initial refactor

infrastructure/configs/cert-manager/certificate-wildcard-cert-letsencrypt-prod.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: letsencrypt-wildcard-cert-michaelthomson.dev
+  namespace: letsencrypt-wildcard-cert
+spec:
+  # secretName doesn't have to match the certificate name, but it may as well, for simplicity!
+  secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: ""
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - "michaelthomson.dev"
+    - "*.michaelthomson.dev"

infrastructure/configs/cert-manager/cluster-issuer-letsencrypt-prod.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: michael@michaelthomson.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - selector:
+        dnsZones:
+          - "michaelthomson.dev"
+      dns01:
+        cloudflare:
+          email: michael@michaelthomson.dev
+          apiKeySecretRef:
+            name: cloudflare-api-key
+            key: cloudflare_api_key

infrastructure/configs/metallb/ipaddresspool.yaml

@@ -0,0 +1,9 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: metallb-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 192.168.2.200-192.168.2.250
+

infrastructure/configs/metallb/l2advertisement.yaml

@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: my-l2-advertisment
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - metallb-pool

infrastructure/controllers/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infrastructure/controllers/cert-manager/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.17.x
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+  interval: 15m
+  timeout: 5m
+  releaseName: cert-manager
+  values:
+    installCRDs: true

infrastructure/controllers/cert-manager/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 15m
+  url: https://charts.jetstack.io

infrastructure/controllers/cert-manager/secret-cloudflare-api-key.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "cloudflare-api-key",
+    "namespace": "cert-manager",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "cloudflare-api-key",
+        "namespace": "cert-manager",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "cloudflare_api_key": "AgChqWD0JHDwnlg+U+O3Yl0acYIeDnekCj1gRu1kQVFIIukO0rZxxgwDBwB1FAnK7+H/tZsoQCLg+YRmmzqXW7fcxsvad7Ba35JFZnXXc4heCji1FeTZm9M8lLKPXsr/jSV2d2md4BFXxeHBwQtq6Km5OsPkeGiUGVo09w7q0dBhp7wcJ6Dgu3m2c2x8hQKVz0zR4AreMBRwmCw7x/dXPmoCuz/dRQzbQGZ57Z0nZ/4OWF/YBv8NYzjK7//R9QKMGXJJ28NcrXv06v/0CNtVoADbue/kD4d1a9MTBojkHSNvd8CIsIFSnBDPYP4ApnmGBiirfnVJ//AE7iVSCtl96SR9pwqFnE2xCXaAGBlWLVebCGx45W0q3qbC6isZbQLjdekQNu4LDjMs5QQVUM7/+6SusxKJrFbNEyKpWjV6IDQBaZTMkO3gTAq3ZRXGoiLy/FZZihudGa8bym7GJGkl0ZVb8hpkUBiNp3cHQFizdCMVF/3ebjmn0Mf250Kg0J6iymECZ2IdHsjjmRYyJv3Mi7wWdiCG8nOhUwwi1/379rjkbPSZadng/MmgDc8p1IhIFiaLaXTHwr3ZYtQOXpdzAQGJXtIYX4ZO5CFwoCf3UDneCjEntJwi9htaH+KtZFx2Um4LTChsTKEk4D4f64vj7a5k7neSwgpZYZg7DncAubbqKY5vgGuZlT2KMkJPs45LNO713Rf48pom/ZAxWJz6b52r+T0UYhZeF/Ffb1Kw1jrJzENu8ONj"
+    }
+  }
+}

infrastructure/controllers/cnpg/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cnpg

infrastructure/controllers/cnpg/release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cnpg
+  namespace: cnpg
+spec:
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: 0.24.x
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+  interval: 15m
+  timeout: 5m
+  releaseName: cnpg
+  values:

infrastructure/controllers/cnpg/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cnpg
+  namespace: cnpg
+spec:
+  interval: 15m
+  url: https://cloudnative-pg.github.io/charts

infrastructure/controllers/external-dns/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-dns

infrastructure/controllers/external-dns/release.yaml

@@ -0,0 +1,40 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: external-dns
+spec:
+  chartRef:
+    kind: OCIRepository
+    name: external-dns
+  interval: 15m
+  timeout: 5m
+  releaseName: external-dns
+  values:
+    sources:
+      - crd
+      # - service
+      # - ingress
+      # - contour-httpproxy
+    provider: cloudflare
+    cloudflare:
+      ## @param cloudflare.apiToken When using the Cloudflare provider, `CF_API_TOKEN` to set (optional)
+      ##
+      apiToken: ""
+      ## @param cloudflare.apiKey When using the Cloudflare provider, `CF_API_KEY` to set (optional)
+      ##
+      apiKey: ""
+      ## @param cloudflare.secretName When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key.
+      ## This ignores cloudflare.apiToken, and cloudflare.apiKey
+      ##
+      secretName: "cloudflare-api-key"
+      ## @param cloudflare.email When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY
+      ##
+      email: "michael@michaelthomson.dev"
+      ## @param cloudflare.proxied When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional)
+      ##
+      proxied: false
+    crd:
+      ## @param crd.create Install and use the integrated DNSEndpoint CRD
+      ##
+      create: true

infrastructure/controllers/external-dns/repository.yaml

@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: external-dns
+  namespace: external-dns
+spec:
+  interval: 15m
+  url: oci://registry-1.docker.io/bitnamicharts/external-dns
+  ref:
+    semver: ">=8.0.0"

infrastructure/controllers/external-dns/sealedsecret-cloudflare-api-key.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "cloudflare-api-key",
+    "namespace": "external-dns",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "cloudflare-api-key",
+        "namespace": "external-dns",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "cloudflare_api_key": "AgDbQ3Suck0P6dSEtuB8cfk4P47jVuieaekex+miPlhrB3I7n/YLPK3lEdoYAt49NrciMlq877iniuYylwnh8HOSevvZ47H86KthofJY3iu8anTTS5q4dkxonnqHuBPH0LTg+uvdkChxe7kuozePB0XJjQV4qdejEDTh6Q7es5dzIW9kdxHGlDRyIsgeI+YpZCZOApzU+bR+ARt39AWWpyRkn140CSAFjsF6XRJ+Enwsn9nbfZfb71s3J8hy/3BCY8fCPuqAXWoQY9pr4BwYo6TjFthlesMYZ3rsAPuBelwEO9OeWySKfVOZx3ZbTdG0aObYhr1KOMs1wTSbu0Y9Ob59WZRT78eXD3B9Un2Bm5GhQLZaw0KAwzg1uLZ2LGcOcV3Dzd5XXLa8/pajrlF/iJQkMYZlaLVfgakhi5TpM4QCTHD4Wj95ZzO16VqJ8ak4qU+l3eJ/GuO+cnMtvAF/VjEiGj9PF9fZRkcPl7HoDTOGeXgbvVcWsSyktZe9BeAkHmB326bK8gnvs6MwJZC/SFR187ngBkSDOQ89LNx1pNnu4SNYu6EHvtaNI62+a6AsNsdrku3fTW0bdNI7rPwZvmL257mnnF7ih4BZvRDxBWudAcQyw+YZdlQC5NRpFr7e0ZgFP1CvDjvNtBBaZsHELKJyFCy7vhhiOrrHpYGZfvTFgGd2/ny2n92HyhJtvpMSJNfaqjAOVu7Kp5bFa99GSSP1CZXjxHxCEzVblZdyOGW63iMwgNp7"
+    }
+  }
+}

infrastructure/controllers/longhorn/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: longhorn.michaelthomson.dev
+  namespace: longhorn-system
+spec:
+  endpoints:
+  - dnsName: longhorn.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

infrastructure/controllers/longhorn/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system

infrastructure/controllers/longhorn/release.yaml

@@ -0,0 +1,40 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  chart:
+    spec:
+      chart: longhorn
+      version: 1.8.x
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+  interval: 15m
+  timeout: 5m
+  releaseName: longhorn
+  values:
+    persistence:
+      defaultClassReplicaCount: 2
+
+    defaultSettings:
+      backupTarget: s3://mthomson-longhorn-backups@us-west-004/
+      backupTargetCredentialSecret: longhorn-backblaze-secret
+      replicaAutoBalance: best-effort
+      defaultDataLocality: best-effort
+      defaultReplicaCount: 2
+      replicaZoneSoftAntiAffinity: true
+      replicaDiskSoftAntiAffinity: false
+      replicaSoftAntiAffinity: false
+
+    ingress:
+      enabled: true
+      ingressClassName: traefik
+      host: longhorn.michaelthomson.dev
+      tls: true
+      secureBackends: true
+      tlsSecret: letsencrypt-wildcard-cert-michaelthomson.dev
+      annotations:
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure

infrastructure/controllers/longhorn/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: longhorn
+spec:
+  interval: 15m
+  url: https://charts.longhorn.io

infrastructure/controllers/longhorn/secret-backblaze.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: longhorn-backblaze-secret
+  namespace: longhorn-system
+spec:
+  encryptedData:
+    AWS_ACCESS_KEY_ID: AgAcQuAtfsr8a8MIvPpZIocp2JLMzhdRhbWLY/yB9qJtkRwXId3S+wLN7YLVI3yMhkRbCkVDZgtu6Usysc530fKOj6r65gWDPVatwJHgUXouvbz1Iq1fPtsE/LbYOD2AZhulfb2cyo3A9jzcoYZxi+KyaymW4JHcHIwHnSVvakvqIYx1QCf30MnOjrLn9+B2NIg5qpYoplc1gCLVy7oGTXolFJJMAiIJ41YwLAZCltk/RXJxWKrvD5BilgPK3W+Fhf7QUFddEfhv/gIGMHmXCH9MouZviQpJVo7/FvzNG0Q6lRHKFHcxh8vhtvrpx8O2qjjZVSrMRtepgla7ZblOuP//1n72JBYQmC7VE1cvPjXSnybU4Z+cm5GQSwvVpWzVvdQyl7V1e7jgTi5sYdilUbVtltLDuugRttuLnJNhSMQSOAv0SDae9HYldOvjoMnpJN3DleCYoyw0gT0xH7U5EOIX/LogPIp/poO7tAj406xwpS2MDatFgPItPvjebBjxbCUekJF0wzQuxqd54s26CNaq50CKPkg7jJI5HO7T0PnUdj3sF+aa49fPpBZtJ8ftmZ84n8sZTaMXKLWxD1XaVL48Ded3s4SWoCHoVfrd/OqkXqHlXzWmgF9wnm101WZR2QrUgYakL8cldlN05r3zRtMe/KMn5rNihcYcSvRikKHk0mj0uzYnNrlNtzKUWyxanJiui99c9twJ8LC8znLt0LqxRE2u0DRVRc1L
+    AWS_ENDPOINTS: AgCb1f3nEIo8gLibM2XtJG+ALI1qpVMipyRnBXxL5REy/AJ3fO1gr2Nzz3XWMdCcwVY3yX5zarLcFUlM5hNRYfDZ8Huj4GDc99YvoY/aBaEiIHDpeu73ASkl7cS2qplTFGIxLz26SoWLFKWGpOu2DWQNtHh7tpcQ/qfcm5zK+4m+IF/pEAQv+w5QF0bSNnziYlSo89rVuSA9SpevdbwMwGWvN6bi5QbPSXYqjogO8BsNOQAWhFIKkxEWkDuEGh0Cwd02VstcLDNrqgNsR1ajMTEqfsUo3hJyVo/AF8O72pSSe4gaNzkaU3TW6EXguZ+a3t9Jy8oiS5nyCEiSkPiv3k4giHpVomP8gweyau+1w+PJm4oq2ABW43VBxE1CoQVnI8q/egvVyj0OvsZONsMWY392WfuF9El6D5qhSW+Un7IboZy9GfWsrd5sCmhi0NHEJGHOrk5nNCdfca0SwfNn+iKj0cIky7klvUqYxxcnfRppmMpTeGLVgOsFOKykeRVLcH8mnqg7xHrTJ9ICtILIarynscT5mKwyvvzS9txPIEvDlOt6nSnbmfukZRW1YN8nz04Bcdxpy4bquQlkNmX6n13rhemHT1nKsrYo+J8IwgnEqGKydztxhf9x2+sJ4ZiOOtuXqp7oXXt74HbS7WnBmdkfz3eqEEYzGcagXKr/KYiPHG3+fcgUORhrJl8LGCSTEq4JzUYyenDQ95agiHSShr+tZb1I0Urue9sILUfC9N4=
+    AWS_SECRET_ACCESS_KEY: AgCQK+kf92LH+oZVII9iLWBw7A23nm3DgysJP8NR4evZF1qjeiD6XZ4GBOTgnkCiBN8c+4KZ1WpKjrQADsodOqSx7W0Ts+A6wI9MD4q6cRzMiesUlXiYn4yQS63RjO5VSrMZUnvUOzh5NQs94yzxc7Q+GqNa1EDK2H2gBz5nRNyRmXgV/6xdl6AQrGagvCusetZjTRtujgfSW0Oz/k6Ap+1BG+FJT1TR1jxgccNslR7Lyy5FOEOXhcB/qf7FgOibwJmV0xfAM1SvMAewLgJiIJzIq+dZWhwX+AjTWmpTOtCJ2xvWtHio3zwVDN0yH4+8MrFHQQ9Fbh+4PU+4h4fzi28cmpCk6sWzRhuhK+NyDBBoB+halvpNCI2XXEFIAiUoLhAj81sEdp+H+STXcR+RGrflg7CdIfuHluPr62yxLfDOV7Vk66FLIccz7UIDbUz2XS359eBe/B+KJ9w7saAZeyt1Dg52tiJUtqq7bQ43v+CrSNYX60qLJe07oTbEtR6jN1oGBQteBuPmRcP73DTVkevUX5Boi3VxPmV/lmTMleJyRVxW2BvdMIb8OnOjJ3oML4AaFOjhYi6v6KLDRKdKcq4EeafM9C7rFMtvj77LoMh9zCjS0Swq02wsuPKUSvsbsXKhe6pgpgydrjh9InfdskIn4RejY2xYiXINV4LkUZmo76DKpJiJiZUEO3tA8pnWlY/ot3AJVu3YJlaWn7cCozSLSnuz+RtSzazQ1p1v/U6M
+  template:
+    metadata:
+      creationTimestamp: null
+      name: longhorn-backblaze-secret
+      namespace: longhorn-system

infrastructure/controllers/metallb/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: metallb-system

infrastructure/controllers/metallb/release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: metallb
+  namespace: metallb-system
+spec:
+  chart:
+    spec:
+      chart: metallb
+      version: 0.15.x
+      sourceRef:
+        kind: HelmRepository
+        name: metallb
+  interval: 15m
+  timeout: 5m
+  releaseName: metallb
+  values:

infrastructure/controllers/metallb/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: metallb
+  namespace: metallb
+spec:
+  interval: 15m
+  url: https://metallb.github.io/metallb

infrastructure/controllers/nfs-subdir-external-provisioner/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nfs-subdir-external-provisioner

infrastructure/controllers/nfs-subdir-external-provisioner/release.yaml

@@ -0,0 +1,131 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nfs-subdir-external-provisioner
+  namespace: nfs-subdir-external-provisioner
+spec:
+  chart:
+    spec:
+      chart: nfs-subdir-external-provisioner
+      version: 4.x.x
+      sourceRef:
+        kind: HelmRepository
+        name: nfs-subdir-external-provisioner
+  interval: 15m
+  timeout: 5m
+  releaseName: nfs-subdir-external-provisioner
+  values:
+    replicaCount: 1
+    strategyType: Recreate
+
+    image:
+      repository: registry.k8s.io/sig-storage/nfs-subdir-external-provisioner
+      tag: v4.0.2
+      pullPolicy: IfNotPresent
+    imagePullSecrets: []
+
+    nfs:
+      server: 192.168.2.50
+      path: /volume1/k8sdata
+      mountOptions:
+      volumeName: nfs-subdir-external-provisioner-root
+      # Reclaim policy for the main nfs volume
+      reclaimPolicy: Retain
+
+    # For creating the StorageClass automatically:
+    storageClass:
+      create: true
+
+      # Set a provisioner name. If unset, a name will be generated.
+      # provisionerName:
+
+      # Set StorageClass as the default StorageClass
+      # Ignored if storageClass.create is false
+      defaultClass: false
+
+      # Set a StorageClass name
+      # Ignored if storageClass.create is false
+      name: nfs-client
+
+      # Allow volume to be expanded dynamically
+      allowVolumeExpansion: true
+
+      # Method used to reclaim an obsoleted volume
+      reclaimPolicy: Delete
+
+      # When set to false your PVs will not be archived by the provisioner upon deletion of the PVC.
+      archiveOnDelete: true
+
+      # If it exists and has 'delete' value, delete the directory. If it exists and has 'retain' value, save the directory.
+      # Overrides archiveOnDelete.
+      # Ignored if value not set.
+      onDelete:
+
+      # Specifies a template for creating a directory path via PVC metadata's such as labels, annotations, name or namespace.
+      # Ignored if value not set.
+      pathPattern: "${.PVC.namespace}-${.PVC.name}"
+
+      # Set access mode - ReadWriteOnce, ReadOnlyMany or ReadWriteMany
+      accessModes: ReadWriteOnce
+
+      # Set volume bindinng mode - Immediate or WaitForFirstConsumer
+      volumeBindingMode: Immediate
+
+      # Storage class annotations
+      annotations: {}
+
+    leaderElection:
+      # When set to false leader election will be disabled
+      enabled: true
+
+    ## For RBAC support:
+    rbac:
+      # Specifies whether RBAC resources should be created
+      create: true
+
+    # If true, create & use Pod Security Policy resources
+    # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+    podSecurityPolicy:
+      enabled: false
+
+    # Deployment pod annotations
+    podAnnotations: {}
+
+    ## Set pod priorityClassName
+    # priorityClassName: ""
+
+    podSecurityContext: {}
+
+    securityContext: {}
+
+    serviceAccount:
+      # Specifies whether a ServiceAccount should be created
+      create: true
+
+      # Annotations to add to the service account
+      annotations: {}
+
+      # The name of the ServiceAccount to use.
+      # If not set and create is true, a name is generated using the fullname template
+      name:
+
+    resources: {}
+      # limits:
+      #  cpu: 100m
+      #  memory: 128Mi
+      # requests:
+      #  cpu: 100m
+      #  memory: 128Mi
+
+    nodeSelector: {}
+
+    tolerations: []
+
+    affinity: {}
+
+    # Additional labels for any resource created
+    labels: {}
+
+    podDisruptionBudget:
+      enabled: false
+      maxUnavailable: 1

infrastructure/controllers/nfs-subdir-external-provisioner/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nfs-subdir-external-provisioner
+  namespace: nfs-subdir-external-provisioner
+spec:
+  interval: 15m
+  url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner

infrastructure/controllers/nvidia-device-plugin/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nvidia-device-plugin

infrastructure/controllers/nvidia-device-plugin/release.yaml

@@ -0,0 +1,175 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: nvidia-device-plugin
+  namespace: nvidia-device-plugin
+spec:
+  chart:
+    spec:
+      chart: nvidia-device-plugin
+      version: 0.x
+      sourceRef:
+        kind: HelmRepository
+        name: nvidia-device-plugin
+  interval: 15m
+  timeout: 5m
+  releaseName: nvidia-device-plugin
+  values:
+    # Plugin configuration
+    # Only one of "name" or "map" should ever be set for a given deployment.
+    # Use "name" to point to an external ConfigMap with a list of configurations.
+    # Use "map" to build an integrated ConfigMap from a set of configurations as
+    # part of this helm chart. An example of setting "map" might be:
+    # config:
+    #   map:
+    #     default: |-
+    #       version: v1
+    #       flags:
+    #         migStrategy: none
+    #     mig-single: |-
+    #       version: v1
+    #       flags:
+    #         migStrategy: single
+    #     mig-mixed: |-
+    #       version: v1
+    #       flags:
+    #         migStrategy: mixed
+    config:
+      # ConfigMap name if pulling from an external ConfigMap
+      name: ""
+      # Set of named configs to build an integrated ConfigMap from
+      map: {}
+      # Default config name within the ConfigMap
+      default: ""
+      # List of fallback strategies to attempt if no config is selected and no default is provided
+      fallbackStrategies: ["named" , "single"]
+
+    compatWithCPUManager: null
+    migStrategy: null
+    failOnInitError: null
+    deviceListStrategy: null
+    deviceIDStrategy: null
+    nvidiaDriverRoot: null
+    gdsEnabled: null
+    mofedEnabled: null
+    deviceDiscoveryStrategy: null
+
+    nameOverride: ""
+    fullnameOverride: ""
+    namespaceOverride: ""
+    selectorLabelsOverride: {}
+
+    allowDefaultNamespace: false
+
+    imagePullSecrets: []
+    image:
+      repository: nvcr.io/nvidia/k8s-device-plugin
+      pullPolicy: IfNotPresent
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: ""
+
+    updateStrategy:
+      type: RollingUpdate
+
+    podAnnotations: {}
+    podSecurityContext: {}
+    securityContext: {}
+
+    resources: {}
+    nodeSelector: {}
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            # On discrete-GPU based systems NFD adds the following label where 10de is the NVIDIA PCI vendor ID
+            - key: feature.node.kubernetes.io/pci-10de.present
+              operator: In
+              values:
+              - "true"
+          - matchExpressions:
+            # On some Tegra-based systems NFD detects the CPU vendor ID as NVIDIA
+            - key: feature.node.kubernetes.io/cpu-model.vendor_id
+              operator: In
+              values:
+              - "NVIDIA"
+          - matchExpressions:
+            # We allow a GPU deployment to be forced by setting the following label to "true"
+            - key: "nvidia.com/gpu.present"
+              operator: In
+              values:
+              - "true"
+    tolerations:
+      # This toleration is deprecated. Kept here for backward compatibility
+      # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: nvidia.com/gpu
+        operator: Exists
+        effect: NoSchedule
+
+    # Mark this pod as a critical add-on; when enabled, the critical add-on
+    # scheduler reserves resources for critical add-on pods so that they can
+    # be rescheduled after a failure.
+    # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
+    priorityClassName: "system-node-critical"
+
+    runtimeClassName: nvidia
+
+    devicePlugin:
+      enabled: true
+
+    gfd:
+      enabled: true
+      nameOverride: gpu-feature-discovery
+      namespaceOverride: ""
+      noTimestamp: null
+      sleepInterval: null
+      securityContext:
+        # privileged access is required for the gpu-feature-discovery to access the
+        # vgpu info on a host.
+        # TODO: This should be optional and detected automatically.
+        privileged: true
+
+    # Helm dependency
+    nfd:
+      nameOverride: node-feature-discovery
+      enableNodeFeatureApi: false
+      master:
+        serviceAccount:
+          name: node-feature-discovery
+          create: true
+        config:
+          extraLabelNs: ["nvidia.com"]
+
+      worker:
+        tolerations:
+        - key: "node-role.kubernetes.io/master"
+          operator: "Equal"
+          value: ""
+          effect: "NoSchedule"
+        - key: "nvidia.com/gpu"
+          operator: "Equal"
+          value: "present"
+          effect: "NoSchedule"
+        config:
+          sources:
+            pci:
+              deviceClassWhitelist:
+              - "02"
+              - "03"
+              deviceLabelFields:
+              - vendor
+
+    mps:
+      # root specifies the location where files and folders for managing MPS will
+      # be created. This includes a daemon-specific /dev/shm and pipe and log
+      # directories.
+      # Pipe directories will be created at {{ mps.root }}/{{ .ResourceName }}
+      root: "/run/nvidia/mps"
+
+
+    cdi:
+      # nvidiaHookPath specifies the path to the nvidia-cdi-hook or nvidia-ctk executables on the host.
+      # This is required to ensure that the generated CDI specification refers to the correct CDI hooks.
+      nvidiaHookPath: null

infrastructure/controllers/nvidia-device-plugin/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nvidia-device-plugin
+  namespace: nvidia-device-plugin
+spec:
+  interval: 15m
+  url: https://nvidia.github.io/k8s-device-plugin

infrastructure/controllers/reflector/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: reflector

infrastructure/controllers/reflector/release.yaml

@@ -0,0 +1,122 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: reflector
+  namespace: reflector
+spec:
+  chart:
+    spec:
+      chart: reflector
+      version: v7.x
+      sourceRef:
+        kind: HelmRepository
+        name: reflector
+  interval: 15m
+  timeout: 5m
+  releaseName: reflector
+  values:
+    # Default values for reflector.
+    # This is a YAML-formatted file.
+    # Declare variables to be passed into your templates.
+
+    replicaCount: 2
+
+    image:
+      repository: emberstack/kubernetes-reflector
+      pullPolicy: IfNotPresent
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: ""
+
+    imagePullSecrets: []
+    nameOverride: ""
+    fullnameOverride: ""
+
+    cron:
+      enabled: false
+      schedule: "*/5 * * * *"
+      activeDeadlineSeconds: 600
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+
+    configuration:
+      logging:
+        minimumLevel: Information
+      watcher:
+        timeout: ""
+      kubernetes:
+        skipTlsVerify: false
+
+    rbac:
+      enabled: true
+
+    serviceAccount:
+      # Specifies whether a service account should be created
+      create: true
+      # Annotations to add to the service account
+      annotations: {}
+      # The name of the service account to use.
+      # If not set and create is true, a name is generated using the fullname template
+      name: ""
+
+    # additional annotations to set on the pod
+    podAnnotations: {}
+    # additional labels to set on the pod
+    podLabels: {}
+    # additional env vars to add to the pod
+    extraEnv: []
+
+    podSecurityContext:
+      fsGroup: 2000
+
+    securityContext:
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: false
+      runAsNonRoot: true
+      runAsUser: 1000
+
+    healthcheck:
+      httpGet:
+        path: /healthz
+        port: http
+
+    livenessProbe:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+    readinessProbe:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+    startupProbe:
+      # The application will have a maximum of 50s (10 * 5 = 50s) to finish its startup.
+      failureThreshold: 10
+      periodSeconds: 5
+
+    resources:
+      {}
+      # We usually recommend not to specify default resources and to leave this as a conscious
+      # choice for the user. This also increases chances charts run on environments with little
+      # resources, such as Minikube. If you do want to specify resources, uncomment the following
+      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    autoscaling:
+      enabled: false
+      minReplicas: 1
+      maxReplicas: 100
+      targetCPUUtilizationPercentage: 80
+      # targetMemoryUtilizationPercentage: 80
+
+    nodeSelector: {}
+
+    tolerations: []
+
+    affinity: {}
+
+    priorityClassName: ""

infrastructure/controllers/reflector/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: reflector
+  namespace: reflector
+spec:
+  interval: 15m
+  url: https://emberstack.github.io/helm-charts

infrastructure/controllers/sealed-secrets/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sealed-secrets

infrastructure/controllers/sealed-secrets/release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: sealed-secrets
+  namespace: sealed-secrets
+spec:
+  chart:
+    spec:
+      chart: sealed-secrets
+      version: 2.x
+      sourceRef:
+        kind: HelmRepository
+        name: sealed-secrets
+  interval: 15m
+  timeout: 5m
+  releaseName: sealed-secrets
+  values:

infrastructure/controllers/sealed-secrets/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: sealed-secrets
+  namespace: sealed-secrets
+spec:
+  interval: 15m
+  url: https://bitnami-labs.github.io/sealed-secrets

infrastructure/controllers/traefik/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: server.michaelthomson.dev
+  namespace: traefik
+spec:
+  endpoints:
+  - dnsName: server.michaelthomson.dev
+    recordTTL: 180
+    recordType: A
+    targets:
+    - 192.168.2.200

infrastructure/controllers/traefik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik

infrastructure/controllers/traefik/release.yaml

@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  chart:
+    spec:
+      chart: traefik
+      version: 27.x 
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+  interval: 15m
+  timeout: 5m
+  releaseName: traefik
+  values:
+    providers:
+      kubernetesCRD:
+        allowCrossNamespace: true
+    ingressRoute:
+      dashboard:
+        matchRule: Host(`server.michaelthomson.dev`)
+        entryPoints: ["websecure"]
+        tls:
+          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          domains:
+            - main: server.michaelthomson.dev
+    ports:
+      wireguard-udp:
+        port: 51822
+        protocol: UDP
+        expose:
+          default: true
+
+    service:
+      annotations: 
+        metallb.universe.tf/loadBalancerIPs: 192.168.2.200
+
+    logs:
+      access:
+        enabled: true

infrastructure/controllers/traefik/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 15m
+  url: https://helm.traefik.io/traefik