feat: Re-enable apps

2025-02-10 20:47:03 -08:00 · 2025-02-10 20:47:03 -08:00 · 44a8b44b45
commit 44a8b44b45
parent 59e41339e6
23 changed files with 302 additions and 45 deletions
--- a/docker/compose/gitea/docker-compose.yml
+++ b/docker/compose/gitea/docker-compose.yml
@ -9,6 +9,7 @@ networks:
 services:
  gitea:
    image: docker.io/gitea/gitea:1.23.1
    container_name: gitea
    environment:
      - USER_UID=1002
      - USER_GID=1002
--- a/docker/compose/media/docker-compose.yml
+++ b/docker/compose/media/docker-compose.yml
@ -16,6 +16,7 @@ volumes:
 services:
  transmission-openvpn:
    image: haugene/transmission-openvpn:5.3.1
    container_name: transmission-openvpn
    cap_add:
      - NET_ADMIN
    networks:
@ -63,6 +64,7 @@ services:
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:1.30.2
    container_name: prowlarr
    environment:
      - PUID=${PUID:-8796}
      - PGID=${PGID:-3005}
@ -91,6 +93,7 @@ services:
  radarr:
    image: lscr.io/linuxserver/radarr:5.18.4
    container_name: radarr
    environment:
      - PUID=${PUID:-8796}
      - PGID=${PGID:-3005}
@ -124,6 +127,7 @@ services:
  sonarr:
    image: lscr.io/linuxserver/sonarr:4.0.12
    container_name: sonarr
    environment:
      - PUID=${PUID:-8796}
      - PGID=${PGID:-3005}
@ -156,6 +160,7 @@ services:
  flaresolverr:
    image: ghcr.io/flaresolverr/flaresolverr:v3.3.21
    container_name: flaresolverr
    environment:
      - LOG_LEVEL=${FLARESOLVERR_LOG_LEVEL:-info}
      - LOG_HTML=${FLARESOLVERR_LOG_HTML:-false}
@ -177,6 +182,7 @@ services:
  jellyseerr:
    image: fallenbagel/jellyseerr:2.3.0
    container_name: jellyseerr
    environment:
      # - LOG_LEVEL=debug
      - TZ=America/Vancouver
@ -212,6 +218,7 @@ services:
  wizarr:
    image: tonyd33/wizarr
    container_name: wizarr
    environment:
      # This is intentionally not WIZARR_HOST. I'm still in the process of
      # migrating everything into mnke.org domain.
--- a/docker/compose/portainer/docker-compose.yml
+++ b/docker/compose/portainer/docker-compose.yml
@ -7,6 +7,7 @@ networks:
 services:
  agent:
    image: portainer/agent:2.16.2
    container_name: agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/docker/docker-root/volumes:/var/lib/docker/volumes
@ -20,6 +21,7 @@ services:
  portainer:
    image: portainer/portainer-ce:2.21.5
    container_name: portainer
    command: -H tcp://agent:9001 --tlsskipverify --bind :9000 --tunnel-port 8000 --admin-password ${PORTAINER_HTPASSWD}
    ports:
      - "9000:9000"
--- a/docker/compose/traefik/docker-compose.yml
+++ b/docker/compose/traefik/docker-compose.yml
@ -7,6 +7,7 @@ networks:
 services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    # This seems to be needed to solve the DNS challenge. Otherwise our own
    # DNS server is used, which isn't correctly configured to allow checking
    # the DNS entries have been propagated
--- a/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
+++ b/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
@ -0,0 +1,17 @@
 x-jellyfin: &jellyfin
  upstream_host: jellyfin.home.mnke.org
  upstream_port: 8096
  pass_host_header: false
 proxies:
  - <<: *jellyfin
    service_name: jellyfin-mnke
    tls_secret_name: wildcard-mnke-org-tls
    listen_hosts:
      - media.mnke.org
      - jellyfin.mnke.org
  - <<: *jellyfin
    service_name: jellyfin-tonydu
    tls_secret_name: wildcard-tonydu-me-tls
    listen_host: media.tonydu.me
--- a/k8s/apps/external-reverse-proxies/codegen/generator.py
+++ b/k8s/apps/external-reverse-proxies/codegen/generator.py
@ -0,0 +1,89 @@
 from argparse import ArgumentParser
 from sys import stderr
 from jinja2 import Template
 from os import path
 from yaml import safe_load
 def load_config(config_path):
    file = open(config_path, 'r')
    config = safe_load(file.read())
    file.close()
    return config
 def load_proxy_template(template_path):
    file = open(template_path, 'r')
    template = Template(file.read())
    file.close()
    return template
 def write_file(filename, content, dry_run):
    if dry_run:
        print(f'### Would generate {filename} ###', file=stderr)
        print(content, file=stderr)
    else:
        with open(filename, 'w') as f:
            f.write(content)
 kustomize_template = Template('''---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  {%- for filename in filenames %}
  - {{ filename }}
  {%- endfor %}
 ''')
 def main(args):
    dry_run = args.dry_run
    config_path = args.config
    template_path = args.template
    output_path = args.output
    template = load_proxy_template(template_path)
    config = load_config(config_path)
    if config is None:
        print(f'Config at {config_path} is invalid', file=stderr)
        exit(1)
    filenames = []
    for proxy in config['proxies']:
        listen_hosts = proxy.get('listen_hosts', [proxy.get('listen_host', None)])
        content = template.render(proxy, listen_hosts=listen_hosts)
        generated_filename = path.join(output_path, proxy['service_name']) + ".yaml"
        filenames.append(path.basename(generated_filename))
        write_file(generated_filename, content, dry_run)
    kustomize_filename = path.join(output_path, 'kustomize.yaml')
    kustomize_content = kustomize_template.render(filenames=filenames)
    write_file(kustomize_filename, kustomize_content, dry_run)
 if __name__ == '__main__':
    default_config_path = path.join(path.dirname(__file__), 'config', 'config.yaml')
    default_template_path = path.join(path.dirname(__file__), 'templates', 'proxy.yaml.j2')
    default_output_path = path.normpath(path.join(path.dirname(__file__), '..', 'generated'))
    parser = ArgumentParser(
            prog='External Reverse Proxy Generator',
            description='Generate reverse proxy manifests',
            )
    parser.add_argument(
            '-n',
            '--dry-run',
            action='store_true',
            help='Print generated manifests instead of writing them to disk'
            )
    parser.add_argument(
            '-k',
            '--skip-kustomize',
            action='store_true',
            help='Skip generation of kustomization.yaml file'
            )
    parser.add_argument('-c', '--config', help='Path to config file', default=default_config_path)
    parser.add_argument('-t', '--template', help='Path to proxy template file', default=default_template_path)
    parser.add_argument('-o', '--output', help='Output directory', default=default_output_path)
    args=parser.parse_args()
    main(args)
--- a/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
+++ b/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
@ -0,0 +1,38 @@
 ---
 # This file was automatically generated. Do not modify.
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ service_name }}-external
  namespace: default
 spec:
  type: ExternalName
  externalName: {{ upstream_host }}
  ports:
    - name: {{ service_name }}-external
      port: {{ upstream_port }}
      targetPort: {{ upstream_port }}
 ---
 # This file was automatically generated. Do not modify.
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: {{ service_name }}-external
  namespace: default
 spec:
  entryPoints:
    - websecure
  routes:
  {%- for listen_host in listen_hosts %}
    - match: Host(`{{ listen_host }}`)
      kind: Rule
      services:
        - kind: Service
          name: {{ service_name }}-external
          port: {{ upstream_port }}
          passHostHeader: {{ pass_host_header }}
  {%- endfor %}
  tls:
    secretName: {{ tls_secret_name }}
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
@ -0,0 +1,40 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: jellyfin-mnke-external
  namespace: default
 spec:
  type: ExternalName
  externalName: jellyfin.home.mnke.org
  ports:
    - name: jellyfin-mnke-external
      port: 8096
      targetPort: 8096
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: jellyfin-mnke-external
  namespace: default
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.mnke.org`)
      kind: Rule
      services:
        - kind: Service
          name: jellyfin-mnke-external
          port: 8096
          passHostHeader: False
    - match: Host(`jellyfin.mnke.org`)
      kind: Rule
      services:
        - kind: Service
          name: jellyfin-mnke-external
          port: 8096
          passHostHeader: False
  tls:
    secretName: wildcard-mnke-org-tls
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
@ -0,0 +1,33 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: jellyfin-tonydu-external
  namespace: default
 spec:
  type: ExternalName
  externalName: jellyfin.home.mnke.org
  ports:
    - name: jellyfin-tonydu-external
      port: 8096
      targetPort: 8096
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: jellyfin-tonydu-external
  namespace: default
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.tonydu.me`)
      kind: Rule
      services:
        - kind: Service
          name: jellyfin-tonydu-external
          port: 8096
          passHostHeader: False
  tls:
    secretName: wildcard-tonydu-me-tls
--- a/k8s/apps/external-reverse-proxies/generated/kustomize.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/kustomize.yaml
@ -0,0 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - jellyfin-mnke.yaml
  - jellyfin-tonydu.yaml
--- a/k8s/apps/external-reverse-proxies/kustomization.yaml
+++ b/k8s/apps/external-reverse-proxies/kustomization.yaml
@ -0,0 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - generated
  - middlewares
--- a/k8s/apps/ghost/kustomization.yaml
+++ b/k8s/apps/ghost/kustomization.yaml
@ -2,7 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secret.yaml
  - release.yaml
--- a/k8s/apps/ghost/namespace.yaml
+++ b/k8s/apps/ghost/namespace.yaml
@ -1,6 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: ghost
--- a/k8s/apps/ghost/release.yaml
+++ b/k8s/apps/ghost/release.yaml
@ -3,9 +3,11 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: ghost
-  namespace: ghost
+  namespace: default
 spec:
-  interval: 1m
+  interval: 10m
  releaseName: ghost
  targetNamespace: default
  chart:
    spec:
      chart: ghost
@ -29,9 +31,18 @@ spec:
      annotations:
        cert-manager.io/cluster-issuer: le-cf-issuer
        kubernetes.io/ingress.class: traefik
-      # ingressClassName: traefik
+      ingressClassName: traefik
      hostname: blog.mnke.org
-      # tls: true
+      tls: true
      # Ugh, this doesn't use the wildcard cert I set up! I don't want to
      # experiment with this at this point because of how finnicky this chart
      # has been. I feel like if I touch this chart the wrong way, it'll just
      # break.
      # extraTls:
        # - hosts:
            # - blog.mnke.org
          # secretName: wildcard-mnke-org-tls
    allowEmptyPassword: false
    ghostEmail: tonydu121@hotmail.com
--- a/k8s/apps/ghost/secret.yaml
+++ b/k8s/apps/ghost/secret.yaml
@ -3,7 +3,7 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: ghost-db-creds
-  namespace: ghost
+  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
@ -22,7 +22,7 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: ghost-creds
-  namespace: ghost
+  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -1,8 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - common
  # - kube-prometheus-stack
  - uptime-kuma
  # - rancher
  - ghost
--- a/k8s/apps/uptime-kuma/kustomization.yaml
+++ b/k8s/apps/uptime-kuma/kustomization.yaml
@ -2,7 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
--- a/k8s/apps/uptime-kuma/namespace.yaml
+++ b/k8s/apps/uptime-kuma/namespace.yaml
@ -1,6 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: uptime-kuma
--- a/k8s/apps/uptime-kuma/release.yaml
+++ b/k8s/apps/uptime-kuma/release.yaml
@ -3,9 +3,11 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: uptime-kuma
-  namespace: uptime-kuma
+  namespace: default
 spec:
  interval: 10m0s
  releaseName: uptime-kuma
  targetNamespace: default
  chart:
    spec:
      chart: uptime-kuma
@ -13,7 +15,7 @@ spec:
      sourceRef:
        kind: HelmRepository
        name: uptime-kuma
-        namespace: uptime-kuma
+        namespace: flux-system
  values:
    ingress:
      enabled: true
@ -25,6 +27,15 @@ spec:
          paths:
            - path: /
              pathType: ImplementationSpecific
        - host: uptime.mnke.org
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - hosts:
            - uptime.dolo.mnke.org
            - uptime.mnke.org
          secretName: wildcard-mnke-org-tls
    resources:
      limits:
        cpu: 200m
--- a/k8s/apps/uptime-kuma/repository.yaml
+++ b/k8s/apps/uptime-kuma/repository.yaml
@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: uptime-kuma
-  namespace: uptime-kuma
+  namespace: flux-system
 spec:
  interval: 10m0s
  url: https://helm.irsigler.cloud
--- a/k8s/clusters/dolo/apps.yaml
+++ b/k8s/clusters/dolo/apps.yaml
@ -1,18 +1,18 @@
-# ---
+---
-# apiVersion: kustomize.toolkit.fluxcd.io/v1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
-# kind: Kustomization
+kind: Kustomization
-# metadata:
+metadata:
-  # name: apps
+  name: apps
-  # namespace: flux-system
+  namespace: flux-system
-# spec:
+spec:
-  # interval: 10m0s
+  interval: 10m0s
-  # retryInterval: 30s
+  retryInterval: 30s
-  # dependsOn:
+  dependsOn:
-    # - name: infrastructure
+    - name: infrastructure
-  # sourceRef:
+  sourceRef:
-    # kind: GitRepository
+    kind: GitRepository
-    # name: flux-system
+    name: flux-system
-  # path: ./k8s/apps
+  path: ./k8s/apps
-  # prune: true
+  prune: true
-  # wait: true
+  wait: true
-  # timeout: 5m0s
+  timeout: 5m0s
--- a/k8s/infrastructure/controllers/loki/release.yaml
+++ b/k8s/infrastructure/controllers/loki/release.yaml
@ -51,7 +51,7 @@ spec:
    minio:
      enabled: true
      persistence:
-        size: 8Gi
+        size: 4Gi
      rootUser: root
      # rootPassword: ''
@ -59,14 +59,24 @@ spec:
    singleBinary:
      replicas: 1
      persistence:
        enabled: true
        size: 4Gi
        storageClass: longhorn
    # Zero out replica counts of other deployment modes
    backend:
      replicas: 0
      persistence:
        size: 1Mi
    read:
      replicas: 0
      persistence:
        size: 1Mi
    write:
      replicas: 0
      persistence:
        size: 1Mi
    # Turn this for debugging
    lokiCanary:
--- a/k8s/infrastructure/crds/traefik.yaml
+++ b/k8s/infrastructure/crds/traefik.yaml
@ -6,7 +6,7 @@ metadata:
  name: traefik
  namespace: flux-system
 spec:
-  interval: 1m
+  interval: 10m
  url: https://helm.traefik.io/traefik
 ---