
1 commit

Author SHA1 Message Date
renovate[bot]
95b34f4490
chore(deps): update docker image docker.io/bitnami/postgresql to v16.2.0 2024-02-18 06:34:31 +00:00
79 changed files with 2360 additions and 1393 deletions


@ -5,4 +5,4 @@ apps:
- name: crowdsec
repoURL: https://crowdsecurity.github.io/helm-charts
chart: crowdsec
targetRevision: 0.11.0
targetRevision: 0.9.12


@ -5,4 +5,4 @@ apps:
- name: core
repoURL: https://neuvector.github.io/neuvector-helm/
chart: core
targetRevision: 2.7.7
targetRevision: 2.7.3


@ -3563,7 +3563,7 @@ spec:
fieldPath: metadata.namespace
- name: TUF_ROOT
value: /tmp/.sigstore
image: ghcr.io/fluxcd/source-controller:v1.4.1
image: ghcr.io/fluxcd/source-controller:v1.2.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@ -5299,7 +5299,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/kustomize-controller:v1.4.0
image: ghcr.io/fluxcd/kustomize-controller:v1.2.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@ -7975,7 +7975,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/notification-controller:v1.4.0
image: ghcr.io/fluxcd/notification-controller:v1.2.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:


@ -1,6 +1,6 @@
image:
repository: adguard/adguardhome
tag: v0.107.53
tag: v0.107.44
env:
TZ: Europe/Amsterdam


@ -3,34 +3,16 @@ config:
apps:
- name: localai
# repoURL: https://go-skynet.github.io/helm-charts
# chart: local-ai
# targetRevision: 3.1.0
repoURL: https://github.com/nold360/localai-charts.git
path: charts/local-ai
targetRevision: feat/envsecret
secrets:
- name: localai
keys:
- hf-token
repoURL: https://go-skynet.github.io/helm-charts
chart: local-ai
targetRevision: 3.1.0
- name: anythingllm
repo: bjw-s
chart: app-template
targetRevision: 2.4.0
# - name: flowise
# repo: bjw-s
# chart: app-template
# targetRevision: 2.4.0
# - name: big-agi
# repo: bjw-s
# chart: app-template
# targetRevision: 2.4.0
- name: browserless
namespace: browserless
- name: flowise
repo: bjw-s
chart: app-template
targetRevision: 2.4.0


@ -5,7 +5,6 @@ controllers:
image:
repository: mintplexlabs/anythingllm
tag: master
pullPolicy: Always
env:
STORAGE_DIR: /app/server/storage
@ -18,7 +17,7 @@ controllers:
######## LLM API SElECTION ################
LLM_PROVIDER: 'localai'
LOCAL_AI_BASE_PATH: 'http://localai-local-ai.ai.svc.cluster.local/v1'
LOCAL_AI_MODEL_PREF: main
LOCAL_AI_MODEL_PREF: 'thebloke__dolphin-2.2.1-mistral-7b-gguf__dolphin-2.2.1-mistral-7b.q5_k_m.gguf'
LOCAL_AI_MODEL_TOKEN_LIMIT: 1024
# LOCAL_AI_API_KEY="sk-123abc"
@ -30,8 +29,6 @@ controllers:
######## Vector Database Selection ########
VECTOR_DB: "lancedb"
DISABLE_TELEMETRY: "true"
ingress:
main:
annotations:


@ -1,84 +0,0 @@
controllers:
# main agent
main:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
env:
BIBOT_CONFIG: /config/bibot.yml
BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
PHOENIX_PROJECT_NAME: bi
command: ["python3"]
args: ["/app/bi/agents/main/app.py", "worker", "-l", "info"]
controller:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
env:
BIBOT_CONFIG: /config/bibot.yml
BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
command: ["python3"]
args: ["/app/bi/controller.py", "worker", "-l", "info"]
discord:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
command: ["python3"]
args: ["/app/bi/connectors/discord/app.py", "worker", "-l", "info"]
env:
BIBOT_KAFKA__BROKER: bi-cluster-kafka-bootstrap:9092
OPENAI_API_KEY: fake
BIBOT_DISCORD__TOKEN:
valueFrom:
secretKeyRef:
name: bibot
key: discord-token
## Prod:
BIBOT_DISCORD__CHANNELS: "1216440541064200192"
# Dev:
# BIBOT_DISCORD_CHANNELS: "1217418069693960223"
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
persistence:
secret:
name: bibot
enabled: true
type: secret
config:
name: bibot-config
enabled: true
type: configMap
data:
size: 10Gi
type: persistentVolumeClaim
accessMode: ReadWriteOnce
# service:
# main:
# controller: main
# ports:
# http:
# port: 8000
# type: ClusterIP


@ -1,60 +0,0 @@
controllers:
main:
containers:
main:
image:
repository: ghcr.io/enricoros/big-agi
tag: latest
pullPolicy: Always
command: [ "next", "start", "-p", "3001" ]
env:
PUPPETEER_WSS_ENDPOINT: ws://browserless.browserless.svc.cluster.local:3000
# ANTHROPIC_API_HOST: ""
# ANTHROPIC_API_KEY: ""
# ELEVENLABS_API_HOST: ""
# ELEVENLABS_API_KEY: ""
# ELEVENLABS_VOICE_ID: ""
# GOOGLE_CLOUD_API_KEY: ""
# GOOGLE_CSE_ID: ""
# HELICONE_API_KEY: ""
# OPENAI_API_HOST: "http://localai-local-ai.ai.svc.cluster.local/v1"
LOCALAI_API_HOST: "http://localai-local-ai.ai.svc.cluster.local"
# OPENAI_API_KEY: "sk-xxxxxxxxxxxx"
# OPENAI_API_ORG_ID: ""
# PRODIA_API_KEY: ""
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
enabled: true
hosts:
- host: bigagi.dc
paths:
- path: /
service:
name: main
port: http
tls:
- hosts:
- bigagi.dc
secretName: bigagi-tls
persistence:
data:
accessMode: ReadWriteOnce
enabled: false
readOnly: false
size: 10Gi
type: persistentVolumeClaim
securityContext:
privileged: false
service:
main:
ports:
http:
enabled: true
port: 3001
type: ClusterIP


@ -1,40 +0,0 @@
controllers:
main:
containers:
main:
image:
repository: browserless/chrome
tag: latest
pullPolicy: Always
env:
MAX_CONCURRENT_SESSIONS: 10
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
enabled: true
hosts:
- host: browserless.dc
paths:
- path: /
service:
name: main
port: http
tls:
- hosts:
- browserless.dc
secretName: browserless-tls
securityContext:
privileged: false
service:
main:
ports:
http:
enabled: true
port: 3000
type: ClusterIP


@ -4,7 +4,7 @@ controllers:
main:
image:
repository: flowiseai/flowise
tag: 1.8.4
tag: 1.5.0
command:
- flowise
- start


@ -1,29 +1,18 @@
replicaCount: 1
deployment:
image:
repository: quay.io/go-skynet/local-ai
#tag: latest-aio-gpu-nvidia-cuda-12
tag: v2.22.0-cublas-cuda12-ffmpeg
pullPolicy: Always
runtimeClassName: nvidia
image: quay.io/go-skynet/local-ai:master-ffmpeg-core
env:
threads: 16
context_size: 4096
context_size: 2048
DEBUG: "true"
#
# SINGLE_ACTIVE_BACKEND: "true"
# PYTHON_GRPC_MAX_WORKERS: "1"
# LLAMACPP_PARALLEL: "1"
# PARALLEL_REQUESTS: "false"
## Specify a different bind address (defaults to ":8080")
# ADDRESS=127.0.0.1:8080
## Define galleries.
## models will to install will be visible in `/models/available`
#GALLERIES: '[{"name":"model-gallery", "url":"github:go-skynet/model-gallery/index.yaml"}, {"url": "github:go-skynet/model-gallery/huggingface.yaml","name":"huggingface"}]'
GALLERIES: '[{"name":"model-gallery", "url":"github:go-skynet/model-gallery/index.yaml"}, {"url": "github:go-skynet/model-gallery/huggingface.yaml","name":"huggingface"}]'
## Default path for models
#MODELS_PATH=/models
@ -57,14 +46,6 @@ deployment:
# UPLOAD_LIMIT
# HUGGINGFACEHUB_API_TOKEN=Token here
# Inject Secrets into Environment:
secretEnv:
- name: HF_TOKEN
valueFrom:
secretKeyRef:
name: localai
key: hf-token
modelsPath: "/models"
download_model:
@ -73,6 +54,9 @@ deployment:
prompt_templates:
# To use cloud provided (eg AWS) image, provide it like: 1234356789.dkr.ecr.us-REGION-X.amazonaws.com/busybox
image: busybox
pullPolicy: Always
imagePullSecrets: []
# - name: secret-names
resources:
requests:
@ -96,25 +80,17 @@ models:
# The list of URLs to download models from
# Note: the name of the file will be the name of the loaded model
list: []
# - url: "https://gpt4all.io/models/ggml-gpt4all-j.bin"
list:
- url: "https://gpt4all.io/models/ggml-gpt4all-j.bin"
# basicAuth: base64EncodedCredentials
persistence:
models:
enabled: true
annotations: {}
storageClass: ssd
accessModes: ReadWriteOnce
size: 100Gi
globalMount: /models
output:
enabled: false
annotations: {}
storageClass: ssd
accessModes: ReadWriteOnce
size: 100Gi
globalMount: /tmp/generated
persistence:
pvc:
enabled: true
size: 100Gi
accessModes:
- ReadWriteOnce
storageClass: "ssd"
service:
type: ClusterIP
@ -139,3 +115,5 @@ ingress:
hosts:
- ai.dc
image:
pullPolicy: IfNotPresent
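Review bot: The first hunk swaps the pinned `repository`/`tag` pair for `image: quay.io/go-skynet/local-ai:master-ffmpeg-core`, a tag that follows the upstream branch, so the running binary can change without any commit in this repository. That reading assumes the single-line `image:` is the new side, which the hunk sizes (29 lines down to 18) indicate. Pin a release together with its digest, for example `image: quay.io/go-skynet/local-ai:<release-tag>@sha256:<digest>` (placeholders). In the fourth hunk the model list now fetches `https://gpt4all.io/models/ggml-gpt4all-j.bin` with no integrity value beside it, and `DEBUG: "true"` stays on; a comment such as `# model fetched unauthenticated at start-up; verify the checksum out of band` would at least record the gap.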


@ -1,49 +0,0 @@
image:
repository: docker.io/qdrant/qdrant
pullPolicy: IfNotPresent
tag: "v1.12.1"
useUnprivilegedImage: true
env:
- name: QDRANT__TELEMETRY_DISABLED
value: "true"
ingress:
enabled: false
ingressClassName: ""
additionalLabels: {}
annotations: {}
# kubernetes.io/ingress.class: alb
hosts:
- host: example-domain.com
paths:
- path: /
pathType: Prefix
servicePort: 6333
tls: []
# - hosts:
# - example-domain.com
# secretName: tls-secret-name
updateVolumeFsOwnership: false
persistence:
accessModes: ["ReadWriteOnce"]
size: 10Gi
storageClassName: ssd
# modification example for configuration to overwrite defaults
config:
cluster:
enabled: false
# api key for authentication at qdrant
# false: no api key will be configured
# true: an api key will be auto-generated
# string: the given string will be set as an apikey
apiKey: true
# read-only api key for authentication at qdrant
# false: no read-only api key will be configured
# true: an read-only api key will be auto-generated
# string: the given string will be set as a read-only apikey
readOnlyApiKey: true


@ -8,7 +8,7 @@ installCRDs: true
global:
image:
repository: quay.io/argoproj/argocd
tag: v2.12.6
tag: v2.10.1
# imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 999
@ -176,7 +176,7 @@ repoServer:
initContainers:
- name: copy-cmp-server
image: quay.io/argoproj/argocd:v2.12.6
image: quay.io/argoproj/argocd:v2.10.1
command:
- cp
- -n


@ -61,3 +61,17 @@ apps:
- noRoot
- tmpdirs
- ingress-internal
- name: unpackerr
chart: unpackerr
targetRevision: 5.1.0
include:
- noRoot
- tmpdirs
- ingress-internal
secrets:
- name: unpackerr-config
keys:
- UN_LIDARR_0_API_KEY
- UN_RADARR_0_API_KEY
- UN_SONARR_0_API_KEY


@ -1,6 +1,6 @@
image:
repository: ghcr.io/onedr0p/bazarr
tag: 1.4.5
tag: 1.4.1
ingress:
main:


@ -1,6 +1,6 @@
image:
repository: ghcr.io/onedr0p/lidarr
tag: 2.4.3.4248
tag: 2.1.7.4030
ingress:
main:


@ -1,6 +1,6 @@
image:
repository: ghcr.io/linuxserver/ombi
tag: 4.44.1
tag: 4.43.5
ingress:
main:


@ -9,7 +9,7 @@ image:
# -- image repository
repository: ghcr.io/onedr0p/prowlarr-develop
# @default -- chart.appVersion
tag: "1.25"
tag: "1.13"
# -- image pull policy
pullPolicy: IfNotPresent
@ -80,7 +80,7 @@ metrics:
# -- image repository
repository: ghcr.io/onedr0p/exportarr
# -- image tag
tag: v2.0.1
tag: v1.6.1
# -- image pull policy
pullPolicy: IfNotPresent
env:


@ -1,6 +1,6 @@
image:
repository: ghcr.io/onedr0p/radarr
tag: 5.12.2.9335
tag: 5.2.6.8376
env:
UMASK: "002"


@ -1,6 +1,6 @@
image:
repository: ghcr.io/onedr0p/sonarr
tag: 4.0.9.2244
tag: 4.0.1.929
securityContext:
privileged: true


@ -1,139 +0,0 @@
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
name: bi-cluster
namespace: bi
spec:
kafka:
version: 3.7.0
replicas: 1
listeners:
- name: plain
port: 9092
type: internal
tls: false
- name: tls
port: 9093
type: internal
tls: true
config:
offsets.topic.replication.factor: 1
transaction.state.log.replication.factor: 1
transaction.state.log.min.isr: 1
default.replication.factor: 1
min.insync.replicas: 1
inter.broker.protocol.version: "3.7"
storage:
type: jbod
volumes:
- id: 0
type: persistent-claim
size: 100Gi
deleteClaim: false
zookeeper:
replicas: 1
storage:
type: persistent-claim
size: 100Gi
deleteClaim: false
entityOperator:
topicOperator: {}
userOperator: {}
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: bi-input
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: bi-output
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: agent-registry
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 24
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: agent-main-input
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: discord-input
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: agent-researcher-input
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: agent-researcher-config
namespace: bi
labels:
strimzi.io/cluster: bi-cluster
spec:
partitions: 1
replicas: 1
config:
retention.ms: 7200000
segment.bytes: 1073741824


@ -1,22 +0,0 @@
---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: bi-mongo
namespace: bi
spec:
members: 1
type: ReplicaSet
version: "6.0.5"
security:
authentication:
modes: ["SCRAM"]
users:
- name: bi
db: bi
passwordSecretRef:
name: bi-mongo-password
roles:
- name: dbOwner
db: bi
scramCredentialsSecretName: bi


@ -1,33 +0,0 @@
config:
description: Bi Agent Framework
apps:
- name: bi
namespace: bi
repo: bjw-s
chart: app-template
targetRevision: 3.2.1
secrets:
- name: bibot
keys:
- discord-token
- ombi-api-key
- prompt-template
- instruct-template
- OPENWEATHERMAP_API_KEY
ignoreDiff:
- group: apps
kind: Deployment
jsonPointers:
- /spec/replicas
# - name: mongo-express
# repoURL: https://cowboysysop.github.io/charts/
# chart: mongo-express
# targetRevision: 6.5.2
# secrets:
# - name: mongo-express
# keys:
# - mongodb-admin-password
# - site-cookie-secret
# - site-session-secret


@ -1,182 +0,0 @@
controllers:
# main agent
main:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
env:
BIBOT_CONFIG: /config/bibot.yml
BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
BIBOT_MONGODB__USER:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: username
BIBOT_MONGODB__PASSWORD:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: password
PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
PHOENIX_PROJECT_NAME: bi
command: ["python3"]
args: ["/app/bi/agents/main/app.py", "worker", "-l", "info"]
controller:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
env:
BIBOT_CONFIG: /config/bibot.yml
BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
BIBOT_MONGODB__USER:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: username
BIBOT_MONGODB__PASSWORD:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: password
command: ["python3"]
args: ["/app/bi/controller.py", "worker", "-l", "info"]
discord:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
command: ["python3"]
args: ["/app/bi/connectors/discord/app.py", "worker", "-l", "info"]
env:
BIBOT_KAFKA__BROKER: bi-cluster-kafka-bootstrap:9092
BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
BIBOT_MONGODB__USER:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: username
BIBOT_MONGODB__PASSWORD:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: password
OPENAI_API_KEY: fake
BIBOT_DISCORD__TOKEN:
valueFrom:
secretKeyRef:
name: bibot
key: discord-token
## Prod:
BIBOT_DISCORD__CHANNELS: "1216440541064200192"
# Dev:
# BIBOT_DISCORD_CHANNELS: "1217418069693960223"
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
researcher:
containers:
main:
image:
repository: reg.dc/bi
tag: latest
pullPolicy: Always
env:
BIBOT_CONFIG: /config/bibot.yml
BIBOT_OPENAI__TEMPERATURE: "0.0"
BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
BIBOT_MONGODB__USER:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: username
BIBOT_MONGODB__PASSWORD:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: password
OPENWEATHERMAP_API_KEY:
valueFrom:
secretKeyRef:
name: bibot
key: OPENWEATHERMAP_API_KEY
PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
PHOENIX_PROJECT_NAME: bi
command: ["python3"]
args: ["/app/bi/agents/researcher/app.py", "worker", "-l", "info"]
mongoui:
containers:
main:
image:
repository: ugleiton/mongo-gui
tag: latest
pullPolicy: Always
env:
MONGO_URL:
valueFrom:
secretKeyRef:
name: bi-mongo-bi-bi
key: connectionString.standardSrv
persistence:
secret:
name: bibot
enabled: true
type: secret
config:
name: bibot-config
enabled: true
type: configMap
data:
size: 10Gi
type: persistentVolumeClaim
accessMode: ReadWriteOnce
service:
main:
controller: mongoui
ports:
http:
port: 4321
type: ClusterIP
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
enabled: true
hosts:
- host: mongo.dc
paths:
- path: /
service:
# name: main
identifier: main
port: 4321
tls:
- hosts:
- mongo.dc
secretName: mongo-tls


@ -1,50 +0,0 @@
ingress:
enabled: true
ingressClassName: "ingress-internal"
pathType: ImplementationSpecific
annotations:
cert-manager.io/cluster-issuer: vault-issuer
hosts:
- host: mongo.dc
paths:
- /
tls:
- secretName: mongo-express-tls
hosts:
- mongo.dc
## @param mongodbServer MongoDB host name or IP address
mongodbServer: bi-mongo-svc.bi.svc.cluster.local
## @param mongodbPort MongoDB port
mongodbPort: 27017
## @param mongodbEnableAdmin Enable administrator access
mongodbEnableAdmin: true
## @param mongodbAdminUsername Administrator username
mongodbAdminUsername: admin
## @param mongodbAdminPassword Administrator password
# mongodbAdminPassword: ""
## @param siteBaseUrl Set the express baseUrl to ease mounting at a subdirectory
siteBaseUrl: /
## @param basicAuthUsername Mongo Express web login name
basicAuthUsername: ""
## @param basicAuthPassword Mongo Express web login password
basicAuthPassword: ""
## @param existingSecret Name of existing Secret to use
existingSecret: "mongo-express"
## @param existingSecretKeyMongodbAdminPassword Key in existing Secret that contains administrator password
# existingSecretKeyMongodbAdminPassword: bi-mongo-admin-admin
## @param existingSecretKeyMongodbAuthPassword Key in existing Secret that contains database password
# existingSecretKeyMongodbAuthPassword: bi-mongo-admin-admin


@ -1,73 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: cloudflare-ddns-gnu
namespace: core
spec:
schedule: "*/15 * * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
spec:
containers:
- name: cloudflare-ddns
image: mirioeggmann/cloudflare-ddns:v0.5.1
envFrom:
- secretRef:
name: cloudflare-ddns-gnu
restartPolicy: OnFailure
---
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
annotations:
name: cloudflare-ddns-gnu
namespace: core
spec:
keys:
- API_TOKEN
- NAME
- RECORD_ID
- ZONE_ID
- PROXIED
path: heqet/core/cloudflare-ddns-gnu
type: Opaque
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: cloudflare-ddns-nold
namespace: core
spec:
schedule: "*/15 * * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
spec:
containers:
- name: cloudflare-ddns
image: mirioeggmann/cloudflare-ddns:v0.5.1
envFrom:
- secretRef:
name: cloudflare-ddns-nold
restartPolicy: OnFailure
---
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
annotations:
name: cloudflare-ddns-nold
namespace: core
spec:
keys:
- API_TOKEN
- NAME
- RECORD_ID
- ZONE_ID
- PROXIED
path: heqet/core/cloudflare-ddns-nold
type: Opaque


@ -42,40 +42,29 @@ apps:
namespace: ingress-internal
repoURL: https://kubernetes.github.io/ingress-nginx
chart: ingress-nginx
targetRevision: 4.11.1
targetRevision: 4.9.1
syncWave: '0'
- name: cilium
existingNamespace: kube-system
repoURL: https://helm.cilium.io
chart: cilium
targetRevision: 1.15.9
targetRevision: 1.15.1
- name: external-dns
repoURL: https://kubernetes-sigs.github.io/external-dns
chart: external-dns
targetRevision: 1.14.5
targetRevision: 1.14.3
secrets:
- name: cloudflare-api
keys:
- CF_API_TOKEN
- name: external-dns-adguard
repoURL: https://kubernetes-sigs.github.io/external-dns
chart: external-dns
targetRevision: 1.14.5
secrets:
- name: adguard-config
keys:
- ADGUARD_URL
- ADGUARD_USER
- ADGUARD_PASSWORD
- name: cert-manager
namespace: cert-manager
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.15.3
targetRevision: v1.14.2
secrets:
- name: cert-manager-vault-approle
keys:


@ -23,13 +23,7 @@ global:
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
logLevel: 2
leaderElection:
namespace: "cert-manager"
crds:
enabled: true
installCRDs: true
replicaCount: 1
strategy:


@ -1,104 +0,0 @@
# Default values for external-dns.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
repository: registry.k8s.io/external-dns/external-dns
tag: "v0.15.0"
pullPolicy: IfNotPresent
shareProcessNamespace: false
podSecurityContext:
fsGroup: 65534
securityContext:
runAsNonRoot: true
runAsUser: 65534
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
# Defaults to `ClusterFirst`.
# Valid values are: `ClusterFirstWithHostNet`, `ClusterFirst`, `Default` or `None`.
dnsPolicy:
serviceMonitor:
enabled: false
additionalLabels: {}
interval: 1m
scrapeTimeout: 10s
resources:
limits:
memory: 50Mi
cpu: 200m
requests:
memory: 50Mi
cpu: 10m
logLevel: info
logFormat: text
interval: 1m
triggerLoopOnEvent: false
sources:
- ingress
# - service
policy: upsert-only
registry: txt
txtOwnerId: ""
txtPrefix: ""
txtSuffix: ""
domainFilters:
- dc
#extraArgs:
deploymentStrategy:
type: Recreate
provider:
name: webhook
webhook:
image:
repository: ghcr.io/muhlba91/external-dns-provider-adguard
tag: latest
livenessProbe:
httpGet:
path: /healthz
port: 8888
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /healthz
port: 8888
initialDelaySeconds: 10
timeoutSeconds: 5
env:
- name: LOG_LEVEL
value: debug
- name: ADGUARD_URL
valueFrom:
secretKeyRef:
name: adguard-config
key: ADGUARD_URL
- name: ADGUARD_USER
valueFrom:
secretKeyRef:
name: adguard-config
key: ADGUARD_USER
- name: ADGUARD_PASSWORD
valueFrom:
secretKeyRef:
name: adguard-config
key: ADGUARD_PASSWORD
- name: SERVER_HOST
value: "0.0.0.0"
- name: DRY_RUN
value: "false"


@ -3,8 +3,8 @@
# Declare variables to be passed into your templates.
image:
repository: registry.k8s.io/external-dns/external-dns
tag: "v0.15.0"
repository: k8s.gcr.io/external-dns/external-dns
tag: "v0.13.4"
pullPolicy: IfNotPresent
shareProcessNamespace: false


@ -6,7 +6,7 @@ apps:
- name: crossplane
repoURL: https://charts.crossplane.io/stable
chart: crossplane
targetRevision: 1.16.0
targetRevision: 1.14.5
secrets:
- name: terraform
keys:


@ -1,7 +1,7 @@
---
image:
repository: ghcr.io/onedr0p/qbittorrent
tag: 4.6.7
tag: 4.6.3
ingress:
main:


@ -13,7 +13,7 @@ strategy:
image:
registry: codeberg.org
repository: forgejo/forgejo
tag: "7.0"
tag: "1.21"
rootless: true
podSecurityContext:


@ -3,7 +3,7 @@ image:
registry: "codeberg.org"
repository: forgejo/forgejo
# Overrides the image tag whose default is the chart appVersion.
tag: "1.21.11-0"
tag: "1.21.5-0"
pullPolicy: Always
rootless: true


@ -5,17 +5,26 @@ apps:
- name: kube-prometheus-stack
repoURL: https://prometheus-community.github.io/helm-charts
chart: kube-prometheus-stack
targetRevision: 60.5.0
targetRevision: 55.11.0
secrets:
- name: grafana
keys:
- admin-password
- admin-user
helm:
skipCrds: true
- name: kube-prometheus-crds
repoURL: https://github.com/prometheus-community/helm-charts.git
path: charts/kube-prometheus-stack/crds/
targetRevision: kube-prometheus-stack-46.8.0
directory:
recurse: true
syncPolicy:
syncOptions:
- ServerSideApply=true
- Replace=true
# - name: loki-stack
# repoURL: https://grafana.github.io/helm-charts
# chart: loki-stack
# targetRevision: 2.10.2
- name: loki-stack
repoURL: https://grafana.github.io/helm-charts
chart: loki-stack
targetRevision: 2.10.1
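Review bot: The added `kube-prometheus-crds` app takes its CRDs from the `kube-prometheus-stack-46.8.0` tag, while the chart entry above it is on a much later major version and now sets `skipCrds: true`, so the operator would run against CRDs older than the chart expects. Keep the two in step by pointing the CRD app at the tag that matches the chart, `targetRevision: kube-prometheus-stack-<chart-version>` (placeholder). The hunk sizes (17 lines to 26) show these entries are additions. It is also worth a comment on the `syncOptions`, since `ServerSideApply=true` and `Replace=true` are both set and, as far as I recall from the Argo CD documentation, `Replace` takes precedence: `# Replace wins over ServerSideApply; CRDs are replaced, not patched`.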

File diff suppressed because it is too large Load diff


@ -2,7 +2,7 @@ loki:
enabled: true
image:
repository: grafana/loki
tag: 3.2.1
tag: 2.9.4
promtail:
enabled: true


@ -8,7 +8,7 @@ nodeExporter:
enabled: true
image:
repository: quay.io/prometheus/node-exporter
tag: v1.8.2
tag: v1.7.0
hostNetwork: true
hostPID: true
@ -24,7 +24,7 @@ server:
enabled: true
image:
repository: quay.io/prometheus/prometheus
tag: v2.54.1
tag: v2.49.1
strategy:
type: Recreate


@ -4,7 +4,7 @@ controllers:
main:
image:
repository: homeassistant/home-assistant
tag: "2024.10"
tag: "2024.2"
env:
TZ: Europe/Berlin


@ -1,6 +1,6 @@
image:
repository: influxdb
tag: 2.7.10-alpine
tag: 2.7.5-alpine
pullPolicy: IfNotPresent
## If specified, use these secrets to access the images
# pullSecrets:


@ -172,7 +172,7 @@ sidecar:
# -- The image repository to pull from
repository: kiwigrid/k8s-sidecar
# -- The image tag to pull, default: `1.23.1`
tag: 1.28.0
tag: 1.25.4
# -- The image pull policy, default: `IfNotPresent`
pullPolicy: IfNotPresent
# -- The extra volume mounts for the sidecar


@ -33,7 +33,7 @@ configMaps:
format=json
logfile=/dev/stdout
donotprobe=/dev/ttyACM0
shell=/usr/bin/mosquitto_pub -h 192.168.1.20 -t wmbusmeters/"$METER_ID" -m "$METER_JSON"
shell=/usr/bin/mosquitto_pub -h mqtt.lan -t wmbusmeters/"$METER_ID" -m "$METER_JSON"
ignoreduplicates=false
meters:


@ -4,7 +4,7 @@ apps:
- name: homer
repoURL: https://djjudas21.github.io/charts
chart: homer
targetRevision: 8.1.12
targetRevision: 8.1.9
include:
- ingress-internal
- noRoot


@ -1,6 +1,6 @@
image:
repository: b4bz/homer
tag: v24.10.1
tag: v23.10.1
initContainers:
clone-assets:


@ -13,5 +13,5 @@ apps:
- name: ingress-external
repoURL: https://kubernetes.github.io/ingress-nginx
chart: ingress-nginx
targetRevision: 4.11.1
targetRevision: 4.9.1
syncWave: '0'


@ -1,6 +1,6 @@
image:
repository: eclipse-mosquitto
tag: 2.0.20
tag: 2.0.18
service:
main:


@ -1,6 +1,6 @@
image:
repository: koenkk/zigbee2mqtt
tag: 1.40.2
tag: 1.35.3
service:
main:


@ -1,11 +1,5 @@
config:
desc: Music Streaming
networkPolicy:
groups:
- internet
labels:
environment: external
apps:
- name: navidrome


@ -1,6 +1,6 @@
image:
repository: ghcr.io/navidrome/navidrome
tag: 0.53.3
tag: 0.51.1
env:
TZ: "Europe/Amsterdam"
@ -26,26 +26,20 @@ service:
ingress:
main:
enabled: true
ingressClassName: "ingress-external"
labels:
environment: external
ingressClassName: "ingress-internal"
annotations:
#cert-manager.io/cluster-issuer: vault-issuer
nginx.ingress.kubernetes.io/proxy-body-size: 20G
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/hostname: music.nold.in
external-dns.alpha.kubernetes.io/target: nold.in
external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
cert-manager.io/cluster-issuer: vault-issuer
traefik.ingress.kubernetes.io/router.tls: 'true'
hosts:
- host: music.nold.in
- host: music.dc
paths:
- path: /
pathType: Prefix
tls:
- secretName: music-ext-tls
- secretName: music-tls
hosts:
- music.nold.in
- music.dc
podSecurityContext:
runAsUser: 568


@ -5,16 +5,18 @@ config:
- internet
rules:
- allow-minio
- allow-localai
labels:
environment: external
apps:
- name: nextcloud
repoURL: https://nextcloud.github.io/helm
chart: nextcloud
targetRevision: 5.2.0
#repoURL: https://nextcloud.github.io/helm
#chart: nextcloud
#targetRevision: 3.1.0
repoURL: https://github.com/Nold360/nextcloud-helm
targetRevision: f/multifix
path: charts/nextcloud
secrets:
- name: nextcloud-user
keys:
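Review bot: `targetRevision: f/multifix` makes the Nextcloud chart follow a mutable branch of `https://github.com/Nold360/nextcloud-helm`, so anything pushed to that branch is rendered into the cluster on the next sync with no change in this repository. The hunk sizes (16 lines to 18) indicate the fork lines are the new side and the upstream `nextcloud.github.io/helm` entry is the one being commented out. Pin the revision to a commit, `targetRevision: <full-commit-sha>` (placeholder), and add a comment such as `# fork of nextcloud/helm; switch back to upstream once the multifix changes are released`. The app entry continues past the end of this hunk.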


@ -1,9 +1,9 @@
image:
tag: 29-fpm
tag: 25-fpm
pullPolicy: Always
nextcloud:
host: share.nold.in
host: share.gnu.one
extraEnv:
- name: HTTP_PROXY
value: http://proxy-squid.proxy.svc.cluster.local:3128
@ -76,43 +76,17 @@ ingress:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.tls: 'true'
kubernetes.io/ingress.class: ingress-external
external-dns.alpha.kubernetes.io/hostname: share.nold.in
external-dns.alpha.kubernetes.io/target: nold.in
external-dns.alpha.kubernetes.io/hostname: share.gnu.one
external-dns.alpha.kubernetes.io/target: gnu.one
external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
nginx.ingress.kubernetes.io/server-snippet: |-
server_tokens off;
proxy_hide_header X-Powered-By;
rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
deny all;
}
tls:
- secretName: nextcloud-tls
hosts:
- share.nold.in
- share.gnu.one
nginx:
enabled: true
containerPort: 8080
cronjob:
enabled: false
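Review bot: Removing the `nginx.ingress.kubernetes.io/server-snippet` annotation in the second hunk also removes the `deny all` rules for `/(build|tests|config|lib|3rdparty|templates|data)/` and `/(autotest|occ|issue|indie|db_|console)`, while the ingress stays on `kubernetes.io/ingress.class: ingress-external`. The hunk sizes (43 lines down to 17) indicate the snippet is on the removed side, and nothing visible in this section re-adds those blocks. Before merging, confirm that the web server in front of the `fpm` image denies the same paths, and record it next to the annotations, for example `# internal Nextcloud paths are denied by the chart's nginx config, not by the ingress`. The first hunk's `25-fpm` tag with `pullPolicy: Always` deserves the same check if it is the new side, since the hunk counts alone do not settle which tag line is new.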


@ -9,7 +9,7 @@ image:
# -- image repository
repository: octoprint/octoprint
# -- image tag
tag: 1.10.2-minimal
tag: 1.9.3-minimal
# -- image pull policy
pullPolicy: IfNotPresent

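--- /dev/null
+++ b/projects/ovos/lai.sh
@@ -0,0 +1,14 @@
+LOCALAI=https://ai.dc
+if [ "$1" == "search" ] ; then
+curl ${LOCALAI}/models/available | jq ".[] | select(.name | contains(\"${2}\")) | .name"
+elif [ "$1" == "apply" ] ; then
+STATUS_URL=$(curl -q $LOCALAI/models/apply -H "Content-Type: application/json" -d "{ \"id\": \"${2}\" }" | jq -r .status)
+STATUS=$(curl -q $STATUS_URL | jq -r .message)
+while [ "$STATUS" != "completed" ] ; do
+STATUS=$(curl -q $STATUS_URL | jq -r .message)
+echo $STATUS
+sleep 5
+done
+elif [ "$1" == "list" ] ; then
+curl -q $LOCALAI/models | jq .
+fi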
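Review bot: `${2}` is spliced directly into the jq program in the `search` branch and into the JSON body in the `apply` branch, so a model name containing a quote or backslash alters the filter or produces an invalid request. Pass it as data instead: `jq --arg q "$2" '.[] | select(.name | contains($q)) | .name'` and `-d "$(jq -n --arg id "$2" '{id: $id}')"`. The polling loop exits only on `completed`, so a failed job or an empty `.status` value loops forever; bound the retries, stop on an error message, and quote `"$STATUS_URL"`, which comes from the server response. The file has no shebang yet uses `==` inside `[ ]`, which is a bashism, so add `#!/usr/bin/env bash` or use `=`. Finally, `curl -q` only disables the curlrc file; `-fsS` is what gives quiet output and a non-zero exit on HTTP errors.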


@ -0,0 +1,13 @@
config:
description: OpenVoice OS Services
apps:
- name: ovos-tts-server
repo: bjw-s
chart: app-template
targetRevision: 2.4.0
- name: ovos-stt-server
repo: bjw-s
chart: app-template
targetRevision: 2.4.0


@ -0,0 +1,68 @@
controllers:
main:
containers:
main:
image:
repository: smartgic/ovos-stt-server-fasterwhisper
tag: alpha
pullPolicy: Always
env:
## VECTOR_DB: "lancedb"
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
hosts:
- host: ovos-stt-server.dc
paths:
- path: /
service:
name: main
port: http
tls:
- hosts:
- ovos-stt-server.dc
secretName: ovos-stt-server-tls
configMaps:
config:
enabled: true
data:
mycroft.conf: |
{
"stt": {
"module": "ovos-stt-plugin-fasterwhisper",
"ovos-stt-plugin-fasterwhisper": {
"model": "medium",
"cpu_threads": 8
}
}
}
persistence:
config:
type: configMap
enabled: true
name: ovos-stt-server-config
advancedMounts:
main:
main:
- path: /home/ovos/.config/mycroft/mycroft.conf
readOnly: true
subPath: mycroft.conf
securityContext:
privileged: false
service:
main:
ports:
http:
enabled: true
port: 8080
type: ClusterIP
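Review bot: `tag: alpha` combined with `pullPolicy: Always` means any pod restart can pull a different, unreviewed build of `smartgic/ovos-stt-server-fasterwhisper`; the ovos-tts-server values file added in the next section has the same pair. Pin the image by digest, for example `tag: alpha@sha256:<digest>` (placeholder, or whichever digest field the chart offers), so Renovate can raise updates as reviewable commits. `env:` holds only a comment and therefore parses as null; write `env: {}` or drop the key. The `securityContext` sets only `privileged: false`, so consider also stating `runAsNonRoot: true` and `allowPrivilegeEscalation: false` if the image runs as the `ovos` user that its mount paths suggest.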


@ -0,0 +1,75 @@
controllers:
main:
containers:
main:
image:
repository: docker.io/smartgic/ovos-tts-server-piper
tag: alpha
pullPolicy: Always
env:
# GID='1000'
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
enabled: true
hosts:
- host: ovos-tts-server.dc
paths:
- path: /
service:
name: main
port: http
tls:
- hosts:
- ovos-tts-server.dc
secretName: ovos-tts-server-tls
configMaps:
config:
enabled: true
data:
mycroft.conf: |
{
"tts": {
"module": "ovos-tts-plugin-piper",
"ovos-tts-plugin-piper": {
"model": "alan-low"
}
}
}
persistence:
data:
type: persistentVolumeClaim
enabled: true
size: 2Gi
storageClass: ssd
accessMode: ReadWriteOnce
globalMounts:
- path: /home/ovos/.local/share/piper_tts
config:
type: configMap
enabled: true
name: ovos-tts-server-config
advancedMounts:
main:
main:
- path: /home/ovos/.config/mycroft/mycroft.conf
readOnly: true
subPath: mycroft.conf
securityContext:
privileged: false
service:
main:
ports:
http:
enabled: true
port: 9666
type: ClusterIP
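Review bot: The `securityContext` here sets only `privileged: false`, which still lets the container run as root with the default capability set and a writable root filesystem; the ovos-stt-server values carry the same block. The wyoming-piper and wyoming-whisper values in this compare already use a fuller profile, so the same keys could be added here if the image tolerates them: `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`. Indentation is lost in this view, so whether the block sits at container or pod level could not be checked; `privileged` is only valid in a container-level security context.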


@ -15,7 +15,7 @@ ingress:
- paperless.dc
image:
repository: ghcr.io/paperless-ngx/paperless-ngx
tag: 2.12.1
tag: 2.5.3
pullPolicy: IfNotPresent
# -- See the following files for additional environment variables:


@ -1,85 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: searxng-config
namespace: searxng
data:
settings.yml: |
---
use_default_settings:
engines:
remove:
- soundcloud
server:
limiter: false
image_proxy: false
search:
default_lang: en
formats:
- html
- json
# autocomplete: google
general:
instance_name: HiveSearch
ui:
static_use_hash: true
default_theme: simple
theme_args:
simple_style: dark
infinite_scroll: true
results_on_new_tab: true
enabled_plugins:
- Basic Calculator
- Hash plugin
- Hostname replace
- Open Access DOI rewrite
- Self Informations
- Tracker URL remover
- Unit converter plugin
hostname_replace:
(www\.)?reddit\.com$: redlib.rostvik.site
limiter.toml: |
[real_ip]
# Number of values to trust for X-Forwarded-For.
x_for = 1
# The prefix defines the number of leading bits in an address that are compared
# to determine whether or not an address is part of a (client) network.
ipv4_prefix = 32
ipv6_prefix = 48
[botdetection.ip_limit]
# To get unlimited access in a local network, by default link-lokal addresses
# (networks) are not monitored by the ip_limit
filter_link_local = true
# activate link_token method in the ip_limit method
link_token = false
[botdetection.ip_lists]
# In the limiter, the ip_lists method has priority over all other methods -> if
# an IP is in the pass_ip list, it has unrestricted access and it is also not
# checked if e.g. the "user agent" suggests a bot (e.g. curl).
block_ip = [
]
pass_ip = [
'10.0.0.0/24', # IPv4 private network
]
# Activate passlist of (hardcoded) IPs from the SearXNG organization,
# e.g. `check.searx.space`.
pass_searxng_org = false


@ -1,13 +0,0 @@
config:
description: Local Meta Search
apps:
- name: searxng
repo: bjw-s
chart: app-template
targetRevision: 3.2.1
secrets:
- name: searxng
keys:
- SEARXNG_SECRET


@ -1,97 +0,0 @@
controllers:
app:
replicas: 1
strategy: RollingUpdate
containers:
app:
image:
repository: searxng/searxng
tag: 2024.5.16-2f2d93b29
env:
BASE_URL: https://search.dc
AUTOCOMPLETE: "false"
INSTANCE_NAME: "HiveSearch"
envFrom:
- secretRef:
name: searxng
# probes:
# liveness:
# enabled: true
# custom: true
# spec:
# httpGet:
# path: /stats
# port: 8080
# initialDelaySeconds: 0
# periodSeconds: 10
# timeoutSeconds: 1
# failureThreshold: 3
# readiness:
# enabled: true
# custom: true
# spec:
# httpGet:
# path: /stats
# port: 8080
# initialDelaySeconds: 0
# periodSeconds: 10
# timeoutSeconds: 1
# failureThreshold: 3
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL
add:
- CHOWN
- SETGID
- SETUID
- DAC_OVERRIDE
resources:
requests:
cpu: 10m
limits:
memory: 3Gi
service:
app:
controller: app
ports:
http:
port: 8080
persistence:
config:
type: configMap
name: searxng-config
advancedMounts:
app:
app:
- path: /etc/searxng/settings.yml
subPath: settings.yml
readOnly: true
- path: /etc/searxng/limiter.toml
subPath: limiter.toml
readOnly: true
ingress:
app:
# className: ingress-internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
hosts:
- host: search.dc
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- search.dc
secretName: searxng-tls


@ -11,7 +11,7 @@ apps:
namespace: s3
repoURL: https://charts.min.io
chart: minio
targetRevision: 5.2.0
targetRevision: 5.0.15
secrets:
- name: minio-root
keys:
@ -22,22 +22,10 @@ apps:
namespace: cnpg-system
repoURL: https://cloudnative-pg.github.io/charts
chart: cloudnative-pg
targetRevision: 0.21.6
targetRevision: 0.20.1
- name: redis-operator
repoURL: https://ot-container-kit.github.io/helm-charts
namespace: redis-operator
chart: redis-operator
targetRevision: 0.16.4
- name: kafka-operator
repoURL: https://strimzi.io/charts
namespace: kafka-operator
chart: strimzi-kafka-operator
targetRevision: 0.41.0
- name: mongodb-operator
repoURL: https://mongodb.github.io/helm-charts
namespace: mongodb-operator
chart: community-operator
targetRevision: 0.10.0
targetRevision: 0.15.9


@ -1 +0,0 @@
watchAnyNamespace: true


@ -1,19 +0,0 @@
operator:
watchNamespace: "*"
resources:
limits:
cpu: 1100m
memory: 1Gi
requests:
cpu: 100m
memory: 100Mi
replicas: 1
podSecurityContext:
runAsNonRoot: true
runAsUser: 2000
securityContext: {}
community-operator-crds:
enabled: true


@ -4,37 +4,67 @@
# Name of the image repository to pull the container image from.
image:
repository: ghcr.io/ot-container-kit/redis-operator/redis-operator
repository: quay.io/spotahome/redis-operator
pullPolicy: IfNotPresent
#tag: v1.2.4
tag: v1.2.4
imageCredentials:
create: false
registry: url.private.registry
username: someone
password: somepassword
email: someone@example.com
# Use exists secrets in namespace
existsSecrets:
- registrysecret
updateStrategy:
type: RollingUpdate
replicas: 1
# A name in place of the chart name for `app:` labels.
nameOverride: ""
# A name to substitute for the full names of resources.
fullnameOverride: ""
serviceAccount:
# Enable service account creation.
create: true
# Annotations to be added to the service account.
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
service:
type: ClusterIP
port: 9710
container:
port: 9710
# Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details.
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
# Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details.
# @default -- No requests or limits.
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 500m
memory: 500Mi
certificate:
secretName: redis-operator-tls
certmanager:
enabled: false
cpu: 100m
memory: 128Mi
### Monitoring
###############
monitoring:
# Enable Prometheus PodMonitor to monitor the operator.
enabled: false
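Review bot: The `imageCredentials` block puts literal `username` and `password` values in a values file tracked in git; they are placeholders and `create: false` keeps them unused, but flipping that flag later would turn whatever is typed here into a committed registry credential. Remove the inline fields and rely on `existsSecrets` so the pull secret is only ever referenced by name. Separately, `repository: quay.io/spotahome/redis-operator` names a different project from the `ot-container-kit` chart the app list in this compare still points at, assuming that line is on the new side (the +/- markers are lost in this view), so it is worth confirming these values match the chart being installed.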


@ -0,0 +1,13 @@
config:
description: STT & TTS Services
apps:
- name: whisper
repo: bjw-s
chart: app-template
targetRevision: 1.5.0
- name: piper
repo: bjw-s
chart: app-template
targetRevision: 1.5.0


@ -0,0 +1,55 @@
image:
repository: rhasspy/wyoming-piper
tag: latest
pullPolicy: Always
args:
- --voice
# - en-US-danny-low
- en-us-lessac-low
service:
main:
type: ClusterIP
# externalTrafficPolicy: Local
# annotations:
# metallb.universe.tf/allow-shared-ip: iot
# metallb.universe.tf/address-pool: iot
ports:
http:
enabled: false
tcp:
enabled: true
port: 10200
protocol: TCP
primary: true
persistence:
data:
enabled: true
type: pvc
mountPath: /data
accessMode: ReadWriteOnce
storageClass: ssd
size: 10Gi
tmp:
enabled: true
type: emptyDir
mountPath: /tmp
podSecurityContext:
runAsUser: 1001
runAsGroup: 10000
fsGroup: 10000
securityContext:
runAsUser: 1001
runAsGroup: 10000
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL


@ -0,0 +1,55 @@
image:
repository: rhasspy/wyoming-whisper
tag: latest
pullPolicy: Always
args:
- --model
# - medium-int8
- small-int8
- --language
- en
env:
OMP_NUM_THREADS: "8"
service:
main:
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
metallb.universe.tf/allow-shared-ip: iot
metallb.universe.tf/address-pool: iot
ports:
http:
enabled: false
tcp:
enabled: true
port: 10300
protocol: TCP
primary: true
persistence:
data:
enabled: true
type: pvc
mountPath: /data
accessMode: ReadWriteOnce
storageClass: ssd
size: 10Gi
podSecurityContext:
runAsUser: 1001
runAsGroup: 10000
fsGroup: 10000
securityContext:
runAsUser: 1001
runAsGroup: 10000
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
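Review bot: The service is published as `type: LoadBalancer` on the `iot` MetalLB pool, whereas the piper values in this compare keep the same kind of listener on `ClusterIP`; as far as I know the Wyoming protocol on port 10300 carries no authentication, so anything that can route to that address can use the service. If it must be reachable from outside the cluster, limit who can connect with a NetworkPolicy on the pod or the Service field `loadBalancerSourceRanges` (if this chart version passes it through). With `readOnlyRootFilesystem: true` and no `tmp` emptyDir (piper has one), writes to `/tmp` will fail, so confirm the image does not need it.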


@ -5,7 +5,7 @@ apps:
- name: vault
repoURL: https://helm.releases.hashicorp.com
chart: vault
targetRevision: 0.28.1
targetRevision: 0.27.0
syncWave: '-3'
ignoreDiff:
- group: "*"
@ -18,5 +18,5 @@ apps:
namespace: vault-secrets-operator
repoURL: https://ricoberger.github.io/helm-charts
chart: vault-secrets-operator
targetRevision: 2.5.10
targetRevision: 2.5.6
syncWave: '-2'


@ -5,13 +5,13 @@ global:
enable: false
injector:
enabled: false
enabled: true
server:
enabled: true
image:
repository: "hashicorp/vault"
tag: "1.18.0"
tag: "1.15.5"
auditStorage:
accessMode: ReadWriteOnce
annotations: {}
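Review bot: The server image tag ends up lower than it started (`1.18.0` to `1.15.5`, going by print order since the +/- markers are lost here) and the injector is switched to `enabled: true`, and neither fits a commit titled as a PostgreSQL image update. If the branch is simply behind its base, rebase it before merging; applied as shown, this would roll Vault back three minor releases, and Vault gives no backward-compatibility guarantee for its storage when an older binary is started on data written by a newer one. Enabling the agent injector also adds a mutating admission webhook to the cluster, so it should be a deliberate change with its own review.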


@ -1,16 +0,0 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: allow-kubeapi
namespace: woodpecker
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: agent
egress:
- toEntities:
- kube-apiserver
- toPorts:
- ports:
- port: "6443"
protocol: TCP


@ -6,8 +6,6 @@ config:
networkPolicy:
groups:
- internet
rules:
- allow-agent
labels:
environment: external
@ -15,7 +13,7 @@ config:
apps:
- name: woodpecker-server
path: charts/woodpecker/charts/server
path: charts/server
secrets:
- name: github-oauth
keys:
@ -26,11 +24,8 @@ apps:
- WOODPECKER_AGENT_SECRET
- name: woodpecker-agent
path: charts/woodpecker/charts/agent
namespace: woodpecker-agent
networkPolicy:
rules:
- allow-agent
path: charts/agent
secrets:
- name: woodpecker-secret
fromApp: woodpecker-server
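Review bot: The `woodpecker-agent` app loses `namespace: woodpecker-agent` and its `allow-agent` network-policy rule (the hunk header gives 11 old and 8 new lines, so these look like removals), but the agent values in this compare still set `WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent`. Pipeline pods would then be created in a namespace this project no longer declares or covers with a policy, and the agent's RBAC would have to reach across namespaces. Either keep the `namespace:` key and a matching policy rule on the app, or point the backend namespace at the namespace the agent is actually deployed into.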


@ -0,0 +1,45 @@
replicaCount: 2
image:
registry: docker.io
repository: woodpeckerci/woodpecker-agent
pullPolicy: Always
tag: "next"
env:
WOODPECKER_SERVER: "woodpecker-server.woodpecker.svc.cluster.local:9000"
WOODPECKER_BACKEND: kubernetes
WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ssd"
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 1G
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
dind:
enabled: false
extraSecretNamesForEnvFrom:
- woodpecker-secret
serviceAccount:
create: true
rbac:
create: true
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
resources:
limits:
cpu: 4000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi


@ -1,56 +0,0 @@
# -- The number of replicas for the deployment
replicaCount: 2
image:
registry: docker.io
repository: woodpeckerci/woodpecker-agent
pullPolicy: Always
tag: 'next'
env:
# -- Add the environment variables for the agent component
WOODPECKER_SERVER: 'woodpecker-server.woodpecker.svc.cluster.local:9000'
WOODPECKER_BACKEND: kubernetes
WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: 'ssd'
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
WOODPECKER_BACKEND_K8S_POD_LABELS: ''
WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: ''
WOODPECKER_CONNECT_RETRY_COUNT: '1'
# -- Add extra secret that is contains environment variables
extraSecretNamesForEnvFrom:
- woodpecker-secret
persistence:
enabled: true
size: 1Gi
storageClass: 'ssd'
accessModes:
- ReadWriteOnce
# -- Add pod security context
podSecurityContext:
runAsUser: 1000
runAsGroup: 2000
fsGroup: 2000
# -- Add security context
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 2000
# -- Specifies the resources for the agent component
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 10m
memory: 10Mi


@ -1,16 +1,15 @@
statefulSet:
replicaCount: 1
updateStrategy:
type: RollingUpdate
replicaCount: 1
image:
registry: docker.io
repository: woodpeckerci/woodpecker-server
pullPolicy: Always
tag: 'next'
# Overrides the image tag whose default is the chart appVersion.
tag: "next"
dind:
enabled: false
# -- Add environment variables for the server component
env:
WOODPECKER_OPEN: "false"
WOODPECKER_ADMIN: "Nold360"
@ -26,20 +25,15 @@ env:
no_proxy: localhost,.cluster.local,10.43.0.1
# -- Add extra environment variables from the secrets list
extraSecretNamesForEnvFrom:
- woodpecker-secret
- github-oauth
# -- Create a generic secret to store things in, e.g. env values
secrets:
- name: woodpecker-store
- github-oauth
- woodpecker-secret
persistentVolume:
enabled: true
size: 10Gi
mountPath: '/var/lib/woodpecker'
storageClass: ''
mountPath: "/var/lib/woodpecker"
storageClass: "local-path"
podSecurityContext:
fsGroup: 2000
@ -52,6 +46,10 @@ securityContext:
runAsNonRoot: true
runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: true
ingressClassName: ingress-external
@ -74,7 +72,6 @@ ingress:
hosts:
- ci.nold.in
# -- Specifies the ressources for the server component
resources:
limits:
cpu: 500m


@ -5,7 +5,7 @@ apps:
- name: argo-workflows
repoURL: https://argoproj.github.io/argo-helm
chart: argo-workflows
targetRevision: 0.41.11
targetRevision: 0.40.11
# secrets:
# - name: argocd-secret
# keys:


@ -141,22 +141,3 @@ networkPolicy:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/project: argocd
# Allow access to internet proxy
allow-localai:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 80
protocol: TCP
- port: 8080
protocol: TCP
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: local-ai
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/project: ai