Pulling out more config, secrets
All checks were successful
Lint / lint (push) Successful in 38s

Gabriel Simmer 2024-07-07 00:33:01 +01:00
parent 7ac99af974
commit 25d061877c
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
24 changed files with 557 additions and 155 deletions

4
.gitignore vendored

@ -43,4 +43,6 @@ result
.direnv/ .direnv/
.env .env
plan.out plan.out
config.tf.json config.tf.json
**/charts


@ -1,14 +1,21 @@
apiVersion: secrets.hashicorp.com/v1beta1 apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret kind: VaultDynamicSecret
metadata: metadata:
name: postgres-atuin name: postgres-atuin
namespace: atuin namespace: atuin
spec: spec:
allowStaticCreds: true
destination: destination:
create: true create: true
name: postgres-atuin name: postgres-atuin
mount: kv transformation:
path: atuin/postgres-atuin templates:
ATUIN_DB_URI:
text: postgres://{{ .Secrets.username }}:{{ .Secrets.password }}@192.168.50.236/atuin
mount: database
path: static-creds/atuin
refreshAfter: 30s refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault vaultAuthRef: vault
rolloutRestartTargets:
- name: atuin
kind: Deployment
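Review bot: The new `transformation` block adds `ATUIN_DB_URI` but sets neither `excludeRaw` nor `excludes`, so the destination Secret presumably still carries the source `username` and `password` fields and the `_raw` response next to the rendered URI. Adding `excludeRaw: true` and an `excludes` list for the source fields under `transformation` would keep the Secret to the one key the pod needs. The template also places `.Secrets.password` into a URI unescaped, so a rotated password containing `@`, `/` or `:` would produce a URI that fails to parse; confirm the password policy behind `static-creds/atuin` is URL-safe. Both points apply equally to the `postgres-vaultwarden` VaultDynamicSecret added later in this commit.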


@ -19,18 +19,17 @@ spec:
- server - server
- start - start
env: env:
- name: ATUIN_DB_URI
valueFrom:
secretKeyRef:
name: postgres-atuin
key: uri
optional: false
- name: ATUIN_HOST - name: ATUIN_HOST
value: 0.0.0.0 value: 0.0.0.0
- name: ATUIN_PORT - name: ATUIN_PORT
value: "8888" value: "8888"
- name: ATUIN_OPEN_REGISTRATION - name: ATUIN_OPEN_REGISTRATION
value: "false" value: "false"
- name: RUST_LOG
value: "info,atuin_server=debug"
envFrom:
- secretRef:
name: postgres-atuin
image: ghcr.io/atuinsh/atuin:v18.2.0 image: ghcr.io/atuinsh/atuin:v18.2.0
name: atuin name: atuin
ports: ports:
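Review bot: `envFrom` with `secretRef: postgres-atuin` imports every key of that Secret into the container environment, whereas the removed `secretKeyRef` exposed exactly one value. A single `env` entry for `ATUIN_DB_URI` with `secretKeyRef` and `key: ATUIN_DB_URI` keeps the narrower exposure. The added `RUST_LOG` value `info,atuin_server=debug` deserves a comment saying whether it is temporary, since debug output from a process holding a credentialed database URI may record connection details (not verified here). The container spec continues past the end of the hunk.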


@ -81,43 +81,3 @@ spec:
podMetricsEndpoints: podMetricsEndpoints:
- port: metrics - port: metrics
interval: 30s interval: 30s
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cloudflared
namespace: cloudflare
data:
config.yaml: |
tunnel: new-homelab
credentials-file: /etc/cloudflared/creds/credentials.json
metrics: 0.0.0.0:2000
no-autoupdate: true
warp-routing:
enabled: true
ingress:
- hostname: photos.gmem.ca
service: https://homelab.gmem.ca
- hostname: pw.gmem.ca
service: https://homelab.gmem.ca
- hostname: authentik.gmem.ca
service: https://homelab.gmem.ca
- hostname: nitter.gmem.ca
service: https://homelab.gmem.ca
- hostname: git.gmem.ca
service: https://homelab.gmem.ca
- hostname: proxmox.gmem.ca
service: https://homelab.gmem.ca
- hostname: tokyo.gmem.ca
service: https://homelab.gmem.ca
- hostname: ibiza.gmem.ca
service: https://homelab.gmem.ca
- hostname: chat.gmem.ca
service: https://homelab.gmem.ca
- hostname: paste.gmem.ca
service: https://homelab.gmem.ca
- hostname: e6.gmem.ca
service: https://homelab.gmem.ca
- hostname: minecraft-invites.gmem.ca
service: https://homelab.gmem.ca
- service: http_status:404


@ -0,0 +1,32 @@
tunnel: new-homelab
credentials-file: /etc/cloudflared/creds/credentials.json
metrics: 0.0.0.0:2000
no-autoupdate: true
warp-routing:
enabled: true
ingress:
- hostname: photos.gmem.ca
service: https://homelab.gmem.ca
- hostname: pw.gmem.ca
service: https://homelab.gmem.ca
- hostname: authentik.gmem.ca
service: https://homelab.gmem.ca
- hostname: nitter.gmem.ca
service: https://homelab.gmem.ca
- hostname: git.gmem.ca
service: https://homelab.gmem.ca
- hostname: proxmox.gmem.ca
service: https://homelab.gmem.ca
- hostname: tokyo.gmem.ca
service: https://homelab.gmem.ca
- hostname: ibiza.gmem.ca
service: https://homelab.gmem.ca
- hostname: chat.gmem.ca
service: https://homelab.gmem.ca
- hostname: paste.gmem.ca
service: https://homelab.gmem.ca
- hostname: e6.gmem.ca
service: https://homelab.gmem.ca
- hostname: minecraft-invites.gmem.ca
service: https://homelab.gmem.ca
- service: http_status:404


@ -1,4 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cloudflare
resources:
- cloudflared.yaml
- VaultAuth.yaml
- VaultStaticSecret-tunnel-credentials.yaml
- VaultStaticSecret-cloudflare-exporter.yaml
configMapGenerator:
- name: cloudflared
files:
- config.yaml
helmCharts: helmCharts:
- kubeVersion: '1.30' - kubeVersion: '1.30'
name: cloudflare-exporter name: cloudflare-exporter
@ -13,10 +27,3 @@ helmCharts:
labels: labels:
release: prometheus release: prometheus
version: 0.2.1 version: 0.2.1
kind: Kustomization
namespace: cloudflare
resources:
- cloudflared.yml
- VaultAuth.yaml
- VaultStaticSecret-tunnel-credentials.yaml
- VaultStaticSecret-cloudflare-exporter.yaml


@ -20,10 +20,7 @@ spec:
containers: containers:
- env: - env:
- name: PGDATABASE - name: PGDATABASE
valueFrom: value: soju
secretKeyRef:
key: dbname
name: postgres-soju
- name: PGHOST - name: PGHOST
value: 192.168.50.236 value: 192.168.50.236
- name: PGPASSWORD - name: PGPASSWORD
@ -34,7 +31,7 @@ spec:
- name: PGUSER - name: PGUSER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user key: username
name: postgres-soju name: postgres-soju
image: git.gmem.ca/arch/soju:s3 image: git.gmem.ca/arch/soju:s3
imagePullPolicy: Always imagePullPolicy: Always


@ -1,14 +1,18 @@
apiVersion: secrets.hashicorp.com/v1beta1 apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret kind: VaultDynamicSecret
metadata: metadata:
name: postgres-soju name: postgres-soju
namespace: irc namespace: soju
spec: spec:
allowStaticCreds: true
destination: destination:
create: true create: true
name: postgres-soju name: postgres-soju
mount: kv transformation:
path: irc/postgres-soju mount: database
path: static-creds/soju
refreshAfter: 30s refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault vaultAuthRef: vault
rolloutRestartTargets:
- name: soju
kind: Deployment
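Review bot: `transformation:` under `destination` has no children here, so it parses as null; unlike the atuin resource there are no `templates`, so either drop the key or give it content such as `excludeRaw: true`. `metadata.namespace` also changes from `irc` to `soju`, and the destination Secret and the `rolloutRestartTargets` Deployment `soju` only work if the Deployment reading `postgres-soju` runs in that same namespace. That Deployment's namespace is not visible in this commit, so it should be confirmed before merging.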


@ -0,0 +1,238 @@
apiVersion: v1
data:
DB_HOST: 192.168.50.236
DB_TYPE: postgres
DB_USER: jellyseerr
settings.json: |
{
"clientId": "a54f0b33-d4d3-4c23-962f-8cd912e9c19d",
"vapidPrivate": "j85uoYz8PoOdcFsZ15ePwqpJ2CqSB5BM_9wrdzDR2Oc",
"vapidPublic": "BCohD75wkSzbTF4WTLCWgQc7gstxaXVOlZ1SSjsGnloqsjdSrMr3FG_pM6l4YkiC710yhKRxtdIeD3BWLlU2YGY",
"main": {
"apiKey": "MTcxNDMxNzE2NDkyMGMyODczOWFkLWY2OTgtNGZmYy04NmUzLTg0YjVkZjhhNTQ5NA==",
"applicationTitle": "Jellyseerr",
"applicationUrl": "",
"csrfProtection": false,
"cacheImages": false,
"defaultPermissions": 32,
"defaultQuotas": {
"movie": {},
"tv": {}
},
"hideAvailable": false,
"localLogin": true,
"newPlexLogin": true,
"region": "",
"originalLanguage": "",
"trustProxy": false,
"mediaServerType": 1,
"partialRequestsEnabled": true,
"locale": "en"
},
"plex": {
"name": "vancouver",
"ip": "192-168-50-229.9fbcf035272d41dfa381c69090233d0c.plex.direct",
"port": 32400,
"useSsl": true,
"libraries": [
{
"id": "1",
"name": "Movies",
"enabled": true,
"type": "movie",
"lastScan": 1714317300613
},
{
"id": "2",
"name": "TV Shows",
"enabled": true,
"type": "show",
"lastScan": 1714317300676
}
],
"machineId": "b719ba766ebd77c763e95b5a9ae3cb818f7da290"
},
"jellyfin": {
"name": "",
"hostname": "",
"externalHostname": "",
"jellyfinForgotPasswordUrl": "",
"libraries": [],
"serverId": ""
},
"tautulli": {},
"radarr": [
{
"name": "Radarr",
"hostname": "192.168.50.187",
"port": 7878,
"apiKey": "2818686b8ed44f878bd964512fc6a183",
"useSsl": false,
"baseUrl": "",
"activeProfileId": 4,
"activeProfileName": "HD-1080p",
"activeDirectory": "/media/movies",
"is4k": false,
"minimumAvailability": "released",
"tags": [],
"isDefault": true,
"syncEnabled": false,
"preventSearch": false,
"tagRequests": true,
"id": 0
}
],
"sonarr": [
{
"name": "Sonarr",
"hostname": "192.168.50.187",
"port": 8989,
"apiKey": "5d8fa991e831479f97dd03cc7532a697",
"useSsl": false,
"baseUrl": "",
"activeProfileId": 4,
"activeLanguageProfileId": 1,
"activeProfileName": "HD-1080p",
"activeDirectory": "/media/tvshows",
"tags": [],
"animeTags": [],
"is4k": false,
"isDefault": true,
"enableSeasonFolders": false,
"syncEnabled": false,
"preventSearch": false,
"tagRequests": true,
"id": 0
}
],
"public": {
"initialized": true
},
"notifications": {
"agents": {
"email": {
"enabled": false,
"options": {
"userEmailRequired": false,
"emailFrom": "",
"smtpHost": "",
"smtpPort": 587,
"secure": false,
"ignoreTls": false,
"requireTls": false,
"allowSelfSigned": false,
"senderName": "Jellyseerr"
}
},
"discord": {
"enabled": false,
"types": 0,
"options": {
"webhookUrl": "",
"enableMentions": true
}
},
"lunasea": {
"enabled": false,
"types": 0,
"options": {
"webhookUrl": ""
}
},
"slack": {
"enabled": false,
"types": 0,
"options": {
"webhookUrl": ""
}
},
"telegram": {
"enabled": false,
"types": 0,
"options": {
"botAPI": "",
"chatId": "",
"sendSilently": false
}
},
"pushbullet": {
"enabled": false,
"types": 0,
"options": {
"accessToken": ""
}
},
"pushover": {
"enabled": false,
"types": 0,
"options": {
"accessToken": "",
"userToken": "",
"sound": ""
}
},
"webhook": {
"enabled": false,
"types": 0,
"options": {
"webhookUrl": "",
"jsonPayload": "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"
}
},
"webpush": {
"enabled": false,
"options": {}
},
"gotify": {
"enabled": false,
"types": 0,
"options": {
"url": "",
"token": ""
}
}
}
},
"jobs": {
"plex-recently-added-scan": {
"schedule": "0 */5 * * * *"
},
"plex-full-scan": {
"schedule": "0 0 3 * * *"
},
"plex-watchlist-sync": {
"schedule": "0 */10 * * * *"
},
"radarr-scan": {
"schedule": "0 0 4 * * *"
},
"sonarr-scan": {
"schedule": "0 30 4 * * *"
},
"availability-sync": {
"schedule": "0 0 5 * * *"
},
"download-sync": {
"schedule": "0 * * * * *"
},
"download-sync-reset": {
"schedule": "0 0 1 * * *"
},
"jellyfin-recently-added-scan": {
"schedule": "0 */5 * * * *"
},
"jellyfin-full-scan": {
"schedule": "0 0 3 * * *"
},
"image-cache-cleanup": {
"schedule": "0 0 5 * * *"
}
}
}
kind: ConfigMap
metadata:
creationTimestamp: "2024-05-02T22:13:49Z"
name: jellyseerr
namespace: jellyseerr
resourceVersion: "6982"
uid: 00bf4e51-4a34-46b5-8e5c-1bdd957f5bb5
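Review bot: `settings.json` is committed in a plain ConfigMap with what look like live credentials, namely `vapidPrivate`, `main.apiKey` and the `apiKey` entries under `radarr` and `sonarr`, which works against the commit's stated aim of pulling secrets out. Once pushed these values should be treated as disclosed and rotated, and the file delivered as a Secret sourced from Vault (this app's kustomization already lists a VaultStaticSecret) rather than a ConfigMap. `"csrfProtection": false` is worth a comment explaining why it is acceptable for this deployment. The `metadata` block still carries the server-populated `creationTimestamp`, `resourceVersion` and `uid`, which suggests a cluster export; those fields should be dropped from the manifest.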


@ -6,3 +6,4 @@ resources:
- Ingress-jellyseerr.yaml - Ingress-jellyseerr.yaml
- VaultAuth.yaml - VaultAuth.yaml
- VaultStaticSecret-jellyseerr.yaml - VaultStaticSecret-jellyseerr.yaml
- ConfigMap-jellyseerr.yaml


@ -0,0 +1,8 @@
apiVersion: v1
data:
NITTER_EXTERNAL_URL: https://nitter.gmem.ca
NITTER_URL: http://nitter:8080
kind: ConfigMap
metadata:
name: nitter-bot
namespace: nitter


@ -0,0 +1,103 @@
apiVersion: v1
data:
nitter-ro.conf: |
[Server]
hostname = "nitter.gmem.ca" # for generating links, change this to your own domain/ip
title = "nitter.gmem.ca"
address = "0.0.0.0"
port = 8081
https = false # disable to enable cookies when not using https
httpMaxConnections = 100
staticDir = "./public"
readOnly = true
[Cache]
listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
rssMinutes = 10 # how long to cache rss queries
redisHost = "nitter-redis-master" # Change to "nitter-redis" if using docker-compose
redisPort = 6379
redisPassword = ""
redisConnections = 20 # minimum open connections in pool
redisMaxConnections = 30
# new connections are opened when none are available, but if the pool size
# goes above this, they're closed when released. don't worry about this unless
# you receive tons of requests per second
[Config]
hmacKey = "66c3d14a0576c2c0fb723a2193f8f7a49f8f70a87c4e3b5b278cafa988cd3df25f92dc6d59fe2e44ca0316f850df4d42849833ebd3fbf2dba07479b20ebb543e" # random key for cryptographic signing of video urls
base64Media = false # use base64 encoding for proxied media urls
enableRSS = true # set this to false to disable RSS feeds
enableDebug = false # enable request logs and debug endpoints (/.tokens)
proxy = "" # http/https url, SOCKS proxies are not supported
proxyAuth = ""
tokenCount = 10
# minimum amount of usable tokens. tokens are used to authorize API requests,
# but they expire after ~1 hour, and have a limit of 500 requests per endpoint.
# the limits reset every 15 minutes, and the pool is filled up so there's
# always at least `tokenCount` usable tokens. only increase this if you receive
# major bursts all the time and don't have a rate limiting setup via e.g. nginx
# cookieHeader = "ct0=a5239634ecfbbdfe8c4826016062b7c1d3f5db7f5ccf45898d854739541810865323f2535c504bcd4f3907ee888379b02871a4fa78abace77c6f155c515740e99fb8add35bcd38ac534927e6c5744ba2; auth_token=cd6e00f611df987100a886885b019a3c6b575c97" # authentication cookie of a logged in account, required for the likes tab and NSFW content
# xCsrfToken = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # required for the likes tab and NSFW content
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = "nitter.gmem.ca"
replaceYouTube = "piped.video"
replaceReddit = "teddit.net"
proxyVideos = false
hlsPlayback = true
infiniteScroll = true
nitter.conf: |
[Server]
hostname = "nitter.gmem.ca" # for generating links, change this to your own domain/ip
title = "nitter.gmem.ca"
address = "0.0.0.0"
port = 8080
https = false # disable to enable cookies when not using https
httpMaxConnections = 100
staticDir = "./public"
[Cache]
listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
rssMinutes = 10 # how long to cache rss queries
redisHost = "nitter-redis-master" # Change to "nitter-redis" if using docker-compose
redisPort = 6379
redisPassword = ""
redisConnections = 20 # minimum open connections in pool
redisMaxConnections = 30
# new connections are opened when none are available, but if the pool size
# goes above this, they're closed when released. don't worry about this unless
# you receive tons of requests per second
[Config]
hmacKey = "66c3d14a0576c2c0fb723a2193f8f7a49f8f70a87c4e3b5b278cafa988cd3df25f92dc6d59fe2e44ca0316f850df4d42849833ebd3fbf2dba07479b20ebb543e" # random key for cryptographic signing of video urls
base64Media = false # use base64 encoding for proxied media urls
enableRSS = true # set this to false to disable RSS feeds
enableDebug = false # enable request logs and debug endpoints (/.tokens)
proxy = "" # http/https url, SOCKS proxies are not supported
proxyAuth = ""
tokenCount = 10
# minimum amount of usable tokens. tokens are used to authorize API requests,
# but they expire after ~1 hour, and have a limit of 500 requests per endpoint.
# the limits reset every 15 minutes, and the pool is filled up so there's
# always at least `tokenCount` usable tokens. only increase this if you receive
# major bursts all the time and don't have a rate limiting setup via e.g. nginx
# cookieHeader = "ct0=a5239634ecfbbdfe8c4826016062b7c1d3f5db7f5ccf45898d854739541810865323f2535c504bcd4f3907ee888379b02871a4fa78abace77c6f155c515740e99fb8add35bcd38ac534927e6c5744ba2; auth_token=cd6e00f611df987100a886885b019a3c6b575c97" # authentication cookie of a logged in account, required for the likes tab and NSFW content
# xCsrfToken = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # required for the likes tab and NSFW content
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = "nitter.gmem.ca"
replaceYouTube = "piped.gmem.ca"
replaceReddit = "red.gmem.ca"
proxyVideos = false
hlsPlayback = true
infiniteScroll = true
kind: ConfigMap
metadata:
name: nitter
namespace: nitter
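Review bot: `hmacKey` is committed in clear in both `nitter-ro.conf` and `nitter.conf`, and the commented-out `cookieHeader` lines still hold what look like a real `ct0`/`auth_token` pair for a logged-in account; commenting the line out does not make the value any less published. The key should be rotated and that session invalidated, with the comment reduced to a placeholder such as `# cookieHeader = "ct0=<redacted>; auth_token=<redacted>"`. Because the file embeds a signing key, it belongs in a Secret (the nitter kustomization already lists VaultStaticSecret resources) rather than a ConfigMap. `redisPassword = ""` means `nitter-redis-master` is reached without authentication, so a comment should state which network control that relies on.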


@ -11,6 +11,8 @@ resources:
- VaultAuth.yaml - VaultAuth.yaml
- VaultStaticSecret-nitter-bot.yaml - VaultStaticSecret-nitter-bot.yaml
- VaultStaticSecret-nitter.yaml - VaultStaticSecret-nitter.yaml
- ConfigMap-nitter.yaml
- ConfigMap-nitter-bot.yaml
helmCharts: helmCharts:
- name: redis - name: redis


@ -1,29 +0,0 @@
apiVersion: v1
data:
limiter.toml: '# This configuration file updates the default configuration file
# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
[botdetection.ip_limit]
# activate link_token method in the ip_limit method
link_token = true
'
settings.yml: "use_default_settings: true\nserver:\n image_proxy: true\n http_protocol_version:\
\ \"1.1\"\n method: \"GET\"\nui:\n static_use_hash: true\nredis:\n url: redis://searxng-redis-master:6379/0\n\
general:\n instance_name: search.gmem.ca\nhostname_replace:\n '(.*\\.)?youtube\\\
.com$': 'piped.gmem.ca'\n '(.*\\.)?youtu\\.be$': 'piped.gmem.ca'\n '(.*\\.)?youtube-noocookie\\\
.com$': 'piped.gmem.ca'\n '(www\\.)?twitter\\.com$': 'nitter.gmem.ca'\n '(www\\\
.)?x\\.com$': 'nitter.gmem.ca'\n '(.*\\.)?reddit\\.com$': 'red.gmem.ca'\n"
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: searxng-3e1ca337d7
namespace: searxng


@ -42,5 +42,5 @@ spec:
subPath: limiter.toml subPath: limiter.toml
volumes: volumes:
- configMap: - configMap:
name: searxng-3e1ca337d7 name: searxng
name: config name: config


@ -1,4 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: searxng
helmCharts: helmCharts:
- name: redis - name: redis
releaseName: searxng-redis releaseName: searxng-redis
@ -12,12 +16,16 @@ helmCharts:
repository: redict repository: redict
tag: 7.3-compat tag: 7.3-compat
version: 18.6.1 version: 18.6.1
kind: Kustomization
namespace: searxng
resources: resources:
- ConfigMap-searxng-3e1ca337d7.yaml
- Deployment-searxng.yaml - Deployment-searxng.yaml
- Service-searxng.yaml - Service-searxng.yaml
- Ingress-searxng.yaml - Ingress-searxng.yaml
- VaultAuth.yaml - VaultAuth.yaml
- VaultStaticSecret-searxng.yaml - VaultStaticSecret-searxng.yaml
configMapGenerator:
- name: searxng
files:
- limiter.toml
- settings.yml


@ -0,0 +1,6 @@
# This configuration file updates the default configuration file
# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
[botdetection.ip_limit]
# activate link_token method in the ip_limit method
link_token = true


@ -0,0 +1,19 @@
use_default_settings: true
server:
image_proxy: true
http_protocol_version: "1.1"
method: "GET"
ui:
static_use_hash: true
redis:
url: redis://searxng-redis-master:6379/0
general:
instance_name: search.gmem.ca
hostnames:
replace:
'(.*\.)?youtube\.com$': 'piped.gmem.ca'
'(.*\.)?youtube\.com$': 'piped.gmem.ca'
'(.*\.)?youtube-noocookie.com$': 'piped.gmem.ca'
'(.*\.)?twitter.com$': 'nitter.gmem.ca'
'(.*\.)?x.com$': 'nitter.gmem.ca'
'(.*\.)?reddit.com$': 'red.gmem.ca'
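Review bot: Under `hostnames.replace` the key `'(.*\.)?youtube\.com$'` appears twice, which is a duplicate mapping key (most YAML loaders silently keep the last one), and the `youtu.be` rule from the removed ConfigMap has been lost. The second line was probably meant to be `'(.*\.)?youtu\.be$': 'piped.gmem.ca'`. The dots in `youtube-noocookie.com`, `twitter.com`, `x.com` and `reddit.com` are no longer escaped as they were in the old `settings.yml`, so `.` now matches any character; write `x\.com$`, `twitter\.com$` and so on. `youtube-noocookie` also looks like a typo for `youtube-nocookie`, carried over from the old config.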


@ -12,3 +12,25 @@ spec:
refreshAfter: 30s refreshAfter: 30s
type: kv-v2 type: kv-v2
vaultAuthRef: vault vaultAuthRef: vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: postgres-vaultwarden
namespace: vaultwarden
spec:
allowStaticCreds: true
destination:
create: true
name: postgres-vaultwarden
transformation:
templates:
DATABASE_URL:
text: postgres://{{ .Secrets.username }}:{{ .Secrets.password }}@192.168.50.236/vaultwarden
mount: database
path: static-creds/vaultwarden
refreshAfter: 30s
vaultAuthRef: vault
rolloutRestartTargets:
- name: vaultwarden
kind: Deployment


@ -16,10 +16,6 @@ spec:
volumes: volumes:
- name: data-dir - name: data-dir
emptyDir: {} emptyDir: {}
- name: rsa-keys
secret:
secretName: vaultwarden-rsa
defaultMode: 0644
containers: containers:
- name: vaultwarden - name: vaultwarden
image: vaultwarden/server:testing image: vaultwarden/server:testing
@ -34,8 +30,10 @@ spec:
envFrom: envFrom:
- secretRef: - secretRef:
name: vaultwarden name: vaultwarden
- secretRef:
name: postgres-vaultwarden
- configMapRef: - configMapRef:
name: vaultwarden-env name: vaultwarden
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: debug value: debug
@ -43,9 +41,6 @@ spec:
- containerPort: 80 - containerPort: 80
name: web name: web
volumeMounts: volumeMounts:
- name: rsa-keys
mountPath: /data/keys
readOnly: true
- name: data-dir - name: data-dir
mountPath: /data mountPath: /data
--- ---
@ -87,49 +82,3 @@ spec:
name: vaultwarden name: vaultwarden
port: port:
number: 80 number: 80
---
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
hostAPI: http://infisical:8080
resyncInterval: 10
authentication:
kubernetesAuth:
identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
serviceAccountRef:
name: infisical-auth
namespace: infisical
secretsScope:
projectSlug: kubernetes-homelab-dp67
envSlug: prod
secretsPath: "/vaultwarden"
managedSecretReference:
secretName: vaultwarden
secretNamespace: vaultwarden
creationPolicy: "Owner"
---
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: vaultwarden-rsa
namespace: vaultwarden
spec:
hostAPI: http://infisical:8080
resyncInterval: 10
authentication:
kubernetesAuth:
identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
serviceAccountRef:
name: infisical-auth
namespace: infisical
secretsScope:
projectSlug: kubernetes-homelab-dp67
envSlug: prod
secretsPath: "/vaultwarden/keys"
managedSecretReference:
secretName: vaultwarden-rsa
secretNamespace: vaultwarden
creationPolicy: "Owner"
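Review bot: With the `rsa-keys` Secret volume and its mount removed, the only storage under `/data` is the `data-dir` `emptyDir`, while `vaultwarden.env` in this commit sets `RSA_KEY_FILENAME=/data/rsa_key`. The signing key therefore lives in ephemeral storage and is lost whenever the pod is replaced. The new `postgres-vaultwarden` secret lists this Deployment under `rolloutRestartTargets`, so restarts become routine. If Vaultwarden generates a fresh key on start (expected, not verified here), previously issued tokens stop validating each time. Either back `/data` with a persistent volume or keep delivering the key from a Vault-sourced Secret.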


@ -1,6 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: vaultwarden
resources: resources:
- VaultAuth.yaml - VaultAuth.yaml
- VaultStaticSecret-vaultwarden.yaml - VaultStaticSecret-vaultwarden.yaml
- deployment.yaml - deployment.yaml
configMapGenerator:
- name: vaultwarden
envs:
- vaultwarden.env


@ -0,0 +1,15 @@
DOMAIN=https://pw.gmem.ca
ENABLE_WEBSOCKET=true
EXTENDED_LOGGING=true
IP_HEADER=X-Real-IP
LOG_LEVEL=error
PUSH_ENABLED=true
PUSH_IDENTITY_URI=https://identity.bitwarden.eu
PUSH_RELAY_URI=https://push.bitwarden.eu
RSA_KEY_FILENAME=/data/rsa_key
SIGNUPS_ALLOWED=false
SIGNUPS_VERIFY=true
SMTP_FROM=vaultwarden@gmem.ca
SMTP_FROM_NAME=Arch's Vault
SMTP_PORT=465
SMTP_SECURITY=force_tls
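Review bot: `LOG_LEVEL=error` here is shadowed by the Deployment, whose explicit `env` entry `LOG_LEVEL` with value `debug` takes precedence over anything loaded through `envFrom`. The password manager therefore runs at debug level with `EXTENDED_LOGGING=true`. Remove one of the two settings so the effective level is the one intended. `IP_HEADER=X-Real-IP` is only trustworthy if the proxy in front overwrites that header on every request, so a comment naming the ingress that sets it would help.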


@ -0,0 +1,36 @@
[groups.waterwolf]
id = "grp_41df2df4-be4e-4a4e-be5e-eabb1425c4e5"
vrcdn = "waterwolf"
[groups.vibenight]
id = "grp_8cf1101a-e75d-4e80-b5d5-c5ba2916cce8"
vrcdn = "vibenight"
[groups.vibenight-roxy]
id = ""
vrcdn = "roxyreee"
[groups.zrave]
id = "grp_f65e9e2e-c2a4-46af-a787-0e7c5d6be03c"
vrcdn = "furxmas"
[groups.eufuria]
id = "grp_47c07467-c09a-4354-bba2-31e103b3c934"
vrcdn = "technicallysane"
[groups.waterwolf-nullreff]
id = ""
vrcdn = "nullreff"
[groups.con-vr-portals]
id = "grp_dcddb898-14bf-41ab-8c3e-e874847be6c9"
#[groups.furality]
#id = "grp_210dbc09-c3da-4ebb-b641-73c99ce2619b"
#vrcdn = "furalityvrcdn"
[worlds]
"becki" = "wrld_e3a45ec6-a319-42af-b68d-f82f47bddef3"
"foxxcon" = "wrld_27806231-964b-4fbe-add8-10bf14be8071"
"becki v2" = "wrld_74f11f39-9064-4d03-93e9-2141f4a60147"


@ -1,7 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: vrchat
resources: resources:
- Deployment-vrchat-prometheus-adapter.yaml - Deployment-vrchat-prometheus-adapter.yaml
- Service-vrchat-prometheus-adapter.yaml - Service-vrchat-prometheus-adapter.yaml
- ServiceMonitor-vrchat-prometheus-adapter.yaml - ServiceMonitor-vrchat-prometheus-adapter.yaml
- VaultAuth.yaml - VaultAuth.yaml
configMapGenerator:
- name: vrchat-prometheus-adapter
files:
- config.toml