privileged gitea

apps/baikal/deployment.yaml

@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: baikal
-  namespace: baikal
-spec:
-  selector:
-    matchLabels:
-      app: baikal
-  template:
-    metadata:
-      labels:
-        app: baikal
-    spec:
-      containers:
-        - name: baikal
-          image: ckulka/baikal:nginx
-          ports:
-            - containerPort: 80
-              name: http
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/www/baikal/config
-              name: config
-            - mountPath: /var/www/baikal/Specific
-              name: data
-      restartPolicy: Always
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: config
-        - name: data
-          persistentVolumeClaim:
-            claimName: data

apps/baikal/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: baikal
-  namespace: baikal
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: baikal.michaelthomson.dev
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: /
-        backend:
-          service:
-            name: baikal
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - baikal.michaelthomson.dev
-      secretName: baikal-tls

apps/baikal/pvc-config.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: config
-  namespace: baikal
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

apps/baikal/pvc-data.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: data
-  namespace: baikal
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

apps/baikal/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: baikal
-  namespace: baikal
-spec:
-  selector:
-    app: baikal
-  ports:
-    - name: http
-      port: 80
-      targetPort: http

apps/immich/cluster.yaml

@@ -8,7 +8,7 @@ metadata:
     cnpg.io/skipEmptyWalArchiveCheck: enabled
 spec:
   imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
-  instances: 2
+  instances: 3
 
   postgresql:
     shared_preload_libraries:

apps/minecraft/release.yaml

@@ -1,50 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: minecraft
-  namespace: minecraft
-spec:
-  chart:
-    spec:
-      chart: minecraft
-      version: 5.x
-      sourceRef:
-        kind: HelmRepository
-        name: minecraft
-  interval: 15m
-  releaseName: minecraft
-  values:
-    serviceAnnotations:
-      metallb.io/loadBalancerIPs: 192.168.18.201
-
-    minecraftServer:
-      # This must be overridden, since we can't accept this for the user.
-      eula: true
-      # One of: LATEST, SNAPSHOT, or a specific version (ie: "1.7.9").
-      version: "LATEST"
-      ## The type of Minecraft server to run, check for related settings below
-      ## Common types: "VANILLA", "FABRIC", "FORGE", "SPIGOT", "BUKKIT", "PAPER",
-      ## "FTBA", "SPONGEVANILLA", "AUTO_CURSEFORGE"
-      ## ref: https://docker-minecraft-server.readthedocs.io/en/latest/types-and-platforms
-      type: "VANILLA"
-      # One of: peaceful, easy, normal, and hard
-      difficulty: normal
-      # A comma-separated list of player names to whitelist.
-      whitelist: DrDeww,lolobinbolo
-      # A comma-separated list of player names who should be admins.
-      ops: DrDeww
-      # A server icon URL for server listings. Auto-scaled and transcoded.
-      icon:
-      # Message of the Day
-      motd: "Welcome to Michael's Minecraft Server"
-      worldSaveName: world
-      # If you adjust this, you may need to adjust resources.requests above to match.
-      memory: 1024M
-      serviceType: LoadBalancer
-
-    persistence:
-      dataDir:
-        enabled: true
-        Size: 8Gi
-        accessModes:
-          - ReadWriteOnce

apps/minecraft/repository.yaml

@@ -1,9 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: minecraft
-  namespace: minecraft
-spec:
-  interval: 15m
-  url: https://itzg.github.io/minecraft-server-charts/
-

apps/nextcloud/release.yaml

@@ -7,7 +7,7 @@ spec:
   chart:
     spec:
       chart: nextcloud
-      version: 8.x
+      version: 9.x
       sourceRef:
         kind: HelmRepository
         name: nextcloud
@@ -126,47 +126,6 @@ spec:
       global:
         storageClass: longhorn
 
-    collabora:
-      enabled: true
-
-      # image:
-      #   tag: 24.04.11.1.1
-
-      collabora:
-        extra_params: --o:ssl.enable=false --o:ssl.termination=true
-
-        existingSecret:
-          enabled: true
-          secretName: "collabora-secret"
-          usernameKey: "username"
-          passwordKey: "password"
-
-      # securityContext:
-      #   runAsNonRoot: true
-      #   privileged: true
-      #   capabilities:
-      #     add:
-      #       - SYS_ADMIN
-      #       - MKNOD
-
-      ingress:
-        enabled: true
-        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-prod"
-          external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          traefik.ingress.kubernetes.io/router.tls: "true"
-        hosts:
-          - host: collabora.michaelthomson.dev
-            paths:
-            - path: /
-              pathType: ImplementationSpecific
-        tls:
-          - hosts:
-              - collabora.michaelthomson.dev
-            secretName: collabora-tls
-
     cronjob:
       enabled: true
 

apps/ntfy/deployment.yaml

@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app: ntfy
-spec:
-  revisionHistoryLimit: 1
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ntfy
-  template:
-    metadata:
-      labels:
-        app: ntfy
-    spec:
-      containers:
-        - name: ntfy
-          image: binwiederhier/ntfy:v1.28.0
-          args: ["serve"]
-          env:
-            - name: TZ
-              value: America/Toronto
-            - name: NTFY_DEBUG
-              value: "false"
-            - name: NTFY_LOG_LEVEL
-              value: INFO
-            - name: NTFY_BASE_URL
-              value: https://ntfy.michaelthomson.dev
-          ports: 
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - mountPath: /etc/ntfy
-              subPath: server.yml
-              name: config-volume
-            - mountPath: /var/cache/ntfy
-              name: cache-volume
-      volumes:
-        - name: config-volume
-          configMap:
-            name: server-config
-        - name: cache-volume
-          persistentVolumeClaim:
-            claimName: pvc

apps/ntfy/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ntfy
-  namespace: ntfy
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: ntfy.michaelthomson.dev
-    http:
-      paths:
-      - pathType: Prefix
-        path: /
-        backend:
-          service:
-            name: service
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - ntfy.michaelthomson.dev
-      secretName: ntfy-tls

apps/ntfy/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: pvc
-  namespace: ntfy
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 1Gi

apps/ntfy/server-config.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: server-config
-  namespace: ntfy
-data:
-  server.yml: |
-    cache-file: "/var/cache/ntfy/cache.db"
-    attachment-cache-dir: "/var/cache/ntfy/attachments"

apps/ntfy/service.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: service
-  namespace: ntfy
-spec:
-  type: ClusterIP
-  selector:
-    app: ntfy
-  ports:
-    - name: http
-      protocol: TCP
-      port: 80
-      targetPort:  http

apps/ollama/release.yaml

@@ -1,56 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: ollama
-  namespace: ollama
-spec:
-  chart:
-    spec:
-      chart: ollama
-      version: 1.x
-      sourceRef:
-        kind: HelmRepository
-        name: otwld
-  interval: 15m
-  releaseName: ollama
-  values:
-    runtimeClassName: nvidia
-    ollama:
-      gpu:
-        # -- Enable GPU integration
-        enabled: true
-        
-        # -- GPU type: 'nvidia' or 'amd'
-        type: 'nvidia'
-        
-        # -- Specify the number of GPU to 1
-        number: 1
-
-        nvidiaResource: "nvidia.com/gpu-all"
-       
-      # -- List of models to pull at container startup
-      models:
-        create:
-          - name: qwen3.5:9b-ctx32768
-            template: |
-              FROM qwen3.5:9b
-              PARAMETER num_ctx 32768
-        run:
-          - qwen3.5:9b-ctx32768
-
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: "letsencrypt-prod"
-        traefik.ingress.kubernetes.io/router.tls: "true"
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      hosts:
-      - host: ollama.michaelthomson.dev
-        paths:
-          - path: /
-            pathType: Prefix
-      path: /
-      tls:
-        - secretName: ollama-tls
-          hosts:
-            - ollama.michaelthomson.dev

apps/ollama/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: otwld
-  namespace: ollama
-spec:
-  interval: 15m
-  url: https://helm.otwld.com/

apps/open-webui/release.yaml

@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: open-webui
-  namespace: open-webui
-spec:
-  chart:
-    spec:
-      chart: open-webui
-      version: 12.x
-      sourceRef:
-        kind: HelmRepository
-        name: open-webui
-  interval: 15m
-  releaseName: open-webui
-  values:
-    ollama:
-      enabled: false
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: "letsencrypt-prod"
-        traefik.ingress.kubernetes.io/router.tls: "true"
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      host: "chat.michaelthomson.dev" # update to your real domain
-      tls: true
-      existingSecret: open-webui-tls

apps/open-webui/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: open-webui
-  namespace: open-webui
-spec:
-  interval: 15m
-  url: https://helm.openwebui.com/

apps/wg-easy/config.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: wg-easy-config
-  namespace: wg-easy
-data:
-  LANG: "en"
-  WG_HOST: "wireguard.michaelthomson.dev"
-  WG_PORT: "30000"
-  UI_TRAFFIC_STATS: "true"
-  UI_CHART_TYPE: "1"
-  ENABLE_PROMETHEUS_METRICS: "true"

apps/wg-easy/deployment.yaml

@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-spec:
-  selector:
-    matchLabels:
-      app: wg-easy
-  template:
-    metadata:
-      labels:
-        app: wg-easy
-    spec:
-      # securityContext:
-      #   sysctls:
-      #   - name: net.ipv4.ip_forward
-      #     value: "1"
-      #   - name: net.ipv4.conf.all.src_valid_mark
-      #     value: "1"
-      containers:
-      - name: wg-easy
-        image: ghcr.io/wg-easy/wg-easy
-        imagePullPolicy: Always
-        envFrom:
-        - configMapRef:
-            name: wg-easy-config
-            optional: false
-        ports:
-        - containerPort: 30000
-          name: wg
-          protocol: UDP
-        - containerPort: 51821
-          name: http
-          protocol: TCP
-        securityContext:
-          capabilities:
-            add:
-            - NET_ADMIN
-            - SYS_MODULE
-        volumeMounts:
-        - name: config
-          mountPath: /etc/wireguard
-      restartPolicy: Always
-      volumes:
-      - name: config
-        persistentVolumeClaim:
-          claimName: wg-easy-config

apps/wg-easy/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: wireguard.michaelthomson.dev
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: /
-        backend:
-          service:
-            name: wg-easy
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - wireguard.michaelthomson.dev
-      secretName: wg-easy-tls

apps/wg-easy/pvc-config.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wg-easy-config
-  namespace: wg-easy
-spec:
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
-  accessModes:
-    - ReadWriteOnce

apps/wg-easy/service-dns.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: wg-easy-dns
-  namespace: wg-easy
-  annotations:
-    metallb.io/loadBalancerIPs: 192.168.18.245
-spec:
-  type: LoadBalancer
-  selector:
-    app: wg-easy
-  ports:
-  - name: wg
-    port: 30000
-    targetPort: wg
-    protocol: UDP

apps/wg-easy/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-spec:
-  selector:
-    app: wg-easy
-  ports:
-  - port: 80
-    targetPort: http
-    name: http

bootstrap/apps/kustomization-baikal.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: baikal
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/baikal
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-minecraft.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: minecraft
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/minecraft
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-ntfy.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: ntfy
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/ntfy
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-ollama.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: ollama
-  namespace: flux-system
-spec:
-  interval: 1m
-  path: ./apps/ollama
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-open-webui.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: open-webui
-  namespace: flux-system
-spec:
-  interval: 1m
-  path: ./apps/open-webui
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-wg-easy.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: wg-easy
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/wg-easy
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

infrastructure/controllers/metallb/release.yaml

@@ -14,3 +14,5 @@ spec:
   interval: 15m
   releaseName: metallb
   values:
+    speaker:
+      ignoreExcludeLB: true

infrastructure/namespaces/namespace-baikal.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: baikal

infrastructure/namespaces/namespace-gitea.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: gitea
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-homeassistant.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: homeassistant
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-longhorn.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: longhorn-system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-media.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: media
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-metallb.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: metallb-system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-minecraft.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: minecraft

infrastructure/namespaces/namespace-ntfy.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ntfy

infrastructure/namespaces/namespace-ollama.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ollama

infrastructure/namespaces/namespace-open-webui.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: open-webui

infrastructure/namespaces/namespace-sealed-secrets.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: sealed-secrets

infrastructure/namespaces/namespace-wg-easy.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: wg-easy