Update deploy/deluge/deluge-deploy.yaml

Reviewed-on: #3

.gitignore

@@ -0,0 +1 @@
+**/secret.yaml

deploy/deluge/deluge-deploy.yaml

@@ -13,9 +13,16 @@ spec:
       labels:
         app: deluge
     spec:
+      securityContext:
+        runAsUser: 0
       containers:
         - name: deluge
-          image: lscr.io/linuxserver/deluge:latest
+          image: bottledpills/deluge-openvpn:v1.7
+          securityContext:
+            privileged: true  # Often required for TUN/TAP devices
+            capabilities:
+              add:
+                - NET_ADMIN
           ports:
             - containerPort: 8112
               protocol: TCP
@@ -26,19 +33,31 @@ spec:
             - containerPort: 58846
               protocol: TCP
           env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
             - name: TZ
               value: Etc/UTC
             - name: DELUGE_LOGLEVEL
               value: "error"
+            - name: OPENVPN_PROVIDER
+              value: "nordvpn"
+            - name: OPENVPN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: username
+            - name: OPENVPN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: password
+            - name: LOCAL_NETWORK
+              value: "10.10.10.0/24,10.244.0.0/24"
           volumeMounts:
             - name: config
               mountPath: /config
             - name: downloads
-              mountPath: /downloads
+              mountPath: /download
+            - name: dev-net-tun
+              mountPath: /dev/net/tun
       volumes:
         - name: config
           persistentVolumeClaim:
@@ -46,3 +65,7 @@ spec:
         - name: downloads
           persistentVolumeClaim:
             claimName: deluge-downloads
+        - name: dev-net-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice

deploy/drone/drone-rbac.yaml

@@ -0,0 +1,26 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: drone
+  name: drone
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "create", "delete", "list", "watch", "update"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone
+  namespace: drone
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: drone
+roleRef:
+  kind: Role
+  name: drone
+  apiGroup: rbac.authorization.k8s.io

deploy/drone/drone-runner-amd64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-amd64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-amd64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-amd64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "amd64"
+      containers:
+        - name: drone-runner-amd64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:amd64"

deploy/drone/drone-runner-arm64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-arm64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-arm64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-arm64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "arm64"
+      containers:
+        - name: drone-runner-arm64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:arm64"

deploy/drone/drone-runner.yaml

@@ -1,46 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-runner
-  namespace: drone
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: drone-runner
-  template:
-    metadata:
-      labels:
-        name: drone-runner
-    spec:
-      containers:
-        - name: drone-runner
-          image: drone/drone-runner-kube:latest
-          imagePullPolicy: Always
-          ports:
-          - containerPort: 3000
-          env:
-            - name: "DRONE_RPC_HOST"
-              value: "drone.beatrice.wtf"
-            - name: "DRONE_RPC_PROTO"
-              value: "https"
-            - name: "DRONE_RPC_SECRET"
-              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
-            - name: "DRONE_RUNNER_CAPACITY"
-              value: "5"
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-runner
-  namespace: drone
-  labels:
-    name: drone-runner
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      port: 3000
-      targetPort: 3000
-  selector:
-    name: drone-runner

deploy/drone/drone-server.yaml

@@ -19,23 +19,29 @@ spec:
           imagePullPolicy: Always
           env:
             - name: "DRONE_GITEA_CLIENT_ID"
-              value: e6a4fb3b-e6b1-43dd-8f45-4def94742609
+              value: "e6a4fb3b-e6b1-43dd-8f45-4def94742609"
             - name: "DRONE_GITEA_CLIENT_SECRET"
-              value: gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq
+              value: "gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq"
             - name: "DRONE_GITEA_SERVER"
-              value: https://git.beatrice.wtf
+              value: "https://git.beatrice.wtf"
             - name: "DRONE_GIT_ALWAYS_AUTH"
               value: "false"
             - name: "DRONE_RPC_SECRET"
-              value: 26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
             - name: "DRONE_WEBHOOK_SECRET"
-              value: 9329e50de8f250dc3c997571f395d09e
+              value: "9329e50de8f250dc3c997571f395d09e"
             - name: "DRONE_SERVER_HOST"
-              value: drone.beatrice.wtf
+              value: "drone.beatrice.wtf"
             - name: "DRONE_SERVER_PROTO"
-              value: https
+              value: "https"
             - name: "DRONE_SERVER_PORT"
-              value: :80
+              value: ":80"
+            - name: "DRONE_SERVER_BUILD_LIMIT"
+              value: "9"
+            - name: "DRONE_ALLOW_PRIVILEGED"
+              value: "true"
+            - name: "DRONE_LOGS_DEBUG"
+              value: "true"
           volumeMounts:
             - mountPath: /var/lib/drone
               name: drone-lib

deploy/drone/kustomization.yaml

@@ -1,5 +1,7 @@
 resources:
+  - drone-rbac.yaml
   - drone-server.yaml
-  - drone-runner.yaml
+  - drone-runner-arm64.yaml
+  - drone-runner-amd64.yaml
   - drone-ingress.yaml
   - drone-pvc.yaml

deploy/jellyfin/media-storage.yaml

@@ -24,4 +24,4 @@ spec:
     - ReadWriteMany
   resources:
     requests:
-      storage: 500Gi
+      storage: 1050Gi

deploy/longhorn/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - longhorn-ingress.yaml
-  - oauth2-proxy-longhorn-svc.yaml
-  - oauth2-proxy-longhorn.yaml

deploy/longhorn/longhorn-dashboard.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-dashboard
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
+spec:
+  tls:
+    - hosts:
+        - longhorn.panic.haus
+      secretName: longhorn-tls
+  rules:
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: longhorn-frontend
+                port:
+                  number: 80
+

deploy/longhorn/longhorn-ingress.yaml

@@ -6,28 +6,28 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "nginx"
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/auth-url: "https://longhorn.panic.haus/oauth2/auth"
-    nginx.ingress.kubernetes.io/auth-signin: "https://longhorn.panic.haus/oauth2/start?rd=$scheme://$host$request_uri"
+    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy-service.longhorn-system.svc.cluster.local:4180/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://longhorn.panic.haus/oauth2/start?rd=$escaped_request_uri"
 spec:
   tls:
-  - hosts:
-    - longhorn.panic.haus
-    secretName: longhorn-tls
+    - hosts:
+        - longhorn.panic.haus
+      secretName: longhorn-tls
   rules:
-  - host: longhorn.panic.haus
-    http:
-      paths:
-      - path: /oauth2
-        pathType: Prefix
-        backend:
-          service:
-            name: oauth2-proxy
-            port:
-              number: 4180
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: longhorn-frontend
-            port:
-              number: 80
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy-longhorn-service
+                port:
+                  number: 4180
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: longhorn-frontend
+                port:
+                  number: 80

deploy/longhorn/oauth2-proxy-longhorn-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oauth2-proxy-longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy-longhorn-service
+                port:
+                  number: 4180

deploy/longhorn/oauth2-proxy-longhorn-svc.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: oauth2-proxy-longhorn
+  name: oauth2-proxy-longhorn-service
   namespace: longhorn-system
 spec:
   ports:
@@ -10,4 +10,4 @@ spec:
     protocol: TCP
     name: http
   selector:
-    app: oauth2-proxy-longhorn
+    app: oauth2-proxy-longhorn

deploy/longhorn/oauth2-proxy-longhorn.yaml

@@ -14,23 +14,23 @@ spec:
         app: oauth2-proxy-longhorn
     spec:
       containers:
-      - name: oauth2-proxy
+      - name: oauth2-proxy-longhorn
         image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
         args:
           - --provider=keycloak
           - --client-id=longhorn
           - --client-secret=0U2QuP1QMAXln8bzwJ3aJMIvaH9t2QvJ
           - --cookie-secret=lDE7du7SlDuG1UySIZUhcHfuk5HlgFlgDWdHD_PQ9UI=
-          - --oidc-issuer-url=https://sso.beatrice.wtf/realms/panic-haus
+          - --oidc-issuer-url=https://sso.beatrice.wtf/auth/realms/panic-haus
           - --cookie-domain=longhorn.panic.haus
           - --email-domain=*
           - --http-address=0.0.0.0:4180
           - --redirect-url=https://longhorn.panic.haus/oauth2/callback
           -  --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local:80
           - --scope=openid
-          - --login-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/auth
-          - --validate-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/userinfo
-          - --redeem-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/token
+          - --login-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/auth
+          - --validate-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/userinfo
+          - --redeem-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/token
           - --skip-auth-regex=^(?:https?:\/\/)?longhorn\.panic\.haus\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$|^\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$
         ports:
           - name: http

deploy/plane-ce/kustomization.yaml

@@ -0,0 +1,24 @@
+namespace: plane-ce
+
+helmCharts:
+  - name: plane-ce
+    repo: https://helm.plane.so/
+    version: 1.1.0
+    releaseName: plane-app
+    valuesInline:
+      planeVersion: stable
+      postgres:
+        local_setup: false
+        servicePort: 5432
+      env:
+        pgdb_remote_url: postgresql://plane:w20t4g8h244ivjz0kef1hi10@postgres-base-rw.postgres.svc.cluster.local:5432/plane_db
+      certManager: true
+      ingress:
+        ingressClass: nginx
+        tls: true
+        appHost: plane.panic.haus
+        minioHost: minio.plane.panic.haus
+        rabbitmqHost: plane-app-rabbitmq
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"

deploy/renovate/cronjob.yaml

@@ -0,0 +1,23 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: renovate
+              # Update the image if needed
+              image: renovate/renovate:39.211
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - secretRef:
+                    name: renovate-env
+          restartPolicy: Never

deploy/renovate/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cronjob.yaml

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}