cronjob:
 enabled: true
diff --git a/apps/ntfy/ingress.yaml b/apps/ntfy/ingress.yaml
index a37ac42..fd8c7b9 100644
--- a/apps/ntfy/ingress.yaml
+++ b/apps/ntfy/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: ntfy
 namespace: ntfy
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - ntfy.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: ntfy-tls
diff --git a/apps/pihole/release.yaml b/apps/pihole/release.yaml
index f160e79..ed4cbc3 100644
--- a/apps/pihole/release.yaml
+++ b/apps/pihole/release.yaml
@@ -31,6 +31,7 @@ spec:
 # -- Annotations for the ingress
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 path: /
@@ -39,7 +40,7 @@ spec:
 tls:
 - hosts:
 - pihole.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: pihole-tls
 # -- `spec.PersitentVolumeClaim` configuration
 persistentVolumeClaim:
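Review bot: `secretName: nextclout-tls` in the first nextcloud hunk misspells the application name; cert-manager will create a Secret under exactly that name, so issuance still works, but it breaks the `<app>-tls` convention every other hunk follows and will mislead anyone later grepping for the nextcloud certificate or writing a NetworkPolicy/RBAC rule around it. Change it to `secretName: nextcloud-tls` before this is reconciled, so a stray `nextclout-tls` Secret (and its private key) never gets created and left behind. The enclosing HelmRelease values block starts outside the hunk.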
diff --git a/apps/stirling-pdf/release.yaml b/apps/stirling-pdf/release.yaml
deleted file mode 100644
index 7f1ed64..0000000
--- a/apps/stirling-pdf/release.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: stirling-pdf
- namespace: stirling-pdf
-spec:
- chart:
- spec:
- chart: stirling-pdf-chart
- version: 2.x
- sourceRef:
- kind: HelmRepository
- name: stirling-pdf
- interval: 15m
- releaseName: stirling-pdf
- values:
- ingress:
- enabled: true
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
- hosts:
- - host: pdf.michaelthomson.dev
- paths:
- - path: "/"
- pathType: ImplementationSpecific
- tls:
- - hosts:
- - pdf.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
- ingressClassName: traefik
diff --git a/apps/stirling-pdf/repository.yaml b/apps/stirling-pdf/repository.yaml
deleted file mode 100644
index 2666eb5..0000000
--- a/apps/stirling-pdf/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: stirling-pdf
- namespace: stirling-pdf
-spec:
- interval: 15m
- url: https://stirling-tools.github.io/Stirling-PDF-chart
diff --git a/apps/syncthing/ingress.yaml b/apps/syncthing/ingress.yaml
index b45dd1c..6412fd6 100644
--- a/apps/syncthing/ingress.yaml
+++ b/apps/syncthing/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: syncthing
 namespace: syncthing
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - syncthing.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: syncthing-tls
diff --git a/apps/uptime-kuma/uptime-kuma-ingress.yaml b/apps/uptime-kuma/uptime-kuma-ingress.yaml
index 7b6ab90..1be5d24 100644
--- a/apps/uptime-kuma/uptime-kuma-ingress.yaml
+++ b/apps/uptime-kuma/uptime-kuma-ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: uptime-kuma
 namespace: uptime-kuma
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - kuma.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: uptime-kuma-tls
diff --git a/apps/vaultwarden/release.yaml b/apps/vaultwarden/release.yaml
index f465749..9f1f6e9 100644
--- a/apps/vaultwarden/release.yaml
+++ b/apps/vaultwarden/release.yaml
@@ -43,6 +43,7 @@ spec:
 enabled: true
 class: "traefik"
 additionalAnnotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -50,4 +51,4 @@ spec:
 labels: {}
 tls: true
 hostname: "vaultwarden.michaelthomson.dev"
- tlsSecret: "letsencrypt-wildcard-cert-michaelthomson.dev"
+ tlsSecret: vaultwarden-tls
diff --git a/apps/wg-easy/ingress.yaml b/apps/wg-easy/ingress.yaml
index 874795a..59264eb 100644
--- a/apps/wg-easy/ingress.yaml
+++ b/apps/wg-easy/ingress.yaml
@@ -4,6 +4,7 @@ metadata:
 name: wg-easy
 namespace: wg-easy
 annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
 tls:
 - hosts:
 - wireguard.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ secretName: wg-easy-tls
diff --git a/bootstrap/apps/kustomization-stirling-pdf.yaml b/bootstrap/apps/kustomization-stirling-pdf.yaml
deleted file mode 100644
index 5526b8d..0000000
--- a/bootstrap/apps/kustomization-stirling-pdf.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: stirling-pdf
- namespace: flux-system
-spec:
- interval: 15m
- path: ./apps/stirling-pdf
- prune: true # remove any elements later removed from the above path
- wait: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: infra-configs
diff --git a/infrastructure/namespaces/namespace-stirling-pdf.yaml b/infrastructure/namespaces/namespace-stirling-pdf.yaml
deleted file mode 100644
index 4928d47..0000000
--- a/infrastructure/namespaces/namespace-stirling-pdf.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: stirling-pdf