Delete commit history along with sensitive data

README.md

@@ -0,0 +1,251 @@
+*TODO: Files with sensitive data; move to Vault*
+```
+# line 6-8: services/Guacamole/configMap_Guacamole.yml
+```
+
+# Kubernetes.K3s.installLog
+*3 VM's provisioned with Ubuntu Server 18.04*
+
+## K3s cluster 
+On first node:
+```  
+curl -sfL https://get.k3s.io | sh -s - --no-deploy traefik
+cat /var/lib/rancher/k3s/server/token
+kubectl config view --raw
+```
+On subsequent nodes:
+```
+curl -sfL https://get.k3s.io | K3S_URL=https://<fqdn or ip>:6443 K3S_TOKEN=<value from master> sh -
+```
+
+Install Rancher's [System Upgrade Controller](https://rancher.com/docs/k3s/latest/en/upgrades/automated/):
+```
+kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.4.0/system-upgrade-controller.yaml
+```
+Apply a [server (master node)](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/system/UpgradeController/plan-Server.yml) and [agent (worker node)](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/system/UpgradeController/plan-Agent.yml) plan:
+```
+kubectl apply -f system/UpgradeController/plan-Server.yml -f system/UpgradeController/plan-Agent.yml
+```
+
+### 1) Persistent storage
+
+SMB (CIFS) `FlexVolume`:
+```
+curl -Ls https://github.com/juliohm1978/kubernetes-cifs-volumedriver/blob/master/install.yaml -o storage/flexVolSMB/daemonSet-flexVolSMB.yml
+```
+Override drivername to something more sensible (see [storage/flexVolSMB/daemonSet-flexVolSMB.yml](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/storage/flexVolSMB/daemonSet-flexVolSMB.yml))
+```
+spec:
+  template:
+    spec:
+      containers:
+        - image: juliohm/kubernetes-cifs-volumedriver-installer:2.0
+          ...
+          env:
+            - name: VENDOR
+              value: mount
+            - name: DRIVER
+              value: smb
+          ...
+```
+Perform installation:
+```
+kubectl apply -f storage/flexVolSMB/daemonSet-flexVolSMB.yml
+```
+Wait for installation to complete (check logs of all installer-pods), then delete `daemonSet`:
+```
+kubectl delete -f storage/flexVolSMB/daemonSet-flexVolSMB.yml
+```
+Store credentials in `secret`:
+```
+kubectl create secret generic --type=mount/smb smb-secret --from-literal=username=<<omitted>> --from-literal=password=<<omitted>>
+```
+---
+*Optional*  
+Install [Longhorn](https://code.spamasaurus.com/djpbessems/Kubernetes.K3s.installLog/src/branch/master/storage/Longhorn/README.md) for block storage with NFS-backed backup schedules.
+
+### 2) Ingress Controller
+##### 2.1) Create `configMap`, `secret` and `persistentVolumeClaim`
+The `configMap` contains Traefik's static and dynamic config:
+```
+kubectl apply -f ingress/Traefik2.x/configMap_traefik.yml
+```
+
+The `secret` contains credentials for Cloudflare's API:
+```
+kubectl create secret generic traefik-cloudflare --from-literal=CF_API_EMAIL=<<omitted>> --from-literal=CF_API_KEY=<<omitted>> --namespace kube-system
+```
+
+The `persistentVolumeClaim` will contain `/data/acme.json` (referenced as `existingClaim`):
+```
+kubectl apply -f ingress/Traefik2.x/pvc_traefik.yml
+```
+##### 2.2) Install Helm Chart
+See [Traefik 2.x Helm Chart](https://github.com/containous/traefik-helm-chart):
+```
+helm repo add traefik https://containous.github.io/traefik-helm-chart
+helm repo update
+helm install traefik traefik/traefik --namespace kube-system --values=ingress/Traefik2.x/chart-values.yml
+```
+##### 2.3) Replace `IngressRoute` for Traefik's dashboard:
+```
+kubectl apply -f ingress/Traefik2.x/ingressRoute-Traefik.yaml
+kubectl delete ingressroute traefik-dashboard --namespace kube-system
+```
+
+### 3) Secret management
+*Perform these steps **after** configuring persistent storage **and** ingress*  
+##### 3.1) Create `persistentVolume` and `ingressRoute`
+*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*  
+```
+kubectl apply -f services/Vault/persistentVolume-Vault.yml
+kubectl apply -f services/Vault/ingressRoute-Vault.yml
+```
+##### 3.2) Install Helm Chart
+See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):  
+```
+kubectl create namespace vault
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
+```
+Configure Vault for use;
+- Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)
+- Store basic access policy template
+- Enable `kv`-engine
+```
+# kubectl exec -n vault -it vault-0 -- sh
+
+vault auth enable kubernetes
+vault write auth/kubernetes/config \
+   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+cat <<EOF > /home/vault/app-policy.hcl
+path "secret*" {
+  capabilities = ["read"]
+}
+EOF
+
+vault secrets enable -path=secret -version=2 kv
+```
+### 4) Services
+##### 4.1) [Adminer](https://www.adminer.org/)    <small>(SQL management)</small>
+```
+kubectl apply -f services/Adminer/configMap_Adminer.yml
+kubectl apply -f services/Adminer/deploy_Adminer.yml
+```
+Vault configuration:
+```
+vault kv put secret/adminer \
+  sqlitepw=<value>
+vault write auth/kubernetes/role/adminer \
+  bound_service_account_names=adminer \
+  bound_service_account_namespaces=default \
+  policies=adminer \
+  ttl=1h
+vault policy write adminer /home/vault/app-policy.hcl
+```
+##### 4.2) [Bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)    <small>(password manager)</small>
+*Requires [mount.cifs](https://linux.die.net/man/8/mount.cifs)' option `nobrl`*
+```
+kubectl apply -f services/Bitwarden/deployment_Bitwarden.yml
+```
+Vault configuration:
+```
+vault kv put secret/bitwarden \
+  admintoken=<value> \
+  yubicoclientid=<value> \
+  yubicosecretkey=<value>
+vault write auth/kubernetes/role/bitwarden \
+  bound_service_account_names=bitwarden \
+  bound_service_account_namespaces=default \
+  policies=bitwarden \
+  ttl=1h
+vault policy write bitwarden /home/vault/app-policy.hcl
+```
+##### 4.3) [DroneCI](https://drone.io/)    <small>(contineous delivery)</small>
+```
+kubectl apply -f services/DroneCI/deployment_DroneCI.yml
+```
+Vault configuration:
+```
+vault kv put secret/drone \
+  rpcsecret=<value> \
+  giteaclientid=<value> \
+  giteaclientsecret=<value>
+vault write auth/kubernetes/role/drone \
+  bound_service_account_names=drone \
+  bound_service_account_namespaces=default \
+  policies=drone \
+  ttl=1h
+vault policy write drone /home/vault/app-policy.hcl
+```
+##### 4.4) [Gitea](https://gitea.io/)    <small>(git repository)</small>
+```
+kubectl apply -f services/Gitea/deployment_Gitea.yml
+```
+##### 4.5) [Gotify](https://gotify.net/)    <small>(notifications)</small>
+```
+kubectl apply -f services/Gotify/deploy_Gotify.yml
+```
+##### 4.6) [Guacamole](https://guacamole.apache.org/doc/gug/guacamole-docker.html)    <small>(remote desktop gateway)</small>
+*Requires specifying a `uid` & `gid` in both the `securityContext` of the MySQL container and the `persistentVolume`*
+```
+kubectl apply -f services/Guacamole/configMap_Guacamole.yml
+kubectl apply -f services/Guacamole/deployment_Guacamole.yml
+```
+Wait for the included containers to start, then perform the following commands to initialize the database:
+```
+kubectl exec -i guacamole-<pod-id> --container guacamole -- /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
+kubectl exec -i guacamole-<pod-id> --container mysql -- mysql -uguacamole -pguacamole guacamole < initdb.sql
+kubectl rollout restart deployment guacamole
+```
+##### 4.7) [Harbor](https://goharbor.io/)    <small>(container image registry)</small>
+Create `ingressRoute` and `persistentVolumeClaim`
+```
+kubectl apply -f services/Harbor/ingressRoute-Harbor.yml
+kubectl apply -f services/Harbor/persistentVolumeClaim_Harbor.yml
+```
+Install Helm chart
+```
+kubectl create namespace harbor
+helm repo add harbor https://helm.goharbor.io
+helm repo update
+helm install harbor harbor/harbor --namespace harbor --values=services/Harbor/chart-values.yml
+```
+
+##### 4.8) [Lighttpd](https://www.lighttpd.net/)    <small>(webserver)</small>
+*Serves various semi-containerized websites; respective webcontent is stored on fileshare*  
+```
+kubectl apply -f services/Lighttpd/configMap_lighttpd.yml
+kubectl apply -f services/Lighttpd/deploy_Lighttpd.yml
+kubectl apply -f services/Lighttpd/cronJob-Spotweb.yml
+```
+##### 4.9) [Shaarli](https://github.com/shaarli/Shaarli)    <small>(bookmarks/notes)</small>
+```
+kubectl apply -f services/Shaarli/deploy_Shaarli.yml
+```
+##### 4.10) [Theia](https://theia-ide.org/)    <small>(web IDE)</small>
+```
+kubectl apply -f services/Theia/deploy_Theia.yml
+```
+##### 4.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper)    <small>(certificate tooling)</small>
+```
+kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml
+```
+##### 4.12) External `Endpoint`s
+###### 4.12.1) NZBHydra, Plex, Radarr, SABnzbd & Sonarr    <small>(automated media management)</small>
+*Running externally, due to connectivity requirements*
+```
+kubectl apply -f services/PVR/deploy-PVR.yml
+```
+### 5) Miscellaneous
+*Various notes/useful links*  
+
+* Replacement for [not-yet-deprecated](https://github.com/kubernetes/kubectl/issues/151) `kubectl get all -A`:
+
+      
+      kubectl get $(kubectl api-resources --verbs=list -o name | paste -sd, -) --ignore-not-found --all-namespaces
+* ...

ingress/Traefik2.x/chart-values.yml

@@ -0,0 +1,44 @@
+ports:
+  web:
+#    port: 80
+#    exposedPort: 80
+    redirectTo: websecure
+#  websecure:
+#    port: 443
+#    exposedPort: 443
+
+volumes:
+  - name: traefik-configmap
+    mountPath: /etc/traefik
+    type: configMap
+
+persistence:
+  enabled: true
+  accessMode: ReadWriteMany
+  path: /data
+  existingClaim: "traefik"
+#  size: 1Gi
+#  subPath: 'acme.json'
+
+env:
+  - name: CF_API_EMAIL
+    valueFrom: 
+      secretKeyRef:
+        name: traefik-cloudflare
+        key: CF_API_EMAIL
+  - name: CF_API_KEY
+    valueFrom: 
+      secretKeyRef:
+        name: traefik-cloudflare
+        key: CF_API_KEY
+
+securityContext:
+  capabilities:
+    drop: []
+  readOnlyRootFilesystem: true
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+
+podSecurityContext:
+  fsGroup: 0

ingress/Traefik2.x/configMap_traefik.yml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-configmap
+  namespace: kube-system
+data:
+  traefik.yml: |
+    global:
+      checkNewVersion: true
+      sendAnonymousUsage: true
+    entryPoints:
+      web:
+        address: :8000
+      websecure:
+        address: :8443
+        forwardedHeaders:
+          insecure: true
+        http:
+          tls:
+            options: defaults@file
+            certResolver: default
+            domains:
+              - main: '*.spamasaurus.com'
+                sans:
+                  - 'spamasaurus.com'
+              - main: '*.bessems.com'
+                sans:
+                  - 'bessems.com'
+              - main: '*.bessems.eu'
+                sans:
+                  - 'bessems.eu'
+              - main: '*.gabaldon.eu'
+                sans:
+                  - 'gabaldon.eu'
+              - main: '*.gabaldon.nl'
+                sans:
+                  - 'gabaldon.nl'
+              - main: '*.itch.fyi'
+                sans:
+                  - 'itch.fyi'
+    #      trustedIPs:
+    #        - "127.0.0.0/8"
+    #        - "192.168.5.0/24"
+    #        - "192.168.11.0/24"
+      ssh:
+        address: :2222
+      traefik:
+        address: :9000
+    providers:
+      file:
+        filename: /etc/traefik/dynamic.yml
+      kubernetesCRD: {}
+    api:
+      dashboard: true
+    ping: {}
+    #accessLog: {}
+    log:
+      level: INFO
+    #  level: DEBUG
+    certificatesResolvers:
+      default:
+        acme:
+          email: letsencrypt.org.danny@spamasaurus.com
+          storage: /data/acme.json
+          dnsChallenge:
+            provider: cloudflare
+            delayBeforeCheck: 5m0s
+            resolvers:
+            - 1.1.1.1:53
+            - 1.0.0.1:53
+  dynamic.yml: |
+    http:
+      middlewares:
+        force-tls:
+          redirectScheme:
+            scheme: https
+        2fa-authentication:
+          forwardAuth:
+            address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
+            trustForwardHeader: true
+        security-headers:
+          headers:
+            forceSTSHeader: true
+            stsSeconds: 315360000
+            stsIncludeSubdomains: true
+            stsPreload: true
+      routers:
+        force-tls:
+          entryPoints:
+            - "web"
+          rule: "HostRegexp(`{any:.+}`)"
+          middlewares:
+            - "force-tls"
+          service: noop@internal
+    tls:
+      options:
+        defaults:
+          minVersion: VersionTLS12
+          sniStrict: true
+          curvePreferences:
+            - secp521r1
+            - secp384r1
+          cipherSuites:
+            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+            - TLS_AES_128_GCM_SHA256
+            - TLS_AES_256_GCM_SHA384
+            - TLS_CHACHA20_POLY1305_SHA256
+            - TLS_FALLBACK_SCSV

ingress/Traefik2.x/ingressRoute_traefik.yaml

@@ -0,0 +1,25 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ingress.spamasaurus.com`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+      middlewares:
+        - name: 2fa-authentication@file
+        - name: security-headers@file
+  tls:
+    certResolver: default
+    options:
+      name: defaults@file
+    domains:
+    - main: '*.spamasaurus.com'
+      sans:
+      - 'spamasaurus.com'

ingress/Traefik2.x/pvc_traefik.yml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-traefik-data
+  namespace: kube-system
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefik-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/traefik/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefik-data
+  resources:
+    requests:
+      storage: 1Gi

services/Adminer/configMap_Adminer.yml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-adminer-conf
+data:
+  login-password-less.php: |
+    <?php
+      require_once('plugins/login-password-less.php');
+
+      /** Set allowed password
+      * @param string result of password_hash
+      */
+      return new AdminerLoginPasswordLess(
+        $password_hash = password_hash(rtrim(file_get_contents('/vault/secrets/sqlitepw')), PASSWORD_DEFAULT)
+      );
+    ?>

services/Adminer/deploy-Adminer.yml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: adminer
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 8080
+  selector:
+    app: adminer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: adminer
+  labels:
+    app: adminer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: adminer
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-secret-sqlitepw: "secret/adminer"
+        vault.hashicorp.com/role: "adminer"
+        vault.hashicorp.com/agent-inject-template-sqlitepw: |
+          {{ with secret "secret/adminer" -}}
+            {{ .Data.data.sqlitepw }}
+          {{- end }}
+      labels:
+        app: adminer
+    spec:
+      serviceAccountName: adminer
+      containers:
+      - name: adminer
+        image: adminer
+        ports:
+          - name: web
+            containerPort: 8080
+        volumeMounts:
+        - mountPath: /mnt/websites
+          name: flexvolsmb-adminer-websites
+        - name: configmap-adminer-conf
+          mountPath: /var/www/html/plugins-enabled/login-password-less.php
+          subPath: login-password-less.php
+      volumes:
+      - name: flexvolsmb-adminer-websites
+        persistentVolumeClaim:
+          claimName: flexvolsmb-adminer-websites
+      - name: configmap-adminer-conf
+        configMap:
+          name: configmap-adminer-conf
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: adminer
+  labels:
+    app: adminer
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: adminer
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`sql.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: adminer
+      port: 8080
+    middlewares:
+      - name: 2fa-authentication@file
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-adminer-websites
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-adminer-websites
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/lighttpd/websites
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-adminer-websites
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-adminer-websites
+  resources:
+    requests:
+      storage: 1Gi

services/Authelia/deploy-Authelia.yml

@@ -0,0 +1,142 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authelia
+  labels:
+    app: authelia
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authelia
+  template:
+    metadata:
+      labels:
+        app: authelia
+    spec:
+      containers:
+      - name: authelia
+        image: authelia/authelia
+        env:
+        - name: TZ
+          value: Europe/Amsterdam
+        ports:
+          - name: web
+            containerPort: 9091
+        volumeMounts:
+        - name: flexvolsmb-authelia-conf
+          mountPath: /config
+      - name: redis
+        image: redis:alpine
+        args:
+          - redis-server
+          - --requirepass authelia
+          - --appendonly yes
+        ports:
+          - name: redis
+            containerPort: 6379
+        volumeMounts:
+        - name: flexvolsmb-authelia-redis
+          mountPath: /data
+      volumes:
+      - name: flexvolsmb-authelia-conf
+        persistentVolumeClaim:
+          claimName: flexvolsmb-authelia-conf
+      - name: flexvolsmb-authelia-redis
+        persistentVolumeClaim:
+          claimName: flexvolsmb-authelia-redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 9091
+    - protocol: TCP
+      name: redis
+      port: 6379
+  selector:
+    app: authelia
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: authelia
+      port: 9091
+    middlewares:
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-authelia-conf
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-authelia-conf
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/authelia/conf
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-authelia-conf
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-authelia-conf
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-authelia-redis
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-authelia-redis
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/authelia/redis
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-authelia-redis
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-authelia-redis
+  resources:
+    requests:
+      storage: 1Gi

services/Bitwarden/deployment_Bitwarden.yml

@@ -0,0 +1,135 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bitwarden
+spec:
+  ports:
+    - protocol: TCP
+      name: ui
+      port: 8080
+    - protocol: TCP
+      name: websocket
+      port: 3012
+  selector:
+    app: bitwarden
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bitwarden
+  labels:
+    app: bitwarden
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bitwarden
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-secret-bitwarden: "secret/bitwarden"
+        vault.hashicorp.com/role: "bitwarden"
+        vault.hashicorp.com/agent-inject-template-bitwarden: |
+          {{ with secret "secret/bitwarden" -}}
+            export ADMIN_TOKEN="{{ .Data.data.admintoken }}"
+            export YUBICO_CLIENT_ID="{{ .Data.data.yubicoclientid }}"
+            export YUBICO_SECRET_KEY="{{ .Data.data.yubicosecretkey }}"
+          {{- end }}
+      labels:
+        app: bitwarden
+    spec:
+      serviceAccountName: bitwarden
+      containers:
+      - name: bitwarden
+        image: bitwardenrs/server
+        args: ["sh", "-c", ". /vault/secrets/bitwarden && /start.sh"]
+        env:
+        - name: ENABLE_DB_WAL
+          value: "false"
+        - name: ROCKET_PORT
+          value: "8080"
+        - name: SIGNUPS_ALLOWED
+          value: "false"
+        - name: WEBSOCKET_ENABLED
+          value: "true"
+        - name: WEBSOCKET_PORT
+          value: "3012"
+        - name: LOG_LEVEL
+          value: "debug"
+        - name: EXTENDED_LOGGING
+          value: "true"
+        ports:
+          - name: ui
+            containerPort: 8080
+          - name: websocket
+            containerPort: 3012
+        volumeMounts:
+        - mountPath: /data
+          name: flexvolsmb-bitwarden-data
+      volumes:
+      - name: flexvolsmb-bitwarden-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-bitwarden-data
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bitwarden
+  labels:
+    app: bitwarden
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`vault.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: bitwarden
+      port: 8080
+    middlewares:
+      - name: security-headers@file
+  - match: Host(`vault.spamasaurus.com`) && Path(`/notifications/hub`)
+    kind: Rule
+    services:
+    - name: bitwarden
+      port: 3012
+    middlewares:
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-bitwarden-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-bitwarden-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/bitwarden/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-bitwarden-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-bitwarden-data
+  resources:
+    requests:
+      storage: 1Gi

services/DDclient/deploy-DDclient.yml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ddclient
+  labels:
+    app: ddclient
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ddclient
+  template:
+    metadata:
+      labels:
+        app: ddclient
+    spec:
+      containers:
+      - name: ddclient
+        image: linuxserver/ddclient
+        volumeMounts:
+        - mountPath: /config
+          name: ddclient-secret
+      volumes:
+      - name: ddclient-secret
+        secret:
+          secretName: ddclient-secret

services/DDclient/secret-DDclient.yml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ddclient-secret
+  labels:
+    app: ddclient
+stringData:
+  ddclient.conf: |
+    daemon=300
+    syslog=yes
+    protocol=cloudflare
+    use=web
+    web=https://domains.google.com/checkip
+    ssl=yes
+    ttl=1
+    login=cloudflare.com.danny@spamasaurus.com
+    password=9ec5ad8d1e8c6240c5488bb61b7bcd7bdc0fc
+
+    zone=bessems.com
+    bessems.com
+
+    zone=bessems.eu
+    bessems.eu,deschakel.bessems.eu
+
+    zone=gabaldon.eu
+    gabaldon.eu
+
+    zone=gabaldon.nl
+    gabaldon.nl
+
+    zone=itch.fyi
+    itch.fyi
+
+    zone=spamasaurus.com
+    spamasaurus.com

services/DroneCI/deployment_DroneCI.yml

@@ -0,0 +1,175 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone
+spec:
+  ports:
+    - protocol: TCP
+      name: ui
+      port: 80
+  selector:
+    app: drone
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone
+  labels:
+    app: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-secret-drone: "secret/drone"
+        vault.hashicorp.com/role: "drone"
+        vault.hashicorp.com/agent-inject-template-drone: |
+          {{ with secret "secret/drone" -}}
+            export DRONE_RPC_SECRET="{{ .Data.data.rpcsecret }}"
+            export DRONE_GITEA_CLIENT_ID="{{ .Data.data.giteaclientid }}"
+            export DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.giteaclientsecret }}"
+          {{- end }}
+      labels:
+        app: drone
+    spec:
+#      serviceAccountName: drone
+      containers:
+      - name: drone
+        image: drone/drone
+        command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-server"]
+        env:
+        - name: DRONE_SERVER_PROTO
+          value: 'https'
+        - name: DRONE_SERVER_HOST
+          value: 'ci.spamasaurus.com'
+        - name: DRONE_SERVER_PORT
+          value: ':80'
+        - name: DRONE_TLS_AUTOCERT
+          value: 'false'
+        - name: DRONE_GITEA_SERVER
+          value: 'https://code.spamasaurus.com'
+#        - name: DRONE_LOGS_DEBUG
+#          value: 'true'
+        - name: DRONE_GIT_ALWAYS_AUTH
+          value: 'false'
+        - name: DRONE_AGENTS_ENABLED
+          value: 'true'
+        ports:
+          - name: ui
+            containerPort: 80
+        volumeMounts:
+        - mountPath: /data
+          name: flexvolsmb-drone-data
+      - name: drone-runner
+        image: drone/drone-runner-kube:latest
+        command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-runner-kube"]
+        ports:
+        - containerPort: 3000
+        env:
+        - name: DRONE_RPC_HOST
+          value: 'ci.spamasaurus.com'
+        - name: DRONE_RPC_PROTO
+          value: 'https'
+      volumes:
+      - name: flexvolsmb-drone-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-drone-data
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: drone
+  labels:
+    app: drone
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: drone
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`ci.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: drone
+      port: 80
+    middlewares:
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-drone-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-drone-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/drone/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-drone-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-drone-data
+  resources:
+    requests:
+      storage: 1Gi
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: drone
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - create
+      - delete
+      - list
+      - watch
+      - update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default
+roleRef:
+  kind: Role
+  name: drone
+  apiGroup: rbac.authorization.k8s.io

services/Gitea/deployment_Gitea.yml

@@ -0,0 +1,160 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+spec:
+  ports:
+    - protocol: TCP
+      name: ui
+      port: 3000
+    - protocol: TCP
+      name: ssh
+      port: 22
+      targetPort: ssh
+  selector:
+    app: gitea
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  labels:
+    app: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      containers:
+      - name: gitea
+        image: gitea/gitea:1
+        env:
+        - name: DB_TYPE
+          value: 'sqlite3'
+        - name: ROOT_URL
+          value: 'https://code.spamasaurus.com'
+        - name: USER_UID
+          value: "1000"
+        - name: USER_GID
+          value: "1000"
+        ports:
+          - name: ui
+            containerPort: 3000
+          - name: ssh
+            containerPort: 22
+        volumeMounts:
+        - mountPath: /data
+          name: flexvolsmb-gitea-data
+        - mountPath: /data/ssh
+          name: flexvolsmb-gitea-ssh
+          subPath: ssh
+#      securityContext:
+#        runAsUser: 1000
+#        runAsGroup: 1000
+#        fsGroup: 1000
+      volumes:
+      - name: flexvolsmb-gitea-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-gitea-data
+      - name: flexvolsmb-gitea-ssh
+        persistentVolumeClaim:
+          claimName: flexvolsmb-gitea-ssh
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`code.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: gitea
+      port: 3000
+    middlewares:
+      - name: security-headers@file
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea
+spec:
+  entryPoints:
+    - ssh
+  routes:
+  - match: HostSNI(`*`)
+    kind: Rule
+    services:
+    - name: gitea
+      port: 22
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-gitea-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gitea-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=1000,gid=1000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/gitea/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-gitea-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gitea-data
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-gitea-ssh
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gitea-ssh
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/gitea/ssh
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-gitea-ssh
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gitea-ssh
+  resources:
+    requests:
+      storage: 1Gi

services/Gotify/deploy-Gotify.yml

@@ -0,0 +1,89 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gotify
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 80
+  selector:
+    app: gotify
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotify
+  labels:
+    app: gotify
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gotify
+  template:
+    metadata:
+      labels:
+        app: gotify
+    spec:
+      containers:
+      - name: gotify
+        image: gotify/server
+        ports:
+          - name: web
+            containerPort: 80
+        volumeMounts:
+        - mountPath: /app/data
+          name: flexvolsmb-gotify-data
+      volumes:
+      - name: flexvolsmb-gotify-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-gotify-data
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gotify
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`notify.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: gotify
+      port: 80
+    middlewares:
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-gotify-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gotify-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/gotify/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-gotify-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-gotify-data
+  resources:
+    requests:
+      storage: 1Gi

services/Guacamole/configMap_Guacamole.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-guacamole-mysql-conf
+data:
+  MYSQL_DATABASE: 'guacamole'
+  MYSQL_PASSWORD: 'guacamole'
+  MYSQL_USER: 'guacamole'

services/Guacamole/deployment_Guacamole.yml

@@ -0,0 +1,175 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guacamole
+spec:
+  ports:
+    - protocol: TCP
+      name: ui
+      port: 8080
+    - protocol: TCP
+      name: proxy
+      port: 4822
+    - protocol: TCP
+      name: db
+      port: 3306
+  selector:
+    app: guacamole
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guacamole
+  labels:
+    app: guacamole
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: guacamole
+  template:
+    metadata:
+      labels:
+        app: guacamole
+    spec:
+      hostname: guacamole
+      containers:
+      - name: guacamole
+        image: guacamole/guacamole
+        env:
+        - name: GUACD_HOSTNAME
+          value: 'guacamole.default.svc.cluster.local'
+        - name: MYSQL_HOSTNAME
+          value: 'guacamole.default.svc.cluster.local'
+        - name: GUACAMOLE_HOME
+          value: '/etc/guacamole'
+        envFrom:
+        - configMapRef:
+            name: configmap-guacamole-mysql-conf
+        volumeMounts:
+        - name: flexvolsmb-guacamole-home
+          mountPath: /etc/guacamole
+        ports:
+          - name: ui
+            containerPort: 8080
+      - name: guacd
+        image: guacamole/guacd
+        env:
+        - name: GUACD_LOG_LEVEL
+          value: 'debug'
+        ports:
+          - name: proxy
+            containerPort: 4822
+      - name: mysql
+        image: mysql:latest
+        securityContext:
+          runAsUser: 999
+          runAsGroup: 999
+        env:
+        - name: MYSQL_RANDOM_ROOT_PASSWORD
+          value: 'true'
+        envFrom:
+        - configMapRef:
+            name: configmap-guacamole-mysql-conf
+        volumeMounts:
+        - name: flexvolsmb-guacamole-db
+          mountPath: /var/lib/mysql
+        ports:
+          - name: db
+            containerPort: 3306
+      volumes:
+      - name: flexvolsmb-guacamole-db
+        persistentVolumeClaim:
+          claimName: flexvolsmb-guacamole-db
+      - name: flexvolsmb-guacamole-home
+        persistentVolumeClaim:
+          claimName: flexvolsmb-guacamole-home
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: prepend-path-guacamole
+spec:
+  addPrefix:
+    prefix: /guacamole
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: guacamole
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`remote.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: guacamole
+      port: 8080
+    middlewares:
+      - name: prepend-path-guacamole
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-guacamole-db
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-guacamole-db
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=999,gid=999,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/guacamole/db
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-guacamole-db
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-guacamole-db
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-guacamole-home
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-guacamole-home
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=999,gid=999,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/guacamole/home
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-guacamole-home
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-guacamole-home
+  resources:
+    requests:
+      storage: 1Gi

services/Harbor/chart-values.yml

@@ -0,0 +1,42 @@
+expose:
+  ingress:
+    hosts:
+      core: registry.spamasaurus.com
+      notary: notary.spamasaurus.com
+
+externalURL: https://registry.spamasaurus.com
+
+persistence:
+  enabled: true
+  resourcePolicy: "keep"
+  persistentVolumeClaim:
+    registry:
+      existingClaim: "flexvolsmb-harbor-registry"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 5Gi
+    chartmuseum:
+      existingClaim: "flexvolsmb-harbor-chartmuseum"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 5Gi
+    jobservice:
+      existingClaim: "flexvolsmb-harbor-jobservice"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 1Gi
+    database:
+      existingClaim: "flexvolsmb-harbor-database"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 1Gi
+    redis:
+      existingClaim: "flexvolsmb-harbor-redis"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 1Gi
+    trivy:
+      existingClaim: "flexvolsmb-harbor-trivy"
+      storageClass: "-"
+      accessMode: ReadWriteMany
+      size: 1Gi

services/Harbor/ingressRoute-Harbor.yml

@@ -0,0 +1,33 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: harbor
+  namespace: harbor
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`registry.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: harbor-harbor-portal
+      namespace: harbor
+      port: 80
+    middlewares:
+      - name: security-headers@file
+  - match: Host(`registry.spamasaurus.com`) && PathPrefix(`/api/`, `/service/`, `/v2/`, `/chartrepo/`, `/c/`)
+    kind: Rule
+    services:
+    - name: harbor-harbor-core
+      namespace: harbor
+      port: 80
+    middlewares:
+      - name: security-headers@file
+  - match: Host(`notary.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: harbor-harbor-notary-server
+      namespace: harbor
+      port: 4443
+    middlewares:
+      - name: security-headers@file

services/Harbor/persistentVolumeClaim_Harbor.yml

@@ -0,0 +1,204 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-chartmuseum
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-chartmuseum
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=999,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/chartmuseum
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-chartmuseum
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-chartmuseum
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-database
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-database
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=999,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/database
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-database
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-database
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-jobservice
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-jobservice
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/jobservice
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-jobservice
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-jobservice
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-redis
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-redis
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/redis
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-redis
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-redis
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-registry
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-registry
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/registry
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-registry
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-registry
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-harbor-trivy
+  namespace: harbor
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-trivy
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=10000,gid=10000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/harbor/trivy
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-harbor-trivy
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-harbor-trivy
+  resources:
+    requests:
+      storage: 10Gi
+

services/Lighttpd/configMap_lighttpd.yml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-lighttpd-conf
+data:
+  lighttpd.conf: |
+    server.modules = (
+        "mod_access",
+        "mod_alias",
+        "mod_compress",
+        "mod_redirect",
+        "mod_rewrite",
+    )
+
+    server.document-root        = "/var/www/html"
+    server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
+    server.errorlog             = "/var/log/lighttpd/error.log"
+    server.pid-file             = "/var/run/lighttpd.pid"
+    server.username             = "www-data"
+    server.groupname            = "www-data"
+    server.port                 = 8080
+
+    index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
+    url.access-deny             = ( "~", ".inc" )
+    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+    compress.cache-dir          = "/var/cache/lighttpd/compress/"
+    compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
+
+    include_shell "/usr/share/lighttpd/create-mime.assign.pl"
+    include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
+    include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-lighttpd-vhosts
+data:
+  bessems.com.conf: |
+    $HTTP["host"] =~ "^bessems\.(com|eu)$" {
+      server.document-root = "/var/www/bessems.com/"
+    }
+  gabaldon.eu.conf: |
+    $HTTP["host"] =~ "^gabaldon\.(eu|nl)$" {
+      server.document-root = "/var/www/gabaldon.eu/"
+    }
+  sn.itch.fyi.conf: |
+    $HTTP["host"] == "sn.itch.fyi" {
+      server.document-root = "/var/www/sn.itch.fyi/"
+
+      index-file.names += ("/_h5ai/public/index.php")
+    }
+  spamasaurus.com.conf: |
+    $HTTP["host"] == "spamasaurus.com" {
+      server.document-root = "/var/www/spamasaurus.com/public"
+     }
+  sw.itch.fyi.conf: |
+    $HTTP["host"] == "sw.itch.fyi" {
+      server.document-root = "/var/www/sw.itch.fyi/"
+
+      url.rewrite-once = (
+        "^/api\?(.*)" => "index.php?page=newznabapi&$1"
+      )
+    }

services/Lighttpd/cronJob-Spotweb.yml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: cronjob-spotweb-retrievearticles
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: php-retrievearticles
+            image: php:7.4-cli
+            workingDir: /var/www/sw.itch.fyi
+            args:
+            - php
+            - /var/www/sw.itch.fyi/retrieve.php
+            volumeMounts:
+            - name: flexvolsmb-lighttpd-websites
+              mountPath: /var/www/
+          volumes:
+          - name: flexvolsmb-lighttpd-websites
+            persistentVolumeClaim:
+              claimName: flexvolsmb-lighttpd-websites
+          restartPolicy: OnFailure

services/Lighttpd/deploy-Lighttpd.yml

@@ -0,0 +1,137 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lighttpd
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 8080
+  selector:
+    app: lighttpd
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: lighttpd
+  labels:
+    app: lighttpd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lighttpd
+  template:
+    metadata:
+      labels:
+        app: lighttpd
+    spec:
+      containers:
+      - name: lighttpd-php-pwsh
+        image: djpbessems/lighttpd-php-powershell
+        ports:
+          - name: web
+            containerPort: 8080
+        volumeMounts:
+        - name: configmap-lighttpd-conf
+          mountPath: /etc/lighttpd/lighttpd.conf
+          subPath: lighttpd.conf
+        - name: configmap-lighttpd-vhosts
+          mountPath: /etc/lighttpd/vhosts.d
+        - name: flexvolsmb-lighttpd-data
+          mountPath: /data/scripts
+        - name: flexvolsmb-lighttpd-websites
+          mountPath: /var/www/
+      volumes:
+      - name: configmap-lighttpd-conf
+        configMap:
+          name: configmap-lighttpd-conf
+      - name: configmap-lighttpd-vhosts
+        configMap:
+          name: configmap-lighttpd-vhosts
+      - name: flexvolsmb-lighttpd-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-lighttpd-data
+      - name: flexvolsmb-lighttpd-websites
+        persistentVolumeClaim:
+          claimName: flexvolsmb-lighttpd-websites
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: lighttpd
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bessems.com`) || Host(`bessems.eu`) || Host(`gabaldon.eu`) || Host(`gabaldon.nl`) || Host(`sn.itch.fyi`) || Host(`sw.itch.fyi`) || Host(`spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: lighttpd
+      port: 8080
+    middlewares:
+    - name: security-headers@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-lighttpd-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-lighttpd-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/lighttpd/data
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-lighttpd-websites
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-lighttpd-websites
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/lighttpd/websites
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-lighttpd-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-lighttpd-data
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-lighttpd-websites
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-lighttpd-websites
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/WIP/deploy-NZBHydra.yml

@@ -0,0 +1,110 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nzbhydra
+  namespace: pvr
+spec:
+  type: NodePort
+  ports:
+    - protocol: TCP
+      name: web
+      port: 5076
+      nodePort: 30010
+  selector:
+    app: nzbhydra
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nzbhydra
+  namespace: pvr
+  labels:
+    app: nzbhydra
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nzbhydra
+  template:
+    metadata:
+      labels:
+        app: nzbhydra
+    spec:
+      containers:
+      - name: nzbhydra
+        image: linuxserver/nzbhydra2
+        ports:
+          - name: web
+            containerPort: 5076
+        volumeMounts:
+        - mountPath: /config
+          name: flexvolsmb-nzbhydra-config
+        - mountPath: /downloads
+          name: flexvolsmb-pvr-downloads
+          subPath: downloads
+      volumes:
+      - name: flexvolsmb-nzbhydra-config
+        persistentVolumeClaim:
+          claimName: flexvolsmb-nzbhydra-config
+      - name: flexvolsmb-pvr-downloads
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-downloads
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nzbhydra
+  namespace: pvr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`index.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: nzbhydra
+      port: 5076
+    middlewares:
+      - name: ldap-authentication@file
+      - name: security-headers@file
+  tls:
+    options:
+      name: defaults@file
+    certResolver: default
+    domains:
+    - main: '*.pvr.spamasaurus.com'
+      sans:
+        - 'pvr.spamasaurus.com'
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-nzbhydra-config
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-nzbhydra-config
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/nzbhydra/config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-nzbhydra-config
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-nzbhydra-config
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/WIP/deploy-Radarr.yml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+  namespace: pvr
+spec:
+  type: NodePort
+  ports:
+    - protocol: TCP
+      name: web
+      port: 7878
+      nodePort: 30020
+  selector:
+    app: radarr
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: pvr
+  labels:
+    app: radarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: linuxserver/radarr
+        ports:
+          - name: web
+            containerPort: 7878
+        volumeMounts:
+        - mountPath: /config
+          name: flexvolsmb-radarr-config
+        - mountPath: /movies
+          name: flexvolsmb-pvr-movies
+        - mountPath: /downloads
+          name: flexvolsmb-pvr-downloads
+          subPath: downloads
+      volumes:
+      - name: flexvolsmb-radarr-config
+        persistentVolumeClaim:
+          claimName: flexvolsmb-radarr-config
+      - name: flexvolsmb-pvr-movies
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-movies
+      - name: flexvolsmb-pvr-downloads
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-downloads
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: radarr
+  namespace: pvr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`movies.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: radarr
+      port: 7878
+    middlewares:
+      - name: ldap-authentication@file
+      - name: security-headers@file
+  tls:
+    options:
+      name: defaults@file
+    certResolver: default
+    domains:
+    - main: '*.pvr.spamasaurus.com'
+      sans:
+        - 'pvr.spamasaurus.com'
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-radarr-config
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-radarr-config
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/radarr/config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-radarr-config
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-radarr-config
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/WIP/deploy-SABnzbd.yml

@@ -0,0 +1,113 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sabnzbd
+  namespace: pvr
+spec:
+  type: NodePort
+  ports:
+    - protocol: TCP
+      name: web
+      port: 8080
+      nodePort: 30030
+  selector:
+    app: sabnzbd
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sabnzbd
+  namespace: pvr
+  labels:
+    app: sabnzbd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sabnzbd
+  template:
+    metadata:
+      labels:
+        app: sabnzbd
+    spec:
+      containers:
+      - name: sabnzbd
+        image: linuxserver/sabnzbd
+        ports:
+          - name: web
+            containerPort: 8080
+        volumeMounts:
+        - mountPath: /config
+          name: flexvolsmb-sabnzbd-config
+        - mountPath: /downloads
+          name: flexvolsmb-pvr-downloads
+          subPath: downloads
+        - mountPath: /incomplete-downloads
+          name: flexvolsmb-pvr-downloads
+          subPath: incomplete-downloads
+      volumes:
+      - name: flexvolsmb-sabnzbd-config
+        persistentVolumeClaim:
+          claimName: flexvolsmb-sabnzbd-config
+      - name: flexvolsmb-pvr-downloads
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-downloads
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: sabnzbd
+  namespace: pvr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`download.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: sabnzbd
+      port: 8080
+    middlewares:
+      - name: ldap-authentication@file
+      - name: security-headers@file
+  tls:
+    options:
+      name: defaults@file
+    certResolver: default
+    domains:
+    - main: '*.pvr.spamasaurus.com'
+      sans:
+        - 'pvr.spamasaurus.com'
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-sabnzbd-config
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-sabnzbd-config
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=911,gid=911,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/sabnzbd/config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-sabnzbd-config
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-sabnzbd-config
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/WIP/deploy-Sonarr.yml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr
+  namespace: pvr
+spec:
+  type: NodePort
+  ports:
+    - protocol: TCP
+      name: web
+      port: 8989
+      nodePort: 30040
+  selector:
+    app: sonarr
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sonarr
+  namespace: pvr
+  labels:
+    app: sonarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sonarr
+  template:
+    metadata:
+      labels:
+        app: sonarr
+    spec:
+      containers:
+      - name: sonarr
+        image: linuxserver/sonarr:preview
+        ports:
+          - name: web
+            containerPort: 8989
+        volumeMounts:
+        - mountPath: /config
+          name: flexvolsmb-sonarr-config
+        - mountPath: /tv
+          name: flexvolsmb-pvr-series
+        - mountPath: /downloads
+          name: flexvolsmb-pvr-downloads
+          subPath: downloads
+      volumes:
+      - name: flexvolsmb-sonarr-config
+        persistentVolumeClaim:
+          claimName: flexvolsmb-sonarr-config
+      - name: flexvolsmb-pvr-series
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-series
+      - name: flexvolsmb-pvr-downloads
+        persistentVolumeClaim:
+          claimName: flexvolsmb-pvr-downloads
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: sonarr
+  namespace: pvr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`series.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: sonarr
+      port: 8989
+    middlewares:
+      - name: ldap-authentication@file
+      - name: security-headers@file
+  tls:
+    options:
+      name: defaults@file
+    certResolver: default
+    domains:
+    - main: '*.pvr.spamasaurus.com'
+      sans:
+        - 'pvr.spamasaurus.com'
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-sonarr-config
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-sonarr-config
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,uid=1000,gid=1000,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/sonarr/config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-sonarr-config
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-sonarr-config
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/WIP/persistentVolumeClaim_shared.yml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-pvr-downloads
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-downloads
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
+      server: 192.168.11.225
+      share: /Volatile/downloads
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-pvr-downloads
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-downloads
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-pvr-movies
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-movies
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
+      server: 192.168.11.225
+      share: /Public/Video's/Films
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-pvr-movies
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-movies
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-pvr-series
+  namespace: pvr
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-series
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,cache=none
+      server: 192.168.11.225
+      share: /Public/Video's/Series
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-pvr-series
+  namespace: pvr
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-pvr-series
+  resources:
+    requests:
+      storage: 1Gi

services/PVR/deploy-PVR.yml

@@ -0,0 +1,147 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nzbhydra
+spec:
+  ports:
+    - protocol: TCP
+      port: 5076
+      targetPort: 5076
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: nzbhydra
+subsets:
+  - addresses:
+      - ip: 192.168.11.242
+    ports:
+      - port: 5076
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nzbhydra
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`index.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+      - name: nzbhydra
+        port: 5076
+    middlewares:
+      - name: 2fa-authentication@file
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+spec:
+  ports:
+    - protocol: TCP
+      port: 7878
+      targetPort: 7878
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: radarr
+subsets:
+  - addresses:
+      - ip: 192.168.11.242
+    ports:
+      - port: 7878
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: radarr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`movies.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+      - name: radarr
+        port: 7878
+    middlewares:
+      - name: 2fa-authentication@file
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sabnzbd
+spec:
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: sabnzbd
+subsets:
+  - addresses:
+      - ip: 192.168.11.242
+    ports:
+      - port: 8080
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: sabnzbd
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`download.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+      - name: sabnzbd
+        port: 8080
+    middlewares:
+      - name: 2fa-authentication@file
+      - name: security-headers@file
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr
+spec:
+  ports:
+    - protocol: TCP
+      port: 8989
+      targetPort: 8989
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: sonarr
+subsets:
+  - addresses:
+      - ip: 192.168.11.242
+    ports:
+      - port: 8989
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: sonarr
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`series.pvr.spamasaurus.com`)
+    kind: Rule
+    services:
+      - name: sonarr
+        port: 8989
+    middlewares:
+      - name: 2fa-authentication@file
+      - name: security-headers@file

services/Shaarli/deploy-Shaarli.yml

@@ -0,0 +1,134 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: shaarli
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 80
+  selector:
+    app: shaarli
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: shaarli
+  labels:
+    app: shaarli
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: shaarli
+  template:
+    metadata:
+      labels:
+        app: shaarli
+    spec:
+      containers:
+      - name: shaarli
+        image: shaarli/shaarli
+        ports:
+          - name: web
+            containerPort: 80
+        volumeMounts:
+        - mountPath: /var/www/shaarli/cache
+          name: flexvolsmb-shaarli-cache
+        - mountPath: /var/www/shaarli/data
+          name: flexvolsmb-shaarli-data
+      volumes:
+      - name: flexvolsmb-shaarli-cache
+        persistentVolumeClaim:
+          claimName: flexvolsmb-shaarli-cache
+      - name: flexvolsmb-shaarli-data
+        persistentVolumeClaim:
+          claimName: flexvolsmb-shaarli-data
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: shaarli
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`p.itch.fyi`)
+    kind: Rule
+    services:
+    - name: shaarli
+      port: 80
+    middlewares:
+    - name: security-headers@file
+#  tls:
+#    options:
+#      name: defaults@file
+#    certResolver: default
+#    domains:
+#    - main: '*.itch.fyi'
+#      sans:
+#        - 'itch.fyi'
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-shaarli-cache
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-shaarli-cache
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/shaarli/cache
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-shaarli-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-shaarli-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/shaarli/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-shaarli-cache
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-shaarli-cache
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-shaarli-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-shaarli-data
+  resources:
+    requests:
+      storage: 1Gi

services/Theia/deploy-Theia.yml

@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: theia
+spec:
+  ports:
+    - protocol: TCP
+      name: web
+      port: 3000
+  selector:
+    app: theia
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: theia
+  labels:
+    app: theia
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: theia
+  template:
+    metadata:
+      labels:
+        app: theia
+    spec:
+      containers:
+      - name: theia
+        image: theiaide/theia-full
+        ports:
+          - name: web
+            containerPort: 3000
+        volumeMounts:
+        - mountPath: /home/project/websites
+          name: flexvolsmb-theia-websites
+        - mountPath: /home/project
+          name: flexvolsmb-theia-workspace
+      volumes:
+      - name: flexvolsmb-theia-websites
+        persistentVolumeClaim:
+          claimName: flexvolsmb-theia-websites
+      - name: flexvolsmb-theia-workspace
+        persistentVolumeClaim:
+          claimName: flexvolsmb-theia-workspace
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: theia
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`ide.spamasaurus.com`)
+    kind: Rule
+    services:
+    - name: theia
+      port: 3000
+    middlewares:
+      - name: security-headers@file
+      - name: 2fa-authentication@file
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-theia-websites
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-theia-websites
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+#      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/lighttpd/websites
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-theia-websites
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-theia-websites
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-theia-workspace
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-theia-workspace
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8
+      server: 192.168.11.225
+      share: /K3s.Volumes/theia/workspace
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-theia-workspace
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-theia-workspace
+  resources:
+    requests:
+      storage: 1Gi

services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-certs-dumper
+  labels:
+    app: traefik-certs-dumper
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-certs-dumper
+  template:
+    metadata:
+      labels:
+        app: traefik-certs-dumper
+    spec:
+      containers:
+      - name: traefik-certs-dumper
+        image: ldez/traefik-certs-dumper:latest-amd64
+        command: ['traefik-certs-dumper', 'file']
+        args: 
+        - --watch
+        - --version=v2
+        - --source=/data/source/acme.json
+        - --dest=/data/export/
+        - --domain-subdir
+        volumeMounts:
+        - mountPath: /data/source/acme.json
+          name: flexvolsmb-traefikcertsdumper-acmejson
+          subPath: acme.json
+          readOnly: true
+        - mountPath: /data/export
+          name: flexvolsmb-traefikcertsdumper-export
+      volumes:
+      - name: flexvolsmb-traefikcertsdumper-acmejson
+        persistentVolumeClaim:
+          claimName: flexvolsmb-traefikcertsdumper-acmejson
+      - name: flexvolsmb-traefikcertsdumper-export
+        persistentVolumeClaim:
+          claimName: flexvolsmb-traefikcertsdumper-export
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-traefikcertsdumper-acmejson
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefikcertsdumper-acmejson
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/traefik/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-traefikcertsdumper-acmejson
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefikcertsdumper-acmejson
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-traefikcertsdumper-export
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefikcertsdumper-export
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+    options:
+      opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/traefikcertsdumper/export
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flexvolsmb-traefikcertsdumper-export
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefikcertsdumper-export
+  resources:
+    requests:
+      storage: 1Gi

services/Vault/chart-values.yml

@@ -0,0 +1,10 @@
+server:
+  dataStorage:
+    enabled: true
+    size: 1Gi
+    storageClass: flexvolsmb-vault-data
+    accessMode: ReadWriteMany
+  priorityClassName: system-cluster-critical
+
+ui:
+  enabled: true

services/Vault/ingressRoute_Vault.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault
+  namespace: vault
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`secure.spamasaurus.com`)
+      kind: Rule
+      services:
+        - name: vault
+          namespace: vault
+          port: 8200
+      middlewares:
+#        - name: ldap-authentication@file
+        - name: security-headers@file

services/Vault/persistentVolume_Vault.yml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-vault-data
+  namespace: vault
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-vault-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=100,gid=1000,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/vault/data
+---
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+#  name: data-vault-0
+#  namespace: vault
+#spec:
+#  accessModes:
+#    - ReadWriteMany
+#  storageClassName: flexvolsmb-vault-data
+#  resources:
+#    requests:
+#      storage: 1Gi

storage/Longhorn/README.md

@@ -0,0 +1,32 @@
+### Persistent Storage
+Manifest for [Longhorn](https://github.com/longhorn/longhorn):
+```
+curl -Ls https://raw.githubusercontent.com/longhorn/longhorn/master/deploy/longhorn.yaml -o storage/Longhorn/deploy-Longhorn.yaml
+sed -e 's/LoadBalancer/ClusterIP/' -i storage/Longhorn/deploy-Longhorn.yaml
+kubectl apply -f storage/Longhorn/deploy-Longhorn.yaml
+```
+##### `IngressRoute` for Longhorn's dashboard:
+```
+kubectl apply -f storage/Longhorn/ingressRoute-Longhorn.yaml
+```
+##### `storageClass` with backup schedule:
+After specifying a NFS backup target (syntax: `nfs://servername:/path/to/share`) through Longhorn's dashboard, create a new `storageClass` with backup schedule:
+```
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-dailybackup
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880"
+  fromBackup: ""
+  recurringJobs: '[{"name":"backup", "task":"backup", "cron":"0 0 * * *", "retain":14}]'
+```
+Then make this the new default `storageClass`:
+```
+kubectl patch storageclass longhorn-dailybackup -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+kubectl delete storageclass longhorn
+```

storage/Longhorn/deploy-Longhorn.yml

@@ -0,0 +1,431 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: longhorn-service-account
+  namespace: longhorn-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: longhorn-role
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - "*"
+- apiGroups: [""]
+  resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets", "statefulsets", "deployments"]
+  verbs: ["*"]
+- apiGroups: ["batch"]
+  resources: ["jobs", "cronjobs"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses", "volumeattachments", "csinodes", "csidrivers"]
+  verbs: ["*"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: ["longhorn.io"]
+  resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",
+              "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status"]
+  verbs: ["*"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["*"]
+# to be removed after v0.7.0
+- apiGroups: ["longhorn.rancher.io"]
+  resources: ["volumes", "engines", "replicas", "settings", "engineimages", "nodes", "instancemanagers"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: longhorn-bind
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: longhorn-role
+subjects:
+- kind: ServiceAccount
+  name: longhorn-service-account
+  namespace: longhorn-system
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: Engine
+  name: engines.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: Engine
+    listKind: EngineList
+    plural: engines
+    shortNames:
+    - lhe
+    singular: engine
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: Replica
+  name: replicas.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: Replica
+    listKind: ReplicaList
+    plural: replicas
+    shortNames:
+    - lhr
+    singular: replica
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: Setting
+  name: settings.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: Setting
+    listKind: SettingList
+    plural: settings
+    shortNames:
+    - lhs
+    singular: setting
+  scope: Namespaced
+  version: v1beta1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: Volume
+  name: volumes.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: Volume
+    listKind: VolumeList
+    plural: volumes
+    shortNames:
+    - lhv
+    singular: volume
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: EngineImage
+  name: engineimages.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: EngineImage
+    listKind: EngineImageList
+    plural: engineimages
+    shortNames:
+    - lhei
+    singular: engineimage
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: Node
+  name: nodes.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: Node
+    listKind: NodeList
+    plural: nodes
+    shortNames:
+    - lhn
+    singular: node
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    longhorn-manager: InstanceManager
+  name: instancemanagers.longhorn.io
+spec:
+  group: longhorn.io
+  names:
+    kind: InstanceManager
+    listKind: InstanceManagerList
+    plural: instancemanagers
+    shortNames:
+    - lhim
+    singular: instancemanager
+  scope: Namespaced
+  version: v1beta1
+  subresources:
+    status: {}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: longhorn-default-setting
+  namespace: longhorn-system
+data:
+  default-setting.yaml: |-
+    backup-target:
+    backup-target-credential-secret:
+    create-default-disk-labeled-nodes:
+    default-data-path:
+    replica-soft-anti-affinity:
+    storage-over-provisioning-percentage:
+    storage-minimal-available-percentage:
+    upgrade-checker:
+    default-replica-count:
+    guaranteed-engine-cpu:
+    default-longhorn-static-storage-class:
+    backupstore-poll-interval:
+    taint-toleration:
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: longhorn-manager
+  name: longhorn-manager
+  namespace: longhorn-system
+spec:
+  selector:
+    matchLabels:
+      app: longhorn-manager
+  template:
+    metadata:
+      labels:
+        app: longhorn-manager
+    spec:
+      containers:
+      - name: longhorn-manager
+        image: longhornio/longhorn-manager:v0.7.0
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+        command:
+        - longhorn-manager
+        - -d
+        - daemon
+        - --engine-image
+        - longhornio/longhorn-engine:v0.7.0
+        - --manager-image
+        - longhornio/longhorn-manager:v0.7.0
+        - --service-account
+        - longhorn-service-account
+        ports:
+        - containerPort: 9500
+        volumeMounts:
+        - name: dev
+          mountPath: /host/dev/
+        - name: proc
+          mountPath: /host/proc/
+        - name: varrun
+          mountPath: /var/run/
+        - name: longhorn
+          mountPath: /var/lib/rancher/longhorn/
+          mountPropagation: Bidirectional
+        - name: longhorn-default-setting
+          mountPath: /var/lib/longhorn-setting/
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        # Should be: mount path of the volume longhorn-default-setting + the key of the configmap data in 04-default-setting.yaml
+        - name: DEFAULT_SETTING_PATH
+          value: /var/lib/longhorn-setting/default-setting.yaml
+      volumes:
+      - name: dev
+        hostPath:
+          path: /dev/
+      - name: proc
+        hostPath:
+          path: /proc/
+      - name: varrun
+        hostPath:
+          path: /var/run/
+      - name: longhorn
+        hostPath:
+          path: /var/lib/rancher/longhorn/
+      - name: longhorn-default-setting
+        configMap:
+          name: longhorn-default-setting
+      serviceAccountName: longhorn-service-account
+---
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    app: longhorn-manager
+  name: longhorn-backend
+  namespace: longhorn-system
+spec:
+  selector:
+    app: longhorn-manager
+  ports:
+  - port: 9500
+    targetPort: 9500
+  sessionAffinity: ClientIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: longhorn-ui
+  name: longhorn-ui
+  namespace: longhorn-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: longhorn-ui
+  template:
+    metadata:
+      labels:
+        app: longhorn-ui
+    spec:
+      containers:
+      - name: longhorn-ui
+        image: longhornio/longhorn-ui:v0.7.0
+        ports:
+        - containerPort: 8000
+        env:
+          - name: LONGHORN_MANAGER_IP
+            value: "http://longhorn-backend:9500"
+      serviceAccountName: longhorn-service-account
+---
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    app: longhorn-ui
+  name: longhorn-frontend
+  namespace: longhorn-system
+spec:
+  selector:
+    app: longhorn-ui
+  ports:
+  - port: 80
+    targetPort: 8000
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: longhorn-driver-deployer
+  namespace: longhorn-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: longhorn-driver-deployer
+  template:
+    metadata:
+      labels:
+        app: longhorn-driver-deployer
+    spec:
+      initContainers:
+        - name: wait-longhorn-manager
+          image: longhornio/longhorn-manager:v0.7.0
+          command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done']
+      containers:
+        - name: longhorn-driver-deployer
+          image: longhornio/longhorn-manager:v0.7.0
+          imagePullPolicy: Always
+          command:
+          - longhorn-manager
+          - -d
+          - deploy-driver
+          - --manager-image
+          - longhornio/longhorn-manager:v0.7.0
+          - --manager-url
+          - http://longhorn-backend:9500/v1
+          # manually set root directory for csi
+          #- --kubelet-root-dir
+          #- /var/lib/rancher/k3s/agent/kubelet
+          # manually specify number of CSI attacher replicas
+          #- --csi-attacher-replica-count
+          #- "3"
+          # manually specify number of CSI provisioner replicas
+          #- --csi-provisioner-replica-count
+          #- "3"
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+      serviceAccountName: longhorn-service-account
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn
+provisioner: driver.longhorn.io
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+#  diskSelector: "ssd,fast"
+#  nodeSelector: "storage,fast"
+#  recurringJobs: '[{"name":"snap", "task":"snapshot", "cron":"*/1 * * * *", "retain":1},
+#                   {"name":"backup", "task":"backup", "cron":"*/2 * * * *", "retain":1,
+#                    "labels": {"interval":"2m"}}]'
+---

storage/Longhorn/ingressRoute_longhorn-dashboard.yml

@@ -0,0 +1,23 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-dashboard
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`storage.k3s.spamasaurus.com`)
+      kind: Rule
+      services:
+        - name: longhorn-frontend
+          port: 80
+          namespace: longhorn-system
+  tls:
+    options:
+      name: default
+    certResolver: default
+    domains:
+    - main: '*.k3s.spamasaurus.com'
+      sans:
+      - 'k3s.spamasaurus.com'

storage/flexVolSMB/daemonSet-flexVolSMB.yml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: juliohm-cifs-volumedriver-installer
+spec:
+  selector:
+    matchLabels:
+      app: juliohm-cifs-volumedriver-installer
+  template:
+    metadata:
+      name: juliohm-cifs-volumedriver-installer
+      labels:
+        app: juliohm-cifs-volumedriver-installer
+    spec:
+      containers:
+        - image: juliohm/kubernetes-cifs-volumedriver-installer:2.0
+          name: flex-deploy
+          imagePullPolicy: Always
+          env:
+            - name: VENDOR
+              value: mount
+            - name: DRIVER
+              value: smb
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /flexmnt
+              name: flexvolume-mount
+      volumes:
+        - name: flexvolume-mount
+          hostPath:
+            path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/

system/RolloutRestart/cronjob-RolloutRestart.yml

@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubectl-rolloutrestart
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubectl-rolloutrestart
+  namespace: default
+rules:
+  - apiGroups: ["apps", "extensions"]
+    resources: ["deployments"]
+#    verbs: ["get", "patch", "list", "watch"]
+    verbs: ["get", "list", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubectl-rolloutrestart
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubectl-rolloutrestart
+subjects:
+  - kind: ServiceAccount
+    name: kubectl-rolloutrestart
+    namespace: default
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: kubectl-rolloutrestart
+  namespace: default
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  schedule: '30 2 * * *'
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      activeDeadlineSeconds: 600
+      template:
+        spec:
+          serviceAccountName: kubectl-rolloutrestart
+          restartPolicy: Never
+          containers:
+            - name: kubectl
+              image: bitnami/kubectl
+              command:
+                - 'bash'
+                - '-c'
+                - 'for deploy in `kubectl get deployments | cut -d " " -f 1`; do kubectl rollout restart deployment $deploy; done'

system/UpgradeController/plan-Agent.yml

@@ -0,0 +1,21 @@
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: agent-plan
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/master
+      operator: DoesNotExist
+  prepare:
+    args:
+    - prepare
+    - server-plan
+    image: rancher/k3s-upgrade:v1.18.6-k3s1
+  serviceAccountName: system-upgrade
+  upgrade:
+    image: rancher/k3s-upgrade
+  channel: https://update.k3s.io/v1-release/channels/stable

system/UpgradeController/plan-Server.yml

@@ -0,0 +1,18 @@
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: server-plan
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/master
+      operator: In
+      values:
+      - "true"
+  serviceAccountName: system-upgrade
+  upgrade:
+    image: rancher/k3s-upgrade
+  channel: https://update.k3s.io/v1-release/channels/stable