Split manifests into infra/ and applications/

This commit is contained in:
2026-06-21 12:14:38 +02:00
parent 64e8bf7d78
commit c40577589d
360 changed files with 69 additions and 67 deletions

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik-route
namespace: authentik
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: authentik
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: authentik
hostnames:
- "auth.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "auth.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: authentik-server
port: 80
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authentik-postgres-data
namespace: authentik
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 10Gi

View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-postgresql
namespace: authentik
spec:
selector:
app: authentik-postgresql
ports:
- port: 5432
targetPort: 5432

View File

@@ -0,0 +1,52 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: authentik-postgresql
namespace: authentik
spec:
serviceName: authentik-postgresql
replicas: 1
selector:
matchLabels:
app: authentik-postgresql
template:
metadata:
labels:
app: authentik-postgresql
spec:
containers:
- name: authentik-postgresql
image: postgres:16-alpine
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_name
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_user
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_password
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 512Mi
volumes:
- name: data
persistentVolumeClaim:
claimName: authentik-postgres-data

View File

@@ -0,0 +1,106 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-server
namespace: authentik
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: authentik-server
template:
metadata:
labels:
app: authentik-server
spec:
containers:
- name: authentik
image: ghcr.io/goauthentik/server:2026.5.2
command: ["ak"]
args: ["server"]
ports:
- containerPort: 9000
name: http
- containerPort: 9443
name: https
env:
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_name
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_password
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secrets
key: AUTHENTIK_SECRET_KEY
- name: AUTHENTIK_EMAIL__HOST
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_host
- name: AUTHENTIK_EMAIL__PORT
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_port
- name: AUTHENTIK_EMAIL__USERNAME
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_username
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_password
- name: AUTHENTIK_EMAIL__FROM
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_from
- name: AUTHENTIK_EMAIL__USE_TLS
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_use_tls
volumeMounts:
- name: data
mountPath: /data
- name: templates
mountPath: /templates
- name: dshm
mountPath: /dev/shm
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: authentik-server-data
- name: templates
emptyDir: {}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 512Mi

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authentik-server-data
namespace: authentik
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 1Gi

View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-server
namespace: authentik
spec:
selector:
app: authentik-server
ports:
- name: http
port: 80
targetPort: 9000
- name: https
port: 443
targetPort: 9443

View File

@@ -0,0 +1,107 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-worker
namespace: authentik
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: authentik-worker
template:
metadata:
labels:
app: authentik-worker
spec:
securityContext:
runAsUser: 0
containers:
- name: authentik
image: ghcr.io/goauthentik/server:2026.5.2
command: ["ak"]
args: ["worker"]
env:
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_name
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: db_password
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secrets
key: AUTHENTIK_SECRET_KEY
- name: AUTHENTIK_EMAIL__HOST
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_host
- name: AUTHENTIK_EMAIL__PORT
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_port
- name: AUTHENTIK_EMAIL__USERNAME
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_username
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_password
- name: AUTHENTIK_EMAIL__FROM
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_from
- name: AUTHENTIK_EMAIL__USE_TLS
valueFrom:
secretKeyRef:
name: authentik-secrets
key: email_use_tls
volumeMounts:
- name: data
mountPath: /data
- name: certs
mountPath: /certs
- name: templates
mountPath: /templates
- name: dshm
mountPath: /dev/shm
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: authentik-worker-data
- name: templates
emptyDir: {}
- name: certs
emptyDir: {}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 512Mi

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authentik-worker-data
namespace: authentik
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 1Gi

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: azure-ddns
namespace: azure-ddns
spec:
selector:
app: azure-ddns
ports:
- name: azure-ddns
port: 443
targetPort: 443
protocol: TCP
type: ClusterIP

View File

@@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: azure-ddns
namespace: azure-ddns
spec:
replicas: 1
selector:
matchLabels:
app: azure-ddns
serviceName: azure-ddns
template:
metadata:
labels:
app: azure-ddns
spec:
terminationGracePeriodSeconds: 60
containers:
- name: azure-ddns
image: gitea.jsme.be/jeffrey/azure-ddns-python:1.1
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
env:
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: TENANT_ID
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: CLIENT_ID
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: CLIENT_SECRET
- name: AZURE_SUBSCRIPTION_ID
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: SUBSCRIPTION_ID
- name: AZURE_RESOURCE_GROUP
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: RESOURCE_GROUP
- name: AZURE_ZONE_NAME
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: AZURE_ZONE_NAME
- name: GOTIFY_URL
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: GOTIFY_URL
- name: GOTIFY_TOKEN
valueFrom:
secretKeyRef:
name: azure-ddns-secrets
key: GOTIFY_TOKEN
restartPolicy: Always

View File

@@ -0,0 +1,29 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: bentopdf
name: bentopdf
spec:
replicas: 1
selector:
matchLabels:
app: bentopdf
template:
metadata:
labels:
app: bentopdf
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: bentopdf
image: ghcr.io/alam00000/bentopdf:v2.8.2-amd64
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
ports:
- containerPort: 8080

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: bentopdf-route
namespace: bentopdf
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: bentopdf
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: bentopdf
hostnames:
- "pdf.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "pdf.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: bentopdf
port: 8080
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: bentopdf
namespace: bentopdf
spec:
selector:
app: bentopdf
ports:
- protocol: TCP
port: 8080
targetPort: 8080
type: ClusterIP

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: comfyui-pvc
namespace: comfyui
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 50Gi

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: comfyui
namespace: comfyui
spec:
selector:
app: comfyui
ports:
- protocol: TCP
port: 8188
targetPort: 8188
type: ClusterIP

View File

@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: comfyui
namespace: comfyui
spec:
replicas: 1
selector:
matchLabels:
app: comfyui
serviceName: comfyui
template:
metadata:
labels:
app: comfyui
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 30
nodeSelector:
kubernetes.io/hostname: kubernetes-worker-1.jsme.be
containers:
- name: comfyui
image: ghcr.io/ai-dock/comfyui:latest
ports:
- containerPort: 8188
env:
- name: COMFYUI_FLAGS
value: "--listen 0.0.0.0 --port 8188 --use-xpu"
- name: AUTO_UPDATE
value: "false"
securityContext:
privileged: true
volumeMounts:
- name: data
mountPath: /config
- name: dri
mountPath: /dev/dri
volumes:
- name: data
persistentVolumeClaim:
claimName: comfyui-pvc
- name: dri
hostPath:
path: /dev/dri

View File

@@ -0,0 +1,46 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: databasus-route
namespace: databasus
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: databasus
hostnames:
- "databasus.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "databasus.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: databasus-svc
port: 4005
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: databasus

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: databasus-pvc
namespace: databasus
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-static
resources:
requests:
storage: 10Gi

View File

@@ -0,0 +1,13 @@
kind: Service
apiVersion: v1
metadata:
name: databasus-svc
namespace: databasus
spec:
ports:
- name: databasus
port: 4005
targetPort: 4005
selector:
app: databasus
type: ClusterIP

View File

@@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: databasus
namespace: databasus
spec:
replicas: 1
selector:
matchLabels:
app: databasus
serviceName: databasus-svc
template:
metadata:
labels:
app: databasus
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: databasus
image: databasus/databasus:latest
imagePullPolicy: Always
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 2Gi
ports:
- containerPort: 4005
volumeMounts:
- name: data
mountPath: /databasus-data
volumes:
- name: data
persistentVolumeClaim:
claimName: databasus-pvc

View File

@@ -0,0 +1,29 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: excalidraw
namespace: excalidraw
spec:
replicas: 1
selector:
matchLabels:
app: excalidraw
template:
metadata:
labels:
app: excalidraw
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: excalidraw
image: excalidraw/excalidraw:latest
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
ports:
- containerPort: 80

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: excalidraw-route
namespace: excalidraw
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: excalidraw
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: excalidraw
hostnames:
- "draw.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "draw.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: excalidraw
port: 80
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: excalidraw
namespace: excalidraw
spec:
selector:
app: excalidraw
ports:
- name: http
port: 80
targetPort: 80
type: ClusterIP

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: gitea-route
namespace: gitea
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: gitea
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: gitea
hostnames:
- "gitea.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "gitea.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: gitea
port: 3000
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitea

View File

@@ -0,0 +1,38 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: containers-data-smb
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
mountOptions:
- dir_mode=0700
- file_mode=0700
- noperm
- uid=1000
- gid=1000
csi:
driver: smb.csi.k8s.io
volumeHandle: containers
volumeAttributes:
source: "//10.8.14.2/containers"
nodeStageSecretRef:
name: gitea-secrets
namespace: gitea
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: gitea
name: gitea-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
volumeName: containers-data-smb
storageClassName: ""

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: gitea
namespace: gitea
spec:
selector:
app: gitea
type: ClusterIP
ports:
- name: gitea-svc
protocol: TCP
port: 3000
targetPort: 3000

View File

@@ -0,0 +1,71 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gitea
namespace: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea
serviceName: gitea
template:
metadata:
labels:
app: gitea
spec:
terminationGracePeriodSeconds: 60
containers:
- name: gitea
image: docker.gitea.com/gitea:1.25
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
ports:
- containerPort: 3000
volumeMounts:
- name: data
mountPath: /data
subPath: Gitea
env:
- name: GITEA__database__HOST
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_host
- name: GITEA__database__DB_TYPE
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_type
- name: GITEA__database__NAME
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_name
- name: GITEA__database__USER
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_user
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_password
- name: USER
valueFrom:
secretKeyRef:
name: gitea-secrets
key: gitea_user
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: gitea-pvc

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: gitea
name: gitea-postgresql-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-static
volumeName: gitea-postgresql-data
resources:
requests:
storage: 10Gi

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-postgresql
namespace: gitea
spec:
selector:
app: gitea-postgresql
type: ClusterIP
ports:
- name: postgresql-port
protocol: TCP
port: 5432
targetPort: 5432

View File

@@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
namespace: gitea
name: gitea-postgresql
spec:
replicas: 1
selector:
matchLabels:
app: gitea-postgresql
serviceName: gitea-postgresql
template:
metadata:
labels:
app: gitea-postgresql
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
containers:
- name: gitea-postgresql
image: postgres:18
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
ports:
- containerPort: 5432
volumeMounts:
- name: gitea-postgresql-database
mountPath: /var/lib/postgresql/volumes/pgdata
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_user
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: gitea-secrets
key: db_name
- name: PGDATA
value: /var/lib/postgresql/volumes/pgdata/data
volumes:
- name: gitea-postgresql-database
persistentVolumeClaim:
claimName: gitea-postgresql-pvc

View File

@@ -0,0 +1,500 @@
# Gitea Actions Reference
> Based on Gitea 1.21+ and act_runner v0.2.x
> Gitea Actions is compatible with GitHub Actions syntax. Both `github.*` and `gitea.*` context namespaces work; prefer `gitea.*` for Gitea-specific deployments.
---
## Table of Contents
1. [Workflow File Location](#workflow-file-location)
2. [Trigger Events (`on:`)](#trigger-events-on)
3. [Context Variables](#context-variables)
4. [Secrets](#secrets)
5. [Variables (`vars`)](#variables-vars)
6. [Built-in Environment Variables](#built-in-environment-variables)
7. [Expression Syntax & Functions](#expression-syntax--functions)
8. [Runner Labels](#runner-labels)
9. [Differences from GitHub Actions](#differences-from-github-actions)
10. [Unsupported Features](#unsupported-features)
11. [Badge URLs](#badge-urls)
---
## Workflow File Location
```
.gitea/workflows/<name>.yaml
```
Basic structure:
```yaml
name: My Workflow
run-name: ${{ gitea.actor }} triggered ${{ gitea.event_name }}
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run something
run: echo "Hello from ${{ gitea.actor }}"
```
---
## Trigger Events (`on:`)
### Supported Events
| Event | Activity Types |
|---|---|
| `push` | — |
| `pull_request` | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `synchronize`, `labeled`, `unlabeled` |
| `pull_request_review` | `submitted`, `edited` |
| `pull_request_review_comment` | `created`, `edited` |
| `issues` | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `milestoned`, `demilestoned`, `labeled`, `unlabeled` |
| `issue_comment` | `created`, `edited`, `deleted` |
| `release` | `published`, `edited` |
| `registry_package` | `published` |
| `create` | — |
| `delete` | — |
| `fork` | — |
| `gollum` | — |
| `workflow_dispatch` | — |
| `workflow_run` | `requested`, `completed` |
| `schedule` | — |
### Filter Options
```yaml
on:
push:
branches:
- main
- 'feature/**'
tags:
- 'v*'
paths:
- 'src/**'
pull_request:
types: [opened, synchronize]
branches:
- main
schedule:
- cron: '0 1 * * *'
- cron: '@daily' # Gitea extension (not available in GitHub Actions)
- cron: '@hourly' # Gitea extension
- cron: '@weekly' # Gitea extension
- cron: '@monthly' # Gitea extension
- cron: '@yearly' # Gitea extension
```
### `workflow_dispatch` with Inputs
Adds a "Run workflow" button in the Gitea UI. The workflow must be on the **default branch** to appear.
```yaml
on:
workflow_dispatch:
inputs:
environment:
description: 'Target environment'
required: true
type: choice
options:
- staging
- production
dry_run:
description: 'Dry run'
required: false
type: boolean
default: false
version:
description: 'Version number'
type: string
```
Supported input types: `string`, `boolean`, `choice`, `number`, `environment`
Access inputs via: `${{ inputs.environment }}` or `${{ gitea.event.inputs.environment }}`
---
## Context Variables
### `gitea.*` / `github.*`
Both namespaces are identical. Prefer `gitea.*`.
| Variable | Description |
|---|---|
| `gitea.actor` | Username that triggered the workflow |
| `gitea.event_name` | Triggering event name (`push`, `pull_request`, etc.) |
| `gitea.event` | Full event payload object |
| `gitea.ref` | Full ref (`refs/heads/main`, `refs/pull/1/head`) |
| `gitea.ref_name` | Short ref name (`main`, `v1.0`) |
| `gitea.ref_type` | `branch` or `tag` |
| `gitea.sha` | Full commit SHA |
| `gitea.repository` | `owner/repo` |
| `gitea.repository_owner` | Repository owner (user or org name) |
| `gitea.workspace` | Workspace path on the runner |
| `gitea.run_id` | Unique ID for this workflow run |
| `gitea.run_number` | Sequential run number for this workflow |
| `gitea.server_url` | Gitea instance base URL |
| `gitea.api_url` | Gitea API URL |
| `gitea.head_ref` | PR source branch name |
| `gitea.base_ref` | PR target branch name |
| `gitea.token` | Auto-generated short-lived job token |
| `gitea.workflow` | Workflow name |
| `gitea.job` | Current job ID |
> **Note**: `gitea.repository_owner` preserves original casing. Use `tr '[:upper:]' '[:lower:]'` when used in Docker image tags.
### `runner.*`
| Variable | Description |
|---|---|
| `runner.os` | `Linux`, `Windows`, or `macOS` |
| `runner.arch` | `X64`, `ARM64`, etc. |
| `runner.name` | Runner name |
| `runner.tool_cache` | Tool cache directory |
| `runner.temp` | Temp directory |
### `steps.*`
```yaml
steps.<step_id>.outputs.<output_name>
steps.<step_id>.conclusion # success, failure, cancelled, skipped
steps.<step_id>.outcome # success, failure, cancelled, skipped
```
### `needs.*`
```yaml
needs.<job_id>.outputs.<output_name>
needs.<job_id>.result # success, failure, cancelled, skipped
```
### `secrets.*`
```yaml
secrets.GITEA_TOKEN # auto-generated job token (cannot push to package registry)
secrets.GITHUB_TOKEN # alias for the same token
secrets.<SECRET_NAME> # user-defined secrets
```
### `vars.*`
```yaml
vars.<VARIABLE_NAME> # non-sensitive config variables (stored in UPPERCASE)
```
### `inputs.*`
```yaml
inputs.<input_name> # for workflow_dispatch and workflow_call
```
### `matrix.*` / `strategy.*`
```yaml
matrix.<dimension> # current matrix combination value
strategy.fail-fast
strategy.max-parallel
```
---
## Secrets
### Scope (highest to lowest priority)
1. Repository secrets
2. Organization secrets
3. User secrets
### Rules
- Allowed characters: `[a-zA-Z0-9_]`
- Cannot start with `GITHUB_`, `GITEA_`, or a number
- Case-insensitive
### Usage
```yaml
steps:
- name: Use secret
env:
API_KEY: ${{ secrets.API_KEY }}
run: ./deploy.sh $API_KEY
```
### Auto Token (`GITEA_TOKEN`)
Automatically injected into every job. Short-lived — invalidated when the job completes.
**Known limitation**: `GITEA_TOKEN` / `GITHUB_TOKEN` **cannot push to the Gitea package/container registry**. Use a Personal Access Token (PAT) with `package` scope stored as a manual secret instead.
---
## Variables (`vars`)
Non-sensitive configuration values, visible in logs.
### Scope (highest to lowest priority)
1. Repository variables
2. Organization variables
3. User variables
### Rules
- Allowed characters: `[a-zA-Z0-9_]`
- Cannot start with `GITHUB_`, `GITEA_`, `CI`, or a number
- Keys are stored and accessed in **UPPERCASE**
### Usage
```yaml
steps:
- run: echo "Deploying to ${{ vars.ENVIRONMENT }}"
```
### Inline `env` (workflow/job/step level)
```yaml
env:
GLOBAL_VAR: "value" # available to all jobs
jobs:
build:
env:
JOB_VAR: "value" # available to all steps in this job
steps:
- env:
STEP_VAR: "value" # only this step
run: echo $STEP_VAR
```
---
## Built-in Environment Variables
Automatically injected into every step:
| Variable | Description |
|---|---|
| `CI` | Always `true` |
| `GITHUB_WORKFLOW` / `GITEA_WORKFLOW` | Workflow name |
| `GITHUB_RUN_ID` / `GITEA_RUN_ID` | Unique run ID |
| `GITHUB_RUN_NUMBER` / `GITEA_RUN_NUMBER` | Sequential run number |
| `GITHUB_ACTOR` / `GITEA_ACTOR` | Triggering username |
| `GITHUB_REPOSITORY` | `owner/repo` |
| `GITHUB_EVENT_NAME` | Event name |
| `GITHUB_SHA` | Commit SHA |
| `GITHUB_REF` | Full ref |
| `GITHUB_REF_NAME` | Short ref name |
| `GITHUB_REF_TYPE` | `branch` or `tag` |
| `GITHUB_HEAD_REF` | PR source branch |
| `GITHUB_BASE_REF` | PR target branch |
| `GITHUB_WORKSPACE` | Workspace directory |
| `GITHUB_SERVER_URL` | Gitea instance URL |
| `GITHUB_API_URL` | Gitea API URL |
| `GITHUB_TOKEN` / `GITEA_TOKEN` | Auto job token |
| `RUNNER_OS` | Runner OS |
| `RUNNER_ARCH` | Runner architecture |
| `RUNNER_NAME` | Runner name |
| `RUNNER_TEMP` | Temp directory |
| `RUNNER_TOOL_CACHE` | Tool cache directory |
---
## Expression Syntax & Functions
### Syntax
```yaml
${{ <expression> }}
# In `if:` blocks, the ${{ }} wrapper is optional:
if: github.ref == 'refs/heads/main'
if: ${{ github.ref == 'refs/heads/main' }}
```
### Operators
| Operator | Description |
|---|---|
| `( )` | Grouping |
| `[ ]` | Index |
| `.` | Property access |
| `!` | Not |
| `<` `>` `<=` `>=` | Comparison |
| `==` `!=` | Equality |
| `&&` `\|\|` | Logical AND / OR |
### Functions
| Function | Description |
|---|---|
| `contains(search, item)` | True if string/array contains item |
| `startsWith(str, prefix)` | Case-insensitive prefix check |
| `endsWith(str, suffix)` | Case-insensitive suffix check |
| `format(str, val0, val1, ...)` | String formatting with `{0}`, `{1}` placeholders |
| `join(array, separator)` | Join array with delimiter |
| `toJSON(value)` | Serialize to JSON string |
| `fromJSON(value)` | Parse JSON string to object |
| `hashFiles(path)` | SHA-256 hash of file(s) matching glob |
| `success()` | True if all previous steps succeeded |
| `failure()` | True if any previous step failed |
| `cancelled()` | True if workflow was cancelled |
| `always()` | Always true; forces step execution |
### Examples
```yaml
if: contains(gitea.ref, 'main')
if: startsWith(gitea.ref, 'refs/tags/')
if: always()
if: failure()
if: success() && gitea.ref == 'refs/heads/main'
run: echo ${{ format('Hello {0}', gitea.actor) }}
```
---
## Runner Labels
Labels map `runs-on:` values in workflows to runner execution environments.
### Label Format
```
<label>:<schema>:<image>
```
- `docker://<image>` — run the job in a Docker container
- `host` — run directly on the runner host machine
### Examples
```yaml
# In act_runner config.yaml
runner:
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "node18:docker://node:18-bullseye"
- "python311:docker://python:3.11-slim"
- "native:host"
```
### Runner Scope
| Scope | Picks up jobs from |
|---|---|
| Instance-level | All repos on the Gitea instance |
| Organization-level | All repos in that organization |
| Repository-level | That specific repo only |
### Registering a Runner
```bash
# Interactive
./act_runner register
# Non-interactive
./act_runner register \
--instance https://gitea.example.com \
--token <registration-token> \
--name my-runner \
--labels ubuntu-latest:docker://gitea/runner-images:ubuntu-latest
```
Get tokens from:
- **Instance-level**: Admin Panel → Actions → Runners
- **Org-level**: Org Settings → Actions → Runners
- **Repo-level**: Repo Settings → Actions → Runners
---
## Differences from GitHub Actions
### Gitea Additions
| Feature | Details |
|---|---|
| Absolute action URLs | `uses: https://github.com/actions/checkout@v4` or any git URL |
| Go-based actions | Actions can be written in Go |
| Extended cron syntax | `@daily`, `@hourly`, `@weekly`, `@monthly`, `@yearly` |
| `gitea.*` context | Recommended namespace alias for `github.*` |
| Permissive context | `env` context usable in more places than GitHub allows |
| `DEFAULT_ACTIONS_URL` | Server config to pull actions from own Gitea instance instead of GitHub |
### Behavioral Differences
| Behavior | GitHub Actions | Gitea Actions |
|---|---|---|
| PR ref | `refs/pull/:n/merge` (merge preview) | `refs/pull/:n/head` (PR head) |
| Unqualified action source | Always GitHub.com | Configurable via `DEFAULT_ACTIONS_URL` |
| `GITHUB_TOKEN` for packages | Works | **Does not work** — use PAT |
| `permissions:` keyword | Enforced | Ignored |
| `continue-on-error:` | Supported | Ignored |
| `timeout-minutes:` | Supported | Ignored |
---
## Unsupported Features
| Feature | Status |
|---|---|
| `permissions:` keyword | Ignored |
| `jobs.<id>.timeout-minutes` | Ignored |
| `jobs.<id>.continue-on-error` | Ignored |
| `jobs.<id>.environment` | Ignored |
| Problem Matchers | Not supported |
| Log annotations (`::error::`, `::warning::`) | Not supported |
| `GITEA_TOKEN` for container registry | Does not work — use PAT with `package` scope |
---
## Badge URLs
```
https://<gitea-instance>/<owner>/<repo>/actions/workflows/<workflow-file>/badge.svg
```
### Query Parameters
| Parameter | Values | Default |
|---|---|---|
| `branch` | Any branch name | Default branch |
| `event` | Event name (`push`, `pull_request`, etc.) | None |
| `style` | `flat`, `flat-square` | `flat` |
### Example
```markdown
[![Build](https://gitea.jsme.be/Jeffrey/azure-ddns-python/actions/workflows/build-push.yaml/badge.svg?branch=main)](https://gitea.jsme.be/Jeffrey/azure-ddns-python/actions)
```
---
## Sources
- [Gitea Actions Overview](https://docs.gitea.com/usage/actions/overview)
- [Gitea Actions Quickstart](https://docs.gitea.com/usage/actions/quickstart)
- [act-runner Documentation](https://docs.gitea.com/usage/actions/act-runner)
- [Workflow File Reference](https://docs.gitea.com/usage/actions/workflow-file)
- [Compared to GitHub Actions](https://docs.gitea.com/usage/actions/comparison)
- [Secrets](https://docs.gitea.com/usage/actions/secrets)
- [Variables](https://docs.gitea.com/usage/actions/variables)
- [Badge](https://docs.gitea.com/usage/actions/badge)
- [act_runner config example](https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml)

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-runner-pvc
namespace: gitea
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-static
volumeName: gitea-runner-data
resources:
requests:
storage: 20Gi

View File

@@ -0,0 +1,164 @@
# Configure Gitea Actions
## @section Gitea Actions
#
## @param enabled Create an act runner StatefulSet.
## @param init.image.repository The image used for the init containers
## @param init.image.tag The image tag used for the init containers
## @param statefulset.replicas the amount of (replica) runner pods deployed
## @param statefulset.timezone is the timezone that will be set in the act_runner image
## @param statefulset.annotations Act runner annotations
## @param statefulset.labels Act runner labels
## @param statefulset.resources Act runner resources
## @param statefulset.nodeSelector NodeSelector for the statefulset
## @param statefulset.tolerations Tolerations for the statefulset
## @param statefulset.affinity Affinity for the statefulset
## @param statefulset.extraVolumes Extra volumes for the statefulset
## @param statefulset.actRunner.repository The Gitea act runner image
## @param statefulset.actRunner.tag The Gitea act runner tag
## @param statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
## @param statefulset.dind.repository The Docker-in-Docker image
## @param statefulset.dind.tag The Docker-in-Docker image tag
## @param statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
## @param statefulset.persistence.size Size for persistence to store act runner data
## @param existingSecret Secret that contains the token
## @param existingSecretKey Secret key
## @param giteaRootURL URL the act_runner registers and connect with
enabled: true
statefulset:
replicas: 1
timezone: Europe/Brussels
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
extraVolumes: []
actRunner:
registry: docker.io
repository: gitea/act_runner
tag: 0.2.13
pullPolicy: IfNotPresent
extraVolumeMounts: []
# See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
config: |
log:
level: debug
runner:
# Where to store the registration result.
file: .runner
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# The timeout for the runner to wait for running jobs to finish when shutting down.
# Any running jobs that haven't finished after this timeout will be cancelled.
shutdown_timeout: 0s
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: "host"
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: true
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: [/var/run/docker.sock]
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
# Rebuild docker image(s) even if already present
force_rebuild: false
# Always require a reachable docker daemon, even if not required by act_runner
require_docker: false
# Timeout to wait for the docker daemon to be reachable, if docker is required by require_docker or act_runner
docker_timeout: 0s
dind:
repository: docker
tag: 28.3.3-dind
pullPolicy: IfNotPresent
extraVolumeMounts: []
# If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
# See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
extraEnvs:
[]
# - name: "DOCKER_IPTABLES_LEGACY"
# value: "1"
persistence:
size: 15Gi
init:
image:
repository: busybox
# Overrides the image tag whose default is the chart appVersion.
tag: "1.37.0"
## Specify an existing token secret
##
existingSecret: "gitea-secrets"
existingSecretKey: "runner_token"
## Specify the root URL of the Gitea instance
giteaRootURL: "https://gitea.jsme.be"
## @section Global
#
## @param global.imageRegistry global image registry override
## @param global.storageClass global storage class override
global:
imageRegistry: ""
storageClass: ""

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: gotify-route
namespace: gotify
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: gotify
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: gotify
hostnames:
- "gotify.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "gotify.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: gotify
port: 80
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gotify-data-pvc
namespace: gotify
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-static
volumeName: gotify-data
resources:
requests:
storage: 5Gi

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: gotify
namespace: gotify
spec:
selector:
app: gotify
ports:
- name: http
port: 80
targetPort: 80
type: ClusterIP

View File

@@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gotify
namespace: gotify
spec:
replicas: 1
selector:
matchLabels:
app: gotify
serviceName: gotify
template:
metadata:
labels:
app: gotify
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: gotify
image: gotify/server:2.9.1
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
ports:
- containerPort: 80
name: http
env:
- name: GOTIFY_DEFAULTUSER_PASS
valueFrom:
secretKeyRef:
name: gotify-secrets
key: default_user_pass
- name: GOTIFY_DATABASE_DIALECT
value: postgres
- name: DB_USER
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_user
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_name
- name: GOTIFY_DATABASE_CONNECTION
value: "host=gotify-postgresql port=5432 user=$(DB_USER) dbname=$(DB_NAME) password=$(DB_PASSWORD) sslmode=disable"
volumeMounts:
- name: data
mountPath: /app/data
volumes:
- name: data
persistentVolumeClaim:
claimName: gotify-data-pvc

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gotify-postgresql-pvc
namespace: gotify
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 2Gi

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: gotify-postgresql
namespace: gotify
spec:
selector:
app: gotify-postgresql
type: ClusterIP
ports:
- name: gotify-postgresql-port
protocol: TCP
port: 5432
targetPort: 5432

View File

@@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gotify-postgresql
namespace: gotify
spec:
replicas: 1
selector:
matchLabels:
app: gotify-postgresql
serviceName: gotify-postgresql
template:
metadata:
labels:
app: gotify-postgresql
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
containers:
- name: gotify-postgresql
image: postgres:18
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
ports:
- containerPort: 5432
volumeMounts:
- name: gotify-postgresql-database
mountPath: /var/lib/postgresql/pgdata
env:
- name: PGDATA
value: /var/lib/postgresql/pgdata/data
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_user
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: gotify-secrets
key: db_name
volumes:
- name: gotify-postgresql-database
persistentVolumeClaim:
claimName: gotify-postgresql-pvc

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: immich-route
namespace: immich
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: immich
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: immich
hostnames:
- "photos.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "photos.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: immich
port: 2283
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: immich-data-smb
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
mountOptions:
- dir_mode=0700
- file_mode=0700
- noperm
csi:
driver: smb.csi.k8s.io
volumeHandle: immich-photos
volumeAttributes:
source: "//10.8.14.2/Photos"
nodeStageSecretRef:
name: immich-secrets
namespace: immich
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: immich
name: immich-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
volumeName: immich-data-smb
storageClassName: ""

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
namespace: immich
name: immich
spec:
selector:
app: immich
ports:
- protocol: TCP
port: 2283
targetPort: 2283
type: ClusterIP

View File

@@ -0,0 +1,61 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
namespace: immich
name: immich
spec:
replicas: 1
selector:
matchLabels:
app: immich
serviceName: immich
template:
metadata:
labels:
app: immich
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
containers:
- name: immich
image: ghcr.io/immich-app/immich-server:v2.7.5
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "2Gi"
cpu: "2000m"
ports:
- containerPort: 2283
env:
- name: TZ
value: "Europe/Brussels"
- name: DB_HOSTNAME
value: "immich-postgresql.immich.svc.cluster.local"
- name: DB_DATABASE_NAME
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_name
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_user
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_password
- name: REDIS_HOSTNAME
value: "valkey.immich.svc.cluster.local"
- name: IMMICH_PORT
value: "2283"
volumeMounts:
- name: photos
mountPath: /data
volumes:
- name: photos
persistentVolumeClaim:
claimName: immich-pvc

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: immich
name: immich-postgresql-pvc
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-static
resources:
requests:
storage: 5Gi

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: immich-postgresql
namespace: immich
spec:
selector:
app: immich-postgresql
type: ClusterIP
ports:
- name: immich-postgresql-port
protocol: TCP
port: 5432
targetPort: 5432

View File

@@ -0,0 +1,53 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
namespace: immich
name: immich-postgresql
spec:
replicas: 1
serviceName: immich-postgresql
selector:
matchLabels:
app: immich-postgresql
template:
metadata:
labels:
app: immich-postgresql
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
containers:
- name: immich-postgresql
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "500m"
ports:
- containerPort: 5432
volumeMounts:
- name: immich-postgresql-immich
mountPath: /var/lib/postgresql/pgdata
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_user
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: immich-secrets
key: db_name
volumes:
- name: immich-postgresql-immich
persistentVolumeClaim:
claimName: immich-postgresql-pvc

View File

@@ -0,0 +1,28 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: immich
name: valkey
spec:
replicas: 1
selector:
matchLabels:
app: valkey
template:
metadata:
labels:
app: valkey
spec:
restartPolicy: Always
containers:
- name: valkey
image: valkey/valkey:9
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "200m"
ports:
- containerPort: 6379

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: valkey
namespace: immich
spec:
selector:
app: valkey
type: ClusterIP
ports:
- name: valkey-port
protocol: TCP
port: 6379
targetPort: 6379

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: affine-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/affine"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: affine-secrets
secretNamespace: affine
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: authentik-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/authentik"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: authentik-secrets
secretNamespace: authentik
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: azure-ddns-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/azure-ddns"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: azure-ddns-secrets
secretNamespace: azure-ddns
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: gitea-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/gitea"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: gitea-secrets
secretNamespace: gitea
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: gotify-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/gotify"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: gotify-secrets
secretNamespace: gotify
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: immich-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/immich"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: immich-secrets
secretNamespace: immich
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: jellyfin-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/jellyfin"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: jellyfin-secrets
secretNamespace: jellyfin
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: longhorn-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/longhorn"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: longhorn-secrets
secretNamespace: longhorn-system
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: minecraft-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/minecraft"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: minecraft-secrets
secretNamespace: minecraft
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: n8n-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/n8n"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: n8n-secrets
secretNamespace: n8n
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: netbootxyz-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/netbootxyz"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: netbootxyz-secrets
secretNamespace: netbootxyz
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: openwebui-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/openwebui"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: openwebui-secrets
secretNamespace: openwebui
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: passbolt-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/passbolt"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: passbolt-secrets
secretNamespace: passbolt
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: pelican-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/pelican"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: pelican-secrets
secretNamespace: pelican
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: resume-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/reactive_resume"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: resume-secrets
secretNamespace: resume
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: searxng-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/searxng"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: searxng-secrets
secretNamespace: searxng
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: uptime-kuma-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/uptime-kuma"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: uptime-kuma-secrets
secretNamespace: uptime-kuma
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: vaultwarden-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/vaultwarden"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: vaultwarden-secrets
secretNamespace: vaultwarden
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: victoria-metrics-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/victoria-metrics"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: victoria-metrics-secrets
secretNamespace: victoria-metrics
secretType: Opaque

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: zipline-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/zipline"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: zipline-secrets
secretNamespace: zipline
secretType: Opaque

View File

@@ -0,0 +1,18 @@
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: infisical
namespace: infisical
labels:
kubernetes.io/service-name: infisical
addressType: IPv4
ports:
- port: 8080
protocol: TCP
endpoints:
- addresses:
- "10.8.11.98"
conditions:
ready: true
serving: true
terminating: false

View File

@@ -0,0 +1,46 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: infisical-route
namespace: infisical
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: infisical
hostnames:
- "infisical.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "infisical.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: infisical
port: 8080
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: infisical
namespace: infisical
spec:
ports:
- protocol: TCP
port: 8080
targetPort: 8080
type: ClusterIP

View File

@@ -0,0 +1,30 @@
# Copy this file and replace:
# - SERVICE_NAME: the service/folder name
# - SERVICE_NAMESPACE: the namespace where the secret should be created
#
# Example: for a service called "my-app" in namespace "my-app":
# - SERVICE_NAME → my-app
# - SERVICE_NAMESPACE → my-app
#
# apiVersion: secrets.infisical.com/v1alpha1
# kind: InfisicalSecret
# metadata:
# name: SERVICE_NAME-secrets
# namespace: infisical
# spec:
# hostAPI: https://infisical.jsme.be
# resyncInterval: 60
# authentication:
# universalAuth:
# secretsScope:
# projectSlug: "kubernetes"
# envSlug: "prod"
# secretsPath: "/SERVICE_NAME"
# recursive: true
# credentialsRef:
# secretName: infisical-universal-auth
# secretNamespace: infisical
# managedSecretReference:
# secretName: SERVICE_NAME-secrets
# secretNamespace: SERVICE_NAMESPACE
# secretType: Opaque

View File

@@ -0,0 +1,9 @@
# apiVersion: v1
# kind: Secret
# metadata:
# name: infisical-universal-auth
# namespace: infisical
# type: Opaque
# stringData:
# clientId: ""
# clientSecret: ""

View File

@@ -0,0 +1,29 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: it-tools
name: ittools
spec:
replicas: 1
selector:
matchLabels:
app: ittools
template:
metadata:
labels:
app: ittools
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: it-tools
image: sharevb/it-tools:stable
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
ports:
- containerPort: 8080

View File

@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: it-tools-route
namespace: it-tools
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: it-tools
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: it-tools
hostnames:
- "tools.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "tools.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: ittools
port: 8080
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: ittools
namespace: it-tools
spec:
selector:
app: ittools
ports:
- protocol: TCP
port: 8080
targetPort: 8080
type: ClusterIP

View File

@@ -0,0 +1,49 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: jellyfin-route
namespace: jellyfin
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: jellyfin
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-public
namespace: envoy-gateway
sectionName: jellyfin
hostnames:
- "jellyfin.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "jellyfin.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: jellyfin
port: 8096
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: jellyfin
name: jellyfin-pvc
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-static
volumeName: jellyfin-pvc
resources:
requests:
storage: 40Gi

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
namespace: jellyfin
name: jellyfin
spec:
selector:
app: jellyfin
ports:
- protocol: TCP
port: 8096
targetPort: 8096
type: ClusterIP

View File

@@ -0,0 +1,33 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: smb-media-pv
namespace: jellyfin
spec:
capacity:
storage: 50Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
csi:
driver: smb.csi.k8s.io
volumeHandle: smb-media-pv
volumeAttributes:
source: "//10.8.14.2/Media"
nodeStageSecretRef:
name: jellyfin-secrets
namespace: jellyfin
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: jellyfin
name: smb-media-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
volumeName: smb-media-pv
storageClassName: ""

View File

@@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
namespace: jellyfin
name: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
serviceName: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
nodeSelector:
gpu: "true"
containers:
- name: jellyfin
image: jellyfin/jellyfin:10.11.9
ports:
- containerPort: 8096
resources:
limits:
gpu.intel.com/i915: "1"
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
readOnly: true
volumes:
- name: config
persistentVolumeClaim:
claimName: jellyfin-pvc
- name: media
persistentVolumeClaim:
claimName: smb-media-pvc

View File

@@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: jenkins
name: jenkins
spec:
replicas: 1
selector:
matchLabels:
app: jenkins
template:
metadata:
labels:
app: jenkins
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: jenkins
image: jenkins/jenkins:latest-jdk21
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: jenkins-volume
mountPath: /var/jenkins_home
ports:
- containerPort: 8080
volumes:
- name: jenkins-volume
persistentVolumeClaim:
claimName: jenkins-pvc

View File

@@ -0,0 +1,46 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: jenkins-route
namespace: jenkins
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: jenkins
hostnames:
- "jenkins.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "jenkins.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: jenkins-svc-ingress
port: 8080
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jenkins-pvc
namespace: jenkins
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-static
resources:
requests:
storage: 100Gi

View File

@@ -0,0 +1,80 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-backups
namespace: minecraft
data:
ftbbackups2.json: |
{
// Allow the creation of backups automatically
"enabled": true,
// Permission level to use the /backup command
"command_permission_level": 3,
// Only send backup status to server ops
"notify_op_only": true,
// Don't send backup status at all
"do_not_notify": false,
/* Backup retention mode. Valid Modes: MAX_BACKUPS, TIERED
Note: TIERED mode is an experimental feature, Use at your own risk.
*/
"retention_mode": "MAX_BACKUPS",
// Applies to retention_mode:MAX_BACKUPS, Sets the maximum number of backups to keep
"max_backups": 5,
// Applies to retention_mode:TIERED, The latest x number of backups will be retained
"keep_latest": 5,
// Applies to retention_mode:TIERED, Sets number of hourly backups to keep
"keep_hourly": 1,
// Applies to retention_mode:TIERED, Sets number of daily backups to keep
"keep_daily": 1,
// Applies to retention_mode:TIERED, Sets number of weekly backups to keep
"keep_weekly": 1,
// Applies to retention_mode:TIERED, Sets number of monthly backups to keep
"keep_monthly": 1,
/* This is done with an implementation of cron from the Quartz java library.
More info here
(http://www.cronmaker.com)
*/
"backup_cron": "0 */30 * * * ?",
// Time between manual backups using the command
"manual_backups_time": 0,
// Only run a backup if a player has been online since the last backup
"only_if_players_been_online": true,
// Additional directories to include in backup
"additional_directories": [],
/* Additional files and directories to include in backup.
Can specify a file name, path relative to server directory or wildcard file path
Examples: (All file paths are relative to server root)
fileName.txt Any/all file named "fileName.txt"
folder/file.txt Exact file path
folder/ Everything in this folder
path/starts/with* Any files who's path starts with
*path/ends/with.txt Any files who's path ends with
*path/contains* Any files who's path contains
*/
"additional_files": [],
// Display file size in backup message
"display_file_size": false,
// backup location
"backup_location": ".",
// Specify the backup format. Valid options are ZIP and DIRECTORY
"backup_format": "ZIP",
// Minimum free disk space in MB. If a backup's creation would leave less than this amount of disk space remaining, the backup will be aborted.
"minimum_free_space": 500,
// If the previous backup failed due to lack of space, the oldest backup will be deleted to free space.
"free_space_if_needed": false,
/* Specify files or folders to be excluded.
Can specify a file name, path relative to server directory or wildcard file path
Examples: (All file paths are relative to server root)
fileName.txt Any/all file named "fileName.txt"
folder/file.txt Exact file path
folder/ Everything in this folder
path/starts/with* Any files who's path starts with
*path/ends/with.txt Any files who's path ends with
*path/contains* Any files who's path contains
*/
"excluded": [],
/* The dimension used when creating backup preview image, specify "all" to enable automatic detection of primary dimension (can be very slow)
Specify "none" to disable preview
*/
"preview_dimension": "minecraft:overworld"
}

View File

@@ -0,0 +1,230 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-ftbchunks
namespace: minecraft
data:
ftbchunks-world.snbt: |
# Server-specific configuration for FTB Chunks
# Modpack defaults should be defined in <instance>/config/ftbchunks-world.snbt
# (may be overwritten on modpack update)
# Server admins may locally override this by copying into <instance>/world/serverconfig/ftbchunks-world.snbt
# (will NOT be overwritten on modpack update)
{
# Forced modes won't let players change their ally settings
# Default: "default"
# Valid values: "default", "forced_all", "forced_none"
ally_mode: "default"
# Disables all land protection. Useful for private servers where everyone is trusted and claims are only used for force-loading
# Default: false
disable_protection: false
# Minimap for clients connecting to this server will be disabled
# Default: false
force_disable_minimap: false
# If true, "Location Visibility" team settings are ignored, and all players can see each other anywhere on the map.
# Default: false
location_mode_override: false
# Interval in ticks to send updates to clients with long-range player tracking data.
# Lower values mean more frequent updates but more server load and network traffic; be careful with this, especially on busy servers.
# Setting this to 0 disables long-range tracking.
# Default: 20
# Range: 0 ~ 2147483647
long_range_tracker_interval: 20
# Requires you to claim chunks in order to edit and interact with blocks
# Default: false
no_wilderness: false
# Dimension ID's where the no_wilderness rule is enforced - building is only allowed in claimed chunks. If this is non-empty, it overrides the 'no_wilderness' setting.
# Default: []
no_wilderness_dimensions: [ ]
# If true, pistons are prevented from pushing/pulling blocks across claims owned by different teams (unless the target claim has public 'edit block' permissions defined). If 'disable_protection' is set to true, this setting is ignored.
# Default: true
piston_protection: true
# When true, standard FTB Chunk explosion protection is applied in protected chunks when the source of the explosion cannot be determined
# (Ghast fireballs are a common case - vanilla supplies a null entity source)
# Default: true
protect_unknown_explosions: true
# Should PvP combat be allowed in claimed chunks? Default is ALWAYS; NEVER prevents it in all claimed chunks; PER_TEAM allows teams to decide if PvP is allowed in their claims
# Default: "always"
# Valid values: "always", "never", "per_team"
pvp_mode: "always"
# If true, the player must have the 'ftbchunks_mapping' Game stage to be able to use the map and minimap.
# Requires KubeJS and/or Gamestages to be installed.
# Default: false
require_game_stage: false
claiming: {
# Dimension ID's where chunks may not be claimed. Add "minecraft:the_end" to this list if you want to disable chunk claiming in The End, or "othermod:*" to disable chunk claiming in *all* dimensions added by "othermod"
# Default: []
claim_dimension_blacklist: [ ]
# Dimension ID's where chunks may be claimed. If non-empty, chunks may be claimed *only* in these dimensions (and the dimension is not in "claim_dimension_blacklist"). Same syntax as for "claim_dimension_blacklist".
# Default: []
claim_dimension_whitelist: [ ]
# Hard limit for the number of chunks a team can claim, regardless of how many members. Default of 0 means no hard limit.
# Default: 0
# Range: 0 ~ 2147483647
hard_team_claim_limit: 0
# Max claimed chunks.
# You can override this with FTB Ranks 'ftbchunks.max_claimed' permission
# Default: 500
# Range: -∞ ~ +∞
max_claimed_chunks: 500
# Maximum time (in real-world days) where if no player in a team logs in, the team automatically loses their claims.
# Prevents chunks being claimed indefinitely by teams who no longer play.
# Default of 0 means no automatic loss of claims.
# Default: 0.0
# Range: 0.0 ~ 3650.0
max_idle_days_before_unclaim: 0.0d
# Method by which party claim & force-load limits are calculated.
# LARGEST: use the limits of the member with the largest limits
# SUM: add up all the members' limits
# OWNER: use the party owner's limits only
# AVERAGE: use the average of all members' limits.
# Default: "largest"
# Valid values: "largest", "owner", "sum", "average"
party_limit_mode: "largest"
}
custom_behaviour: {
chunks_with_custom_y: [ ]
# Custom minimum Y level to scan when rendering map, used if use_custom_min_y_level is true
# Default: -32768
# Range: -32768 ~ 32767
custom_min_y_level: -32768
# Override minimum Y level used when rendering map
# Default: false
use_custom_min_y_level: false
}
dev: {
# Enable dev commands
# Default: false
commands: false
}
fake_players: {
# Override to disable/enable fake players like miners and auto-clickers globally.
# Default will check this setting for each team
# Default: "check"
# Valid values: "check", "deny", "allow"
fake_players: "check"
# Maximum time in days to keep logs of prevented fakeplayer access to a team's claims.
# Default: 7
# Range: 1 ~ 2147483647
max_prevented_log_age: 7
}
force_loading: {
# Control how force-loaded chunks work.
# NEVER: only allow chunk force-loading if the owning team has at least one online player.
# ALWAYS: always allow force-loading, even if no players are online.
# DEFAULT: allow force-loading IF the team has at least one player with the 'ftbchunks.chunk_load_offline' FTB Ranks permission.
# Default: "default"
# Valid values: "default", "always", "never"
force_load_mode: "always"
# Hard limit for the number of chunks a team can force-load, regardless of how many members. Default of 0 means no hard limit.
# Default: 0
# Range: 0 ~ 2147483647
hard_team_force_limit: 0
# Max force loaded chunks.
# You can override this with FTB Ranks 'ftbchunks.max_force_loaded' permission
# Default: 25
# Range: -∞ ~ +∞
max_force_loaded_chunks: 25
# Maximum time (in real-world days) where if no player in a team logs in, any forceloaded chunks owned by the team are no longer forceloaded.
# Prevents chunks being forceloaded indefinitely by teams who no longer play.
# Default of 0 means no automatic loss of forceloading.
# Default: 0.0
# Range: 0.0 ~ 3650.0
max_idle_days_before_unforce: 0.0d
}
team_prop_defaults: {
# Default explosion protection for claimed chunks
# Default: false
def_allow_explosions: false
# Default mode for block breaking and placing in claimed chunks (NeoForge only)
# Default: "allies"
# Valid values: "allies", "private", "public"
def_block_edit: "allies"
# Default mode for block interaction, breaking and placing in claimed chunks (Fabric only)
# Default: "allies"
# Valid values: "allies", "private", "public"
def_block_edit_interact: "allies"
# Default mode for block interaction (right-click) in claimed chunks (NeoForge only)
# Default: "allies"
# Valid values: "allies", "private", "public"
def_block_interact: "allies"
# Default claim visibility for claimed chunks
# Default: "public"
# Valid values: "allies", "private", "public"
def_claim_visibility: "public"
# Default mode for left-clicking non-living entities (armor stands, item frames...) in claimed chunks
# Default: "allies"
# Valid values: "allies", "private", "public"
def_entity_attack: "allies"
# Default mode for entity interaction in claimed chunks
# Default: "allies"
# Valid values: "allies", "private", "public"
def_entity_interact: "allies"
# Default allow fake player IDs which are the same as real permitted players
# Default: true
def_fake_player_ids: true
# Default allow-fake-player setting for team properties
# Default: false
def_fake_players: false
# Default mob griefing protection for claimed chunks
# Default: false
def_mob_griefing: false
# Default named fake players who should be allowed by default
# Default: []
def_named_fake_players: [ ]
# Default long-range player visibility on map
# Default: "allies"
# Valid values: "allies", "private", "public"
def_player_visibility: "allies"
# Default PvP setting in claimed chunks
# Default: true
def_pvp: true
}
waypoint_sharing: {
# Allow players to share waypoints with their party.
# Default: true
waypoint_sharing_party: true
# Allow players to share waypoints with other players.
# Default: true
waypoint_sharing_players: true
# Allow players to share waypoints with the entire server.
# Default: true
waypoint_sharing_server: true
}
}

View File

@@ -0,0 +1,386 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-ftbessentials
namespace: minecraft
data:
ftbessentials.snbt: |
# FTB Essentials config file
# If you're a modpack maker, edit defaultconfigs/ftbessentials-server.snbt instead
{
# If true, the mod will register its commands to the 'ftbessentials' namespace as well as the root namespace
# otherwise it will only register to the root namespace
# This setting has no effect if 'register_to_namespace' is false
# Default: false
register_alias_as_well_as_namespace: false
# If true, the mod will register its commands to the 'ftbessentials' namespace,
# otherwise it will register to the root namespace
# Default: false
register_to_namespace: false
# Admin commands for cheating and moderation
admin: {
# Allows admins to extinguish themselves or a player using a command
extinguish: {
# Default: true
enabled: true
}
# Allows admins to fully feed themselves or a player using a command
feed: {
# Default: true
enabled: true
}
# Allows admins to toggle flying status using a command, without having to use Creative Mode
fly: {
# Default: true
enabled: true
}
# Allows admins to toggle invincibility using a command, without having to use Creative Mode
god: {
# Default: true
enabled: true
}
# Allows admins to fully heal (health, food, fire, potion effects) themselves or a player using a command
heal: {
# Default: true
enabled: true
}
# Allows admins to view other users' inventories using a command
invsee: {
# Default: true
enabled: true
}
# Allows admins to configure kits of items that can be given to players.
kit: {
# Default: true
enabled: true
}
# Allows admins to restrict players from chatting by using a command to mute (or unmute) them
mute: {
# Default: true
enabled: true
}
# Allows admins to change walk speed for themselves or a player
speed: {
# Default: true
enabled: true
}
# Allows admins to change the location of offline players.
tp_offline: {
# Default: true
enabled: true
}
}
# Cross-mod integration
integration: {
# If true, and FTB Team Bases is installed, then the '/spawn' command will instead send players to the lobby
# Default: true
team_bases_spawn_override: true
}
# Miscellaneous features and utilities
misc: {
# Allows users to access an Anvil GUI without needing an Anvil.
anvil: {
# Default: true
enabled: true
}
# Allows users to access a Crafting Table GUI without needing a Crafting Table.
crafting: {
# Default: true
enabled: true
}
# Allows users to access their ender chest, as well as admins to manage other players' ender chests.
enderchest: {
# Default: true
enabled: true
}
# Allows users to set a custom hat as their head item by using a command
hat: {
# Default: true
enabled: true
}
# Allows users to kick themselves from the server, for example if they are stuck or desynced
kickme: {
# Default: true
enabled: true
}
# Allows users to view leaderboard stats about everyone on the server.
leaderboard: {
# Default: true
enabled: true
}
# Allows users to list nearby players, sorted by distance
near: {
# Default: true
enabled: true
}
# Allows users to change their display name, as well as admins to change nicknames for other users
nick: {
# Default: true
enabled: true
}
# Allows users to announce their recording or streaming status to the server by using commands
rec: {
# Default: true
enabled: true
}
# Allows users to access a Smithing Table GUI without needing a Smithing Table.
smithing: {
# Default: true
enabled: true
}
# Allows users to access a Stonecutter GUI without needing a Stonecutter.
stonecutter: {
# Default: true
enabled: true
}
# Enables usage of a trash can inventory, which can be used to void unneeded items
trashcan: {
# Default: true
enabled: true
}
}
# Teleportation-related settings
teleportation: {
# If true, admin-level players (i.e. permission level >= 2) are exempt from
# the dimension controls defined in teleportation -> blacklists and
# in teleportation -> rtp -> dimension_blacklist/whitelist
# Default: true
admins_exempt_dimension_blacklists: true
# Allows users to return to their previous location after teleporting (or dying)
back: {
# Cooldown between /back commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.back.cooldown
# Default: 30
# Range: 0 ~ 604800
cooldown: 30
# Default: true
enabled: true
# Max size of the teleport history. This limits how many times you can use /back
# You can override this with FTB Ranks using ftbessentials.back.max
# Default: 10
# Range: 0 ~ 2147483647
max: 10
# Should be the /back command only be used for returning to the last death point?
# Default: false
only_on_death: false
# Warm-up time before /back command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.back.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
# Blacklists for all teleport commands
# Wildcarded dimensions (e.g. 'somemod:*') are supported
blacklists: {
# Dimensions players aren't permitted to run teleport commands in.
# Default: []
from: [ ]
# Dimensions players aren't permitted to teleport into.
# Default: []
to: [ ]
}
# Allows users to set 'homes', which they can then freely teleport to by using /home afterwards
home: {
# Cooldown between /home commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.home.cooldown
# Default: 10
# Range: 0 ~ 604800
cooldown: 10
# Default: true
enabled: true
# The minimum Y value for homes, as set by the /sethome command
# Default: -2147483648
# Range: -∞ ~ +∞
home_min_y: -2147483648
# Max amount of homes a user can have.
# You can override this with FTB Ranks using ftbessentials.home.max
# Default: 1
# Range: 0 ~ 2147483647
max: 3
# Warm-up time before /home command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.home.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
# Allows admins to jump (teleport) to the focused block
jump: {
# Default: true
enabled: true
}
playerspawn: {
# Cooldown between /playerspawn commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.playerspawn.cooldown
# Default: 10
# Range: 0 ~ 604800
cooldown: 10
# Default: true
enabled: true
# Warm-up time before /playerspawn command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.playerspawn.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
# Allows players to teleport to a random point in the Wilderness
# Note: This currently does not respect Claimed Chunks yet!
rtp: {
# Allow player to specify (only) custom max distance in rtp command
# You can override this with FTB Ranks using ftbessentials.rtp.custom_max
# Default: false
allow_custom_max_distance: false
# Allow player to specify custom min and max distance in rtp command
# You can override this with FTB Ranks using ftbessentials.rtp.custom_min_max
# Default: false
allow_custom_min_max_distance: false
# Cooldown between /rtp commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.rtp.cooldown
# Default: 600
# Range: 0 ~ 604800
cooldown: 600
# Blacklisted dimension ID's for /rtp (player *must not* be in any of these dimensions)
# Wildcarded dimensions (e.g. 'somemod:*') are supported
# Default: ["minecraft:the_end"]
dimension_blacklist: ["minecraft:the_end"]
# Whitelisted dimension ID's for /rtp (if non-empty, player *must* be in one of these dimensions)
# Wildcarded dimensions (e.g. 'somemod:*') are supported
# Default: []
dimension_whitelist: [ ]
# Default: true
enabled: true
# /rtp max distance from spawn point
# Default: 25000
# Range: 0 ~ 30000000
max_distance: 25000
# Number of tries before /rtp gives up
# Default: 100
# Range: 1 ~ 1000
max_tries: 100
# /rtp min distance from spawn point
# Default: 500
# Range: 0 ~ 30000000
min_distance: 500
# Warm-up time before /rtp command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.rtp.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
spawn: {
# Cooldown between /spawn commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.spawn.cooldown
# Default: 10
# Range: 0 ~ 604800
cooldown: 10
# Default: true
enabled: true
# Warm-up time before /spawn command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.spawn.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
# Allows players to create requests to teleport to other users on the server,
# as well as requesting other players to teleport to them
tpa: {
# Cooldown between /tpa commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.tpa.cooldown
# Default: 10
# Range: 0 ~ 604800
cooldown: 10
# Default: true
enabled: true
# Warm-up time before /tpa command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.tpa.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
# Allows admins to teleport to the location a user was last seen at
tpl: {
# Default: true
enabled: true
}
# Allows admins to teleport to dimension
tpx: {
# Default: true
enabled: true
}
# Allows admins to create 'warps', which are fixed points in the world that users may teleport to using /warp
warp: {
# Cooldown between /warp commands (in seconds)
# You can override this with FTB Ranks using ftbessentials.warp.cooldown
# Default: 10
# Range: 0 ~ 604800
cooldown: 10
# Default: true
enabled: true
# Warm-up time before /warp command executes (in seconds)
# You can override this with FTB Ranks using ftbessentials.warp.warmup
# Default: 0
# Range: 0 ~ 604800
warmup: 0
}
}
}

View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-ops
namespace: minecraft
data:
ops.json: |
[
{
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
"name": "DefNotJeffrey",
"level": 4,
"bypassesPlayerLimit": false
}
]

View File

@@ -0,0 +1,45 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: atm-pvc
namespace: minecraft
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-static
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: atm10-backups-smb
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
csi:
driver: smb.csi.k8s.io
volumeHandle: backups
volumeAttributes:
source: "//10.8.14.2/minecraft-backups"
nodeStageSecretRef:
name: minecraft-secrets
namespace: minecraft
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: minecraft
name: atm10-backups
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
volumeName: atm10-backups-smb
storageClassName: ""

View File

@@ -0,0 +1,68 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-properties
namespace: minecraft
data:
server.properties: |
accepts-transfers=false
allow-flight=true
allow-nether=true
broadcast-console-to-ops=true
broadcast-rcon-to-ops=true
bug-report-link=
difficulty=easy
enable-command-block=false
enable-jmx-monitoring=false
enable-query=false
enable-rcon=true
enable-status=true
enforce-secure-profile=true
enforce-whitelist=false
entity-broadcast-range-percentage=100
force-gamemode=false
function-permission-level=2
gamemode=survival
generate-structures=true
generator-settings={}
hardcore=false
hide-online-players=false
initial-disabled-packs=
initial-enabled-packs=vanilla
level-name=world
level-seed=
level-type=minecraft\:normal
log-ips=true
max-chained-neighbor-updates=1000000
max-players=20
max-tick-time=180000
max-world-size=29999984
motd=All the Mods 10
network-compression-threshold=256
online-mode=true
op-permission-level=4
player-idle-timeout=0
prevent-proxy-connections=false
pvp=true
query.port=25565
rate-limit=0
rcon.password=J8SCfyqh2KC7NVstYK
rcon.port=25575
region-file-compression=deflate
require-resource-pack=false
resource-pack=
resource-pack-id=
resource-pack-prompt=
resource-pack-sha1=
server-ip=
server-port=25565
simulation-distance=10
spawn-animals=true
spawn-monsters=true
spawn-npcs=true
spawn-protection=16
sync-chunk-writes=true
text-filtering-config=
use-native-transport=true
view-distance=10
white-list=true

View File

@@ -0,0 +1,19 @@
kind: Service
apiVersion: v1
metadata:
name: atm-loadbalancer
namespace: minecraft
spec:
ports:
- name: atm-tcp
port: 25565
targetPort: 25565
protocol: TCP
- name: rcon
port: 25575
targetPort: 25575
protocol: TCP
selector:
app: atm
type: LoadBalancer
externalTrafficPolicy: Local

View File

@@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
namespace: minecraft
name: atm
spec:
replicas: 1
selector:
matchLabels:
app: atm
serviceName: atm-loadbalancer
template:
metadata:
labels:
app: atm
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 10
containers:
- name: atm
image: gitea.jsme.be/jeffrey/atm10:6.1
imagePullPolicy: Always
resources:
requests:
cpu: 2000m
memory: 8Gi
limits:
cpu: 4000m
memory: 12Gi
volumeMounts:
- name: world
mountPath: /opt/minecraft/world
- name: backups
mountPath: /opt/minecraft/backups
subPath: atm
- name: properties-file
mountPath: /opt/minecraft/server.properties
subPath: server.properties
- name: whitelist
mountPath: /opt/minecraft/whitelist.json
subPath: whitelist.json
- name: ftbessentials
mountPath: /opt/minecraft/config/ftbessentials.snbt
subPath: ftbessentials.snbt
- name: ops
mountPath: /opt/minecraft/ops.json
subPath: ops.json
ports:
- containerPort: 25565
- containerPort: 25575
volumes:
- name: world
persistentVolumeClaim:
claimName: atm-pvc
- name: backups
persistentVolumeClaim:
claimName: atm10-backups
- name: properties-file
configMap:
name: atm-properties
- name: whitelist
configMap:
name: atm-whitelist
- name: ftbessentials
configMap:
name: atm-ftbessentials
- name: ops
configMap:
name: atm-ops

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: atm-whitelist
namespace: minecraft
data:
whitelist.json: |
[
{
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
"name": "DefNotJeffrey"
}
]

View File

@@ -0,0 +1,80 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: homestead-backups
namespace: minecraft
data:
ftbbackups2.json: |
{
// Allow the creation of backups automatically
"enabled": true,
// Permission level to use the /backup command
"command_permission_level": 3,
// Only send backup status to server ops
"notify_op_only": true,
// Don't send backup status at all
"do_not_notify": false,
/* Backup retention mode. Valid Modes: MAX_BACKUPS, TIERED
Note: TIERED mode is an experimental feature, Use at your own risk.
*/
"retention_mode": "MAX_BACKUPS",
// Applies to retention_mode:MAX_BACKUPS, Sets the maximum number of backups to keep
"max_backups": 8,
// Applies to retention_mode:TIERED, The latest x number of backups will be retained
"keep_latest": 5,
// Applies to retention_mode:TIERED, Sets number of hourly backups to keep
"keep_hourly": 3,
// Applies to retention_mode:TIERED, Sets number of daily backups to keep
"keep_daily": 2,
// Applies to retention_mode:TIERED, Sets number of weekly backups to keep
"keep_weekly": 2,
// Applies to retention_mode:TIERED, Sets number of monthly backups to keep
"keep_monthly": 1,
/* This is done with an implementation of cron from the Quartz java library.
More info here
(http://www.cronmaker.com)
*/
"backup_cron": "0 */30 * * * ?",
// Time between manual backups using the command
"manual_backups_time": 0,
// Only run a backup if a player has been online since the last backup
"only_if_players_been_online": true,
// Additional directories to include in backup
"additional_directories": [],
/* Additional files and directories to include in backup.
Can specify a file name, path relative to server directory or wildcard file path
Examples: (All file paths are relative to server root)
fileName.txt Any/all file named "fileName.txt"
folder/file.txt Exact file path
folder/ Everything in this folder
path/starts/with* Any files who's path starts with
*path/ends/with.txt Any files who's path ends with
*path/contains* Any files who's path contains
*/
"additional_files": [],
// Display file size in backup message
"display_file_size": false,
// backup location
"backup_location": ".",
// Specify the backup format. Valid options are ZIP and DIRECTORY
"backup_format": "ZIP",
// Minimum free disk space in MB. If a backup's creation would leave less than this amount of disk space remaining, the backup will be aborted.
"minimum_free_space": 500,
// If the previous backup failed due to lack of space, the oldest backup will be deleted to free space.
"free_space_if_needed": false,
/* Specify files or folders to be excluded.
Can specify a file name, path relative to server directory or wildcard file path
Examples: (All file paths are relative to server root)
fileName.txt Any/all file named "fileName.txt"
folder/file.txt Exact file path
folder/ Everything in this folder
path/starts/with* Any files who's path starts with
*path/ends/with.txt Any files who's path ends with
*path/contains* Any files who's path contains
*/
"excluded": [],
/* The dimension used when creating backup preview image, specify "all" to enable automatic detection of primary dimension (can be very slow)
Specify "none" to disable preview
*/
"preview_dimension": "minecraft:overworld"
}

View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: homestead-ops
namespace: minecraft
data:
ops.json: |
[
{
"uuid": "e599e817-cf9d-4871-ad26-e6e239a55011",
"name": "DefNotJeffrey",
"level": 4,
"bypassesPlayerLimit": false
},
{
"uuid": "2c6f52c4-7c98-46a7-9014-34a6781eed64",
"name": "Splakra",
"level": 4,
"bypassesPlayerLimit": false
}
]

View File

@@ -0,0 +1,45 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: homestead-pvc
namespace: minecraft
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-static
resources:
requests:
storage: 30Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: minecraft-backups-smb
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
csi:
driver: smb.csi.k8s.io
volumeHandle: backups
volumeAttributes:
source: "//10.8.14.2/minecraft-backups"
nodeStageSecretRef:
name: minecraft-secrets
namespace: minecraft
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: minecraft
name: minecraft-backups
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
volumeName: minecraft-backups-smb
storageClassName: ""

Some files were not shown because too many files have changed in this diff Show More