Delete commit history along with sensitive data

This commit is contained in:
Danny Bessems 2020-09-01 17:44:43 +02:00
commit 6892ae9ef6
41 changed files with 3786 additions and 0 deletions

README.md Normal file
@ -0,0 +1,251 @@
*TODO: Files with sensitive data; move to Vault*
```
# line 6-8: services/Guacamole/configMap_Guacamole.yml
```
# Kubernetes.K3s.installLog
*3 VM's provisioned with Ubuntu Server 18.04*
## K3s cluster
On first node:
```
curl -sfL https://get.k3s.io | sh -s - --no-deploy traefik
cat /var/lib/rancher/k3s/server/token
kubectl config view --raw
```
On subsequent nodes:
```
curl -sfL https://get.k3s.io | K3S_URL=https://<fqdn or ip>:6443 K3S_TOKEN=<value from master> sh -
```
Install Rancher's [System Upgrade Controller](https://rancher.com/docs/k3s/latest/en/upgrades/automated/):
```
kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.4.0/system-upgrade-controller.yaml
```
Apply a [server (master node)](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/system/UpgradeController/plan-Server.yml) and [agent (worker node)](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/system/UpgradeController/plan-Agent.yml) plan:
```
kubectl apply -f system/UpgradeController/plan-Server.yml -f system/UpgradeController/plan-Agent.yml
```
### 1) Persistent storage
SMB (CIFS) `FlexVolume`:
```
curl -Ls https://github.com/juliohm1978/kubernetes-cifs-volumedriver/blob/master/install.yaml -o storage/flexVolSMB/daemonSet-flexVolSMB.yml
```
Override drivername to something more sensible (see [storage/flexVolSMB/daemonSet-flexVolSMB.yml](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/storage/flexVolSMB/daemonSet-flexVolSMB.yml))
```
spec:
template:
spec:
containers:
- image: juliohm/kubernetes-cifs-volumedriver-installer:2.0
...
env:
- name: VENDOR
value: mount
- name: DRIVER
value: smb
...
```
Perform installation:
```
kubectl apply -f storage/flexVolSMB/daemonSet-flexVolSMB.yml
```
Wait for installation to complete (check logs of all installer-pods), then delete `daemonSet`:
```
kubectl delete -f storage/flexVolSMB/daemonSet-flexVolSMB.yml
```
Store credentials in `secret`:
```
kubectl create secret generic --type=mount/smb smb-secret --from-literal=username=<<omitted>> --from-literal=password=<<omitted>>
```
---
*Optional*
Install [Longhorn](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/storage/Longhorn/README.md) for block storage with NFS-backed backup schedules.
### 2) Ingress Controller
##### 2.1) Create `configMap`, `secret` and `persistentVolumeClaim`
The `configMap` contains Traefik's static and dynamic config:
```
kubectl apply -f ingress/Traefik2.x/configMap_traefik.yml
```
The `secret` contains credentials for Cloudflare's API:
```
kubectl create secret generic traefik-cloudflare --from-literal=CF_API_EMAIL=<<omitted>> --from-literal=CF_API_KEY=<<omitted>> --namespace kube-system
```
The `persistentVolumeClaim` will contain `/data/acme.json` (referenced as `existingClaim`):
```
kubectl apply -f ingress/Traefik2.x/pvc_traefik.yml
```
##### 2.2) Install Helm Chart
See [Traefik 2.x Helm Chart](https://github.com/containous/traefik-helm-chart):
```
helm repo add traefik https://containous.github.io/traefik-helm-chart
helm repo update
helm install traefik traefik/traefik --namespace kube-system --values=ingress/Traefik2.x/chart-values.yml
```
##### 2.3) Replace `IngressRoute` for Traefik's dashboard:
```
kubectl apply -f ingress/Traefik2.x/ingressRoute-Traefik.yaml
kubectl delete ingressroute traefik-dashboard --namespace kube-system
```
### 3) Secret management
*Perform these steps **after** configuring persistent storage **and** ingress*
##### 3.1) Create `persistentVolume` and `ingressRoute`
*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
```
kubectl apply -f services/Vault/persistentVolume-Vault.yml
kubectl apply -f services/Vault/ingressRoute-Vault.yml
```
##### 3.2) Install Helm Chart
See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
```
kubectl create namespace vault
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
```
Configure Vault for use;
- Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)
- Store basic access policy template
- Enable `kv`-engine
```
# kubectl exec -n vault -it vault-0 -- sh
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
capabilities = ["read"]
}
EOF
vault secrets enable -path=secret -version=2 kv
```
### 4) Services
##### 4.1) [Adminer](https://www.adminer.org/) <small>(SQL management)</small>
```
kubectl apply -f services/Adminer/configMap_Adminer.yml
kubectl apply -f services/Adminer/deploy_Adminer.yml
```
Vault configuration:
```
vault kv put secret/adminer \
sqlitepw=<value>
vault write auth/kubernetes/role/adminer \
bound_service_account_names=adminer \
bound_service_account_namespaces=default \
policies=adminer \
ttl=1h
vault policy write adminer /home/vault/app-policy.hcl
```
##### 4.2) [Bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs) <small>(password manager)</small>
*Requires [mount.cifs](https://linux.die.net/man/8/mount.cifs)' option `nobrl`*
```
kubectl apply -f services/Bitwarden/deployment_Bitwarden.yml
```
Vault configuration:
```
vault kv put secret/bitwarden \
admintoken=<value> \
yubicoclientid=<value> \
yubicosecretkey=<value>
vault write auth/kubernetes/role/bitwarden \
bound_service_account_names=bitwarden \
bound_service_account_namespaces=default \
policies=bitwarden \
ttl=1h
vault policy write bitwarden /home/vault/app-policy.hcl
```
##### 4.3) [DroneCI](https://drone.io/) <small>(contineous delivery)</small>
```
kubectl apply -f services/DroneCI/deployment_DroneCI.yml
```
Vault configuration:
```
vault kv put secret/drone \
rpcsecret=<value> \
giteaclientid=<value> \
giteaclientsecret=<value>
vault write auth/kubernetes/role/drone \
bound_service_account_names=drone \
bound_service_account_namespaces=default \
policies=drone \
ttl=1h
vault policy write drone /home/vault/app-policy.hcl
```
##### 4.4) [Gitea](https://gitea.io/) <small>(git repository)</small>
```
kubectl apply -f services/Gitea/deployment_Gitea.yml
```
##### 4.5) [Gotify](https://gotify.net/) <small>(notifications)</small>
```
kubectl apply -f services/Gotify/deploy_Gotify.yml
```
##### 4.6) [Guacamole](https://guacamole.apache.org/doc/gug/guacamole-docker.html) <small>(remote desktop gateway)</small>
*Requires specifying a `uid` & `gid` in both the `securityContext` of the MySQL container and the `persistentVolume`*
```
kubectl apply -f services/Guacamole/configMap_Guacamole.yml
kubectl apply -f services/Guacamole/deployment_Guacamole.yml
```
Wait for the included containers to start, then perform the following commands to initialize the database:
```
kubectl exec -i guacamole-<pod-id> --container guacamole -- /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
kubectl exec -i guacamole-<pod-id> --container mysql -- mysql -uguacamole -pguacamole guacamole < initdb.sql
kubectl rollout restart deployment guacamole
```
##### 4.7) [Harbor](https://goharbor.io/) <small>(container image registry)</small>
Create `ingressRoute` and `persistentVolumeClaim`
```
kubectl apply -f services/Harbor/ingressRoute-Harbor.yml
kubectl apply -f services/Harbor/persistentVolumeClaim_Harbor.yml
```
Install Helm chart
```
kubectl create namespace harbor
helm repo add harbor https://helm.goharbor.io
helm repo update
helm install harbor harbor/harbor --namespace harbor --values=services/Harbor/chart-values.yml
```
##### 4.8) [Lighttpd](https://www.lighttpd.net/) <small>(webserver)</small>
*Serves various semi-containerized websites; respective webcontent is stored on fileshare*
```
kubectl apply -f services/Lighttpd/configMap_lighttpd.yml
kubectl apply -f services/Lighttpd/deploy_Lighttpd.yml
kubectl apply -f services/Lighttpd/cronJob-Spotweb.yml
```
##### 4.9) [Shaarli](https://github.com/shaarli/Shaarli) <small>(bookmarks/notes)</small>
```
kubectl apply -f services/Shaarli/deploy_Shaarli.yml
```
##### 4.10) [Theia](https://theia-ide.org/) <small>(web IDE)</small>
```
kubectl apply -f services/Theia/deploy_Theia.yml
```
##### 4.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) <small>(certificate tooling)</small>
```
kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml
```
##### 4.12) External `Endpoint`s
###### 4.12.1) NZBHydra, Plex, Radarr, SABnzbd & Sonarr <small>(automated media management)</small>
*Running externally, due to connectivity requirements*
```
kubectl apply -f services/PVR/deploy-PVR.yml
```
### 5) Miscellaneous
*Various notes/useful links*
* Replacement for [not-yet-deprecated](https://github.com/kubernetes/kubectl/issues/151) `kubectl get all -A`:
kubectl get $(kubectl api-resources --verbs=list -o name | paste -sd, -) --ignore-not-found --all-namespaces
* ...
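Review bot: the Vault policy written in section 3.2 (`path "secret*"` with `read`) is installed unchanged under three different names (`adminer`, `bitwarden`, `drone`), so every Kubernetes auth role can read every application's secrets, including the other apps' API keys and admin tokens; give each role a policy scoped to its own path, e.g. `path "secret/data/adminer" { capabilities = ["read"] }` for the kv v2 engine enabled here. Two smaller points: the FlexVolume download in section 1 fetches the GitHub HTML view (`/blob/master/install.yaml`) rather than the raw file, so `curl` saves a web page instead of YAML (use the `raw.githubusercontent.com` form), and the Guacamole initdb step passes the MySQL password on the command line (`-pguacamole`), which ends up in shell history; the TODO at the top already flags moving that credential to Vault. Typo: "contineous delivery" in 4.3.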

@ -0,0 +1,44 @@
ports:
web:
# port: 80
# exposedPort: 80
redirectTo: websecure
# websecure:
# port: 443
# exposedPort: 443
volumes:
- name: traefik-configmap
mountPath: /etc/traefik
type: configMap
persistence:
enabled: true
accessMode: ReadWriteMany
path: /data
existingClaim: "traefik"
# size: 1Gi
# subPath: 'acme.json'
env:
- name: CF_API_EMAIL
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_EMAIL
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_KEY
securityContext:
capabilities:
drop: []
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
podSecurityContext:
fsGroup: 0
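Review bot: the `securityContext` runs Traefik as uid 0 with no capabilities dropped (`runAsUser: 0`, `runAsNonRoot: false`, `drop: []`) rather than the chart's unprivileged default, yet every entry point in the accompanying `traefik.yml` binds an unprivileged port (8000, 8443, 2222, 9000), so root is only needed because the CIFS-backed `/data` volume is mounted without `uid=`/`gid=` and is therefore owned by root; set uid/gid in that PersistentVolume's `opts` (as the authelia-redis and gitea PVs already do), then use `runAsNonRoot: true`, a matching non-zero `runAsUser`, and `drop: [ALL]`. Separately, `CF_API_KEY` is the account-wide Global API key; a DNS-scoped API token limits the damage if the `traefik-cloudflare` Secret leaks.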

@ -0,0 +1,112 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-configmap
namespace: kube-system
data:
traefik.yml: |
global:
checkNewVersion: true
sendAnonymousUsage: true
entryPoints:
web:
address: :8000
websecure:
address: :8443
forwardedHeaders:
insecure: true
http:
tls:
options: defaults@file
certResolver: default
domains:
- main: '*.spamasaurus.com'
sans:
- 'spamasaurus.com'
- main: '*.bessems.com'
sans:
- 'bessems.com'
- main: '*.bessems.eu'
sans:
- 'bessems.eu'
- main: '*.gabaldon.eu'
sans:
- 'gabaldon.eu'
- main: '*.gabaldon.nl'
sans:
- 'gabaldon.nl'
- main: '*.itch.fyi'
sans:
- 'itch.fyi'
# trustedIPs:
# - "127.0.0.0/8"
# - "192.168.5.0/24"
# - "192.168.11.0/24"
ssh:
address: :2222
traefik:
address: :9000
providers:
file:
filename: /etc/traefik/dynamic.yml
kubernetesCRD: {}
api:
dashboard: true
ping: {}
#accessLog: {}
log:
level: INFO
# level: DEBUG
certificatesResolvers:
default:
acme:
email: letsencrypt.org.danny@spamasaurus.com
storage: /data/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 5m0s
resolvers:
- 1.1.1.1:53
- 1.0.0.1:53
dynamic.yml: |
http:
middlewares:
force-tls:
redirectScheme:
scheme: https
2fa-authentication:
forwardAuth:
address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
trustForwardHeader: true
security-headers:
headers:
forceSTSHeader: true
stsSeconds: 315360000
stsIncludeSubdomains: true
stsPreload: true
routers:
force-tls:
entryPoints:
- "web"
rule: "HostRegexp(`{any:.+}`)"
middlewares:
- "force-tls"
service: noop@internal
tls:
options:
defaults:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- secp521r1
- secp384r1
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV
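Review bot: `forwardedHeaders.insecure: true` on `websecure` makes Traefik accept `X-Forwarded-*` from any client, and the `2fa-authentication` forwardAuth middleware additionally sets `trustForwardHeader: true`, so the host, scheme and client IP that Authelia evaluates can be supplied by the caller; prefer the commented-out `trustedIPs` list and keep `insecure` off unless nothing but a trusted proxy can reach the entry point. In the TLS options, `TLS_FALLBACK_SCSV` is a signalling value, not a cipher suite, and does not belong in `cipherSuites` (it may cause the options to be rejected); the three `TLS_AES_*`/`TLS_CHACHA20_*` TLS 1.3 entries are not configurable in Go-based Traefik and are no-ops.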

@ -0,0 +1,25 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ingress.spamasaurus.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
tls:
certResolver: default
options:
name: defaults@file
domains:
- main: '*.spamasaurus.com'
sans:
- 'spamasaurus.com'

@ -0,0 +1,33 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-traefik-data
namespace: kube-system
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefik-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/traefik/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik
namespace: kube-system
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefik-data
resources:
requests:
storage: 1Gi
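Review bot: `metadata.namespace: kube-system` on the PersistentVolume has no effect, since PVs are cluster-scoped; only the `secretRef.namespace: default` matters, and it matches where the README creates `smb-secret` (no `--namespace`). More importantly, `opts` sets `file_mode=0600,dir_mode=0600` without `uid=`/`gid=`, so the mounted `/data` (holding `acme.json` and the private keys in it) is owned by root and forces Traefik to run as root in the chart values; add `uid=`/`gid=` for a non-root user here instead.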

@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-adminer-conf
data:
login-password-less.php: |
<?php
require_once('plugins/login-password-less.php');
/** Set allowed password
* @param string result of password_hash
*/
return new AdminerLoginPasswordLess(
$password_hash = password_hash(rtrim(file_get_contents('/vault/secrets/sqlitepw')), PASSWORD_DEFAULT)
);
?>
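Review bot: `login-password-less.php` re-runs `password_hash()` (bcrypt by default) on the injected plaintext on every request, which costs a bcrypt round per page load and leaves the plaintext password, rather than a hash, on the pod filesystem under `/vault/secrets`; store the output of `password_hash()` in Vault once and pass the injected hash straight to `AdminerLoginPasswordLess`. Keep the `rtrim()` either way, since the rendered file can end in a newline.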

@ -0,0 +1,112 @@
apiVersion: v1
kind: Service
metadata:
name: adminer
spec:
ports:
- protocol: TCP
name: web
port: 8080
selector:
app: adminer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: adminer
labels:
app: adminer
spec:
replicas: 1
selector:
matchLabels:
app: adminer
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-sqlitepw: "secret/adminer"
vault.hashicorp.com/role: "adminer"
vault.hashicorp.com/agent-inject-template-sqlitepw: |
{{ with secret "secret/adminer" -}}
{{ .Data.data.sqlitepw }}
{{- end }}
labels:
app: adminer
spec:
serviceAccountName: adminer
containers:
- name: adminer
image: adminer
ports:
- name: web
containerPort: 8080
volumeMounts:
- mountPath: /mnt/websites
name: flexvolsmb-adminer-websites
- name: configmap-adminer-conf
mountPath: /var/www/html/plugins-enabled/login-password-less.php
subPath: login-password-less.php
volumes:
- name: flexvolsmb-adminer-websites
persistentVolumeClaim:
claimName: flexvolsmb-adminer-websites
- name: configmap-adminer-conf
configMap:
name: configmap-adminer-conf
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: adminer
labels:
app: adminer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: adminer
spec:
entryPoints:
- websecure
routes:
- match: Host(`sql.spamasaurus.com`)
kind: Rule
services:
- name: adminer
port: 8080
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-adminer-websites
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-adminer-websites
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/lighttpd/websites
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-adminer-websites
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-adminer-websites
resources:
requests:
storage: 1Gi
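Review bot: `flexvolsmb-adminer-websites` mounts the Lighttpd web-root share (`/K3s.Volumes/lighttpd/websites`) read-write with `file_mode=0777,dir_mode=0777`; if Adminer only needs to open SQLite files living there, add `readOnly: true` to the volumeMount (or point the share at the database directory only), because a compromised Adminer could otherwise rewrite served web content. The IngressRoute correctly gates `sql.spamasaurus.com` behind `2fa-authentication@file`, which is the right place for a database UI.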

@ -0,0 +1,142 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
labels:
app: authelia
spec:
replicas: 1
selector:
matchLabels:
app: authelia
template:
metadata:
labels:
app: authelia
spec:
containers:
- name: authelia
image: authelia/authelia
env:
- name: TZ
value: Europe/Amsterdam
ports:
- name: web
containerPort: 9091
volumeMounts:
- name: flexvolsmb-authelia-conf
mountPath: /config
- name: redis
image: redis:alpine
args:
- redis-server
- --requirepass authelia
- --appendonly yes
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: flexvolsmb-authelia-redis
mountPath: /data
volumes:
- name: flexvolsmb-authelia-conf
persistentVolumeClaim:
claimName: flexvolsmb-authelia-conf
- name: flexvolsmb-authelia-redis
persistentVolumeClaim:
claimName: flexvolsmb-authelia-redis
---
apiVersion: v1
kind: Service
metadata:
name: authelia
spec:
ports:
- protocol: TCP
name: web
port: 9091
- protocol: TCP
name: redis
port: 6379
selector:
app: authelia
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: authelia
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.spamasaurus.com`)
kind: Rule
services:
- name: authelia
port: 9091
middlewares:
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-conf
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/authelia/conf
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-conf
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-redis
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/authelia/redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-redis
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
resources:
requests:
storage: 1Gi
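Review bot: the Redis password is hard-coded in the container args (`--requirepass authelia`), visible to anyone who can read the pod spec, and the `authelia` Service then publishes port 6379 cluster-wide with that trivial password, exposing the session store of the SSO gateway to every pod. Since Redis is a sidecar in the same pod, Authelia can reach it on `127.0.0.1`; drop the `redis` port from the Service and source the password from a Secret (or the Vault injector used for the other services) instead of the args.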

@ -0,0 +1,135 @@
apiVersion: v1
kind: Service
metadata:
name: bitwarden
spec:
ports:
- protocol: TCP
name: ui
port: 8080
- protocol: TCP
name: websocket
port: 3012
selector:
app: bitwarden
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bitwarden
labels:
app: bitwarden
spec:
replicas: 1
selector:
matchLabels:
app: bitwarden
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-bitwarden: "secret/bitwarden"
vault.hashicorp.com/role: "bitwarden"
vault.hashicorp.com/agent-inject-template-bitwarden: |
{{ with secret "secret/bitwarden" -}}
export ADMIN_TOKEN="{{ .Data.data.admintoken }}"
export YUBICO_CLIENT_ID="{{ .Data.data.yubicoclientid }}"
export YUBICO_SECRET_KEY="{{ .Data.data.yubicosecretkey }}"
{{- end }}
labels:
app: bitwarden
spec:
serviceAccountName: bitwarden
containers:
- name: bitwarden
image: bitwardenrs/server
args: ["sh", "-c", ". /vault/secrets/bitwarden && /start.sh"]
env:
- name: ENABLE_DB_WAL
value: "false"
- name: ROCKET_PORT
value: "8080"
- name: SIGNUPS_ALLOWED
value: "false"
- name: WEBSOCKET_ENABLED
value: "true"
- name: WEBSOCKET_PORT
value: "3012"
- name: LOG_LEVEL
value: "debug"
- name: EXTENDED_LOGGING
value: "true"
ports:
- name: ui
containerPort: 8080
- name: websocket
containerPort: 3012
volumeMounts:
- mountPath: /data
name: flexvolsmb-bitwarden-data
volumes:
- name: flexvolsmb-bitwarden-data
persistentVolumeClaim:
claimName: flexvolsmb-bitwarden-data
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bitwarden
labels:
app: bitwarden
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden
spec:
entryPoints:
- websecure
routes:
- match: Host(`vault.spamasaurus.com`)
kind: Rule
services:
- name: bitwarden
port: 8080
middlewares:
- name: security-headers@file
- match: Host(`vault.spamasaurus.com`) && Path(`/notifications/hub`)
kind: Rule
services:
- name: bitwarden
port: 3012
middlewares:
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-bitwarden-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-bitwarden-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/bitwarden/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-bitwarden-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-bitwarden-data
resources:
requests:
storage: 1Gi
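Review bot: the bitwarden_rs `/admin` panel is protected only by `ADMIN_TOKEN`, and the IngressRoute exposes it on `vault.spamasaurus.com` with nothing but `security-headers@file`; add a route matching `Host(`vault.spamasaurus.com`) && PathPrefix(`/admin`)` that also applies `2fa-authentication@file`, as the Traefik dashboard route does. Also `LOG_LEVEL: "debug"` with `EXTENDED_LOGGING: "true"` is very verbose for a password manager in production, and the data share holding the SQLite vault database is mounted `file_mode=0777,dir_mode=0777` without `uid=`/`gid=`; pin ownership and tighten the mode.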

@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ddclient
labels:
app: ddclient
spec:
replicas: 1
selector:
matchLabels:
app: ddclient
template:
metadata:
labels:
app: ddclient
spec:
containers:
- name: ddclient
image: linuxserver/ddclient
volumeMounts:
- mountPath: /config
name: ddclient-secret
volumes:
- name: ddclient-secret
secret:
secretName: ddclient-secret

@ -0,0 +1,35 @@
apiVersion: v1
kind: Secret
metadata:
name: ddclient-secret
labels:
app: ddclient
stringData:
ddclient.conf: |
daemon=300
syslog=yes
protocol=cloudflare
use=web
web=https://domains.google.com/checkip
ssl=yes
ttl=1
login=cloudflare.com.danny@spamasaurus.com
password=9ec5ad8d1e8c6240c5488bb61b7bcd7bdc0fc
zone=bessems.com
bessems.com
zone=bessems.eu
bessems.eu,deschakel.bessems.eu
zone=gabaldon.eu
gabaldon.eu
zone=gabaldon.nl
gabaldon.nl
zone=itch.fyi
itch.fyi
zone=spamasaurus.com
spamasaurus.com
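Review bot: a live Cloudflare API credential is committed in plaintext in this Secret (the `password=` line of `ddclient.conf`, next to the account `login=`), which defeats the commit's stated purpose of purging sensitive data; treat the value as compromised and rotate it in Cloudflare, and populate the Secret at deploy time (or via the Vault agent injector already used for adminer, bitwarden and drone) rather than checking it in. Note that `stringData` versus base64 `data` makes no difference here: anything in the repository is in the clear.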

@ -0,0 +1,175 @@
apiVersion: v1
kind: Service
metadata:
name: drone
spec:
ports:
- protocol: TCP
name: ui
port: 80
selector:
app: drone
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone
labels:
app: drone
spec:
replicas: 1
selector:
matchLabels:
app: drone
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-drone: "secret/drone"
vault.hashicorp.com/role: "drone"
vault.hashicorp.com/agent-inject-template-drone: |
{{ with secret "secret/drone" -}}
export DRONE_RPC_SECRET="{{ .Data.data.rpcsecret }}"
export DRONE_GITEA_CLIENT_ID="{{ .Data.data.giteaclientid }}"
export DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.giteaclientsecret }}"
{{- end }}
labels:
app: drone
spec:
# serviceAccountName: drone
containers:
- name: drone
image: drone/drone
command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-server"]
env:
- name: DRONE_SERVER_PROTO
value: 'https'
- name: DRONE_SERVER_HOST
value: 'ci.spamasaurus.com'
- name: DRONE_SERVER_PORT
value: ':80'
- name: DRONE_TLS_AUTOCERT
value: 'false'
- name: DRONE_GITEA_SERVER
value: 'https://code.spamasaurus.com'
# - name: DRONE_LOGS_DEBUG
# value: 'true'
- name: DRONE_GIT_ALWAYS_AUTH
value: 'false'
- name: DRONE_AGENTS_ENABLED
value: 'true'
ports:
- name: ui
containerPort: 80
volumeMounts:
- mountPath: /data
name: flexvolsmb-drone-data
- name: drone-runner
image: drone/drone-runner-kube:latest
command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-runner-kube"]
ports:
- containerPort: 3000
env:
- name: DRONE_RPC_HOST
value: 'ci.spamasaurus.com'
- name: DRONE_RPC_PROTO
value: 'https'
volumes:
- name: flexvolsmb-drone-data
persistentVolumeClaim:
claimName: flexvolsmb-drone-data
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone
labels:
app: drone
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: drone
spec:
entryPoints:
- websecure
routes:
- match: Host(`ci.spamasaurus.com`)
kind: Rule
services:
- name: drone
port: 80
middlewares:
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-drone-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-drone-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/drone/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-drone-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-drone-data
resources:
requests:
storage: 1Gi
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: drone
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- create
- delete
- list
- watch
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: drone
namespace: default
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: Role
name: drone
apiGroup: rbac.authorization.k8s.io
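Review bot: the RoleBinding grants the `drone` Role (create/delete `secrets`, full control of `pods`) to the `default` ServiceAccount of namespace `default`, while `serviceAccountName: drone` is commented out in the pod spec; the result is that every pod in `default` that does not set its own service account (gitea, gotify, guacamole, authelia, ddclient in this commit) can create and delete Secrets and pods. Bind the Role to the `drone` ServiceAccount created just above (`subjects[0].name: drone`) and uncomment `serviceAccountName: drone`. Also pin `drone/drone-runner-kube:latest` to a version so a restart cannot silently pull a different runner.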

@ -0,0 +1,160 @@
apiVersion: v1
kind: Service
metadata:
name: gitea
spec:
ports:
- protocol: TCP
name: ui
port: 3000
- protocol: TCP
name: ssh
port: 22
targetPort: ssh
selector:
app: gitea
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
labels:
app: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
containers:
- name: gitea
image: gitea/gitea:1
env:
- name: DB_TYPE
value: 'sqlite3'
- name: ROOT_URL
value: 'https://code.spamasaurus.com'
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
ports:
- name: ui
containerPort: 3000
- name: ssh
containerPort: 22
volumeMounts:
- mountPath: /data
name: flexvolsmb-gitea-data
- mountPath: /data/ssh
name: flexvolsmb-gitea-ssh
subPath: ssh
# securityContext:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
volumes:
- name: flexvolsmb-gitea-data
persistentVolumeClaim:
claimName: flexvolsmb-gitea-data
- name: flexvolsmb-gitea-ssh
persistentVolumeClaim:
claimName: flexvolsmb-gitea-ssh
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gitea
spec:
entryPoints:
- websecure
routes:
- match: Host(`code.spamasaurus.com`)
kind: Rule
services:
- name: gitea
port: 3000
middlewares:
- name: security-headers@file
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: gitea
port: 22
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-gitea-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gitea-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=1000,gid=1000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/gitea/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-gitea-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gitea-data
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-gitea-ssh
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gitea-ssh
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/gitea/ssh
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-gitea-ssh
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gitea-ssh
resources:
requests:
storage: 1Gi
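Review bot: the data PV already pins `uid=1000,gid=1000` and the container sets `USER_UID`/`USER_GID` to 1000, so `file_mode=0777,dir_mode=0777` on that share is wider than needed; `0700` would do. The `securityContext` block is commented out, which is understandable because the `gitea/gitea` image starts as root and drops privileges itself, but leave a comment saying so. `HostSNI(`*`)` on the `ssh` entry point is the correct match for raw, non-TLS TCP.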

@ -0,0 +1,89 @@
apiVersion: v1
kind: Service
metadata:
name: gotify
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: gotify
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotify
labels:
app: gotify
spec:
replicas: 1
selector:
matchLabels:
app: gotify
template:
metadata:
labels:
app: gotify
spec:
containers:
- name: gotify
image: gotify/server
ports:
- name: web
containerPort: 80
volumeMounts:
- mountPath: /app/data
name: flexvolsmb-gotify-data
volumes:
- name: flexvolsmb-gotify-data
persistentVolumeClaim:
claimName: flexvolsmb-gotify-data
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gotify
spec:
entryPoints:
- websecure
routes:
- match: Host(`notify.spamasaurus.com`)
kind: Rule
services:
- name: gotify
port: 80
middlewares:
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-gotify-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gotify-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/gotify/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-gotify-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-gotify-data
resources:
requests:
storage: 1Gi

@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-guacamole-mysql-conf
data:
MYSQL_DATABASE: 'guacamole'
MYSQL_PASSWORD: 'guacamole'
MYSQL_USER: 'guacamole'
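Review bot: `MYSQL_PASSWORD` (with its matching `MYSQL_USER`) is stored in a ConfigMap, which Kubernetes does not treat as secret data and which anyone with `get configmaps` in the namespace can read; move the credentials to a `Secret`, or to the Vault agent injection used for the other services (the README TODO already plans this), and reference them with `secretRef` in the Deployment's `envFrom`.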

@ -0,0 +1,175 @@
apiVersion: v1
kind: Service
metadata:
name: guacamole
spec:
ports:
- protocol: TCP
name: ui
port: 8080
- protocol: TCP
name: proxy
port: 4822
- protocol: TCP
name: db
port: 3306
selector:
app: guacamole
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: guacamole
labels:
app: guacamole
spec:
replicas: 1
selector:
matchLabels:
app: guacamole
template:
metadata:
labels:
app: guacamole
spec:
hostname: guacamole
containers:
- name: guacamole
image: guacamole/guacamole
env:
- name: GUACD_HOSTNAME
value: 'guacamole.default.svc.cluster.local'
- name: MYSQL_HOSTNAME
value: 'guacamole.default.svc.cluster.local'
- name: GUACAMOLE_HOME
value: '/etc/guacamole'
envFrom:
- configMapRef:
name: configmap-guacamole-mysql-conf
volumeMounts:
- name: flexvolsmb-guacamole-home
mountPath: /etc/guacamole
ports:
- name: ui
containerPort: 8080
- name: guacd
image: guacamole/guacd
env:
- name: GUACD_LOG_LEVEL
value: 'debug'
ports:
- name: proxy
containerPort: 4822
- name: mysql
image: mysql:latest
securityContext:
runAsUser: 999
runAsGroup: 999
env:
- name: MYSQL_RANDOM_ROOT_PASSWORD
value: 'true'
envFrom:
- configMapRef:
name: configmap-guacamole-mysql-conf
volumeMounts:
- name: flexvolsmb-guacamole-db
mountPath: /var/lib/mysql
ports:
- name: db
containerPort: 3306
volumes:
- name: flexvolsmb-guacamole-db
persistentVolumeClaim:
claimName: flexvolsmb-guacamole-db
- name: flexvolsmb-guacamole-home
persistentVolumeClaim:
claimName: flexvolsmb-guacamole-home
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: prepend-path-guacamole
spec:
addPrefix:
prefix: /guacamole
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: guacamole
spec:
entryPoints:
- websecure
routes:
- match: Host(`remote.spamasaurus.com`)
kind: Rule
services:
- name: guacamole
port: 8080
middlewares:
- name: prepend-path-guacamole
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-guacamole-db
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-guacamole-db
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=999,gid=999,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/guacamole/db
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-guacamole-db
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-guacamole-db
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-guacamole-home
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-guacamole-home
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=999,gid=999,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/guacamole/home
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-guacamole-home
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-guacamole-home
resources:
requests:
storage: 1Gi
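Review bot: the mysql container takes its configuration through `envFrom: - configMapRef: name: configmap-guacamole-mysql-conf`; any `MYSQL_USER` / `MYSQL_PASSWORD` / `MYSQL_DATABASE` keys in that ConfigMap are credentials stored in plain text in the repository and readable by anyone with `get configmaps` in the namespace, so those keys belong in a Secret referenced via `secretRef`, leaving only non-sensitive tuning in the ConfigMap. A second point: `image: mysql:latest` is unpinned, so a pod restart can silently move the database to a new major version; pin a major tag (or a digest) next to the `runAsUser: 999` / `runAsGroup: 999` settings, which are otherwise well matched to the `uid=999,gid=999` on the db share.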

View File

@ -0,0 +1,42 @@
expose:
ingress:
hosts:
core: registry.spamasaurus.com
notary: notary.spamasaurus.com
externalURL: https://registry.spamasaurus.com
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: "flexvolsmb-harbor-registry"
storageClass: "-"
accessMode: ReadWriteMany
size: 5Gi
chartmuseum:
existingClaim: "flexvolsmb-harbor-chartmuseum"
storageClass: "-"
accessMode: ReadWriteMany
size: 5Gi
jobservice:
existingClaim: "flexvolsmb-harbor-jobservice"
storageClass: "-"
accessMode: ReadWriteMany
size: 1Gi
database:
existingClaim: "flexvolsmb-harbor-database"
storageClass: "-"
accessMode: ReadWriteMany
size: 1Gi
redis:
existingClaim: "flexvolsmb-harbor-redis"
storageClass: "-"
accessMode: ReadWriteMany
size: 1Gi
trivy:
existingClaim: "flexvolsmb-harbor-trivy"
storageClass: "-"
accessMode: ReadWriteMany
size: 1Gi
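Review bot: `size` and `storageClass` under each `persistentVolumeClaim` entry are ignored once `existingClaim` is set, and the `5Gi` / `1Gi` values written here disagree with the `10Gi` the `flexvolsmb-harbor-*` PVCs actually request, which will mislead whoever reads the values file later; either drop the unused keys or align them with the PVC manifests. It is also worth a one-line comment that `resourcePolicy: "keep"` means `helm uninstall` leaves the claims (and thus the registry data on the SMB shares) in place, so a teardown is not a wipe.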

View File

@ -0,0 +1,33 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: harbor
namespace: harbor
spec:
entryPoints:
- websecure
routes:
- match: Host(`registry.spamasaurus.com`)
kind: Rule
services:
- name: harbor-harbor-portal
namespace: harbor
port: 80
middlewares:
- name: security-headers@file
- match: Host(`registry.spamasaurus.com`) && PathPrefix(`/api/`, `/service/`, `/v2/`, `/chartrepo/`, `/c/`)
kind: Rule
services:
- name: harbor-harbor-core
namespace: harbor
port: 80
middlewares:
- name: security-headers@file
- match: Host(`notary.spamasaurus.com`)
kind: Rule
services:
- name: harbor-harbor-notary-server
namespace: harbor
port: 4443
middlewares:
- name: security-headers@file
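Review bot: the two rules on `registry.spamasaurus.com` depend on Traefik's implicit priority (longer rule wins) for the `PathPrefix(` ... `)` route to `harbor-harbor-core` to beat the bare `Host(...)` portal route; that works today but would break silently if the portal rule were ever lengthened. Give the API route an explicit `priority:` so the intent is in the manifest. Also note that `harbor-harbor-core` and `harbor-harbor-portal` are reached on port 80, so the Traefik-to-Harbor hop is cleartext; acceptable inside the cluster, but worth stating.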

View File

@ -0,0 +1,204 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-chartmuseum
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-chartmuseum
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=999,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/chartmuseum
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-chartmuseum
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-chartmuseum
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-database
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-database
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=999,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/database
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-database
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-database
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-jobservice
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-jobservice
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/jobservice
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-jobservice
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-jobservice
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-redis
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-redis
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-redis
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-redis
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-registry
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-registry
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/registry
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-registry
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-registry
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-harbor-trivy
namespace: harbor
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-trivy
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/harbor/trivy
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-harbor-trivy
namespace: harbor
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-harbor-trivy
resources:
requests:
storage: 10Gi
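Review bot: `metadata.namespace: harbor` on each PersistentVolume does nothing (PVs are cluster-scoped; kubectl warns and ignores it) and should be dropped, the PVCs below carry the namespace correctly. The more important issue is the backing store for `flexvolsmb-harbor-database` and `flexvolsmb-harbor-redis`: PostgreSQL and Redis data on a CIFS share mounted with `nobrl` means byte-range locking is disabled for two engines that rely on it, and corruption after an unclean shutdown is the likely failure mode; a block volume (the Longhorn class added in this same commit) is the safer home for those two. Finally the uid/gid choices are inconsistent (database `999`, jobservice/registry/trivy `10000`, redis none), which only works because the chart's pods happen to match; a comment per volume naming the expected container user would make the next change safe.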

View File

@ -0,0 +1,64 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-lighttpd-conf
data:
lighttpd.conf: |
server.modules = (
"mod_access",
"mod_alias",
"mod_compress",
"mod_redirect",
"mod_rewrite",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 8080
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-lighttpd-vhosts
data:
bessems.com.conf: |
$HTTP["host"] =~ "^bessems\.(com|eu)$" {
server.document-root = "/var/www/bessems.com/"
}
gabaldon.eu.conf: |
$HTTP["host"] =~ "^gabaldon\.(eu|nl)$" {
server.document-root = "/var/www/gabaldon.eu/"
}
sn.itch.fyi.conf: |
$HTTP["host"] == "sn.itch.fyi" {
server.document-root = "/var/www/sn.itch.fyi/"
index-file.names += ("/_h5ai/public/index.php")
}
spamasaurus.com.conf: |
$HTTP["host"] == "spamasaurus.com" {
server.document-root = "/var/www/spamasaurus.com/public"
}
sw.itch.fyi.conf: |
$HTTP["host"] == "sw.itch.fyi" {
server.document-root = "/var/www/sw.itch.fyi/"
url.rewrite-once = (
"^/api\?(.*)" => "index.php?page=newznabapi&$1"
)
}
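Review bot: `server.errorlog = "/var/log/lighttpd/error.log"` writes inside the container and no `mod_accesslog` is loaded, so neither error nor access logs reach `kubectl logs` and both vanish on pod restart; for a server fronting five public vhosts that removes the main evidence trail. Add `"mod_accesslog"` to `server.modules` and point `accesslog.filename` and `server.errorlog` at `/dev/stderr` (or a mounted log volume) so they can be collected. The rest reads well: `url.access-deny = ( "~", ".inc" )` and the `static-file.exclude-extensions` list are the right defaults, and the `sw.itch.fyi` rewrite passes `$1` through unchanged into the query string, which is fine as long as `index.php` validates `page` itself.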

View File

@ -0,0 +1,26 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: cronjob-spotweb-retrievearticles
spec:
schedule: "0 * * * *"
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
containers:
- name: php-retrievearticles
image: php:7.4-cli
workingDir: /var/www/sw.itch.fyi
args:
- php
- /var/www/sw.itch.fyi/retrieve.php
volumeMounts:
- name: flexvolsmb-lighttpd-websites
mountPath: /var/www/
volumes:
- name: flexvolsmb-lighttpd-websites
persistentVolumeClaim:
claimName: flexvolsmb-lighttpd-websites
restartPolicy: OnFailure
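Review bot: the hourly job has no `concurrencyPolicy`, so if `retrieve.php` runs longer than an hour a second copy starts alongside it and both write to the same SMB share; set `concurrencyPolicy: Forbid` (and a `failedJobsHistoryLimit`) next to `successfulJobsHistoryLimit: 1`. The container also runs as root by default (`php:7.4-cli` sets no `USER`) with the entire `/var/www/` websites share mounted writable, although it only needs `/var/www/sw.itch.fyi`; mount with `subPath: sw.itch.fyi` and add a `securityContext` with `runAsNonRoot: true` and a `runAsUser` matching the share owner so the job cannot touch the other vhosts' document roots.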

View File

@ -0,0 +1,137 @@
apiVersion: v1
kind: Service
metadata:
name: lighttpd
spec:
ports:
- protocol: TCP
name: web
port: 8080
selector:
app: lighttpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: lighttpd
labels:
app: lighttpd
spec:
replicas: 1
selector:
matchLabels:
app: lighttpd
template:
metadata:
labels:
app: lighttpd
spec:
containers:
- name: lighttpd-php-pwsh
image: djpbessems/lighttpd-php-powershell
ports:
- name: web
containerPort: 8080
volumeMounts:
- name: configmap-lighttpd-conf
mountPath: /etc/lighttpd/lighttpd.conf
subPath: lighttpd.conf
- name: configmap-lighttpd-vhosts
mountPath: /etc/lighttpd/vhosts.d
- name: flexvolsmb-lighttpd-data
mountPath: /data/scripts
- name: flexvolsmb-lighttpd-websites
mountPath: /var/www/
volumes:
- name: configmap-lighttpd-conf
configMap:
name: configmap-lighttpd-conf
- name: configmap-lighttpd-vhosts
configMap:
name: configmap-lighttpd-vhosts
- name: flexvolsmb-lighttpd-data
persistentVolumeClaim:
claimName: flexvolsmb-lighttpd-data
- name: flexvolsmb-lighttpd-websites
persistentVolumeClaim:
claimName: flexvolsmb-lighttpd-websites
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: lighttpd
spec:
entryPoints:
- websecure
routes:
- match: Host(`bessems.com`) || Host(`bessems.eu`) || Host(`gabaldon.eu`) || Host(`gabaldon.nl`) || Host(`sn.itch.fyi`) || Host(`sw.itch.fyi`) || Host(`spamasaurus.com`)
kind: Rule
services:
- name: lighttpd
port: 8080
middlewares:
- name: security-headers@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-lighttpd-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-lighttpd-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/lighttpd/data
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-lighttpd-websites
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-lighttpd-websites
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/lighttpd/websites
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-lighttpd-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-lighttpd-data
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-lighttpd-websites
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-lighttpd-websites
resources:
requests:
storage: 1Gi
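Review bot: the web-serving pod mounts the whole websites share read-write at `/var/www/`, and the PV behind it uses `file_mode=0777,dir_mode=0777`, so the server process can rewrite its own document roots; unless one of the hosted apps must write under its docroot, mark that `volumeMount` `readOnly: true` (writes already arrive through the CronJob and the Theia pod that mount the same share) and lower the mode bits to the www-data uid. The Deployment also carries no `securityContext` or `resources`; lighttpd drops to `www-data` by its own config, but `runAsNonRoot: true` at the pod level turns that convention into a guarantee, and the `/data/scripts` volume at `0777` deserves the same tightening.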

View File

@ -0,0 +1,110 @@
apiVersion: v1
kind: Service
metadata:
name: nzbhydra
namespace: pvr
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 5076
nodePort: 30010
selector:
app: nzbhydra
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nzbhydra
namespace: pvr
labels:
app: nzbhydra
spec:
replicas: 1
selector:
matchLabels:
app: nzbhydra
template:
metadata:
labels:
app: nzbhydra
spec:
containers:
- name: nzbhydra
image: linuxserver/nzbhydra2
ports:
- name: web
containerPort: 5076
volumeMounts:
- mountPath: /config
name: flexvolsmb-nzbhydra-config
- mountPath: /downloads
name: flexvolsmb-pvr-downloads
subPath: downloads
volumes:
- name: flexvolsmb-nzbhydra-config
persistentVolumeClaim:
claimName: flexvolsmb-nzbhydra-config
- name: flexvolsmb-pvr-downloads
persistentVolumeClaim:
claimName: flexvolsmb-pvr-downloads
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nzbhydra
namespace: pvr
spec:
entryPoints:
- websecure
routes:
- match: Host(`index.pvr.spamasaurus.com`)
kind: Rule
services:
- name: nzbhydra
port: 5076
middlewares:
- name: ldap-authentication@file
- name: security-headers@file
tls:
options:
name: defaults@file
certResolver: default
domains:
- main: '*.pvr.spamasaurus.com'
sans:
- 'pvr.spamasaurus.com'
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-nzbhydra-config
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-nzbhydra-config
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/nzbhydra/config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-nzbhydra-config
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-nzbhydra-config
resources:
requests:
storage: 1Gi
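Review bot: `type: NodePort` with `nodePort: 30010` publishes nzbhydra on every node's IP, and that path carries none of the `ldap-authentication@file` middleware the IngressRoute applies, so the LDAP gate only covers the `index.pvr.spamasaurus.com` route. Unless something on the LAN must reach the port directly, change the Service to `ClusterIP` (the IngressRoute needs nothing more); if the NodePort is intentional, a NetworkPolicy or host firewall should restrict who can reach it. `image: linuxserver/nzbhydra2` is also untagged and will float between releases.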

View File

@ -0,0 +1,115 @@
apiVersion: v1
kind: Service
metadata:
name: radarr
namespace: pvr
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 7878
nodePort: 30020
selector:
app: radarr
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: pvr
labels:
app: radarr
spec:
replicas: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
containers:
- name: radarr
image: linuxserver/radarr
ports:
- name: web
containerPort: 7878
volumeMounts:
- mountPath: /config
name: flexvolsmb-radarr-config
- mountPath: /movies
name: flexvolsmb-pvr-movies
- mountPath: /downloads
name: flexvolsmb-pvr-downloads
subPath: downloads
volumes:
- name: flexvolsmb-radarr-config
persistentVolumeClaim:
claimName: flexvolsmb-radarr-config
- name: flexvolsmb-pvr-movies
persistentVolumeClaim:
claimName: flexvolsmb-pvr-movies
- name: flexvolsmb-pvr-downloads
persistentVolumeClaim:
claimName: flexvolsmb-pvr-downloads
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: radarr
namespace: pvr
spec:
entryPoints:
- websecure
routes:
- match: Host(`movies.pvr.spamasaurus.com`)
kind: Rule
services:
- name: radarr
port: 7878
middlewares:
- name: ldap-authentication@file
- name: security-headers@file
tls:
options:
name: defaults@file
certResolver: default
domains:
- main: '*.pvr.spamasaurus.com'
sans:
- 'pvr.spamasaurus.com'
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-radarr-config
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-radarr-config
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/radarr/config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-radarr-config
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-radarr-config
resources:
requests:
storage: 1Gi
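Review bot: `nodePort: 30020` reaches radarr without the `ldap-authentication@file` middleware that protects `movies.pvr.spamasaurus.com`, so the authentication only applies to one of two entrances; use `ClusterIP` unless the direct port is required, and restrict it with a NetworkPolicy if it is. Separately, `image: linuxserver/radarr` has no tag, so every pod restart may pull a different release; pin it.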

View File

@ -0,0 +1,113 @@
apiVersion: v1
kind: Service
metadata:
name: sabnzbd
namespace: pvr
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 8080
nodePort: 30030
selector:
app: sabnzbd
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sabnzbd
namespace: pvr
labels:
app: sabnzbd
spec:
replicas: 1
selector:
matchLabels:
app: sabnzbd
template:
metadata:
labels:
app: sabnzbd
spec:
containers:
- name: sabnzbd
image: linuxserver/sabnzbd
ports:
- name: web
containerPort: 8080
volumeMounts:
- mountPath: /config
name: flexvolsmb-sabnzbd-config
- mountPath: /downloads
name: flexvolsmb-pvr-downloads
subPath: downloads
- mountPath: /incomplete-downloads
name: flexvolsmb-pvr-downloads
subPath: incomplete-downloads
volumes:
- name: flexvolsmb-sabnzbd-config
persistentVolumeClaim:
claimName: flexvolsmb-sabnzbd-config
- name: flexvolsmb-pvr-downloads
persistentVolumeClaim:
claimName: flexvolsmb-pvr-downloads
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: sabnzbd
namespace: pvr
spec:
entryPoints:
- websecure
routes:
- match: Host(`download.pvr.spamasaurus.com`)
kind: Rule
services:
- name: sabnzbd
port: 8080
middlewares:
- name: ldap-authentication@file
- name: security-headers@file
tls:
options:
name: defaults@file
certResolver: default
domains:
- main: '*.pvr.spamasaurus.com'
sans:
- 'pvr.spamasaurus.com'
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-sabnzbd-config
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-sabnzbd-config
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=911,gid=911,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/sabnzbd/config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-sabnzbd-config
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-sabnzbd-config
resources:
requests:
storage: 1Gi
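Review bot: `nodePort: 30030` exposes sabnzbd's web UI and API on every node outside the `ldap-authentication@file` middleware; a downloader that holds an API key and write access to the downloads share is a poor thing to leave reachable without the LDAP gate, so switch to `ClusterIP` or firewall the port. Note also that this config PV is the only one in the pvr set using `uid=911,gid=911`, the linuxserver default PUID/PGID; the sonarr and nzbhydra config shares use a different or no uid and work only because of `file_mode=0777`, so this one is the pattern the others should follow.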

View File

@ -0,0 +1,115 @@
apiVersion: v1
kind: Service
metadata:
name: sonarr
namespace: pvr
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 8989
nodePort: 30040
selector:
app: sonarr
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: pvr
labels:
app: sonarr
spec:
replicas: 1
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
containers:
- name: sonarr
image: linuxserver/sonarr:preview
ports:
- name: web
containerPort: 8989
volumeMounts:
- mountPath: /config
name: flexvolsmb-sonarr-config
- mountPath: /tv
name: flexvolsmb-pvr-series
- mountPath: /downloads
name: flexvolsmb-pvr-downloads
subPath: downloads
volumes:
- name: flexvolsmb-sonarr-config
persistentVolumeClaim:
claimName: flexvolsmb-sonarr-config
- name: flexvolsmb-pvr-series
persistentVolumeClaim:
claimName: flexvolsmb-pvr-series
- name: flexvolsmb-pvr-downloads
persistentVolumeClaim:
claimName: flexvolsmb-pvr-downloads
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: sonarr
namespace: pvr
spec:
entryPoints:
- websecure
routes:
- match: Host(`series.pvr.spamasaurus.com`)
kind: Rule
services:
- name: sonarr
port: 8989
middlewares:
- name: ldap-authentication@file
- name: security-headers@file
tls:
options:
name: defaults@file
certResolver: default
domains:
- main: '*.pvr.spamasaurus.com'
sans:
- 'pvr.spamasaurus.com'
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-sonarr-config
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-sonarr-config
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=1000,gid=1000,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/sonarr/config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-sonarr-config
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-sonarr-config
resources:
requests:
storage: 1Gi
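Review bot: `nodePort: 30040` bypasses the `ldap-authentication@file` middleware exactly as the other pvr NodePorts do; prefer `ClusterIP`. Two further points: `linuxserver/sonarr:preview` is a moving pre-release tag, so pin a specific version, and the config PV uses `uid=1000,gid=1000` while sabnzbd's uses `911` (the linuxserver default); the mismatch is masked by `file_mode=0777` and will surface the moment the mode bits are tightened.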

View File

@ -0,0 +1,98 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-pvr-downloads
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-downloads
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
server: 192.168.11.225
share: /Volatile/downloads
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-pvr-downloads
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-downloads
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-pvr-movies
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-movies
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
server: 192.168.11.225
share: /Public/Video's/Films
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-pvr-movies
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-movies
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-pvr-series
namespace: pvr
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-series
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
server: 192.168.11.225
share: /Public/Video's/Series
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-pvr-series
namespace: pvr
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-pvr-series
resources:
requests:
storage: 1Gi
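Review bot: `metadata.namespace: pvr` on a PersistentVolume is ignored (PVs are cluster-scoped) and should be removed so nobody mistakes it for isolation. The three shares are mounted with `file_mode=0777,dir_mode=0777,cache=none` and no uid/gid, so every container in every pod that claims them writes as the same SMB identity to world-writable files; `cache=none` is the right choice for a share written from several pods, but the media shares (`/Public/Video's/Films`, `/Public/Video's/Series`) could be `0755` with the linuxserver uid so only the intended process writes. The `storage: 1Gi` capacity is nominal and never enforced by the SMB driver; a comment saying so saves the next reader a puzzle.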

147
services/PVR/deploy-PVR.yml Normal file
View File

@ -0,0 +1,147 @@
apiVersion: v1
kind: Service
metadata:
name: nzbhydra
spec:
ports:
- protocol: TCP
port: 5076
targetPort: 5076
---
apiVersion: v1
kind: Endpoints
metadata:
name: nzbhydra
subsets:
- addresses:
- ip: 192.168.11.242
ports:
- port: 5076
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nzbhydra
spec:
entryPoints:
- websecure
routes:
- match: Host(`index.pvr.spamasaurus.com`)
kind: Rule
services:
- name: nzbhydra
port: 5076
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
---
apiVersion: v1
kind: Service
metadata:
name: radarr
spec:
ports:
- protocol: TCP
port: 7878
targetPort: 7878
---
apiVersion: v1
kind: Endpoints
metadata:
name: radarr
subsets:
- addresses:
- ip: 192.168.11.242
ports:
- port: 7878
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: radarr
spec:
entryPoints:
- websecure
routes:
- match: Host(`movies.pvr.spamasaurus.com`)
kind: Rule
services:
- name: radarr
port: 7878
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
---
apiVersion: v1
kind: Service
metadata:
name: sabnzbd
spec:
ports:
- protocol: TCP
port: 8080
targetPort: 8080
---
apiVersion: v1
kind: Endpoints
metadata:
name: sabnzbd
subsets:
- addresses:
- ip: 192.168.11.242
ports:
- port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: sabnzbd
spec:
entryPoints:
- websecure
routes:
- match: Host(`download.pvr.spamasaurus.com`)
kind: Rule
services:
- name: sabnzbd
port: 8080
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
---
apiVersion: v1
kind: Service
metadata:
name: sonarr
spec:
ports:
- protocol: TCP
port: 8989
targetPort: 8989
---
apiVersion: v1
kind: Endpoints
metadata:
name: sonarr
subsets:
- addresses:
- ip: 192.168.11.242
ports:
- port: 8989
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: sonarr
spec:
entryPoints:
- websecure
routes:
- match: Host(`series.pvr.spamasaurus.com`)
kind: Rule
services:
- name: sonarr
port: 8989
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
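Review bot: this file defines selector-less Services backed by `Endpoints` at `192.168.11.242` with IngressRoutes on `index` / `movies` / `download` / `series.pvr.spamasaurus.com`, the same hosts the pvr-namespace IngressRoutes in this commit claim; two routers with identical `Host()` rules leave Traefik to pick one, so which middleware chain actually gates a host (`2fa-authentication@file` here versus `ldap-authentication@file` there) becomes unpredictable. If this is the pre-migration configuration it should be deleted or moved out of the applied tree; if it is still live, the proxied traffic to the external host runs over plain HTTP to a hard-coded IP and that should be documented.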

View File

@ -0,0 +1,134 @@
apiVersion: v1
kind: Service
metadata:
name: shaarli
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: shaarli
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: shaarli
labels:
app: shaarli
spec:
replicas: 1
selector:
matchLabels:
app: shaarli
template:
metadata:
labels:
app: shaarli
spec:
containers:
- name: shaarli
image: shaarli/shaarli
ports:
- name: web
containerPort: 80
volumeMounts:
- mountPath: /var/www/shaarli/cache
name: flexvolsmb-shaarli-cache
- mountPath: /var/www/shaarli/data
name: flexvolsmb-shaarli-data
volumes:
- name: flexvolsmb-shaarli-cache
persistentVolumeClaim:
claimName: flexvolsmb-shaarli-cache
- name: flexvolsmb-shaarli-data
persistentVolumeClaim:
claimName: flexvolsmb-shaarli-data
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: shaarli
spec:
entryPoints:
- websecure
routes:
- match: Host(`p.itch.fyi`)
kind: Rule
services:
- name: shaarli
port: 80
middlewares:
- name: security-headers@file
# tls:
# options:
# name: defaults@file
# certResolver: default
# domains:
# - main: '*.itch.fyi'
# sans:
# - 'itch.fyi'
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-shaarli-cache
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-shaarli-cache
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/shaarli/cache
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-shaarli-data
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-shaarli-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/shaarli/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-shaarli-cache
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-shaarli-cache
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-shaarli-data
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-shaarli-data
resources:
requests:
storage: 1Gi
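Review bot: `flexvolsmb-shaarli-data` holds Shaarli's config and datastore (its login credentials live there) yet the PV mounts it with `file_mode=0777,dir_mode=0777` and no uid, unlike the `0700` used for the Harbor volumes; tighten to `0700` with the uid the `shaarli/shaarli` image runs as, and pin that image tag. The commented `tls:` block should be deleted or annotated with why it is kept; dead config in a manifest is easy to mistake for active.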

View File

@ -0,0 +1,132 @@
apiVersion: v1
kind: Service
metadata:
name: theia
spec:
ports:
- protocol: TCP
name: web
port: 3000
selector:
app: theia
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: theia
labels:
app: theia
spec:
replicas: 1
selector:
matchLabels:
app: theia
template:
metadata:
labels:
app: theia
spec:
containers:
- name: theia
image: theiaide/theia-full
ports:
- name: web
containerPort: 3000
volumeMounts:
- mountPath: /home/project/websites
name: flexvolsmb-theia-websites
- mountPath: /home/project
name: flexvolsmb-theia-workspace
volumes:
- name: flexvolsmb-theia-websites
persistentVolumeClaim:
claimName: flexvolsmb-theia-websites
- name: flexvolsmb-theia-workspace
persistentVolumeClaim:
claimName: flexvolsmb-theia-workspace
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: theia
spec:
entryPoints:
- websecure
routes:
- match: Host(`ide.spamasaurus.com`)
kind: Rule
services:
- name: theia
port: 3000
middlewares:
- name: security-headers@file
- name: 2fa-authentication@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-theia-websites
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-theia-websites
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
# opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/lighttpd/websites
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-theia-websites
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-theia-websites
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-theia-workspace
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-theia-workspace
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
server: 192.168.11.225
share: /K3s.Volumes/theia/workspace
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-theia-workspace
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-theia-workspace
resources:
requests:
storage: 1Gi
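Review bot: `flexvolsmb-theia-websites` points at the same share as the lighttpd websites PV (`share: /K3s.Volumes/lighttpd/websites`), so the IDE pod, which ships a full shell via `theiaide/theia-full`, has direct write access to the public document roots. That is presumably the intent, but it makes this pod the most sensitive one in the default namespace: pin the image by digest rather than an untagged pull, keep `2fa-authentication@file` mandatory (its position after `security-headers@file` does not affect whether authentication is enforced), add `allowPrivilegeEscalation: false` beside the existing uid 1000 `securityContext`, and consider a NetworkPolicy so the pod cannot reach the rest of the cluster.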

View File

@ -0,0 +1,104 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-certs-dumper
labels:
app: traefik-certs-dumper
spec:
replicas: 1
selector:
matchLabels:
app: traefik-certs-dumper
template:
metadata:
labels:
app: traefik-certs-dumper
spec:
containers:
- name: traefik-certs-dumper
image: ldez/traefik-certs-dumper:latest-amd64
command: ['traefik-certs-dumper', 'file']
args:
- --watch
- --version=v2
- --source=/data/source/acme.json
- --dest=/data/export/
- --domain-subdir
volumeMounts:
- mountPath: /data/source/acme.json
name: flexvolsmb-traefikcertsdumper-acmejson
subPath: acme.json
readOnly: true
- mountPath: /data/export
name: flexvolsmb-traefikcertsdumper-export
volumes:
- name: flexvolsmb-traefikcertsdumper-acmejson
persistentVolumeClaim:
claimName: flexvolsmb-traefikcertsdumper-acmejson
- name: flexvolsmb-traefikcertsdumper-export
persistentVolumeClaim:
claimName: flexvolsmb-traefikcertsdumper-export
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-traefikcertsdumper-acmejson
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefikcertsdumper-acmejson
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/traefik/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-traefikcertsdumper-acmejson
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefikcertsdumper-acmejson
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-traefikcertsdumper-export
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefikcertsdumper-export
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/traefikcertsdumper/export
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-traefikcertsdumper-export
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefikcertsdumper-export
resources:
requests:
storage: 1Gi
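Review bot: the export volume `flexvolsmb-traefikcertsdumper-export` receives the dumped certificate private keys, yet its PV `opts:` line uses `file_mode=0777,dir_mode=0777` while the acme.json source is correctly `0600` and mounted `readOnly: true`; every pod or SMB client that can reach `/K3s.Volumes/traefikcertsdumper/export` can read every key. Set the export PV to `file_mode=0600,dir_mode=0700` with the uid the dumper runs as, and pin `ldez/traefik-certs-dumper:latest-amd64` to a version, since this container is handed the ACME account key and all issued private keys.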

View File

@ -0,0 +1,10 @@
server:
dataStorage:
enabled: true
size: 1Gi
storageClass: flexvolsmb-vault-data
accessMode: ReadWriteMany
priorityClassName: system-cluster-critical
ui:
enabled: true
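Review bot: `accessMode: ReadWriteMany` on Vault's data volume invites more than one Vault pod to write the same file backend; Vault's file storage assumes a single writer and provides no HA, so either state that the chart runs a single replica with `server.ha` off, or move to a backend meant for shared access. The values also leave `global.tlsDisable` at the chart default (true), which is why the IngressRoute in this commit talks to `vault` on port 8200 over plain HTTP; acceptable only if the in-cluster hop is trusted, and that decision belongs in this file as an explicit setting.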

View File

@ -0,0 +1,18 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: vault
namespace: vault
spec:
entryPoints:
- websecure
routes:
- match: Host(`secure.spamasaurus.com`)
kind: Rule
services:
- name: vault
namespace: vault
port: 8200
middlewares:
# - name: ldap-authentication@file
- name: security-headers@file
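Review bot: `# - name: ldap-authentication@file` leaves the Vault UI and API on `secure.spamasaurus.com` gated only by Vault's own authentication; that is a defensible design (Vault expects to be its own gate), but the commented line should be removed or annotated with the reason, and an `ipWhiteList` or `rateLimit` middleware on this public entry point would reduce login-endpoint noise. Since `secure.spamasaurus.com` fronts the secrets store for everything else in this commit, audit logging on the Vault side should be enabled before the route goes live.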

View File

@ -0,0 +1,33 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-vault-data
namespace: vault
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-vault-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=100,gid=1000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/vault/data
---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# name: data-vault-0
# namespace: vault
#spec:
# accessModes:
# - ReadWriteMany
# storageClassName: flexvolsmb-vault-data
# resources:
# requests:
# storage: 1Gi
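Review bot: drop `metadata.namespace: vault` on the PersistentVolume (cluster-scoped, ignored), and reconsider `file_mode=0755,dir_mode=0755` on Vault's data directory: the barrier is encrypted at rest, but `0755` makes the sealed storage readable by any uid on any pod that can mount the share, and `0700` with the existing `uid=100,gid=1000` costs nothing. The commented-out `data-vault-0` PVC is presumably satisfied by the chart's volumeClaimTemplate; if so, delete the comment block rather than leave it as apparent dead config.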

View File

@ -0,0 +1,32 @@
### Persistent Storage
Manifest for [Longhorn](https://github.com/longhorn/longhorn):
```
curl -Ls https://raw.githubusercontent.com/longhorn/longhorn/master/deploy/longhorn.yaml -o storage/Longhorn/deploy-Longhorn.yaml
sed -e 's/LoadBalancer/ClusterIP/' -i storage/Longhorn/deploy-Longhorn.yaml
kubectl apply -f storage/Longhorn/deploy-Longhorn.yaml
```
##### `IngressRoute` for Longhorn's dashboard:
```
kubectl apply -f storage/Longhorn/ingressRoute-Longhorn.yaml
```
##### `storageClass` with backup schedule:
After specifying a NFS backup target (syntax: `nfs://servername:/path/to/share`) through Longhorn's dashboard, create a new `storageClass` with backup schedule:
```
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-dailybackup
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "2880"
fromBackup: ""
recurringJobs: '[{"name":"backup", "task":"backup", "cron":"0 0 * * *", "retain":14}]'
```
Then make this the new default `storageClass`:
```
kubectl patch storageclass longhorn-dailybackup -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
kubectl delete storageclass longhorn
```
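Review bot: the final step, `kubectl delete storageclass longhorn`, is undone by any later `kubectl apply -f storage/Longhorn/deploy-Longhorn.yaml`, because that manifest still declares the `longhorn` StorageClass; remove that object from the downloaded manifest (the `sed` step is the natural place) so `longhorn-dailybackup` stays the only Longhorn class. The `sed -e 's/LoadBalancer/ClusterIP/'` edits the whole manifest; at v0.7.0 only the frontend Service matches, but note that intent here so a future manifest does not get unexpected rewrites. Also, the new StorageClass sets no `reclaimPolicy`, so deleting a PVC deletes the Longhorn volume immediately; the 14 retained daily backups make that recoverable, but state it, or set `reclaimPolicy: Retain` for the classes that back stateful services.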

View File

@ -0,0 +1,431 @@
apiVersion: v1
kind: Namespace
metadata:
name: longhorn-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: longhorn-service-account
namespace: longhorn-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: longhorn-role
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups: [""]
resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps"]
verbs: ["*"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["daemonsets", "statefulsets", "deployments"]
verbs: ["*"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["*"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses", "volumeattachments", "csinodes", "csidrivers"]
verbs: ["*"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: ["longhorn.io"]
resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",
"engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status"]
verbs: ["*"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["*"]
# to be removed after v0.7.0
- apiGroups: ["longhorn.rancher.io"]
resources: ["volumes", "engines", "replicas", "settings", "engineimages", "nodes", "instancemanagers"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: longhorn-bind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: longhorn-role
subjects:
- kind: ServiceAccount
name: longhorn-service-account
namespace: longhorn-system
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: Engine
name: engines.longhorn.io
spec:
group: longhorn.io
names:
kind: Engine
listKind: EngineList
plural: engines
shortNames:
- lhe
singular: engine
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: Replica
name: replicas.longhorn.io
spec:
group: longhorn.io
names:
kind: Replica
listKind: ReplicaList
plural: replicas
shortNames:
- lhr
singular: replica
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: Setting
name: settings.longhorn.io
spec:
group: longhorn.io
names:
kind: Setting
listKind: SettingList
plural: settings
shortNames:
- lhs
singular: setting
scope: Namespaced
version: v1beta1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: Volume
name: volumes.longhorn.io
spec:
group: longhorn.io
names:
kind: Volume
listKind: VolumeList
plural: volumes
shortNames:
- lhv
singular: volume
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: EngineImage
name: engineimages.longhorn.io
spec:
group: longhorn.io
names:
kind: EngineImage
listKind: EngineImageList
plural: engineimages
shortNames:
- lhei
singular: engineimage
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: Node
name: nodes.longhorn.io
spec:
group: longhorn.io
names:
kind: Node
listKind: NodeList
plural: nodes
shortNames:
- lhn
singular: node
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
longhorn-manager: InstanceManager
name: instancemanagers.longhorn.io
spec:
group: longhorn.io
names:
kind: InstanceManager
listKind: InstanceManagerList
plural: instancemanagers
shortNames:
- lhim
singular: instancemanager
scope: Namespaced
version: v1beta1
subresources:
status: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: longhorn-default-setting
namespace: longhorn-system
data:
default-setting.yaml: |-
backup-target:
backup-target-credential-secret:
create-default-disk-labeled-nodes:
default-data-path:
replica-soft-anti-affinity:
storage-over-provisioning-percentage:
storage-minimal-available-percentage:
upgrade-checker:
default-replica-count:
guaranteed-engine-cpu:
default-longhorn-static-storage-class:
backupstore-poll-interval:
taint-toleration:
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: longhorn-manager
name: longhorn-manager
namespace: longhorn-system
spec:
selector:
matchLabels:
app: longhorn-manager
template:
metadata:
labels:
app: longhorn-manager
spec:
containers:
- name: longhorn-manager
image: longhornio/longhorn-manager:v0.7.0
imagePullPolicy: Always
securityContext:
privileged: true
command:
- longhorn-manager
- -d
- daemon
- --engine-image
- longhornio/longhorn-engine:v0.7.0
- --manager-image
- longhornio/longhorn-manager:v0.7.0
- --service-account
- longhorn-service-account
ports:
- containerPort: 9500
volumeMounts:
- name: dev
mountPath: /host/dev/
- name: proc
mountPath: /host/proc/
- name: varrun
mountPath: /var/run/
- name: longhorn
mountPath: /var/lib/rancher/longhorn/
mountPropagation: Bidirectional
- name: longhorn-default-setting
mountPath: /var/lib/longhorn-setting/
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Should be: mount path of the volume longhorn-default-setting + the key of the configmap data in 04-default-setting.yaml
- name: DEFAULT_SETTING_PATH
value: /var/lib/longhorn-setting/default-setting.yaml
volumes:
- name: dev
hostPath:
path: /dev/
- name: proc
hostPath:
path: /proc/
- name: varrun
hostPath:
path: /var/run/
- name: longhorn
hostPath:
path: /var/lib/rancher/longhorn/
- name: longhorn-default-setting
configMap:
name: longhorn-default-setting
serviceAccountName: longhorn-service-account
---
kind: Service
apiVersion: v1
metadata:
labels:
app: longhorn-manager
name: longhorn-backend
namespace: longhorn-system
spec:
selector:
app: longhorn-manager
ports:
- port: 9500
targetPort: 9500
sessionAffinity: ClientIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: longhorn-ui
name: longhorn-ui
namespace: longhorn-system
spec:
replicas: 1
selector:
matchLabels:
app: longhorn-ui
template:
metadata:
labels:
app: longhorn-ui
spec:
containers:
- name: longhorn-ui
image: longhornio/longhorn-ui:v0.7.0
ports:
- containerPort: 8000
env:
- name: LONGHORN_MANAGER_IP
value: "http://longhorn-backend:9500"
serviceAccountName: longhorn-service-account
---
kind: Service
apiVersion: v1
metadata:
labels:
app: longhorn-ui
name: longhorn-frontend
namespace: longhorn-system
spec:
selector:
app: longhorn-ui
ports:
- port: 80
targetPort: 8000
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: longhorn-driver-deployer
namespace: longhorn-system
spec:
replicas: 1
selector:
matchLabels:
app: longhorn-driver-deployer
template:
metadata:
labels:
app: longhorn-driver-deployer
spec:
initContainers:
- name: wait-longhorn-manager
image: longhornio/longhorn-manager:v0.7.0
command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done']
containers:
- name: longhorn-driver-deployer
image: longhornio/longhorn-manager:v0.7.0
imagePullPolicy: Always
command:
- longhorn-manager
- -d
- deploy-driver
- --manager-image
- longhornio/longhorn-manager:v0.7.0
- --manager-url
- http://longhorn-backend:9500/v1
# manually set root directory for csi
#- --kubelet-root-dir
#- /var/lib/rancher/k3s/agent/kubelet
# manually specify number of CSI attacher replicas
#- --csi-attacher-replica-count
#- "3"
# manually specify number of CSI provisioner replicas
#- --csi-provisioner-replica-count
#- "3"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
serviceAccountName: longhorn-service-account
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn
provisioner: driver.longhorn.io
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: ""
# diskSelector: "ssd,fast"
# nodeSelector: "storage,fast"
# recurringJobs: '[{"name":"snap", "task":"snapshot", "cron":"*/1 * * * *", "retain":1},
# {"name":"backup", "task":"backup", "cron":"*/2 * * * *", "retain":1,
# "labels": {"interval":"2m"}}]'
---
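Review bot: the ClusterRole `longhorn-role` lists `coordination.k8s.io` / `leases` twice, once with explicit verbs and once with `verbs: ["*"]`; the second makes the first redundant, keep one. The more important thing to record is the blast radius: the same role grants `"*"` on `secrets`, `pods`, `nodes`, `configmaps` and the other core resources cluster-wide, and that service account is mounted into `longhorn-manager`, which runs with `privileged: true`, hostPath mounts of `/dev`, `/proc` and `/var/run`, and `mountPropagation: Bidirectional`. A compromise of that DaemonSet pod is therefore a compromise of every node and every secret in the cluster. This is what the upstream v0.7.0 manifest ships, so the review outcome is to document that this was seen and accepted, not to pretend it can be trimmed locally. Minor: the rule for `longhorn.rancher.io` carries `# to be removed after v0.7.0` while the images are already `v0.7.0`; track that removal.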

View File

@ -0,0 +1,23 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: longhorn-dashboard
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`storage.k3s.spamasaurus.com`)
kind: Rule
services:
- name: longhorn-frontend
port: 80
namespace: longhorn-system
tls:
options:
name: default
certResolver: default
domains:
- main: '*.k3s.spamasaurus.com'
sans:
- 'k3s.spamasaurus.com'
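Review bot: this route has no `middlewares` at all, so the Longhorn dashboard at `storage.k3s.spamasaurus.com` sits behind TLS only; the Longhorn UI has no authentication of its own, and through `longhorn-frontend` a caller can create, delete and restore volumes and backups for the whole cluster. Attach at least the `security-headers@file` middleware used on the Vault route and an authentication middleware before serving it on `websecure`. Also the IngressRoute lives in `default` while the target Service is in `longhorn-system`; that works because of the explicit `namespace:` on the service entry, but a comment would save the next reader a lookup.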

View File

@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: juliohm-cifs-volumedriver-installer
spec:
selector:
matchLabels:
app: juliohm-cifs-volumedriver-installer
template:
metadata:
name: juliohm-cifs-volumedriver-installer
labels:
app: juliohm-cifs-volumedriver-installer
spec:
containers:
- image: juliohm/kubernetes-cifs-volumedriver-installer:2.0
name: flex-deploy
imagePullPolicy: Always
env:
- name: VENDOR
value: mount
- name: DRIVER
value: smb
securityContext:
privileged: true
volumeMounts:
- mountPath: /flexmnt
name: flexvolume-mount
volumes:
- name: flexvolume-mount
hostPath:
path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
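Review bot: `metadata` carries no `namespace`, so this privileged DaemonSet is created in whatever namespace the current kubectl context points at; pin it (for example `kube-system`) so it is findable and not accidentally deleted with a namespace cleanup. Once the `mount/smb` driver has been copied into `/usr/libexec/kubernetes/kubelet-plugins/volume/exec/` via the `/flexmnt` hostPath, the pod keeps running as a privileged container with write access to the kubelet plugin directory on every node; either delete the DaemonSet after the driver is present on all nodes, or state in the README that it is kept on purpose so that replacement nodes get the driver automatically.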

View File

@ -0,0 +1,56 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubectl-rolloutrestart
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubectl-rolloutrestart
namespace: default
rules:
- apiGroups: ["apps", "extensions"]
resources: ["deployments"]
# verbs: ["get", "patch", "list", "watch"]
verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubectl-rolloutrestart
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubectl-rolloutrestart
subjects:
- kind: ServiceAccount
name: kubectl-rolloutrestart
namespace: default
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: kubectl-rolloutrestart
namespace: default
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 1
successfulJobsHistoryLimit: 1
schedule: '30 2 * * *'
jobTemplate:
spec:
backoffLimit: 2
activeDeadlineSeconds: 600
template:
spec:
serviceAccountName: kubectl-rolloutrestart
restartPolicy: Never
containers:
- name: kubectl
image: bitnami/kubectl
command:
- 'bash'
- '-c'
- 'for deploy in `kubectl get deployments | cut -d " " -f 1`; do kubectl rollout restart deployment $deploy; done'
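Review bot: the restart loop in the last line, `kubectl get deployments | cut -d " " -f 1`, includes the `NAME` header row, so the first iteration runs `kubectl rollout restart deployment NAME` and fails (harmlessly, but it logs an error every night); use `kubectl get deployments -o name` and pass that to `kubectl rollout restart` directly. Two smaller points: `namespace: default` on the ClusterRole is ignored since ClusterRoles are cluster-scoped (the RoleBinding in `default` is what correctly limits the permission to that namespace), and `image: bitnami/kubectl` is untagged, so the kubectl version drifts against the cluster; pin it to the cluster's minor version.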

View File

@ -0,0 +1,21 @@
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: agent-plan
namespace: system-upgrade
spec:
concurrency: 1
cordon: true
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: DoesNotExist
prepare:
args:
- prepare
- server-plan
image: rancher/k3s-upgrade:v1.18.6-k3s1
serviceAccountName: system-upgrade
upgrade:
image: rancher/k3s-upgrade
channel: https://update.k3s.io/v1-release/channels/stable
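Review bot: `prepare.image` is pinned to `rancher/k3s-upgrade:v1.18.6-k3s1` while `upgrade.image` is untagged and resolved from the `stable` channel, so after the first channel advance the prepare step runs an older image than the upgrade step. The prepare step only waits for `server-plan` to complete, so this is harmless today, but either pin both or leave both to the channel so the pinned tag is not mistaken for an intentional version ceiling. The plan also cordons but does not `drain`, so workloads on an agent are stopped with the node's k3s restart rather than rescheduled first; add `drain:` if that matters for the stateful services on these nodes.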

View File

@ -0,0 +1,18 @@
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
spec:
concurrency: 1
cordon: true
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
serviceAccountName: system-upgrade
upgrade:
image: rancher/k3s-upgrade
channel: https://update.k3s.io/v1-release/channels/stable
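Review bot: the plan follows `channel: https://update.k3s.io/v1-release/channels/stable` with no `version:` pin, so control-plane nodes are upgraded unattended as soon as the channel moves, one at a time (`concurrency: 1`, `cordon: true`). That is a reasonable choice for a home cluster, but it means an upstream release lands on the server before anyone has read its notes; if you want change control, pin `version:` and bump it deliberately, and keep the agent plan on the same mechanism so the two never diverge.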