move all certs to automatic issuer

2025-12-18 06:17:35 -05:00
parent f1d0cbeedd
commit 27c6abb459
27 changed files with 49 additions and 86 deletions


@@ -4,6 +4,7 @@ metadata:
name: actual
namespace: actual
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
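Review bot: The annotations block on the new side carries `cert-manager.io/cluster-issuer: "letsencrypt-prod"` twice (the two adjacent lines directly under `annotations:`), while the hunk header reports a single added line, so this reads as a duplicated mapping key rather than a rendering artefact. Most YAML loaders keep the last value silently and stricter tooling rejects the manifest outright, so one of the two lines should be dropped. This Ingress's `spec.tls` entry is outside the hunk; if it still names the shared wildcard secret, ingress-shim will create a Certificate that overwrites that secret with a single-host certificate, which would break any other Ingress in the namespace still using it — worth confirming the tls block was updated the way the other files in this commit were.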


@@ -25,6 +25,7 @@ spec:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.tls: "true"
@@ -32,7 +33,7 @@ spec:
hosts:
- authentik.michaelthomson.dev
tls:
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
- secretName: authentik-tls
hosts:
- authentik.michaelthomson.dev
volumes:
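Review bot: Replacing the wildcard secret with a per-host certificate (`- secretName: authentik-tls` here, and the matching `*-tls` changes in every later file section) moves each hostname out of one wildcard entry and into its own publicly logged certificate, so names like authentik, vaultwarden, wireguard and ha become enumerable from Certificate Transparency logs; that is a normal trade-off for per-host issuance, but it should be a deliberate one, and a comment near `tls:` such as `# per-host cert via ingress-shim; the hostname is published in CT logs` keeps the decision visible. The commit also does not retire whatever Certificate produced `letsencrypt-wildcard-cert-michaelthomson.dev`; if that resource survives, cert-manager keeps renewing a wildcard key that nothing consumes, so it should be removed or documented as intentionally kept. Issuance itself depends on the solver configured in the `letsencrypt-prod` ClusterIssuer, which is not in the diff, so the first reconcile should be checked for a Ready Certificate per host. Both hunks sit inside a values block whose start and end are outside the view.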


@@ -4,6 +4,7 @@ metadata:
name: baikal
namespace: baikal
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- baikal.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: baikal-tls


@@ -24,6 +24,7 @@ spec:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -36,7 +37,7 @@ spec:
tls:
- hosts:
- booklore.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: booklore-tls
# If you want to bring your own persistence (such as a hostPath),
# disable these and do so in extraVolumes/extraVolumeMounts


@@ -31,6 +31,7 @@ spec:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -43,7 +44,7 @@ spec:
tls:
- hosts:
- gitea.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: gitea-tls
persistence:
claimName: gitea-shared-storage


@@ -4,6 +4,7 @@ metadata:
name: homeassistant
namespace: homeassistant
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
@@ -21,4 +22,4 @@ spec:
tls:
- hosts:
- ha.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: homeassistant-tls
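Review bot: This Ingress has no `external-dns.alpha.kubernetes.io/target` annotation, so `ha.michaelthomson.dev` is presumably not published by external-dns; if the `letsencrypt-prod` ClusterIssuer (not in this diff) uses an HTTP-01 solver, issuance for `secretName: homeassistant-tls` needs the name to resolve publicly and port 80 to reach the solver Ingress, otherwise the Certificate stays pending and Traefik would fall back to its default certificate for this host. The same applies to the bazarr, prowlarr, radarr, sabnzbd, sonarr, pihole and monitoring (grafana, prometheus) sections, which likewise carry no external-dns annotation. If the issuer is DNS-01 this is fine, but a one-line comment above `cert-manager.io/cluster-issuer` naming the solver these hosts rely on would save the next reader the check. Both hunks belong to one Ingress whose start is outside the hunk.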


@@ -63,6 +63,7 @@ spec:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -74,7 +75,7 @@ spec:
tls:
- hosts:
- immich.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: immich-tls
machine-learning:
enabled: true


@@ -4,6 +4,7 @@ metadata:
name: karakeep-web-ingress
namespace: karakeep
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- karakeep.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: karakeep-web-ingress-tls


@@ -18,25 +18,27 @@ spec:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- grafana.michaelthomson.dev
path: /
tls:
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
- secretName: grafana-tls
hosts:
- grafana.michaelthomson.dev
prometheus:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- prometheus.michaelthomson.dev
path: /
tls:
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
- secretName: prometheus-tls
hosts:
- prometheus.michaelthomson.dev


@@ -4,6 +4,7 @@ metadata:
name: bazarr
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
tls:
- hosts:
- bazarr.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: bazarr-tls


@@ -4,6 +4,7 @@ metadata:
name: jellyfin
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- jellyfin.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: jellyfin-tls


@@ -4,6 +4,7 @@ metadata:
name: jellyseerr
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- jellyseerr.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: jellyseerr-tls


@@ -4,6 +4,7 @@ metadata:
name: prowlarr
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
tls:
- hosts:
- prowlarr.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: prowlarr-tls


@@ -4,6 +4,7 @@ metadata:
name: radarr
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
tls:
- hosts:
- radarr.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: radarr-tls


@@ -4,6 +4,7 @@ metadata:
name: sabnzbd
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
@@ -21,4 +22,4 @@ spec:
tls:
- hosts:
- sabnzbd.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: sabnzbd-tls


@@ -4,6 +4,7 @@ metadata:
name: sonarr
namespace: media
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
tls:
- hosts:
- sonarr.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: sonarr-tls


@@ -21,6 +21,7 @@ spec:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -28,7 +29,7 @@ spec:
tls:
- hosts:
- nextcloud.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: nextclout-tls
labels: {}
path: /
pathType: Prefix
@@ -151,6 +152,7 @@ spec:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -163,7 +165,7 @@ spec:
tls:
- hosts:
- collabora.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: collabora-tls
cronjob:
enabled: true
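Review bot: `secretName: nextclout-tls` in the second hunk looks like a typo for `nextcloud-tls`; it still works, because ingress-shim issues into whatever name is given, but it breaks the `<app>-tls` pattern used everywhere else in this commit (the fourth hunk in this file uses `collabora-tls`) and will confuse anyone later searching the namespace's secrets for the Nextcloud certificate. Suggest `secretName: nextcloud-tls`. All four hunks are inside a values block whose start and end are outside the view.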


@@ -4,6 +4,7 @@ metadata:
name: ntfy
namespace: ntfy
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- ntfy.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: ntfy-tls


@@ -31,6 +31,7 @@ spec:
# -- Annotations for the ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
path: /
@@ -39,7 +40,7 @@ spec:
tls:
- hosts:
- pihole.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: pihole-tls
# -- `spec.PersitentVolumeClaim` configuration
persistentVolumeClaim:


@@ -1,31 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: stirling-pdf
namespace: stirling-pdf
spec:
chart:
spec:
chart: stirling-pdf-chart
version: 2.x
sourceRef:
kind: HelmRepository
name: stirling-pdf
interval: 15m
releaseName: stirling-pdf
values:
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: pdf.michaelthomson.dev
paths:
- path: "/"
pathType: ImplementationSpecific
tls:
- hosts:
- pdf.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
ingressClassName: traefik


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: stirling-pdf
namespace: stirling-pdf
spec:
interval: 15m
url: https://stirling-tools.github.io/Stirling-PDF-chart


@@ -4,6 +4,7 @@ metadata:
name: syncthing
namespace: syncthing
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- syncthing.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: syncthing-tls


@@ -4,6 +4,7 @@ metadata:
name: uptime-kuma
namespace: uptime-kuma
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- kuma.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: uptime-kuma-tls


@@ -43,6 +43,7 @@ spec:
enabled: true
class: "traefik"
additionalAnnotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -50,4 +51,4 @@ spec:
labels: {}
tls: true
hostname: "vaultwarden.michaelthomson.dev"
tlsSecret: "letsencrypt-wildcard-cert-michaelthomson.dev"
tlsSecret: vaultwarden-tls
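Review bot: `tlsSecret: vaultwarden-tls` drops the quoting that the replaced line and the neighbouring `hostname: "vaultwarden.michaelthomson.dev"` and `class: "traefik"` use, so sibling string values in this block now mix quoted and plain scalars; `tlsSecret: "vaultwarden-tls"` keeps the file consistent. The issuer annotation is placed under `additionalAnnotations` rather than `annotations` — presumably that is this chart's key for Ingress metadata annotations, but ingress-shim only acts on annotations that reach the rendered Ingress object, so it is worth confirming after the first reconcile that a Certificate targeting `vaultwarden-tls` was actually created. The enclosing `ingress:` block starts outside the hunk.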


@@ -4,6 +4,7 @@ metadata:
name: wg-easy
namespace: wg-easy
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- wireguard.michaelthomson.dev
secretName: letsencrypt-wildcard-cert-michaelthomson.dev
secretName: wg-easy-tls


@@ -1,19 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: stirling-pdf
namespace: flux-system
spec:
interval: 15m
path: ./apps/stirling-pdf
prune: true # remove any elements later removed from the above path
wait: true
sourceRef:
kind: GitRepository
name: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
dependsOn:
- name: infra-configs


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: stirling-pdf