Split manifests into infra/ and applications/
This commit is contained in:
51
applications/authentik/authentik-httproute.yaml
Normal file
51
applications/authentik/authentik-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: authentik-route
|
||||
namespace: authentik
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: authentik
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: authentik
|
||||
hostnames:
|
||||
- "auth.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "auth.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: authentik-server
|
||||
port: 80
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: authentik-postgres-data
|
||||
namespace: authentik
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
@@ -0,0 +1,11 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: authentik-postgresql
|
||||
namespace: authentik
|
||||
spec:
|
||||
selector:
|
||||
app: authentik-postgresql
|
||||
ports:
|
||||
- port: 5432
|
||||
targetPort: 5432
|
||||
@@ -0,0 +1,52 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: authentik-postgresql
|
||||
namespace: authentik
|
||||
spec:
|
||||
serviceName: authentik-postgresql
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authentik-postgresql
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authentik-postgresql
|
||||
spec:
|
||||
containers:
|
||||
- name: authentik-postgresql
|
||||
image: postgres:16-alpine
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
env:
|
||||
- name: POSTGRES_DB
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_name
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_user
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_password
|
||||
- name: PGDATA
|
||||
value: /var/lib/postgresql/data/pgdata
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
memory: 512Mi
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: authentik-postgres-data
|
||||
106
applications/authentik/server/authentik-server-deployment.yaml
Normal file
106
applications/authentik/server/authentik-server-deployment.yaml
Normal file
@@ -0,0 +1,106 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: authentik-server
|
||||
namespace: authentik
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authentik-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authentik-server
|
||||
spec:
|
||||
containers:
|
||||
- name: authentik
|
||||
image: ghcr.io/goauthentik/server:2026.5.2
|
||||
command: ["ak"]
|
||||
args: ["server"]
|
||||
ports:
|
||||
- containerPort: 9000
|
||||
name: http
|
||||
- containerPort: 9443
|
||||
name: https
|
||||
env:
|
||||
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_host
|
||||
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_name
|
||||
- name: AUTHENTIK_POSTGRESQL__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_user
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_password
|
||||
- name: AUTHENTIK_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_host
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_port
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_username
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_password
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_from
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_use_tls
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
- name: templates
|
||||
mountPath: /templates
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
memory: 1Gi
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: authentik-server-data
|
||||
- name: templates
|
||||
emptyDir: {}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: 512Mi
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: authentik-server-data
|
||||
namespace: authentik
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
15
applications/authentik/server/authentik-server-service.yaml
Normal file
15
applications/authentik/server/authentik-server-service.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: authentik-server
|
||||
namespace: authentik
|
||||
spec:
|
||||
selector:
|
||||
app: authentik-server
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 9000
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 9443
|
||||
107
applications/authentik/worker/authentik-worker-deployment.yaml
Normal file
107
applications/authentik/worker/authentik-worker-deployment.yaml
Normal file
@@ -0,0 +1,107 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: authentik-worker
|
||||
namespace: authentik
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authentik-worker
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authentik-worker
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
containers:
|
||||
- name: authentik
|
||||
image: ghcr.io/goauthentik/server:2026.5.2
|
||||
command: ["ak"]
|
||||
args: ["worker"]
|
||||
env:
|
||||
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_host
|
||||
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_name
|
||||
- name: AUTHENTIK_POSTGRESQL__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_user
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: db_password
|
||||
- name: AUTHENTIK_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_host
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_port
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_username
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_password
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_from
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: email_use_tls
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
- name: certs
|
||||
mountPath: /certs
|
||||
- name: templates
|
||||
mountPath: /templates
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
memory: 1Gi
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: authentik-worker-data
|
||||
- name: templates
|
||||
emptyDir: {}
|
||||
- name: certs
|
||||
emptyDir: {}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: 512Mi
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: authentik-worker-data
|
||||
namespace: authentik
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
14
applications/azure-ddns-python/azure-ddns-service.yaml
Executable file
14
applications/azure-ddns-python/azure-ddns-service.yaml
Executable file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: azure-ddns
|
||||
namespace: azure-ddns
|
||||
spec:
|
||||
selector:
|
||||
app: azure-ddns
|
||||
ports:
|
||||
- name: azure-ddns
|
||||
port: 443
|
||||
targetPort: 443
|
||||
protocol: TCP
|
||||
type: ClusterIP
|
||||
69
applications/azure-ddns-python/azure-ddns-statefulset.yaml
Executable file
69
applications/azure-ddns-python/azure-ddns-statefulset.yaml
Executable file
@@ -0,0 +1,69 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: azure-ddns
|
||||
namespace: azure-ddns
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: azure-ddns
|
||||
serviceName: azure-ddns
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: azure-ddns
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: azure-ddns
|
||||
image: gitea.jsme.be/jeffrey/azure-ddns-python:1.1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
env:
|
||||
- name: AZURE_TENANT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: TENANT_ID
|
||||
- name: AZURE_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: CLIENT_ID
|
||||
- name: AZURE_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: CLIENT_SECRET
|
||||
- name: AZURE_SUBSCRIPTION_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: SUBSCRIPTION_ID
|
||||
- name: AZURE_RESOURCE_GROUP
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: RESOURCE_GROUP
|
||||
- name: AZURE_ZONE_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: AZURE_ZONE_NAME
|
||||
- name: GOTIFY_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: GOTIFY_URL
|
||||
- name: GOTIFY_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-ddns-secrets
|
||||
key: GOTIFY_TOKEN
|
||||
restartPolicy: Always
|
||||
29
applications/bentopdf/bentopdf-deployment.yaml
Normal file
29
applications/bentopdf/bentopdf-deployment.yaml
Normal file
@@ -0,0 +1,29 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: bentopdf
|
||||
name: bentopdf
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bentopdf
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bentopdf
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: bentopdf
|
||||
image: ghcr.io/alam00000/bentopdf:v2.8.2-amd64
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
51
applications/bentopdf/bentopdf-httproute.yaml
Normal file
51
applications/bentopdf/bentopdf-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: bentopdf-route
|
||||
namespace: bentopdf
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: bentopdf
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: bentopdf
|
||||
hostnames:
|
||||
- "pdf.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "pdf.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: bentopdf
|
||||
port: 8080
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
13
applications/bentopdf/bentopdf-service.yaml
Normal file
13
applications/bentopdf/bentopdf-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: bentopdf
|
||||
namespace: bentopdf
|
||||
spec:
|
||||
selector:
|
||||
app: bentopdf
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
type: ClusterIP
|
||||
12
applications/comfyui/comfyui-persistentvolumeclaim.yaml
Normal file
12
applications/comfyui/comfyui-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: comfyui-pvc
|
||||
namespace: comfyui
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 50Gi
|
||||
13
applications/comfyui/comfyui-service.yaml
Normal file
13
applications/comfyui/comfyui-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: comfyui
|
||||
namespace: comfyui
|
||||
spec:
|
||||
selector:
|
||||
app: comfyui
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8188
|
||||
targetPort: 8188
|
||||
type: ClusterIP
|
||||
44
applications/comfyui/comfyui-statefulset.yaml
Normal file
44
applications/comfyui/comfyui-statefulset.yaml
Normal file
@@ -0,0 +1,44 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: comfyui
|
||||
namespace: comfyui
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: comfyui
|
||||
serviceName: comfyui
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: comfyui
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 30
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: kubernetes-worker-1.jsme.be
|
||||
containers:
|
||||
- name: comfyui
|
||||
image: ghcr.io/ai-dock/comfyui:latest
|
||||
ports:
|
||||
- containerPort: 8188
|
||||
env:
|
||||
- name: COMFYUI_FLAGS
|
||||
value: "--listen 0.0.0.0 --port 8188 --use-xpu"
|
||||
- name: AUTO_UPDATE
|
||||
value: "false"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /config
|
||||
- name: dri
|
||||
mountPath: /dev/dri
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: comfyui-pvc
|
||||
- name: dri
|
||||
hostPath:
|
||||
path: /dev/dri
|
||||
46
applications/databasus/databasus-httproute.yaml
Normal file
46
applications/databasus/databasus-httproute.yaml
Normal file
@@ -0,0 +1,46 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: databasus-route
|
||||
namespace: databasus
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: databasus
|
||||
hostnames:
|
||||
- "databasus.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "databasus.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: databasus-svc
|
||||
port: 4005
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
4
applications/databasus/databasus-namespace.yaml
Normal file
4
applications/databasus/databasus-namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: databasus
|
||||
12
applications/databasus/databasus-persistentvolumeclaim.yaml
Normal file
12
applications/databasus/databasus-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: databasus-pvc
|
||||
namespace: databasus
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: longhorn-static
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
13
applications/databasus/databasus-service.yaml
Normal file
13
applications/databasus/databasus-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: databasus-svc
|
||||
namespace: databasus
|
||||
spec:
|
||||
ports:
|
||||
- name: databasus
|
||||
port: 4005
|
||||
targetPort: 4005
|
||||
selector:
|
||||
app: databasus
|
||||
type: ClusterIP
|
||||
38
applications/databasus/databasus-statefulset.yaml
Normal file
38
applications/databasus/databasus-statefulset.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: databasus
|
||||
namespace: databasus
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: databasus
|
||||
serviceName: databasus-svc
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: databasus
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: databasus
|
||||
image: databasus/databasus:latest
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 2Gi
|
||||
ports:
|
||||
- containerPort: 4005
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /databasus-data
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: databasus-pvc
|
||||
29
applications/excalidraw/excalidraw-deployment.yaml
Normal file
29
applications/excalidraw/excalidraw-deployment.yaml
Normal file
@@ -0,0 +1,29 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: excalidraw
|
||||
namespace: excalidraw
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: excalidraw
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: excalidraw
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: excalidraw
|
||||
image: excalidraw/excalidraw:latest
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
ports:
|
||||
- containerPort: 80
|
||||
51
applications/excalidraw/excalidraw-httproute.yaml
Normal file
51
applications/excalidraw/excalidraw-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: excalidraw-route
|
||||
namespace: excalidraw
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: excalidraw
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: excalidraw
|
||||
hostnames:
|
||||
- "draw.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "draw.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: excalidraw
|
||||
port: 80
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
13
applications/excalidraw/excalidraw-service.yaml
Normal file
13
applications/excalidraw/excalidraw-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: excalidraw
|
||||
namespace: excalidraw
|
||||
spec:
|
||||
selector:
|
||||
app: excalidraw
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 80
|
||||
type: ClusterIP
|
||||
51
applications/gitea/gitea-httproute.yaml
Normal file
51
applications/gitea/gitea-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: gitea-route
|
||||
namespace: gitea
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: gitea
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: gitea
|
||||
hostnames:
|
||||
- "gitea.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "gitea.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: gitea
|
||||
port: 3000
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
4
applications/gitea/gitea-namespace.yaml
Normal file
4
applications/gitea/gitea-namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: gitea
|
||||
38
applications/gitea/gitea/gitea-persistentvolumeclaim.yaml
Normal file
38
applications/gitea/gitea/gitea-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: containers-data-smb
|
||||
spec:
|
||||
capacity:
|
||||
storage: 5Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
mountOptions:
|
||||
- dir_mode=0700
|
||||
- file_mode=0700
|
||||
- noperm
|
||||
- uid=1000
|
||||
- gid=1000
|
||||
csi:
|
||||
driver: smb.csi.k8s.io
|
||||
volumeHandle: containers
|
||||
volumeAttributes:
|
||||
source: "//10.8.14.2/containers"
|
||||
nodeStageSecretRef:
|
||||
name: gitea-secrets
|
||||
namespace: gitea
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: gitea
|
||||
name: gitea-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: containers-data-smb
|
||||
storageClassName: ""
|
||||
14
applications/gitea/gitea/gitea-service.yaml
Normal file
14
applications/gitea/gitea/gitea-service.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: gitea
|
||||
spec:
|
||||
selector:
|
||||
app: gitea
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: gitea-svc
|
||||
protocol: TCP
|
||||
port: 3000
|
||||
targetPort: 3000
|
||||
71
applications/gitea/gitea/gitea-statefulset.yaml
Normal file
71
applications/gitea/gitea/gitea-statefulset.yaml
Normal file
@@ -0,0 +1,71 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
serviceName: gitea
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: gitea
|
||||
image: docker.gitea.com/gitea:1.25
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 1Gi
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
subPath: Gitea
|
||||
env:
|
||||
- name: GITEA__database__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_host
|
||||
- name: GITEA__database__DB_TYPE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_type
|
||||
- name: GITEA__database__NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_name
|
||||
- name: GITEA__database__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_user
|
||||
- name: GITEA__database__PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_password
|
||||
- name: USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: gitea_user
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea-pvc
|
||||
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: gitea
|
||||
name: gitea-postgresql-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: longhorn-static
|
||||
volumeName: gitea-postgresql-data
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
14
applications/gitea/postgres/gitea-postgres-service.yaml
Normal file
14
applications/gitea/postgres/gitea-postgres-service.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gitea-postgresql
|
||||
namespace: gitea
|
||||
spec:
|
||||
selector:
|
||||
app: gitea-postgresql
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: postgresql-port
|
||||
protocol: TCP
|
||||
port: 5432
|
||||
targetPort: 5432
|
||||
55
applications/gitea/postgres/gitea-postgres-statefulset.yaml
Normal file
55
applications/gitea/postgres/gitea-postgres-statefulset.yaml
Normal file
@@ -0,0 +1,55 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: gitea
|
||||
name: gitea-postgresql
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea-postgresql
|
||||
serviceName: gitea-postgresql
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea-postgresql
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: gitea-postgresql
|
||||
image: postgres:18
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
volumeMounts:
|
||||
- name: gitea-postgresql-database
|
||||
mountPath: /var/lib/postgresql/volumes/pgdata
|
||||
env:
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_password
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_user
|
||||
- name: POSTGRES_DB
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secrets
|
||||
key: db_name
|
||||
- name: PGDATA
|
||||
value: /var/lib/postgresql/volumes/pgdata/data
|
||||
volumes:
|
||||
- name: gitea-postgresql-database
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea-postgresql-pvc
|
||||
500
applications/gitea/runner/GITEA-ACTIONS.md
Normal file
500
applications/gitea/runner/GITEA-ACTIONS.md
Normal file
@@ -0,0 +1,500 @@
|
||||
# Gitea Actions Reference
|
||||
|
||||
> Based on Gitea 1.21+ and act_runner v0.2.x
|
||||
> Gitea Actions is compatible with GitHub Actions syntax. Both `github.*` and `gitea.*` context namespaces work; prefer `gitea.*` for Gitea-specific deployments.
|
||||
|
||||
---
|
||||
|
||||
## Table of Contents
|
||||
|
||||
1. [Workflow File Location](#workflow-file-location)
|
||||
2. [Trigger Events (`on:`)](#trigger-events-on)
|
||||
3. [Context Variables](#context-variables)
|
||||
4. [Secrets](#secrets)
|
||||
5. [Variables (`vars`)](#variables-vars)
|
||||
6. [Built-in Environment Variables](#built-in-environment-variables)
|
||||
7. [Expression Syntax & Functions](#expression-syntax--functions)
|
||||
8. [Runner Labels](#runner-labels)
|
||||
9. [Differences from GitHub Actions](#differences-from-github-actions)
|
||||
10. [Unsupported Features](#unsupported-features)
|
||||
11. [Badge URLs](#badge-urls)
|
||||
|
||||
---
|
||||
|
||||
## Workflow File Location
|
||||
|
||||
```
|
||||
.gitea/workflows/<name>.yaml
|
||||
```
|
||||
|
||||
Basic structure:
|
||||
|
||||
```yaml
|
||||
name: My Workflow
|
||||
run-name: ${{ gitea.actor }} triggered ${{ gitea.event_name }}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Run something
|
||||
run: echo "Hello from ${{ gitea.actor }}"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Trigger Events (`on:`)
|
||||
|
||||
### Supported Events
|
||||
|
||||
| Event | Activity Types |
|
||||
|---|---|
|
||||
| `push` | — |
|
||||
| `pull_request` | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `synchronize`, `labeled`, `unlabeled` |
|
||||
| `pull_request_review` | `submitted`, `edited` |
|
||||
| `pull_request_review_comment` | `created`, `edited` |
|
||||
| `issues` | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `milestoned`, `demilestoned`, `labeled`, `unlabeled` |
|
||||
| `issue_comment` | `created`, `edited`, `deleted` |
|
||||
| `release` | `published`, `edited` |
|
||||
| `registry_package` | `published` |
|
||||
| `create` | — |
|
||||
| `delete` | — |
|
||||
| `fork` | — |
|
||||
| `gollum` | — |
|
||||
| `workflow_dispatch` | — |
|
||||
| `workflow_run` | `requested`, `completed` |
|
||||
| `schedule` | — |
|
||||
|
||||
### Filter Options
|
||||
|
||||
```yaml
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- 'feature/**'
|
||||
tags:
|
||||
- 'v*'
|
||||
paths:
|
||||
- 'src/**'
|
||||
pull_request:
|
||||
types: [opened, synchronize]
|
||||
branches:
|
||||
- main
|
||||
schedule:
|
||||
- cron: '0 1 * * *'
|
||||
- cron: '@daily' # Gitea extension (not available in GitHub Actions)
|
||||
- cron: '@hourly' # Gitea extension
|
||||
- cron: '@weekly' # Gitea extension
|
||||
- cron: '@monthly' # Gitea extension
|
||||
- cron: '@yearly' # Gitea extension
|
||||
```
|
||||
|
||||
### `workflow_dispatch` with Inputs
|
||||
|
||||
Adds a "Run workflow" button in the Gitea UI. The workflow must be on the **default branch** to appear.
|
||||
|
||||
```yaml
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
environment:
|
||||
description: 'Target environment'
|
||||
required: true
|
||||
type: choice
|
||||
options:
|
||||
- staging
|
||||
- production
|
||||
dry_run:
|
||||
description: 'Dry run'
|
||||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
version:
|
||||
description: 'Version number'
|
||||
type: string
|
||||
```
|
||||
|
||||
Supported input types: `string`, `boolean`, `choice`, `number`, `environment`
|
||||
|
||||
Access inputs via: `${{ inputs.environment }}` or `${{ gitea.event.inputs.environment }}`
|
||||
|
||||
---
|
||||
|
||||
## Context Variables
|
||||
|
||||
### `gitea.*` / `github.*`
|
||||
|
||||
Both namespaces are identical. Prefer `gitea.*`.
|
||||
|
||||
| Variable | Description |
|
||||
|---|---|
|
||||
| `gitea.actor` | Username that triggered the workflow |
|
||||
| `gitea.event_name` | Triggering event name (`push`, `pull_request`, etc.) |
|
||||
| `gitea.event` | Full event payload object |
|
||||
| `gitea.ref` | Full ref (`refs/heads/main`, `refs/pull/1/head`) |
|
||||
| `gitea.ref_name` | Short ref name (`main`, `v1.0`) |
|
||||
| `gitea.ref_type` | `branch` or `tag` |
|
||||
| `gitea.sha` | Full commit SHA |
|
||||
| `gitea.repository` | `owner/repo` |
|
||||
| `gitea.repository_owner` | Repository owner (user or org name) |
|
||||
| `gitea.workspace` | Workspace path on the runner |
|
||||
| `gitea.run_id` | Unique ID for this workflow run |
|
||||
| `gitea.run_number` | Sequential run number for this workflow |
|
||||
| `gitea.server_url` | Gitea instance base URL |
|
||||
| `gitea.api_url` | Gitea API URL |
|
||||
| `gitea.head_ref` | PR source branch name |
|
||||
| `gitea.base_ref` | PR target branch name |
|
||||
| `gitea.token` | Auto-generated short-lived job token |
|
||||
| `gitea.workflow` | Workflow name |
|
||||
| `gitea.job` | Current job ID |
|
||||
|
||||
> **Note**: `gitea.repository_owner` preserves original casing. Use `tr '[:upper:]' '[:lower:]'` when used in Docker image tags.
|
||||
|
||||
### `runner.*`
|
||||
|
||||
| Variable | Description |
|
||||
|---|---|
|
||||
| `runner.os` | `Linux`, `Windows`, or `macOS` |
|
||||
| `runner.arch` | `X64`, `ARM64`, etc. |
|
||||
| `runner.name` | Runner name |
|
||||
| `runner.tool_cache` | Tool cache directory |
|
||||
| `runner.temp` | Temp directory |
|
||||
|
||||
### `steps.*`
|
||||
|
||||
```yaml
|
||||
steps.<step_id>.outputs.<output_name>
|
||||
steps.<step_id>.conclusion # success, failure, cancelled, skipped
|
||||
steps.<step_id>.outcome # success, failure, cancelled, skipped
|
||||
```
|
||||
|
||||
### `needs.*`
|
||||
|
||||
```yaml
|
||||
needs.<job_id>.outputs.<output_name>
|
||||
needs.<job_id>.result # success, failure, cancelled, skipped
|
||||
```
|
||||
|
||||
### `secrets.*`
|
||||
|
||||
```yaml
|
||||
secrets.GITEA_TOKEN # auto-generated job token (cannot push to package registry)
|
||||
secrets.GITHUB_TOKEN # alias for the same token
|
||||
secrets.<SECRET_NAME> # user-defined secrets
|
||||
```
|
||||
|
||||
### `vars.*`
|
||||
|
||||
```yaml
|
||||
vars.<VARIABLE_NAME> # non-sensitive config variables (stored in UPPERCASE)
|
||||
```
|
||||
|
||||
### `inputs.*`
|
||||
|
||||
```yaml
|
||||
inputs.<input_name> # for workflow_dispatch and workflow_call
|
||||
```
|
||||
|
||||
### `matrix.*` / `strategy.*`
|
||||
|
||||
```yaml
|
||||
matrix.<dimension> # current matrix combination value
|
||||
strategy.fail-fast
|
||||
strategy.max-parallel
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Secrets
|
||||
|
||||
### Scope (highest to lowest priority)
|
||||
|
||||
1. Repository secrets
|
||||
2. Organization secrets
|
||||
3. User secrets
|
||||
|
||||
### Rules
|
||||
|
||||
- Allowed characters: `[a-zA-Z0-9_]`
|
||||
- Cannot start with `GITHUB_`, `GITEA_`, or a number
|
||||
- Case-insensitive
|
||||
|
||||
### Usage
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- name: Use secret
|
||||
env:
|
||||
API_KEY: ${{ secrets.API_KEY }}
|
||||
run: ./deploy.sh $API_KEY
|
||||
```
|
||||
|
||||
### Auto Token (`GITEA_TOKEN`)
|
||||
|
||||
Automatically injected into every job. Short-lived — invalidated when the job completes.
|
||||
|
||||
**Known limitation**: `GITEA_TOKEN` / `GITHUB_TOKEN` **cannot push to the Gitea package/container registry**. Use a Personal Access Token (PAT) with `package` scope stored as a manual secret instead.
|
||||
|
||||
---
|
||||
|
||||
## Variables (`vars`)
|
||||
|
||||
Non-sensitive configuration values, visible in logs.
|
||||
|
||||
### Scope (highest to lowest priority)
|
||||
|
||||
1. Repository variables
|
||||
2. Organization variables
|
||||
3. User variables
|
||||
|
||||
### Rules
|
||||
|
||||
- Allowed characters: `[a-zA-Z0-9_]`
|
||||
- Cannot start with `GITHUB_`, `GITEA_`, `CI`, or a number
|
||||
- Keys are stored and accessed in **UPPERCASE**
|
||||
|
||||
### Usage
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- run: echo "Deploying to ${{ vars.ENVIRONMENT }}"
|
||||
```
|
||||
|
||||
### Inline `env` (workflow/job/step level)
|
||||
|
||||
```yaml
|
||||
env:
|
||||
GLOBAL_VAR: "value" # available to all jobs
|
||||
|
||||
jobs:
|
||||
build:
|
||||
env:
|
||||
JOB_VAR: "value" # available to all steps in this job
|
||||
steps:
|
||||
- env:
|
||||
STEP_VAR: "value" # only this step
|
||||
run: echo $STEP_VAR
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Built-in Environment Variables
|
||||
|
||||
Automatically injected into every step:
|
||||
|
||||
| Variable | Description |
|
||||
|---|---|
|
||||
| `CI` | Always `true` |
|
||||
| `GITHUB_WORKFLOW` / `GITEA_WORKFLOW` | Workflow name |
|
||||
| `GITHUB_RUN_ID` / `GITEA_RUN_ID` | Unique run ID |
|
||||
| `GITHUB_RUN_NUMBER` / `GITEA_RUN_NUMBER` | Sequential run number |
|
||||
| `GITHUB_ACTOR` / `GITEA_ACTOR` | Triggering username |
|
||||
| `GITHUB_REPOSITORY` | `owner/repo` |
|
||||
| `GITHUB_EVENT_NAME` | Event name |
|
||||
| `GITHUB_SHA` | Commit SHA |
|
||||
| `GITHUB_REF` | Full ref |
|
||||
| `GITHUB_REF_NAME` | Short ref name |
|
||||
| `GITHUB_REF_TYPE` | `branch` or `tag` |
|
||||
| `GITHUB_HEAD_REF` | PR source branch |
|
||||
| `GITHUB_BASE_REF` | PR target branch |
|
||||
| `GITHUB_WORKSPACE` | Workspace directory |
|
||||
| `GITHUB_SERVER_URL` | Gitea instance URL |
|
||||
| `GITHUB_API_URL` | Gitea API URL |
|
||||
| `GITHUB_TOKEN` / `GITEA_TOKEN` | Auto job token |
|
||||
| `RUNNER_OS` | Runner OS |
|
||||
| `RUNNER_ARCH` | Runner architecture |
|
||||
| `RUNNER_NAME` | Runner name |
|
||||
| `RUNNER_TEMP` | Temp directory |
|
||||
| `RUNNER_TOOL_CACHE` | Tool cache directory |
|
||||
|
||||
---
|
||||
|
||||
## Expression Syntax & Functions
|
||||
|
||||
### Syntax
|
||||
|
||||
```yaml
|
||||
${{ <expression> }}
|
||||
|
||||
# In `if:` blocks, the ${{ }} wrapper is optional:
|
||||
if: github.ref == 'refs/heads/main'
|
||||
if: ${{ github.ref == 'refs/heads/main' }}
|
||||
```
|
||||
|
||||
### Operators
|
||||
|
||||
| Operator | Description |
|
||||
|---|---|
|
||||
| `( )` | Grouping |
|
||||
| `[ ]` | Index |
|
||||
| `.` | Property access |
|
||||
| `!` | Not |
|
||||
| `<` `>` `<=` `>=` | Comparison |
|
||||
| `==` `!=` | Equality |
|
||||
| `&&` `\|\|` | Logical AND / OR |
|
||||
|
||||
### Functions
|
||||
|
||||
| Function | Description |
|
||||
|---|---|
|
||||
| `contains(search, item)` | True if string/array contains item |
|
||||
| `startsWith(str, prefix)` | Case-insensitive prefix check |
|
||||
| `endsWith(str, suffix)` | Case-insensitive suffix check |
|
||||
| `format(str, val0, val1, ...)` | String formatting with `{0}`, `{1}` placeholders |
|
||||
| `join(array, separator)` | Join array with delimiter |
|
||||
| `toJSON(value)` | Serialize to JSON string |
|
||||
| `fromJSON(value)` | Parse JSON string to object |
|
||||
| `hashFiles(path)` | SHA-256 hash of file(s) matching glob |
|
||||
| `success()` | True if all previous steps succeeded |
|
||||
| `failure()` | True if any previous step failed |
|
||||
| `cancelled()` | True if workflow was cancelled |
|
||||
| `always()` | Always true; forces step execution |
|
||||
|
||||
### Examples
|
||||
|
||||
```yaml
|
||||
if: contains(gitea.ref, 'main')
|
||||
if: startsWith(gitea.ref, 'refs/tags/')
|
||||
if: always()
|
||||
if: failure()
|
||||
if: success() && gitea.ref == 'refs/heads/main'
|
||||
run: echo ${{ format('Hello {0}', gitea.actor) }}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Runner Labels
|
||||
|
||||
Labels map `runs-on:` values in workflows to runner execution environments.
|
||||
|
||||
### Label Format
|
||||
|
||||
```
|
||||
<label>:<schema>:<image>
|
||||
```
|
||||
|
||||
- `docker://<image>` — run the job in a Docker container
|
||||
- `host` — run directly on the runner host machine
|
||||
|
||||
### Examples
|
||||
|
||||
```yaml
|
||||
# In act_runner config.yaml
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
|
||||
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
|
||||
- "node18:docker://node:18-bullseye"
|
||||
- "python311:docker://python:3.11-slim"
|
||||
- "native:host"
|
||||
```
|
||||
|
||||
### Runner Scope
|
||||
|
||||
| Scope | Picks up jobs from |
|
||||
|---|---|
|
||||
| Instance-level | All repos on the Gitea instance |
|
||||
| Organization-level | All repos in that organization |
|
||||
| Repository-level | That specific repo only |
|
||||
|
||||
### Registering a Runner
|
||||
|
||||
```bash
|
||||
# Interactive
|
||||
./act_runner register
|
||||
|
||||
# Non-interactive
|
||||
./act_runner register \
|
||||
--instance https://gitea.example.com \
|
||||
--token <registration-token> \
|
||||
--name my-runner \
|
||||
--labels ubuntu-latest:docker://gitea/runner-images:ubuntu-latest
|
||||
```
|
||||
|
||||
Get tokens from:
|
||||
- **Instance-level**: Admin Panel → Actions → Runners
|
||||
- **Org-level**: Org Settings → Actions → Runners
|
||||
- **Repo-level**: Repo Settings → Actions → Runners
|
||||
|
||||
---
|
||||
|
||||
## Differences from GitHub Actions
|
||||
|
||||
### Gitea Additions
|
||||
|
||||
| Feature | Details |
|
||||
|---|---|
|
||||
| Absolute action URLs | `uses: https://github.com/actions/checkout@v4` or any git URL |
|
||||
| Go-based actions | Actions can be written in Go |
|
||||
| Extended cron syntax | `@daily`, `@hourly`, `@weekly`, `@monthly`, `@yearly` |
|
||||
| `gitea.*` context | Recommended namespace alias for `github.*` |
|
||||
| Permissive context | `env` context usable in more places than GitHub allows |
|
||||
| `DEFAULT_ACTIONS_URL` | Server config to pull actions from own Gitea instance instead of GitHub |
|
||||
|
||||
### Behavioral Differences
|
||||
|
||||
| Behavior | GitHub Actions | Gitea Actions |
|
||||
|---|---|---|
|
||||
| PR ref | `refs/pull/:n/merge` (merge preview) | `refs/pull/:n/head` (PR head) |
|
||||
| Unqualified action source | Always GitHub.com | Configurable via `DEFAULT_ACTIONS_URL` |
|
||||
| `GITHUB_TOKEN` for packages | Works | **Does not work** — use PAT |
|
||||
| `permissions:` keyword | Enforced | Ignored |
|
||||
| `continue-on-error:` | Supported | Ignored |
|
||||
| `timeout-minutes:` | Supported | Ignored |
|
||||
|
||||
---
|
||||
|
||||
## Unsupported Features
|
||||
|
||||
| Feature | Status |
|
||||
|---|---|
|
||||
| `permissions:` keyword | Ignored |
|
||||
| `jobs.<id>.timeout-minutes` | Ignored |
|
||||
| `jobs.<id>.continue-on-error` | Ignored |
|
||||
| `jobs.<id>.environment` | Ignored |
|
||||
| Problem Matchers | Not supported |
|
||||
| Log annotations (`::error::`, `::warning::`) | Not supported |
|
||||
| `GITEA_TOKEN` for container registry | Does not work — use PAT with `package` scope |
|
||||
|
||||
---
|
||||
|
||||
## Badge URLs
|
||||
|
||||
```
|
||||
https://<gitea-instance>/<owner>/<repo>/actions/workflows/<workflow-file>/badge.svg
|
||||
```
|
||||
|
||||
### Query Parameters
|
||||
|
||||
| Parameter | Values | Default |
|
||||
|---|---|---|
|
||||
| `branch` | Any branch name | Default branch |
|
||||
| `event` | Event name (`push`, `pull_request`, etc.) | None |
|
||||
| `style` | `flat`, `flat-square` | `flat` |
|
||||
|
||||
### Example
|
||||
|
||||
```markdown
|
||||
[](https://gitea.jsme.be/Jeffrey/azure-ddns-python/actions)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Sources
|
||||
|
||||
- [Gitea Actions Overview](https://docs.gitea.com/usage/actions/overview)
|
||||
- [Gitea Actions Quickstart](https://docs.gitea.com/usage/actions/quickstart)
|
||||
- [act-runner Documentation](https://docs.gitea.com/usage/actions/act-runner)
|
||||
- [Workflow File Reference](https://docs.gitea.com/usage/actions/workflow-file)
|
||||
- [Compared to GitHub Actions](https://docs.gitea.com/usage/actions/comparison)
|
||||
- [Secrets](https://docs.gitea.com/usage/actions/secrets)
|
||||
- [Variables](https://docs.gitea.com/usage/actions/variables)
|
||||
- [Badge](https://docs.gitea.com/usage/actions/badge)
|
||||
- [act_runner config example](https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml)
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea-runner-pvc
|
||||
namespace: gitea
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn-static
|
||||
volumeName: gitea-runner-data
|
||||
resources:
|
||||
requests:
|
||||
storage: 20Gi
|
||||
164
applications/gitea/runner/values.yaml
Normal file
164
applications/gitea/runner/values.yaml
Normal file
@@ -0,0 +1,164 @@
|
||||
# Configure Gitea Actions
|
||||
## @section Gitea Actions
|
||||
#
|
||||
## @param enabled Create an act runner StatefulSet.
|
||||
## @param init.image.repository The image used for the init containers
|
||||
## @param init.image.tag The image tag used for the init containers
|
||||
## @param statefulset.replicas the amount of (replica) runner pods deployed
|
||||
## @param statefulset.timezone is the timezone that will be set in the act_runner image
|
||||
## @param statefulset.annotations Act runner annotations
|
||||
## @param statefulset.labels Act runner labels
|
||||
## @param statefulset.resources Act runner resources
|
||||
## @param statefulset.nodeSelector NodeSelector for the statefulset
|
||||
## @param statefulset.tolerations Tolerations for the statefulset
|
||||
## @param statefulset.affinity Affinity for the statefulset
|
||||
## @param statefulset.extraVolumes Extra volumes for the statefulset
|
||||
## @param statefulset.actRunner.repository The Gitea act runner image
|
||||
## @param statefulset.actRunner.tag The Gitea act runner tag
|
||||
## @param statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
|
||||
## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
|
||||
## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
|
||||
## @param statefulset.dind.repository The Docker-in-Docker image
|
||||
## @param statefulset.dind.tag The Docker-in-Docker image tag
|
||||
## @param statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
|
||||
## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
|
||||
## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
|
||||
## @param statefulset.persistence.size Size for persistence to store act runner data
|
||||
## @param existingSecret Secret that contains the token
|
||||
## @param existingSecretKey Secret key
|
||||
## @param giteaRootURL URL the act_runner registers and connect with
|
||||
enabled: true
|
||||
statefulset:
|
||||
replicas: 1
|
||||
timezone: Europe/Brussels
|
||||
annotations: {}
|
||||
labels: {}
|
||||
resources: {}
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
affinity: {}
|
||||
extraVolumes: []
|
||||
|
||||
actRunner:
|
||||
registry: docker.io
|
||||
repository: gitea/act_runner
|
||||
tag: 0.2.13
|
||||
pullPolicy: IfNotPresent
|
||||
extraVolumeMounts: []
|
||||
|
||||
# See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
|
||||
config: |
|
||||
log:
|
||||
level: debug
|
||||
runner:
|
||||
# Where to store the registration result.
|
||||
file: .runner
|
||||
# The timeout for a job to be finished.
|
||||
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
|
||||
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
|
||||
timeout: 3h
|
||||
# The timeout for the runner to wait for running jobs to finish when shutting down.
|
||||
# Any running jobs that haven't finished after this timeout will be cancelled.
|
||||
shutdown_timeout: 0s
|
||||
# Whether skip verifying the TLS certificate of the Gitea instance.
|
||||
insecure: false
|
||||
# The timeout for fetching the job from the Gitea instance.
|
||||
fetch_timeout: 5s
|
||||
# The interval for fetching the job from the Gitea instance.
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
|
||||
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
|
||||
cache:
|
||||
# Enable cache server to use actions/cache.
|
||||
enabled: true
|
||||
# The directory to store the cache data.
|
||||
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
|
||||
dir: ""
|
||||
# The host of the cache server.
|
||||
# It's not for the address to listen, but the address to connect from job containers.
|
||||
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
|
||||
host: ""
|
||||
# The port of the cache server.
|
||||
# 0 means to use a random available port.
|
||||
port: 0
|
||||
# The external cache server URL. Valid only when enable is true.
|
||||
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
|
||||
# The URL should generally end with "/".
|
||||
external_server: ""
|
||||
container:
|
||||
# Specifies the network to which the container will connect.
|
||||
# Could be host, bridge or the name of a custom network.
|
||||
# If it's empty, act_runner will create a network automatically.
|
||||
network: "host"
|
||||
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
|
||||
privileged: true
|
||||
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
|
||||
options:
|
||||
# The parent directory of a job's working directory.
|
||||
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
|
||||
# If the path starts with '/', the '/' will be trimmed.
|
||||
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
|
||||
# If it's empty, /workspace will be used.
|
||||
workdir_parent:
|
||||
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
|
||||
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
|
||||
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
|
||||
# valid_volumes:
|
||||
# - data
|
||||
# - /src/*.json
|
||||
# If you want to allow any volume, please use the following configuration:
|
||||
# valid_volumes:
|
||||
# - '**'
|
||||
valid_volumes: [/var/run/docker.sock]
|
||||
# overrides the docker client host with the specified one.
|
||||
# If it's empty, act_runner will find an available docker host automatically.
|
||||
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
|
||||
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
|
||||
docker_host: ""
|
||||
# Pull docker image(s) even if already present
|
||||
force_pull: false
|
||||
# Rebuild docker image(s) even if already present
|
||||
force_rebuild: false
|
||||
# Always require a reachable docker daemon, even if not required by act_runner
|
||||
require_docker: false
|
||||
# Timeout to wait for the docker daemon to be reachable, if docker is required by require_docker or act_runner
|
||||
docker_timeout: 0s
|
||||
dind:
|
||||
repository: docker
|
||||
tag: 28.3.3-dind
|
||||
pullPolicy: IfNotPresent
|
||||
extraVolumeMounts: []
|
||||
|
||||
# If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
|
||||
# See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
|
||||
extraEnvs:
|
||||
[]
|
||||
# - name: "DOCKER_IPTABLES_LEGACY"
|
||||
# value: "1"
|
||||
|
||||
persistence:
|
||||
size: 15Gi
|
||||
|
||||
init:
|
||||
image:
|
||||
repository: busybox
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: "1.37.0"
|
||||
|
||||
## Specify an existing token secret
|
||||
##
|
||||
existingSecret: "gitea-secrets"
|
||||
existingSecretKey: "runner_token"
|
||||
|
||||
## Specify the root URL of the Gitea instance
|
||||
giteaRootURL: "https://gitea.jsme.be"
|
||||
|
||||
## @section Global
|
||||
#
|
||||
## @param global.imageRegistry global image registry override
|
||||
## @param global.storageClass global storage class override
|
||||
global:
|
||||
imageRegistry: ""
|
||||
storageClass: ""
|
||||
|
||||
51
applications/gotify/gotify-httproute.yaml
Normal file
51
applications/gotify/gotify-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: gotify-route
|
||||
namespace: gotify
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: gotify
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: gotify
|
||||
hostnames:
|
||||
- "gotify.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "gotify.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: gotify
|
||||
port: 80
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
13
applications/gotify/gotify-persistentvolumeclaim.yaml
Normal file
13
applications/gotify/gotify-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gotify-data-pvc
|
||||
namespace: gotify
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn-static
|
||||
volumeName: gotify-data
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
13
applications/gotify/gotify-service.yaml
Normal file
13
applications/gotify/gotify-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gotify
|
||||
namespace: gotify
|
||||
spec:
|
||||
selector:
|
||||
app: gotify
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 80
|
||||
type: ClusterIP
|
||||
63
applications/gotify/gotify-statefulset.yaml
Normal file
63
applications/gotify/gotify-statefulset.yaml
Normal file
@@ -0,0 +1,63 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: gotify
|
||||
namespace: gotify
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gotify
|
||||
serviceName: gotify
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gotify
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: gotify
|
||||
image: gotify/server:2.9.1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: http
|
||||
env:
|
||||
- name: GOTIFY_DEFAULTUSER_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: default_user_pass
|
||||
- name: GOTIFY_DATABASE_DIALECT
|
||||
value: postgres
|
||||
- name: DB_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_user
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_password
|
||||
- name: DB_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_name
|
||||
- name: GOTIFY_DATABASE_CONNECTION
|
||||
value: "host=gotify-postgresql port=5432 user=$(DB_USER) dbname=$(DB_NAME) password=$(DB_PASSWORD) sslmode=disable"
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /app/data
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: gotify-data-pvc
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gotify-postgresql-pvc
|
||||
namespace: gotify
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
14
applications/gotify/postgres/gotify-postgres-service.yaml
Normal file
14
applications/gotify/postgres/gotify-postgres-service.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gotify-postgresql
|
||||
namespace: gotify
|
||||
spec:
|
||||
selector:
|
||||
app: gotify-postgresql
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: gotify-postgresql-port
|
||||
protocol: TCP
|
||||
port: 5432
|
||||
targetPort: 5432
|
||||
@@ -0,0 +1,55 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: gotify-postgresql
|
||||
namespace: gotify
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gotify-postgresql
|
||||
serviceName: gotify-postgresql
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gotify-postgresql
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: gotify-postgresql
|
||||
image: postgres:18
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
volumeMounts:
|
||||
- name: gotify-postgresql-database
|
||||
mountPath: /var/lib/postgresql/pgdata
|
||||
env:
|
||||
- name: PGDATA
|
||||
value: /var/lib/postgresql/pgdata/data
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_password
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_user
|
||||
- name: POSTGRES_DB
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gotify-secrets
|
||||
key: db_name
|
||||
volumes:
|
||||
- name: gotify-postgresql-database
|
||||
persistentVolumeClaim:
|
||||
claimName: gotify-postgresql-pvc
|
||||
51
applications/immich/immich/immich-httproute.yaml
Normal file
51
applications/immich/immich/immich-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: immich-route
|
||||
namespace: immich
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: immich
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: immich
|
||||
hostnames:
|
||||
- "photos.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "photos.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: immich
|
||||
port: 2283
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
36
applications/immich/immich/immich-persistentvolumeclaim.yaml
Normal file
36
applications/immich/immich/immich-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: immich-data-smb
|
||||
spec:
|
||||
capacity:
|
||||
storage: 5Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
mountOptions:
|
||||
- dir_mode=0700
|
||||
- file_mode=0700
|
||||
- noperm
|
||||
csi:
|
||||
driver: smb.csi.k8s.io
|
||||
volumeHandle: immich-photos
|
||||
volumeAttributes:
|
||||
source: "//10.8.14.2/Photos"
|
||||
nodeStageSecretRef:
|
||||
name: immich-secrets
|
||||
namespace: immich
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: immich-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: immich-data-smb
|
||||
storageClassName: ""
|
||||
13
applications/immich/immich/immich-service.yaml
Normal file
13
applications/immich/immich/immich-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: immich
|
||||
spec:
|
||||
selector:
|
||||
app: immich
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 2283
|
||||
targetPort: 2283
|
||||
type: ClusterIP
|
||||
61
applications/immich/immich/immich-statefulset.yaml
Normal file
61
applications/immich/immich/immich-statefulset.yaml
Normal file
@@ -0,0 +1,61 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: immich
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: immich
|
||||
serviceName: immich
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: immich
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: immich
|
||||
image: ghcr.io/immich-app/immich-server:v2.7.5
|
||||
resources:
|
||||
requests:
|
||||
memory: "256Mi"
|
||||
cpu: "250m"
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "2000m"
|
||||
ports:
|
||||
- containerPort: 2283
|
||||
env:
|
||||
- name: TZ
|
||||
value: "Europe/Brussels"
|
||||
- name: DB_HOSTNAME
|
||||
value: "immich-postgresql.immich.svc.cluster.local"
|
||||
- name: DB_DATABASE_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_name
|
||||
- name: DB_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_user
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_password
|
||||
- name: REDIS_HOSTNAME
|
||||
value: "valkey.immich.svc.cluster.local"
|
||||
- name: IMMICH_PORT
|
||||
value: "2283"
|
||||
volumeMounts:
|
||||
- name: photos
|
||||
mountPath: /data
|
||||
volumes:
|
||||
- name: photos
|
||||
persistentVolumeClaim:
|
||||
claimName: immich-pvc
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: immich-postgresql-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn-static
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
14
applications/immich/postgres/immich-postgres-service.yaml
Normal file
14
applications/immich/postgres/immich-postgres-service.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: immich-postgresql
|
||||
namespace: immich
|
||||
spec:
|
||||
selector:
|
||||
app: immich-postgresql
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: immich-postgresql-port
|
||||
protocol: TCP
|
||||
port: 5432
|
||||
targetPort: 5432
|
||||
@@ -0,0 +1,53 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: immich-postgresql
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: immich-postgresql
|
||||
selector:
|
||||
matchLabels:
|
||||
app: immich-postgresql
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: immich-postgresql
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: immich-postgresql
|
||||
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
|
||||
resources:
|
||||
requests:
|
||||
memory: "256Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
volumeMounts:
|
||||
- name: immich-postgresql-immich
|
||||
mountPath: /var/lib/postgresql/pgdata
|
||||
env:
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_password
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_user
|
||||
- name: POSTGRES_DB
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secrets
|
||||
key: db_name
|
||||
volumes:
|
||||
- name: immich-postgresql-immich
|
||||
persistentVolumeClaim:
|
||||
claimName: immich-postgresql-pvc
|
||||
28
applications/immich/valkey/immich-valkey-deployment.yaml
Normal file
28
applications/immich/valkey/immich-valkey-deployment.yaml
Normal file
@@ -0,0 +1,28 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: immich
|
||||
name: valkey
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: valkey
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: valkey
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
containers:
|
||||
- name: valkey
|
||||
image: valkey/valkey:9
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "50m"
|
||||
limits:
|
||||
memory: "256Mi"
|
||||
cpu: "200m"
|
||||
ports:
|
||||
- containerPort: 6379
|
||||
14
applications/immich/valkey/immich-valkey-service.yaml
Normal file
14
applications/immich/valkey/immich-valkey-service.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: valkey
|
||||
namespace: immich
|
||||
spec:
|
||||
selector:
|
||||
app: valkey
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: valkey-port
|
||||
protocol: TCP
|
||||
port: 6379
|
||||
targetPort: 6379
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: affine-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/affine"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: affine-secrets
|
||||
secretNamespace: affine
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: authentik-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/authentik"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: authentik-secrets
|
||||
secretNamespace: authentik
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: azure-ddns-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/azure-ddns"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: azure-ddns-secrets
|
||||
secretNamespace: azure-ddns
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: gitea-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/gitea"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: gitea-secrets
|
||||
secretNamespace: gitea
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: gotify-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/gotify"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: gotify-secrets
|
||||
secretNamespace: gotify
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: immich-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/immich"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: immich-secrets
|
||||
secretNamespace: immich
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: jellyfin-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/jellyfin"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: jellyfin-secrets
|
||||
secretNamespace: jellyfin
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: longhorn-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/longhorn"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: longhorn-secrets
|
||||
secretNamespace: longhorn-system
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: minecraft-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/minecraft"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: minecraft-secrets
|
||||
secretNamespace: minecraft
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: n8n-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/n8n"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: n8n-secrets
|
||||
secretNamespace: n8n
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: netbootxyz-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/netbootxyz"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: netbootxyz-secrets
|
||||
secretNamespace: netbootxyz
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: openwebui-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/openwebui"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: openwebui-secrets
|
||||
secretNamespace: openwebui
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: passbolt-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/passbolt"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: passbolt-secrets
|
||||
secretNamespace: passbolt
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: pelican-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/pelican"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: pelican-secrets
|
||||
secretNamespace: pelican
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: resume-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/reactive_resume"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: resume-secrets
|
||||
secretNamespace: resume
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: searxng-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/searxng"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: searxng-secrets
|
||||
secretNamespace: searxng
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: uptime-kuma-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/uptime-kuma"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: uptime-kuma-secrets
|
||||
secretNamespace: uptime-kuma
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: vaultwarden-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/vaultwarden"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: vaultwarden-secrets
|
||||
secretNamespace: vaultwarden
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: victoria-metrics-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/victoria-metrics"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: victoria-metrics-secrets
|
||||
secretNamespace: victoria-metrics
|
||||
secretType: Opaque
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
name: zipline-secrets
|
||||
namespace: infisical
|
||||
spec:
|
||||
hostAPI: https://infisical.jsme.be
|
||||
resyncInterval: 30
|
||||
authentication:
|
||||
universalAuth:
|
||||
secretsScope:
|
||||
projectSlug: "kubernetes"
|
||||
envSlug: "prod"
|
||||
secretsPath: "/zipline"
|
||||
recursive: true
|
||||
credentialsRef:
|
||||
secretName: infisical-universal-auth
|
||||
secretNamespace: infisical
|
||||
managedSecretReference:
|
||||
secretName: zipline-secrets
|
||||
secretNamespace: zipline
|
||||
secretType: Opaque
|
||||
18
applications/infisical/infisical-endpointslice.yaml
Normal file
18
applications/infisical/infisical-endpointslice.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
apiVersion: discovery.k8s.io/v1
|
||||
kind: EndpointSlice
|
||||
metadata:
|
||||
name: infisical
|
||||
namespace: infisical
|
||||
labels:
|
||||
kubernetes.io/service-name: infisical
|
||||
addressType: IPv4
|
||||
ports:
|
||||
- port: 8080
|
||||
protocol: TCP
|
||||
endpoints:
|
||||
- addresses:
|
||||
- "10.8.11.98"
|
||||
conditions:
|
||||
ready: true
|
||||
serving: true
|
||||
terminating: false
|
||||
46
applications/infisical/infisical-httproute.yaml
Normal file
46
applications/infisical/infisical-httproute.yaml
Normal file
@@ -0,0 +1,46 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: infisical-route
|
||||
namespace: infisical
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: infisical
|
||||
hostnames:
|
||||
- "infisical.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "infisical.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: infisical
|
||||
port: 8080
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
11
applications/infisical/infisical-service.yaml
Normal file
11
applications/infisical/infisical-service.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: infisical
|
||||
namespace: infisical
|
||||
spec:
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
type: ClusterIP
|
||||
30
applications/infisical/template-infisical-secret.yaml
Normal file
30
applications/infisical/template-infisical-secret.yaml
Normal file
@@ -0,0 +1,30 @@
|
||||
# Copy this file and replace:
|
||||
# - SERVICE_NAME: the service/folder name
|
||||
# - SERVICE_NAMESPACE: the namespace where the secret should be created
|
||||
#
|
||||
# Example: for a service called "my-app" in namespace "my-app":
|
||||
# - SERVICE_NAME → my-app
|
||||
# - SERVICE_NAMESPACE → my-app
|
||||
#
|
||||
# apiVersion: secrets.infisical.com/v1alpha1
|
||||
# kind: InfisicalSecret
|
||||
# metadata:
|
||||
# name: SERVICE_NAME-secrets
|
||||
# namespace: infisical
|
||||
# spec:
|
||||
# hostAPI: https://infisical.jsme.be
|
||||
# resyncInterval: 60
|
||||
# authentication:
|
||||
# universalAuth:
|
||||
# secretsScope:
|
||||
# projectSlug: "kubernetes"
|
||||
# envSlug: "prod"
|
||||
# secretsPath: "/SERVICE_NAME"
|
||||
# recursive: true
|
||||
# credentialsRef:
|
||||
# secretName: infisical-universal-auth
|
||||
# secretNamespace: infisical
|
||||
# managedSecretReference:
|
||||
# secretName: SERVICE_NAME-secrets
|
||||
# secretNamespace: SERVICE_NAMESPACE
|
||||
# secretType: Opaque
|
||||
9
applications/infisical/universal-auth-secret.yaml
Normal file
9
applications/infisical/universal-auth-secret.yaml
Normal file
@@ -0,0 +1,9 @@
|
||||
# apiVersion: v1
|
||||
# kind: Secret
|
||||
# metadata:
|
||||
# name: infisical-universal-auth
|
||||
# namespace: infisical
|
||||
# type: Opaque
|
||||
# stringData:
|
||||
# clientId: ""
|
||||
# clientSecret: ""
|
||||
29
applications/it-tools/it-tools-deployment.yaml
Normal file
29
applications/it-tools/it-tools-deployment.yaml
Normal file
@@ -0,0 +1,29 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: it-tools
|
||||
name: ittools
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ittools
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ittools
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: it-tools
|
||||
image: sharevb/it-tools:stable
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
51
applications/it-tools/it-tools-httproute.yaml
Normal file
51
applications/it-tools/it-tools-httproute.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: it-tools-route
|
||||
namespace: it-tools
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: it-tools
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: it-tools
|
||||
hostnames:
|
||||
- "tools.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "tools.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: ittools
|
||||
port: 8080
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
13
applications/it-tools/it-tools-service.yaml
Normal file
13
applications/it-tools/it-tools-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: ittools
|
||||
namespace: it-tools
|
||||
spec:
|
||||
selector:
|
||||
app: ittools
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
type: ClusterIP
|
||||
49
applications/jellyfin/jellyfin-httproute.yaml
Normal file
49
applications/jellyfin/jellyfin-httproute.yaml
Normal file
@@ -0,0 +1,49 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: jellyfin-route
|
||||
namespace: jellyfin
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: jellyfin
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-public
|
||||
namespace: envoy-gateway
|
||||
sectionName: jellyfin
|
||||
hostnames:
|
||||
- "jellyfin.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "jellyfin.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: jellyfin
|
||||
port: 8096
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
13
applications/jellyfin/jellyfin-persistentvolumeclaim.yaml
Normal file
13
applications/jellyfin/jellyfin-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: jellyfin
|
||||
name: jellyfin-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn-static
|
||||
volumeName: jellyfin-pvc
|
||||
resources:
|
||||
requests:
|
||||
storage: 40Gi
|
||||
13
applications/jellyfin/jellyfin-service.yaml
Normal file
13
applications/jellyfin/jellyfin-service.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: jellyfin
|
||||
name: jellyfin
|
||||
spec:
|
||||
selector:
|
||||
app: jellyfin
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8096
|
||||
targetPort: 8096
|
||||
type: ClusterIP
|
||||
@@ -0,0 +1,33 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: smb-media-pv
|
||||
namespace: jellyfin
|
||||
spec:
|
||||
capacity:
|
||||
storage: 50Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
csi:
|
||||
driver: smb.csi.k8s.io
|
||||
volumeHandle: smb-media-pv
|
||||
volumeAttributes:
|
||||
source: "//10.8.14.2/Media"
|
||||
nodeStageSecretRef:
|
||||
name: jellyfin-secrets
|
||||
namespace: jellyfin
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: jellyfin
|
||||
name: smb-media-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
volumeName: smb-media-pv
|
||||
storageClassName: ""
|
||||
42
applications/jellyfin/jellyfin-statefulset.yaml
Normal file
42
applications/jellyfin/jellyfin-statefulset.yaml
Normal file
@@ -0,0 +1,42 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: jellyfin
|
||||
name: jellyfin
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: jellyfin
|
||||
serviceName: jellyfin
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: jellyfin
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 60
|
||||
nodeSelector:
|
||||
gpu: "true"
|
||||
containers:
|
||||
- name: jellyfin
|
||||
image: jellyfin/jellyfin:10.11.9
|
||||
ports:
|
||||
- containerPort: 8096
|
||||
resources:
|
||||
limits:
|
||||
gpu.intel.com/i915: "1"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config
|
||||
- name: media
|
||||
mountPath: /media
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: config
|
||||
persistentVolumeClaim:
|
||||
claimName: jellyfin-pvc
|
||||
- name: media
|
||||
persistentVolumeClaim:
|
||||
claimName: smb-media-pvc
|
||||
|
||||
36
applications/jenkins/jenkins-deployment.yaml
Normal file
36
applications/jenkins/jenkins-deployment.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: jenkins
|
||||
name: jenkins
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: jenkins
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: jenkins
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: jenkins
|
||||
image: jenkins/jenkins:latest-jdk21
|
||||
resources:
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 4Gi
|
||||
volumeMounts:
|
||||
- name: jenkins-volume
|
||||
mountPath: /var/jenkins_home
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
volumes:
|
||||
- name: jenkins-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: jenkins-pvc
|
||||
46
applications/jenkins/jenkins-httproute.yaml
Normal file
46
applications/jenkins/jenkins-httproute.yaml
Normal file
@@ -0,0 +1,46 @@
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: jenkins-route
|
||||
namespace: jenkins
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: gateway-internal
|
||||
namespace: envoy-gateway
|
||||
sectionName: jenkins
|
||||
hostnames:
|
||||
- "jenkins.jsme.be"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
filters:
|
||||
- type: RequestHeaderModifier
|
||||
requestHeaderModifier:
|
||||
set:
|
||||
- name: X-Forwarded-Host
|
||||
value: "jenkins.jsme.be"
|
||||
- name: X-Forwarded-Proto
|
||||
value: https
|
||||
- type: ResponseHeaderModifier
|
||||
responseHeaderModifier:
|
||||
set:
|
||||
- name: Strict-Transport-Security
|
||||
value: "max-age=31536000; includeSubDomains"
|
||||
- name: X-Content-Type-Options
|
||||
value: nosniff
|
||||
- name: X-Frame-Options
|
||||
value: SAMEORIGIN
|
||||
- name: Referrer-Policy
|
||||
value: strict-origin-when-cross-origin
|
||||
- name: Permissions-Policy
|
||||
value: "camera=(), microphone=(), geolocation=(), payment=()"
|
||||
backendRefs:
|
||||
- name: jenkins-svc-ingress
|
||||
port: 8080
|
||||
kind: Service
|
||||
group: ""
|
||||
weight: 1
|
||||
12
applications/jenkins/jenkins-persistentvolumeclaim.yaml
Normal file
12
applications/jenkins/jenkins-persistentvolumeclaim.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: jenkins-pvc
|
||||
namespace: jenkins
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: longhorn-static
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Gi
|
||||
@@ -0,0 +1,80 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-backups
|
||||
namespace: minecraft
|
||||
data:
|
||||
ftbbackups2.json: |
|
||||
{
|
||||
// Allow the creation of backups automatically
|
||||
"enabled": true,
|
||||
// Permission level to use the /backup command
|
||||
"command_permission_level": 3,
|
||||
// Only send backup status to server ops
|
||||
"notify_op_only": true,
|
||||
// Don't send backup status at all
|
||||
"do_not_notify": false,
|
||||
/* Backup retention mode. Valid Modes: MAX_BACKUPS, TIERED
|
||||
Note: TIERED mode is an experimental feature, Use at your own risk.
|
||||
*/
|
||||
"retention_mode": "MAX_BACKUPS",
|
||||
// Applies to retention_mode:MAX_BACKUPS, Sets the maximum number of backups to keep
|
||||
"max_backups": 5,
|
||||
// Applies to retention_mode:TIERED, The latest x number of backups will be retained
|
||||
"keep_latest": 5,
|
||||
// Applies to retention_mode:TIERED, Sets number of hourly backups to keep
|
||||
"keep_hourly": 1,
|
||||
// Applies to retention_mode:TIERED, Sets number of daily backups to keep
|
||||
"keep_daily": 1,
|
||||
// Applies to retention_mode:TIERED, Sets number of weekly backups to keep
|
||||
"keep_weekly": 1,
|
||||
// Applies to retention_mode:TIERED, Sets number of monthly backups to keep
|
||||
"keep_monthly": 1,
|
||||
/* This is done with an implementation of cron from the Quartz java library.
|
||||
More info here
|
||||
(http://www.cronmaker.com)
|
||||
*/
|
||||
"backup_cron": "0 */30 * * * ?",
|
||||
// Time between manual backups using the command
|
||||
"manual_backups_time": 0,
|
||||
// Only run a backup if a player has been online since the last backup
|
||||
"only_if_players_been_online": true,
|
||||
// Additional directories to include in backup
|
||||
"additional_directories": [],
|
||||
/* Additional files and directories to include in backup.
|
||||
Can specify a file name, path relative to server directory or wildcard file path
|
||||
Examples: (All file paths are relative to server root)
|
||||
fileName.txt Any/all file named "fileName.txt"
|
||||
folder/file.txt Exact file path
|
||||
folder/ Everything in this folder
|
||||
path/starts/with* Any files who's path starts with
|
||||
*path/ends/with.txt Any files who's path ends with
|
||||
*path/contains* Any files who's path contains
|
||||
*/
|
||||
"additional_files": [],
|
||||
// Display file size in backup message
|
||||
"display_file_size": false,
|
||||
// backup location
|
||||
"backup_location": ".",
|
||||
// Specify the backup format. Valid options are ZIP and DIRECTORY
|
||||
"backup_format": "ZIP",
|
||||
// Minimum free disk space in MB. If a backup's creation would leave less than this amount of disk space remaining, the backup will be aborted.
|
||||
"minimum_free_space": 500,
|
||||
// If the previous backup failed due to lack of space, the oldest backup will be deleted to free space.
|
||||
"free_space_if_needed": false,
|
||||
/* Specify files or folders to be excluded.
|
||||
Can specify a file name, path relative to server directory or wildcard file path
|
||||
Examples: (All file paths are relative to server root)
|
||||
fileName.txt Any/all file named "fileName.txt"
|
||||
folder/file.txt Exact file path
|
||||
folder/ Everything in this folder
|
||||
path/starts/with* Any files who's path starts with
|
||||
*path/ends/with.txt Any files who's path ends with
|
||||
*path/contains* Any files who's path contains
|
||||
*/
|
||||
"excluded": [],
|
||||
/* The dimension used when creating backup preview image, specify "all" to enable automatic detection of primary dimension (can be very slow)
|
||||
Specify "none" to disable preview
|
||||
*/
|
||||
"preview_dimension": "minecraft:overworld"
|
||||
}
|
||||
@@ -0,0 +1,230 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-ftbchunks
|
||||
namespace: minecraft
|
||||
data:
|
||||
ftbchunks-world.snbt: |
|
||||
# Server-specific configuration for FTB Chunks
|
||||
# Modpack defaults should be defined in <instance>/config/ftbchunks-world.snbt
|
||||
# (may be overwritten on modpack update)
|
||||
# Server admins may locally override this by copying into <instance>/world/serverconfig/ftbchunks-world.snbt
|
||||
# (will NOT be overwritten on modpack update)
|
||||
|
||||
{
|
||||
# Forced modes won't let players change their ally settings
|
||||
# Default: "default"
|
||||
# Valid values: "default", "forced_all", "forced_none"
|
||||
ally_mode: "default"
|
||||
|
||||
# Disables all land protection. Useful for private servers where everyone is trusted and claims are only used for force-loading
|
||||
# Default: false
|
||||
disable_protection: false
|
||||
|
||||
# Minimap for clients connecting to this server will be disabled
|
||||
# Default: false
|
||||
force_disable_minimap: false
|
||||
|
||||
# If true, "Location Visibility" team settings are ignored, and all players can see each other anywhere on the map.
|
||||
# Default: false
|
||||
location_mode_override: false
|
||||
|
||||
# Interval in ticks to send updates to clients with long-range player tracking data.
|
||||
# Lower values mean more frequent updates but more server load and network traffic; be careful with this, especially on busy servers.
|
||||
# Setting this to 0 disables long-range tracking.
|
||||
# Default: 20
|
||||
# Range: 0 ~ 2147483647
|
||||
long_range_tracker_interval: 20
|
||||
|
||||
# Requires you to claim chunks in order to edit and interact with blocks
|
||||
# Default: false
|
||||
no_wilderness: false
|
||||
|
||||
# Dimension ID's where the no_wilderness rule is enforced - building is only allowed in claimed chunks. If this is non-empty, it overrides the 'no_wilderness' setting.
|
||||
# Default: []
|
||||
no_wilderness_dimensions: [ ]
|
||||
|
||||
# If true, pistons are prevented from pushing/pulling blocks across claims owned by different teams (unless the target claim has public 'edit block' permissions defined). If 'disable_protection' is set to true, this setting is ignored.
|
||||
# Default: true
|
||||
piston_protection: true
|
||||
|
||||
# When true, standard FTB Chunk explosion protection is applied in protected chunks when the source of the explosion cannot be determined
|
||||
# (Ghast fireballs are a common case - vanilla supplies a null entity source)
|
||||
# Default: true
|
||||
protect_unknown_explosions: true
|
||||
|
||||
# Should PvP combat be allowed in claimed chunks? Default is ALWAYS; NEVER prevents it in all claimed chunks; PER_TEAM allows teams to decide if PvP is allowed in their claims
|
||||
# Default: "always"
|
||||
# Valid values: "always", "never", "per_team"
|
||||
pvp_mode: "always"
|
||||
|
||||
# If true, the player must have the 'ftbchunks_mapping' Game stage to be able to use the map and minimap.
|
||||
# Requires KubeJS and/or Gamestages to be installed.
|
||||
# Default: false
|
||||
require_game_stage: false
|
||||
claiming: {
|
||||
# Dimension ID's where chunks may not be claimed. Add "minecraft:the_end" to this list if you want to disable chunk claiming in The End, or "othermod:*" to disable chunk claiming in *all* dimensions added by "othermod"
|
||||
# Default: []
|
||||
claim_dimension_blacklist: [ ]
|
||||
|
||||
# Dimension ID's where chunks may be claimed. If non-empty, chunks may be claimed *only* in these dimensions (and the dimension is not in "claim_dimension_blacklist"). Same syntax as for "claim_dimension_blacklist".
|
||||
# Default: []
|
||||
claim_dimension_whitelist: [ ]
|
||||
|
||||
# Hard limit for the number of chunks a team can claim, regardless of how many members. Default of 0 means no hard limit.
|
||||
# Default: 0
|
||||
# Range: 0 ~ 2147483647
|
||||
hard_team_claim_limit: 0
|
||||
|
||||
# Max claimed chunks.
|
||||
# You can override this with FTB Ranks 'ftbchunks.max_claimed' permission
|
||||
# Default: 500
|
||||
# Range: -∞ ~ +∞
|
||||
max_claimed_chunks: 500
|
||||
|
||||
# Maximum time (in real-world days) where if no player in a team logs in, the team automatically loses their claims.
|
||||
# Prevents chunks being claimed indefinitely by teams who no longer play.
|
||||
# Default of 0 means no automatic loss of claims.
|
||||
# Default: 0.0
|
||||
# Range: 0.0 ~ 3650.0
|
||||
max_idle_days_before_unclaim: 0.0d
|
||||
|
||||
# Method by which party claim & force-load limits are calculated.
|
||||
# LARGEST: use the limits of the member with the largest limits
|
||||
# SUM: add up all the members' limits
|
||||
# OWNER: use the party owner's limits only
|
||||
# AVERAGE: use the average of all members' limits.
|
||||
# Default: "largest"
|
||||
# Valid values: "largest", "owner", "sum", "average"
|
||||
party_limit_mode: "largest"
|
||||
}
|
||||
custom_behaviour: {
|
||||
chunks_with_custom_y: [ ]
|
||||
|
||||
# Custom minimum Y level to scan when rendering map, used if use_custom_min_y_level is true
|
||||
# Default: -32768
|
||||
# Range: -32768 ~ 32767
|
||||
custom_min_y_level: -32768
|
||||
|
||||
# Override minimum Y level used when rendering map
|
||||
# Default: false
|
||||
use_custom_min_y_level: false
|
||||
}
|
||||
dev: {
|
||||
# Enable dev commands
|
||||
# Default: false
|
||||
commands: false
|
||||
}
|
||||
fake_players: {
|
||||
# Override to disable/enable fake players like miners and auto-clickers globally.
|
||||
# Default will check this setting for each team
|
||||
# Default: "check"
|
||||
# Valid values: "check", "deny", "allow"
|
||||
fake_players: "check"
|
||||
|
||||
# Maximum time in days to keep logs of prevented fakeplayer access to a team's claims.
|
||||
# Default: 7
|
||||
# Range: 1 ~ 2147483647
|
||||
max_prevented_log_age: 7
|
||||
}
|
||||
force_loading: {
|
||||
# Control how force-loaded chunks work.
|
||||
# NEVER: only allow chunk force-loading if the owning team has at least one online player.
|
||||
# ALWAYS: always allow force-loading, even if no players are online.
|
||||
# DEFAULT: allow force-loading IF the team has at least one player with the 'ftbchunks.chunk_load_offline' FTB Ranks permission.
|
||||
# Default: "default"
|
||||
# Valid values: "default", "always", "never"
|
||||
force_load_mode: "always"
|
||||
|
||||
# Hard limit for the number of chunks a team can force-load, regardless of how many members. Default of 0 means no hard limit.
|
||||
# Default: 0
|
||||
# Range: 0 ~ 2147483647
|
||||
hard_team_force_limit: 0
|
||||
|
||||
# Max force loaded chunks.
|
||||
# You can override this with FTB Ranks 'ftbchunks.max_force_loaded' permission
|
||||
# Default: 25
|
||||
# Range: -∞ ~ +∞
|
||||
max_force_loaded_chunks: 25
|
||||
|
||||
# Maximum time (in real-world days) where if no player in a team logs in, any forceloaded chunks owned by the team are no longer forceloaded.
|
||||
# Prevents chunks being forceloaded indefinitely by teams who no longer play.
|
||||
# Default of 0 means no automatic loss of forceloading.
|
||||
# Default: 0.0
|
||||
# Range: 0.0 ~ 3650.0
|
||||
max_idle_days_before_unforce: 0.0d
|
||||
}
|
||||
team_prop_defaults: {
|
||||
# Default explosion protection for claimed chunks
|
||||
# Default: false
|
||||
def_allow_explosions: false
|
||||
|
||||
# Default mode for block breaking and placing in claimed chunks (NeoForge only)
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_block_edit: "allies"
|
||||
|
||||
# Default mode for block interaction, breaking and placing in claimed chunks (Fabric only)
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_block_edit_interact: "allies"
|
||||
|
||||
# Default mode for block interaction (right-click) in claimed chunks (NeoForge only)
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_block_interact: "allies"
|
||||
|
||||
# Default claim visibility for claimed chunks
|
||||
# Default: "public"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_claim_visibility: "public"
|
||||
|
||||
# Default mode for left-clicking non-living entities (armor stands, item frames...) in claimed chunks
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_entity_attack: "allies"
|
||||
|
||||
# Default mode for entity interaction in claimed chunks
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_entity_interact: "allies"
|
||||
|
||||
# Default allow fake player IDs which are the same as real permitted players
|
||||
# Default: true
|
||||
def_fake_player_ids: true
|
||||
|
||||
# Default allow-fake-player setting for team properties
|
||||
# Default: false
|
||||
def_fake_players: false
|
||||
|
||||
# Default mob griefing protection for claimed chunks
|
||||
# Default: false
|
||||
def_mob_griefing: false
|
||||
|
||||
# Default named fake players who should be allowed by default
|
||||
# Default: []
|
||||
def_named_fake_players: [ ]
|
||||
|
||||
# Default long-range player visibility on map
|
||||
# Default: "allies"
|
||||
# Valid values: "allies", "private", "public"
|
||||
def_player_visibility: "allies"
|
||||
|
||||
# Default PvP setting in claimed chunks
|
||||
# Default: true
|
||||
def_pvp: true
|
||||
}
|
||||
waypoint_sharing: {
|
||||
# Allow players to share waypoints with their party.
|
||||
# Default: true
|
||||
waypoint_sharing_party: true
|
||||
|
||||
# Allow players to share waypoints with other players.
|
||||
# Default: true
|
||||
waypoint_sharing_players: true
|
||||
|
||||
# Allow players to share waypoints with the entire server.
|
||||
# Default: true
|
||||
waypoint_sharing_server: true
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,386 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-ftbessentials
|
||||
namespace: minecraft
|
||||
data:
|
||||
ftbessentials.snbt: |
|
||||
# FTB Essentials config file
|
||||
# If you're a modpack maker, edit defaultconfigs/ftbessentials-server.snbt instead
|
||||
|
||||
{
|
||||
# If true, the mod will register its commands to the 'ftbessentials' namespace as well as the root namespace
|
||||
# otherwise it will only register to the root namespace
|
||||
# This setting has no effect if 'register_to_namespace' is false
|
||||
# Default: false
|
||||
register_alias_as_well_as_namespace: false
|
||||
|
||||
# If true, the mod will register its commands to the 'ftbessentials' namespace,
|
||||
# otherwise it will register to the root namespace
|
||||
# Default: false
|
||||
register_to_namespace: false
|
||||
|
||||
# Admin commands for cheating and moderation
|
||||
admin: {
|
||||
# Allows admins to extinguish themselves or a player using a command
|
||||
extinguish: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to fully feed themselves or a player using a command
|
||||
feed: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to toggle flying status using a command, without having to use Creative Mode
|
||||
fly: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to toggle invincibility using a command, without having to use Creative Mode
|
||||
god: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to fully heal (health, food, fire, potion effects) themselves or a player using a command
|
||||
heal: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to view other users' inventories using a command
|
||||
invsee: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to configure kits of items that can be given to players.
|
||||
kit: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to restrict players from chatting by using a command to mute (or unmute) them
|
||||
mute: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to change walk speed for themselves or a player
|
||||
speed: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to change the location of offline players.
|
||||
tp_offline: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
}
|
||||
|
||||
# Cross-mod integration
|
||||
integration: {
|
||||
# If true, and FTB Team Bases is installed, then the '/spawn' command will instead send players to the lobby
|
||||
# Default: true
|
||||
team_bases_spawn_override: true
|
||||
}
|
||||
|
||||
# Miscellaneous features and utilities
|
||||
misc: {
|
||||
# Allows users to access an Anvil GUI without needing an Anvil.
|
||||
anvil: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to access a Crafting Table GUI without needing a Crafting Table.
|
||||
crafting: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to access their ender chest, as well as admins to manage other players' ender chests.
|
||||
enderchest: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to set a custom hat as their head item by using a command
|
||||
hat: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to kick themselves from the server, for example if they are stuck or desynced
|
||||
kickme: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to view leaderboard stats about everyone on the server.
|
||||
leaderboard: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to list nearby players, sorted by distance
|
||||
near: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to change their display name, as well as admins to change nicknames for other users
|
||||
nick: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to announce their recording or streaming status to the server by using commands
|
||||
rec: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to access a Smithing Table GUI without needing a Smithing Table.
|
||||
smithing: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows users to access a Stonecutter GUI without needing a Stonecutter.
|
||||
stonecutter: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Enables usage of a trash can inventory, which can be used to void unneeded items
|
||||
trashcan: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
}
|
||||
|
||||
# Teleportation-related settings
|
||||
teleportation: {
|
||||
# If true, admin-level players (i.e. permission level >= 2) are exempt from
|
||||
# the dimension controls defined in teleportation -> blacklists and
|
||||
# in teleportation -> rtp -> dimension_blacklist/whitelist
|
||||
# Default: true
|
||||
admins_exempt_dimension_blacklists: true
|
||||
|
||||
# Allows users to return to their previous location after teleporting (or dying)
|
||||
back: {
|
||||
# Cooldown between /back commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.back.cooldown
|
||||
# Default: 30
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 30
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# Max size of the teleport history. This limits how many times you can use /back
|
||||
# You can override this with FTB Ranks using ftbessentials.back.max
|
||||
# Default: 10
|
||||
# Range: 0 ~ 2147483647
|
||||
max: 10
|
||||
|
||||
# Should be the /back command only be used for returning to the last death point?
|
||||
# Default: false
|
||||
only_on_death: false
|
||||
|
||||
# Warm-up time before /back command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.back.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
|
||||
# Blacklists for all teleport commands
|
||||
# Wildcarded dimensions (e.g. 'somemod:*') are supported
|
||||
blacklists: {
|
||||
# Dimensions players aren't permitted to run teleport commands in.
|
||||
# Default: []
|
||||
from: [ ]
|
||||
|
||||
# Dimensions players aren't permitted to teleport into.
|
||||
# Default: []
|
||||
to: [ ]
|
||||
}
|
||||
|
||||
# Allows users to set 'homes', which they can then freely teleport to by using /home afterwards
|
||||
home: {
|
||||
# Cooldown between /home commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.home.cooldown
|
||||
# Default: 10
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 10
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# The minimum Y value for homes, as set by the /sethome command
|
||||
# Default: -2147483648
|
||||
# Range: -∞ ~ +∞
|
||||
home_min_y: -2147483648
|
||||
|
||||
# Max amount of homes a user can have.
|
||||
# You can override this with FTB Ranks using ftbessentials.home.max
|
||||
# Default: 1
|
||||
# Range: 0 ~ 2147483647
|
||||
max: 3
|
||||
|
||||
# Warm-up time before /home command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.home.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
|
||||
# Allows admins to jump (teleport) to the focused block
|
||||
jump: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
playerspawn: {
|
||||
# Cooldown between /playerspawn commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.playerspawn.cooldown
|
||||
# Default: 10
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 10
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# Warm-up time before /playerspawn command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.playerspawn.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
|
||||
# Allows players to teleport to a random point in the Wilderness
|
||||
# Note: This currently does not respect Claimed Chunks yet!
|
||||
rtp: {
|
||||
# Allow player to specify (only) custom max distance in rtp command
|
||||
# You can override this with FTB Ranks using ftbessentials.rtp.custom_max
|
||||
# Default: false
|
||||
allow_custom_max_distance: false
|
||||
|
||||
# Allow player to specify custom min and max distance in rtp command
|
||||
# You can override this with FTB Ranks using ftbessentials.rtp.custom_min_max
|
||||
# Default: false
|
||||
allow_custom_min_max_distance: false
|
||||
|
||||
# Cooldown between /rtp commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.rtp.cooldown
|
||||
# Default: 600
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 600
|
||||
|
||||
# Blacklisted dimension ID's for /rtp (player *must not* be in any of these dimensions)
|
||||
# Wildcarded dimensions (e.g. 'somemod:*') are supported
|
||||
# Default: ["minecraft:the_end"]
|
||||
dimension_blacklist: ["minecraft:the_end"]
|
||||
|
||||
# Whitelisted dimension ID's for /rtp (if non-empty, player *must* be in one of these dimensions)
|
||||
# Wildcarded dimensions (e.g. 'somemod:*') are supported
|
||||
# Default: []
|
||||
dimension_whitelist: [ ]
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# /rtp max distance from spawn point
|
||||
# Default: 25000
|
||||
# Range: 0 ~ 30000000
|
||||
max_distance: 25000
|
||||
|
||||
# Number of tries before /rtp gives up
|
||||
# Default: 100
|
||||
# Range: 1 ~ 1000
|
||||
max_tries: 100
|
||||
|
||||
# /rtp min distance from spawn point
|
||||
# Default: 500
|
||||
# Range: 0 ~ 30000000
|
||||
min_distance: 500
|
||||
|
||||
# Warm-up time before /rtp command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.rtp.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
spawn: {
|
||||
# Cooldown between /spawn commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.spawn.cooldown
|
||||
# Default: 10
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 10
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# Warm-up time before /spawn command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.spawn.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
|
||||
# Allows players to create requests to teleport to other users on the server,
|
||||
# as well as requesting other players to teleport to them
|
||||
tpa: {
|
||||
# Cooldown between /tpa commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.tpa.cooldown
|
||||
# Default: 10
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 10
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# Warm-up time before /tpa command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.tpa.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
|
||||
# Allows admins to teleport to the location a user was last seen at
|
||||
tpl: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to teleport to dimension
|
||||
tpx: {
|
||||
# Default: true
|
||||
enabled: true
|
||||
}
|
||||
|
||||
# Allows admins to create 'warps', which are fixed points in the world that users may teleport to using /warp
|
||||
warp: {
|
||||
# Cooldown between /warp commands (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.warp.cooldown
|
||||
# Default: 10
|
||||
# Range: 0 ~ 604800
|
||||
cooldown: 10
|
||||
|
||||
# Default: true
|
||||
enabled: true
|
||||
|
||||
# Warm-up time before /warp command executes (in seconds)
|
||||
# You can override this with FTB Ranks using ftbessentials.warp.warmup
|
||||
# Default: 0
|
||||
# Range: 0 ~ 604800
|
||||
warmup: 0
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-ops
|
||||
namespace: minecraft
|
||||
data:
|
||||
ops.json: |
|
||||
[
|
||||
{
|
||||
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
|
||||
"name": "DefNotJeffrey",
|
||||
"level": 4,
|
||||
"bypassesPlayerLimit": false
|
||||
}
|
||||
]
|
||||
@@ -0,0 +1,45 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: atm-pvc
|
||||
namespace: minecraft
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: longhorn-static
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: atm10-backups-smb
|
||||
spec:
|
||||
capacity:
|
||||
storage: 5Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
csi:
|
||||
driver: smb.csi.k8s.io
|
||||
volumeHandle: backups
|
||||
volumeAttributes:
|
||||
source: "//10.8.14.2/minecraft-backups"
|
||||
nodeStageSecretRef:
|
||||
name: minecraft-secrets
|
||||
namespace: minecraft
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: minecraft
|
||||
name: atm10-backups
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: atm10-backups-smb
|
||||
storageClassName: ""
|
||||
@@ -0,0 +1,68 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-properties
|
||||
namespace: minecraft
|
||||
data:
|
||||
server.properties: |
|
||||
accepts-transfers=false
|
||||
allow-flight=true
|
||||
allow-nether=true
|
||||
broadcast-console-to-ops=true
|
||||
broadcast-rcon-to-ops=true
|
||||
bug-report-link=
|
||||
difficulty=easy
|
||||
enable-command-block=false
|
||||
enable-jmx-monitoring=false
|
||||
enable-query=false
|
||||
enable-rcon=true
|
||||
enable-status=true
|
||||
enforce-secure-profile=true
|
||||
enforce-whitelist=false
|
||||
entity-broadcast-range-percentage=100
|
||||
force-gamemode=false
|
||||
function-permission-level=2
|
||||
gamemode=survival
|
||||
generate-structures=true
|
||||
generator-settings={}
|
||||
hardcore=false
|
||||
hide-online-players=false
|
||||
initial-disabled-packs=
|
||||
initial-enabled-packs=vanilla
|
||||
level-name=world
|
||||
level-seed=
|
||||
level-type=minecraft\:normal
|
||||
log-ips=true
|
||||
max-chained-neighbor-updates=1000000
|
||||
max-players=20
|
||||
max-tick-time=180000
|
||||
max-world-size=29999984
|
||||
motd=All the Mods 10
|
||||
network-compression-threshold=256
|
||||
online-mode=true
|
||||
op-permission-level=4
|
||||
player-idle-timeout=0
|
||||
prevent-proxy-connections=false
|
||||
pvp=true
|
||||
query.port=25565
|
||||
rate-limit=0
|
||||
rcon.password=J8SCfyqh2KC7NVstYK
|
||||
rcon.port=25575
|
||||
region-file-compression=deflate
|
||||
require-resource-pack=false
|
||||
resource-pack=
|
||||
resource-pack-id=
|
||||
resource-pack-prompt=
|
||||
resource-pack-sha1=
|
||||
server-ip=
|
||||
server-port=25565
|
||||
simulation-distance=10
|
||||
spawn-animals=true
|
||||
spawn-monsters=true
|
||||
spawn-npcs=true
|
||||
spawn-protection=16
|
||||
sync-chunk-writes=true
|
||||
text-filtering-config=
|
||||
use-native-transport=true
|
||||
view-distance=10
|
||||
white-list=true
|
||||
19
applications/minecraft/atm10/minecraft-atm10-service.yaml
Normal file
19
applications/minecraft/atm10/minecraft-atm10-service.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: atm-loadbalancer
|
||||
namespace: minecraft
|
||||
spec:
|
||||
ports:
|
||||
- name: atm-tcp
|
||||
port: 25565
|
||||
targetPort: 25565
|
||||
protocol: TCP
|
||||
- name: rcon
|
||||
port: 25575
|
||||
targetPort: 25575
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: atm
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
@@ -0,0 +1,69 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: minecraft
|
||||
name: atm
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: atm
|
||||
serviceName: atm-loadbalancer
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: atm
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 10
|
||||
containers:
|
||||
- name: atm
|
||||
image: gitea.jsme.be/jeffrey/atm10:6.1
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
requests:
|
||||
cpu: 2000m
|
||||
memory: 8Gi
|
||||
limits:
|
||||
cpu: 4000m
|
||||
memory: 12Gi
|
||||
volumeMounts:
|
||||
- name: world
|
||||
mountPath: /opt/minecraft/world
|
||||
- name: backups
|
||||
mountPath: /opt/minecraft/backups
|
||||
subPath: atm
|
||||
- name: properties-file
|
||||
mountPath: /opt/minecraft/server.properties
|
||||
subPath: server.properties
|
||||
- name: whitelist
|
||||
mountPath: /opt/minecraft/whitelist.json
|
||||
subPath: whitelist.json
|
||||
- name: ftbessentials
|
||||
mountPath: /opt/minecraft/config/ftbessentials.snbt
|
||||
subPath: ftbessentials.snbt
|
||||
- name: ops
|
||||
mountPath: /opt/minecraft/ops.json
|
||||
subPath: ops.json
|
||||
ports:
|
||||
- containerPort: 25565
|
||||
- containerPort: 25575
|
||||
volumes:
|
||||
- name: world
|
||||
persistentVolumeClaim:
|
||||
claimName: atm-pvc
|
||||
- name: backups
|
||||
persistentVolumeClaim:
|
||||
claimName: atm10-backups
|
||||
- name: properties-file
|
||||
configMap:
|
||||
name: atm-properties
|
||||
- name: whitelist
|
||||
configMap:
|
||||
name: atm-whitelist
|
||||
- name: ftbessentials
|
||||
configMap:
|
||||
name: atm-ftbessentials
|
||||
- name: ops
|
||||
configMap:
|
||||
name: atm-ops
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atm-whitelist
|
||||
namespace: minecraft
|
||||
data:
|
||||
whitelist.json: |
|
||||
[
|
||||
{
|
||||
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
|
||||
"name": "DefNotJeffrey"
|
||||
}
|
||||
]
|
||||
@@ -0,0 +1,80 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: homestead-backups
|
||||
namespace: minecraft
|
||||
data:
|
||||
ftbbackups2.json: |
|
||||
{
|
||||
// Allow the creation of backups automatically
|
||||
"enabled": true,
|
||||
// Permission level to use the /backup command
|
||||
"command_permission_level": 3,
|
||||
// Only send backup status to server ops
|
||||
"notify_op_only": true,
|
||||
// Don't send backup status at all
|
||||
"do_not_notify": false,
|
||||
/* Backup retention mode. Valid Modes: MAX_BACKUPS, TIERED
|
||||
Note: TIERED mode is an experimental feature, Use at your own risk.
|
||||
*/
|
||||
"retention_mode": "MAX_BACKUPS",
|
||||
// Applies to retention_mode:MAX_BACKUPS, Sets the maximum number of backups to keep
|
||||
"max_backups": 8,
|
||||
// Applies to retention_mode:TIERED, The latest x number of backups will be retained
|
||||
"keep_latest": 5,
|
||||
// Applies to retention_mode:TIERED, Sets number of hourly backups to keep
|
||||
"keep_hourly": 3,
|
||||
// Applies to retention_mode:TIERED, Sets number of daily backups to keep
|
||||
"keep_daily": 2,
|
||||
// Applies to retention_mode:TIERED, Sets number of weekly backups to keep
|
||||
"keep_weekly": 2,
|
||||
// Applies to retention_mode:TIERED, Sets number of monthly backups to keep
|
||||
"keep_monthly": 1,
|
||||
/* This is done with an implementation of cron from the Quartz java library.
|
||||
More info here
|
||||
(http://www.cronmaker.com)
|
||||
*/
|
||||
"backup_cron": "0 */30 * * * ?",
|
||||
// Time between manual backups using the command
|
||||
"manual_backups_time": 0,
|
||||
// Only run a backup if a player has been online since the last backup
|
||||
"only_if_players_been_online": true,
|
||||
// Additional directories to include in backup
|
||||
"additional_directories": [],
|
||||
/* Additional files and directories to include in backup.
|
||||
Can specify a file name, path relative to server directory or wildcard file path
|
||||
Examples: (All file paths are relative to server root)
|
||||
fileName.txt Any/all file named "fileName.txt"
|
||||
folder/file.txt Exact file path
|
||||
folder/ Everything in this folder
|
||||
path/starts/with* Any files who's path starts with
|
||||
*path/ends/with.txt Any files who's path ends with
|
||||
*path/contains* Any files who's path contains
|
||||
*/
|
||||
"additional_files": [],
|
||||
// Display file size in backup message
|
||||
"display_file_size": false,
|
||||
// backup location
|
||||
"backup_location": ".",
|
||||
// Specify the backup format. Valid options are ZIP and DIRECTORY
|
||||
"backup_format": "ZIP",
|
||||
// Minimum free disk space in MB. If a backup's creation would leave less than this amount of disk space remaining, the backup will be aborted.
|
||||
"minimum_free_space": 500,
|
||||
// If the previous backup failed due to lack of space, the oldest backup will be deleted to free space.
|
||||
"free_space_if_needed": false,
|
||||
/* Specify files or folders to be excluded.
|
||||
Can specify a file name, path relative to server directory or wildcard file path
|
||||
Examples: (All file paths are relative to server root)
|
||||
fileName.txt Any/all file named "fileName.txt"
|
||||
folder/file.txt Exact file path
|
||||
folder/ Everything in this folder
|
||||
path/starts/with* Any files who's path starts with
|
||||
*path/ends/with.txt Any files who's path ends with
|
||||
*path/contains* Any files who's path contains
|
||||
*/
|
||||
"excluded": [],
|
||||
/* The dimension used when creating backup preview image, specify "all" to enable automatic detection of primary dimension (can be very slow)
|
||||
Specify "none" to disable preview
|
||||
*/
|
||||
"preview_dimension": "minecraft:overworld"
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: homestead-ops
|
||||
namespace: minecraft
|
||||
data:
|
||||
ops.json: |
|
||||
[
|
||||
{
|
||||
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
|
||||
"name": "DefNotJeffrey",
|
||||
"level": 4,
|
||||
"bypassesPlayerLimit": false
|
||||
},
|
||||
{
|
||||
"uuid": "2c6f52c4-7c98-46a7-9014-34a6781eed64",
|
||||
"name": "Splakra",
|
||||
"level": 4,
|
||||
"bypassesPlayerLimit": false
|
||||
}
|
||||
]
|
||||
@@ -0,0 +1,45 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: homestead-pvc
|
||||
namespace: minecraft
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: longhorn-static
|
||||
resources:
|
||||
requests:
|
||||
storage: 30Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: minecraft-backups-smb
|
||||
spec:
|
||||
capacity:
|
||||
storage: 5Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
csi:
|
||||
driver: smb.csi.k8s.io
|
||||
volumeHandle: backups
|
||||
volumeAttributes:
|
||||
source: "//10.8.14.2/minecraft-backups"
|
||||
nodeStageSecretRef:
|
||||
name: minecraft-secrets
|
||||
namespace: minecraft
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
namespace: minecraft
|
||||
name: minecraft-backups
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: minecraft-backups-smb
|
||||
storageClassName: ""
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user