Update deploy/deluge/deluge-deploy.yaml

Reviewed-on: #3

.gitignore

@@ -0,0 +1 @@
+**/secret.yaml

deploy/deluge/deluge-deploy.yaml

@@ -13,9 +13,16 @@ spec:
       labels:
         app: deluge
     spec:
+      securityContext:
+        runAsUser: 0
       containers:
         - name: deluge
-          image: lscr.io/linuxserver/deluge:latest
+          image: bottledpills/deluge-openvpn:v1.7
+          securityContext:
+            privileged: true  # Often required for TUN/TAP devices
+            capabilities:
+              add:
+                - NET_ADMIN
           ports:
             - containerPort: 8112
               protocol: TCP
@@ -26,19 +33,31 @@ spec:
             - containerPort: 58846
               protocol: TCP
           env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
             - name: TZ
               value: Etc/UTC
             - name: DELUGE_LOGLEVEL
               value: "error"
+            - name: OPENVPN_PROVIDER
+              value: "nordvpn"
+            - name: OPENVPN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: username
+            - name: OPENVPN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: password
+            - name: LOCAL_NETWORK
+              value: "10.10.10.0/24,10.244.0.0/24"
           volumeMounts:
             - name: config
               mountPath: /config
             - name: downloads
-              mountPath: /downloads
+              mountPath: /download
+            - name: dev-net-tun
+              mountPath: /dev/net/tun
       volumes:
         - name: config
           persistentVolumeClaim:
@@ -46,3 +65,7 @@ spec:
         - name: downloads
           persistentVolumeClaim:
             claimName: deluge-downloads
+        - name: dev-net-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice

deploy/drone/drone-rbac.yaml

@@ -0,0 +1,26 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: drone
+  name: drone
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "create", "delete", "list", "watch", "update"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone
+  namespace: drone
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: drone
+roleRef:
+  kind: Role
+  name: drone
+  apiGroup: rbac.authorization.k8s.io

deploy/drone/drone-runner-amd64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-amd64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-amd64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-amd64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "amd64"
+      containers:
+        - name: drone-runner-amd64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:amd64"

deploy/drone/drone-runner-arm64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-arm64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-arm64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-arm64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "arm64"
+      containers:
+        - name: drone-runner-arm64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:arm64"

deploy/drone/drone-runner.yaml

@@ -1,46 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-runner
-  namespace: drone
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      name: drone-runner
-  template:
-    metadata:
-      labels:
-        name: drone-runner
-    spec:
-      containers:
-        - name: drone-runner
-          image: drone/drone-runner-kube:latest
-          imagePullPolicy: Always
-          ports:
-          - containerPort: 3000
-          env:
-            - name: "DRONE_RPC_HOST"
-              value: "drone.beatrice.wtf"
-            - name: "DRONE_RPC_PROTO"
-              value: "https"
-            - name: "DRONE_RPC_SECRET"
-              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
-            - name: "DRONE_RUNNER_CAPACITY"
-              value: "3"
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-runner
-  namespace: drone
-  labels:
-    name: drone-runner
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      port: 3000
-      targetPort: 3000
-  selector:
-    name: drone-runner

deploy/drone/drone-server.yaml

@@ -19,23 +19,29 @@ spec:
           imagePullPolicy: Always
           env:
             - name: "DRONE_GITEA_CLIENT_ID"
-              value: e6a4fb3b-e6b1-43dd-8f45-4def94742609
+              value: "e6a4fb3b-e6b1-43dd-8f45-4def94742609"
             - name: "DRONE_GITEA_CLIENT_SECRET"
-              value: gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq
+              value: "gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq"
             - name: "DRONE_GITEA_SERVER"
-              value: https://git.beatrice.wtf
+              value: "https://git.beatrice.wtf"
             - name: "DRONE_GIT_ALWAYS_AUTH"
               value: "false"
             - name: "DRONE_RPC_SECRET"
-              value: 26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
             - name: "DRONE_WEBHOOK_SECRET"
-              value: 9329e50de8f250dc3c997571f395d09e
+              value: "9329e50de8f250dc3c997571f395d09e"
             - name: "DRONE_SERVER_HOST"
-              value: drone.beatrice.wtf
+              value: "drone.beatrice.wtf"
             - name: "DRONE_SERVER_PROTO"
-              value: https
+              value: "https"
             - name: "DRONE_SERVER_PORT"
-              value: :80
+              value: ":80"
+            - name: "DRONE_SERVER_BUILD_LIMIT"
+              value: "9"
+            - name: "DRONE_ALLOW_PRIVILEGED"
+              value: "true"
+            - name: "DRONE_LOGS_DEBUG"
+              value: "true"
           volumeMounts:
             - mountPath: /var/lib/drone
               name: drone-lib

deploy/drone/kustomization.yaml

@@ -1,5 +1,7 @@
 resources:
+  - drone-rbac.yaml
   - drone-server.yaml
-  - drone-runner.yaml
+  - drone-runner-arm64.yaml
+  - drone-runner-amd64.yaml
   - drone-ingress.yaml
   - drone-pvc.yaml

deploy/jellyfin/media-storage.yaml

@@ -24,4 +24,4 @@ spec:
     - ReadWriteMany
   resources:
     requests:
-      storage: 500Gi
+      storage: 1050Gi

deploy/plane-ce/kustomization.yaml

@@ -0,0 +1,24 @@
+namespace: plane-ce
+
+helmCharts:
+  - name: plane-ce
+    repo: https://helm.plane.so/
+    version: 1.1.0
+    releaseName: plane-app
+    valuesInline:
+      planeVersion: stable
+      postgres:
+        local_setup: false
+        servicePort: 5432
+      env:
+        pgdb_remote_url: postgresql://plane:w20t4g8h244ivjz0kef1hi10@postgres-base-rw.postgres.svc.cluster.local:5432/plane_db
+      certManager: true
+      ingress:
+        ingressClass: nginx
+        tls: true
+        appHost: plane.panic.haus
+        minioHost: minio.plane.panic.haus
+        rabbitmqHost: plane-app-rabbitmq
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"

deploy/renovate/cronjob.yaml

@@ -0,0 +1,23 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: renovate
+              # Update the image if needed
+              image: renovate/renovate:39.211
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - secretRef:
+                    name: renovate-env
+          restartPolicy: Never

deploy/renovate/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cronjob.yaml

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}