alex/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: alex:a93b432adf1ff8991c7ec43d678ae9bf19316f5e
Branches Tags
alex:main
...
compare: alex:fb0376e0b98fe1938721a82eb9f4c099beb01f38
Branches Tags
alex:main

60 Commits
a93b432adf ... fb0376e0b9

Author SHA1 Message Date
Alex Mickelson
fb0376e0b9 home videos
Some checks failed
Apply Kuberentes Configs / update-repo (push) Has been cancelled
Details
Apply Kuberentes Configs / update-infrastructure (push) Has been cancelled
Details
Update home server containers / update-repo (push) Failing after 0s
Details
Update home server containers / update-infrastructure (push) Has been skipped
Details
2026-01-24 15:36:48 -07:00
Alex Mickelson
5a7679d53d gitea with a runner 2026-01-24 15:35:39 -07:00
Alex Mickelson
653200201f updates 2026-01-24 14:54:10 -07:00
Alex Mickelson
a8668c325d kubectl 2026-01-24 14:22:55 -07:00
Alex Mickelson
eb6c9e7b10 firewall chanegs, kube changes 2026-01-24 14:18:13 -07:00
Alex Mickelson
adc40a0ab3 url change 2026-01-24 13:07:27 -07:00
Alex Mickelson
4ebc3e93c2 Merge branch 'main' of github.com:alexmickelson/infrastructure 2026-01-24 12:47:43 -07:00
Alex Mickelson
20358f4e3b updates 2026-01-24 12:47:39 -07:00
Alex Mickelson
d58661ebd4 trying 2026-01-23 14:34:13 -07:00
Alex Mickelson
fdd7420fdb Merge branch 'main' of github.com:alexmickelson/infrastructure 2026-01-22 14:10:58 -07:00
Alex Mickelson
929d32724f lfs 2026-01-22 14:07:56 -07:00
Alex Mickelson
4d49f57aa2 amd 2026-01-16 14:50:23 -07:00
Alex Mickelson
86bf7971b2 updates 2026-01-10 16:20:16 -07:00
Alex Mickelson
dadabdb1bb adb stuff 2026-01-10 14:44:40 -07:00
Alex Mickelson
293ec63b75 testing 2026-01-08 10:05:48 -07:00
Alex Mickelson
88c1b9eb68 ghostty configs 2026-01-07 20:10:20 -07:00
Alex Mickelson
f8f793fea3 ghostty home 2026-01-07 19:57:58 -07:00
Alex Mickelson
7766fd10b9 zen stuff 2026-01-07 15:03:37 -07:00
Alex Mickelson
409074f3bf k3s 2026-01-07 11:56:57 -07:00
Alex Mickelson
ec0b25779f ghostty 2026-01-07 11:49:25 -07:00
Alex Mickelson
096d8c7a3e updates 2026-01-07 09:17:19 -07:00
Alex Mickelson
909c72a310 ghostty config 2026-01-06 14:25:41 -07:00
Alex Mickelson
ee632f7ea9 updates 2026-01-06 12:32:17 -07:00
Alex Mickelson
b527582b9d zip 2026-01-05 22:53:52 -07:00
Alex Mickelson
7e5ff0be42 yubal 2026-01-05 19:51:45 -07:00
Alex Mickelson
8019972d36 no metatube 2026-01-05 19:50:29 -07:00
Alex Mickelson
2bfe7ddbc2 Merge branch 'main' of github.com:alexmickelson/infrastructure 2026-01-05 19:43:36 -07:00
Alex Mickelson
ccad019fdc metatube 2026-01-05 19:43:31 -07:00
Alex Mickelson
7d901d47da updates 2026-01-05 16:04:41 -07:00
Alex Mickelson
2dd792206b nexusmods 2026-01-04 18:44:05 -07:00
Alex Mickelson
7afbdaa5d9 fwupd 2026-01-04 16:50:04 -07:00
Alex Mickelson
9c13eaf3b3 Merge branch 'main' of github.com:alexmickelson/infrastructure 2026-01-03 19:34:33 -07:00
Alex Mickelson
d12f4f87f8 updates 2026-01-03 19:34:23 -07:00
Alex Mickelson
64fd6707d5 updates 2026-01-03 12:59:00 -07:00
Alex Mickelson
661d781e78 updated note 2026-01-02 17:54:22 -07:00
Alex Mickelson
0b798efb68 working helm config 2026-01-02 17:50:38 -07:00
Alex Mickelson
97ac6d224b refactoring proxy ingress to use endpointslice 2026-01-02 16:29:49 -07:00
Alex Mickelson
dae82f8971 helm ingress noted 2026-01-02 16:23:03 -07:00
Alex Mickelson
84340e86cd send to jellyfin 2026-01-02 16:19:36 -07:00
Alex Mickelson
bd04e3a2d1 send to jellyfin 2026-01-02 16:18:22 -07:00
Alex Mickelson
b765566f94 helm ingress noted 2026-01-02 16:13:45 -07:00
Alex Mickelson
34d9be2c20 helm stuff 2026-01-02 16:03:20 -07:00
Alex Mickelson
52718cc43b helm stuff 2026-01-02 16:02:05 -07:00
Alex Mickelson
b882fe4a20 helm stuff 2026-01-02 16:00:31 -07:00
Alex Mickelson
3b8e6410ef copilot ingress 2026-01-02 15:36:40 -07:00
Alex Mickelson
e5d7725ced ingressclass 2026-01-02 14:34:19 -07:00
Alex Mickelson
bc803bd624 paths 2026-01-02 14:31:32 -07:00
Alex Mickelson
de71f8ec2a env 2026-01-02 14:09:50 -07:00
Alex Mickelson
5197568e43 amature mispell 2026-01-02 14:06:18 -07:00
Alex Mickelson
6c88dd243d pathing 2026-01-02 14:05:29 -07:00
Alex Mickelson
00ffb6dfbc zfs 2026-01-02 14:03:02 -07:00
Alex Mickelson
d29c5edf47 kubeclt for runner 2026-01-02 14:00:48 -07:00
Alex Mickelson
094aa7efd2 changes 2026-01-02 13:57:00 -07:00
Alex Mickelson
e0093b0e53 changes 2025-12-31 10:02:57 -07:00
Alex Mickelson
2ab9f380ae vars 2025-12-19 16:23:16 -07:00
Alex Mickelson
385a18445b ovmf 2025-12-19 16:20:03 -07:00
Alex Mickelson
508e1c8a11 ovmf 2025-12-19 16:19:19 -07:00
Alex Mickelson
1d8d287a1e ovmf 2025-12-19 16:09:03 -07:00
Alex Mickelson
c9ecf78f73 Merge branch 'main' of github.com:alexmickelson/infrastructure 2025-12-19 15:46:14 -07:00
Alex Mickelson
a5855d61c9 bluetui 2025-12-19 15:46:08 -07:00
36 changed files with 710 additions and 1048 deletions
Expand all files Collapse all files

36
.github/workflows/apply-kubernetes.yml vendored Normal file
View File

@@ -0,0 +1,36 @@
name: Apply Kuberentes Configs
on: [push, workflow_dispatch]
jobs:
update-repo:
runs-on: [home-server]
steps:
- name: checkout repo
working-directory: /home/github/infrastructure
run: |
if [ -d "infrastructure" ]; then
cd infrastructure
echo "Infrastructure folder exists. Resetting to the most recent commit."
git reset --hard HEAD
git pull https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} $(git rev-parse --abbrev-ref HEAD)
else
git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
fi
update-infrastructure:
runs-on: [home-server]
needs: update-repo
steps:
- name: update home server containers
env:
KUBECONFIG: /home/github/.kube/config
MY_GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
HOMEASSISTANT_TOKEN: ${{ secrets.HOMEASSISTANT_TOKEN }}
GRAFANA_PASSWORD: ${{ secrets.GRAFANA_PASSWORD }}
CLOUDFLARE_CONFIG: ${{ secrets.CLOUDFLARE_CONFIG }}
COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }}
working-directory: /home/github/infrastructure/infrastructure
run: |
# kubectl apply -f kubernetes/ingress
kubectl apply -f kubernetes/proxy-ingress
kubectl annotate ingressclass nginx \
ingressclass.kubernetes.io/is-default-class="true" --overwrite

6
.github/workflows/beets-sync.yml vendored
View File

@@ -1,8 +1,8 @@
name: Beets
on:
schedule:
# Run 4 times a day: 6am, 12pm, 6pm, 12am UTC
- cron: '0 6,12,18,0 * * *'
# schedule:
# # Run 4 times a day: 6am, 12pm, 6pm, 12am UTC
# - cron: '0 6,12,18,0 * * *'
workflow_dispatch: # Allow manual trigger
jobs:

4
README.md
View File

@@ -1,6 +1,10 @@
![home server update](https://github.com/alexmickelson/infrastructure/actions/workflows/update-home-server.yml/badge.svg)
[![ZFS Backup](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml)
[![Manage Jellyfin Playlists](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml)

57
home-server/docker-compose.yml
View File

@@ -10,6 +10,7 @@ services:
- /data/media/music/tagged:/music
- /data/media/movies:/movies
- /data/media/tvshows:/tvshows
- /data/nextcloud/html/data/alex/files/Documents/home-video:/home-videos:ro
restart: "unless-stopped"
group_add:
- "303" # getent group render | cut -d: -f3
@@ -183,33 +184,33 @@ services:
# - 0.0.0.0:9162:9162
# docker run -it --rm -p 9162:9162 --net=host sfudeus/apcupsd_exporter:master_1.19
reverse-proxy:
image: ghcr.io/linuxserver/swag
container_name: reverse-proxy
restart: unless-stopped
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=America/Denver
- URL=alexmickelson.guru
- SUBDOMAINS=wildcard
- VALIDATION=dns
- DNSPLUGIN=cloudflare
volumes:
- ./nginx.conf:/config/nginx/site-confs/default.conf
- /data/swag:/config
- /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini
ports:
- 0.0.0.0:80:80
- 0.0.0.0:443:443
# - 0.0.0.0:7080:80
# - 0.0.0.0:7443:443
extra_hosts:
- host.docker.internal:host-gateway
networks:
- proxy
# reverse-proxy:
# image: ghcr.io/linuxserver/swag
# container_name: reverse-proxy
# restart: unless-stopped
# cap_add:
# - NET_ADMIN
# environment:
# - PUID=1000
# - PGID=1000
# - TZ=America/Denver
# - URL=alexmickelson.guru
# - SUBDOMAINS=wildcard
# - VALIDATION=dns
# - DNSPLUGIN=cloudflare
# volumes:
# - ./nginx.conf:/config/nginx/site-confs/default.conf
# - /data/swag:/config
# - /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini
# ports:
# - 0.0.0.0:80:80
# - 0.0.0.0:443:443
# # - 0.0.0.0:7080:80
# # - 0.0.0.0:7443:443
# extra_hosts:
# - host.docker.internal:host-gateway
# networks:
# - proxy
audiobookshelf:
@@ -220,7 +221,6 @@ services:
volumes:
- /data/media/audiobooks:/audiobooks
- /data/media/audiobooks-libation:/audiobooks-libation
# - </path/to/podcasts>:/podcasts
- /data/audiobookshelf/config:/config
- /data/audiobookshelf/metadata:/metadata
networks:
@@ -262,6 +262,7 @@ services:
environment:
- SEARXNG_BASE_URL=http://server.alexmickelson.guru:4446/
restart: unless-stopped
networks:
proxy:
name: proxy

12
home-server/nginx.conf
View File

@@ -55,18 +55,6 @@ server {
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name plex.alexmickelson.guru;
location / {
proxy_pass http://host.docker.internal:32400;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;

6
kubernetes/gitea/0-namespace.yml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitea
labels:
name: gitea

4
kubernetes/gitea/db.yml
View File

@@ -1,7 +1,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: projects
namespace: gitea
name: gitea-db
spec:
replicas: 1
@@ -38,7 +38,7 @@ apiVersion: v1
kind: Service
metadata:
name: gitea-db-svc
namespace: projects
namespace: gitea
labels:
app: gitea-db
spec:

59
kubernetes/gitea/runner.yml Normal file
View File

@@ -0,0 +1,59 @@
# apiVersion: v1
# kind: Secret
# metadata:
# name: gitea-runner-secret
# namespace: gitea
# type: Opaque
# stringData:
# RUNNER_TOKEN: "<REPLACE_WITH_GITEA_RUNNER_TOKEN>"
# kubectl create secret generic gitea-runner-secret \
# --namespace gitea \
# --from-literal=RUNNER_TOKEN=<REPLACE_WITH_GITEA_RUNNER_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-actions-runner
namespace: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea-actions-runner
template:
metadata:
labels:
app: gitea-actions-runner
spec:
containers:
- name: runner
image: gitea/act_runner:latest
env:
- name: GITEA_INSTANCE_URL
value: "https://git.alexmickelson.guru"
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: gitea-runner-secret
key: RUNNER_TOKEN
- name: GITEA_RUNNER_NAME
value: kubernetes-runner
- name: GITEA_RUNNER_LABELS
value: "docker,kubernetes"
- name: DOCKER_HOST
value: "unix:///var/run/docker.sock"
# - name: GITEA_RUNNER_EPHEMERAL
# value: "1"
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
- name: runner-data
mountPath: /data
volumes:
- name: docker-sock
hostPath:
path: /var/run/docker.sock
- name: runner-data
emptyDir: {}

47
kubernetes/gitea/web.yml
View File

@@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-web
namespace: projects
namespace: gitea
spec:
replicas: 1
selector:
@@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: gitea
image: docker.io/gitea/gitea:1.23
image: docker.io/gitea/gitea:1.25
ports:
- containerPort: 3000
- containerPort: 22
@@ -34,6 +34,18 @@ spec:
value: "gitea"
- name: GITEA__database__PASSWD
value: wauiofnasufnweaiufbsdklfjb23456
- name: GITEA__server__ROOT_URL
value: "https://git.alexmickelson.guru/"
- name: GITEA__server__SSH_DOMAIN
value: "gitea-gitea-web-svc.beefalo-newton.ts.net"
- name: GITEA__server__SSH_PORT
value: "22"
- name: GITEA__service__DISABLE_REGISTRATION
value: "true"
- name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
value: "false"
- name: GITEA__openid__ENABLE_OPENID_SIGNUP
value: "false"
volumeMounts:
- name: gitea-data
mountPath: /data
@@ -60,7 +72,7 @@ apiVersion: v1
kind: Service
metadata:
name: gitea-web-svc
namespace: projects
namespace: gitea
annotations:
tailscale.com/expose: "true" # exposes IP directly
spec:
@@ -79,22 +91,23 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
namespace: projects
namespace: gitea
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer # not really working with tailscale
cert-manager.io/cluster-issuer: cloudflare-issuer
spec:
ingressClassName: tailscale
ingressClassName: nginx
tls:
- hosts:
- gitea.alexmickelson.guru
secretName: gitea-tls-cert
- hosts:
- git.alexmickelson.guru
secretName: git-tls-cert2
rules:
- http:
- host: git.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-web-svc
port:
number: 3000
- path: /
pathType: Prefix
backend:
service:
name: gitea-web-svc
port:
number: 3000

782
kubernetes/ingress/ingress-nginx.yml
View File

@@ -1,782 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-nginx-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
# http-snippet: |
# proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off;
# proxy_cache_key $scheme$proxy_host$request_uri;
# proxy_cache_lock on;
# proxy_cache_use_stale updating;
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.10.0
# name: ingress-nginx-controller
# namespace: ingress-nginx
# spec:
# minReadySeconds: 0
# revisionHistoryLimit: 10
# selector:
# matchLabels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# strategy:
# rollingUpdate:
# maxUnavailable: 1
# type: RollingUpdate
# template:
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.10.0
# spec:
# hostNetwork: true
# containers:
# - args:
# - /nginx-ingress-controller
# - --election-id=ingress-nginx-leader
# - --controller-class=k8s.io/ingress-nginx
# - --ingress-class=nginx
# - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
# - --validating-webhook=:8443
# - --validating-webhook-certificate=/usr/local/certificates/cert
# - --validating-webhook-key=/usr/local/certificates/key
# - --enable-metrics=false
# env:
# - name: POD_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.name
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# fieldPath: metadata.namespace
# - name: LD_PRELOAD
# value: /usr/local/lib/libmimalloc.so
# image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
# imagePullPolicy: IfNotPresent
# lifecycle:
# preStop:
# exec:
# command:
# - /wait-shutdown
# livenessProbe:
# failureThreshold: 5
# httpGet:
# path: /healthz
# port: 10254
# scheme: HTTP
# initialDelaySeconds: 10
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# name: controller
# ports:
# - containerPort: 80
# name: http
# protocol: TCP
# - containerPort: 443
# name: https
# protocol: TCP
# - containerPort: 8443
# name: webhook
# protocol: TCP
# readinessProbe:
# failureThreshold: 3
# httpGet:
# path: /healthz
# port: 10254
# scheme: HTTP
# initialDelaySeconds: 10
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# resources:
# requests:
# cpu: 100m
# memory: 90Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# add:
# - NET_BIND_SERVICE
# drop:
# - ALL
# readOnlyRootFilesystem: false
# runAsNonRoot: true
# runAsUser: 101
# seccompProfile:
# type: RuntimeDefault
# volumeMounts:
# - mountPath: /usr/local/certificates/
# name: webhook-cert
# readOnly: true
# dnsPolicy: ClusterFirst
# nodeSelector:
# kubernetes.io/os: linux
# serviceAccountName: ingress-nginx
# terminationGracePeriodSeconds: 300
# volumes:
# - name: webhook-cert
# secret:
# secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
spec:
hostNetwork: true
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=false
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
# kubernetes.io/hostname: alex-office2
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

9
kubernetes/jellyfin/deployment.yml
View File

@@ -13,13 +13,18 @@ spec:
labels:
app: jellyfin
spec:
hostNetwork: true
containers:
- name: jellyfin
image: jellyfin/jellyfin
securityContext:
runAsUser: 1000
runAsGroup: 1000
supplementalGroups:
- 303 # render group for GPU access
volumeMounts:
- name: dri-device
mountPath: /dev/dri/renderD128
- name: config-volume
mountPath: /config
- name: cache-volume
@@ -52,4 +57,8 @@ spec:
- name: tvshows-volume
hostPath:
path: /data/jellyfin/tvshows
- name: dri-device
hostPath:
path: /dev/dri/renderD128
type: CharDevice
restartPolicy: Always

28
kubernetes/jellyfin/ingress.yml
View File

@@ -1,14 +1,14 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
namespace: projects
spec:
rules:
- host: jellyfin.alexmickelson.guru
http:
paths:
- path: /
backend:
service: jellyfin
port: 8096
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: jellyfin-ingress
# namespace: projects
# spec:
# rules:
# - host: jellyfin.alexmickelson.guru
# http:
# paths:
# - path: /
# backend:
# service: jellyfin
# port: 8096

16
kubernetes/jellyfin/service.yml
View File

@@ -10,4 +10,18 @@ spec:
- protocol: TCP
port: 8096
targetPort: 8096
type: ClusterIP
nodePort: 30096
type: NodePort
# apiVersion: v1
# kind: Service
# metadata:
# name: jellyfin
# namespace: projects
# spec:
# selector:
# app: jellyfin
# ports:
# - protocol: TCP
# port: 8096
# targetPort: 8096
# type: ClusterIP

28
kubernetes/proxy-ingress/audiobook-proxy-ingress.yml
View File

@@ -19,15 +19,35 @@ spec:
pathType: Prefix
backend:
service:
name: audiobookshelf-service
name: audiobookshelf
port:
number: 13378
---
apiVersion: v1
kind: Service
metadata:
name: audiobookshelf-service
name: audiobookshelf
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 13378
targetPort: 13378
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: audiobookshelf
namespace: projects
labels:
kubernetes.io/service-name: audiobookshelf
addressType: IPv4
ports:
- name: http
port: 13378
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

53
kubernetes/proxy-ingress/copilot-proxy-ingress.yml Normal file
View File

@@ -0,0 +1,53 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: copilot-ingress
namespace: projects
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
spec:
ingressClassName: nginx
tls:
- hosts:
- copilot.alexmickelson.guru
secretName: copilot-tls-cert
rules:
- host: copilot.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: copilot
port:
number: 4444
---
apiVersion: v1
kind: Service
metadata:
name: copilot
namespace: projects
spec:
ports:
- port: 4444
targetPort: 4444
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: copilot
namespace: projects
labels:
kubernetes.io/service-name: copilot
addressType: IPv4
ports:
- name: http
port: 4444
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

28
kubernetes/proxy-ingress/grafana-proxy-ingress.yml
View File

@@ -19,15 +19,35 @@ spec:
pathType: Prefix
backend:
service:
name: grafana-service
name: grafana
port:
number: 3000
---
apiVersion: v1
kind: Service
metadata:
name: grafana-service
name: grafana
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 3000
targetPort: 3000
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: grafana
namespace: projects
labels:
kubernetes.io/service-name: grafana
addressType: IPv4
ports:
- name: http
port: 3000
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

28
kubernetes/proxy-ingress/ha-proxy-ingress.yml
View File

@@ -19,15 +19,35 @@ spec:
pathType: Prefix
backend:
service:
name: home-assistant-service
name: home-assistant
port:
number: 8123
---
apiVersion: v1
kind: Service
metadata:
name: home-assistant-service
name: home-assistant
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 8123
targetPort: 8123
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: home-assistant
namespace: projects
labels:
kubernetes.io/service-name: home-assistant
addressType: IPv4
ports:
- name: http
port: 8123
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

52
kubernetes/proxy-ingress/homepage-proxy-ingress.yml
View File

@@ -8,26 +8,46 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- home.alexmickelson.guru
secretName: home-tls-cert
- hosts:
- home.alexmickelson.guru
secretName: home-tls-cert
rules:
- host: home.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homepage-service
port:
number: 3001
- host: home.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homepage
port:
number: 3001
---
apiVersion: v1
kind: Service
metadata:
name: homepage-service
name: homepage
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 3001
targetPort: 3001
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: homepage
namespace: projects
labels:
kubernetes.io/service-name: homepage
addressType: IPv4
ports:
- name: http
port: 3001
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

52
kubernetes/proxy-ingress/immich-proxy-ingress.yml
View File

@@ -12,26 +12,46 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- photos.alexmickelson.guru
secretName: immich-tls-cert
- hosts:
- photos.alexmickelson.guru
secretName: immich-tls-cert
rules:
- host: photos.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: immich-service
port:
number: 2283
- host: photos.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: immich
port:
number: 2283
---
apiVersion: v1
kind: Service
metadata:
name: immich-service
name: immich
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 2283
targetPort: 2283
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: immich
namespace: projects
labels:
kubernetes.io/service-name: immich
addressType: IPv4
ports:
- name: http
port: 2283
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

52
kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml
View File

@@ -8,26 +8,46 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- jellyfin.alexmickelson.guru
secretName: jellyfin-tls-cert
- hosts:
- jellyfin.alexmickelson.guru
secretName: jellyfin-tls-cert
rules:
- host: jellyfin.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin-service
port:
number: 8096
- host: jellyfin.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin
port:
number: 8096
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-service
name: jellyfin
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 8096
targetPort: 8096
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: jellyfin
namespace: projects
labels:
kubernetes.io/service-name: jellyfin
addressType: IPv4
ports:
- name: http
port: 8096
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

52
kubernetes/proxy-ingress/musicassistant-proxy-ingress.yml
View File

@@ -8,26 +8,46 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- sound.alexmickelson.guru
secretName: sound-tls-cert
- hosts:
- sound.alexmickelson.guru
secretName: sound-tls-cert
rules:
- host: sound.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: musicassistant-service
port:
number: 8095
- host: sound.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: musicassistant
port:
number: 8095
---
apiVersion: v1
kind: Service
metadata:
name: musicassistant-service
name: musicassistant
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 8095
targetPort: 8095
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: musicassistant
namespace: projects
labels:
kubernetes.io/service-name: musicassistant
addressType: IPv4
ports:
- name: http
port: 8095
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

60
kubernetes/proxy-ingress/nextcloud-proxy-ingress.yml
View File

@@ -7,39 +7,59 @@ metadata:
cert-manager.io/cluster-issuer: cloudflare-issuer
nginx.ingress.kubernetes.io/proxy-body-size: 51200m
nginx.ingress.kubernetes.io/server-snippet: |-
server_tokens off;
proxy_hide_header X-Powered-By;
server_tokens off;
proxy_hide_header X-Powered-By;
nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 225m
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
spec:
ingressClassName: nginx
tls:
- hosts:
- next.alexmickelson.guru
secretName: nextcloud-tls-cert
- hosts:
- next.alexmickelson.guru
secretName: nextcloud-tls-cert
rules:
- host: next.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud-service
port:
number: 9001
- host: next.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud
port:
number: 9001
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud-service
name: nextcloud
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 9001
targetPort: 9001
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: nextcloud
namespace: projects
labels:
kubernetes.io/service-name: nextcloud
addressType: IPv4
ports:
- name: http
port: 9001
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

52
kubernetes/proxy-ingress/prometheus-proxy-ingress.yml
View File

@@ -8,26 +8,46 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- prometheus.alexmickelson.guru
secretName: prometheus-tls-cert
- hosts:
- prometheus.alexmickelson.guru
secretName: prometheus-tls-cert
rules:
- host: prometheus.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prometheus-service
port:
number: 9091
- host: prometheus.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prometheus
port:
number: 9091
---
apiVersion: v1
kind: Service
metadata:
name: prometheus-service
name: prometheus
namespace: projects
spec:
type: ExternalName
externalName: 100.122.128.107
ports:
- port: 9091
targetPort: 9091
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: prometheus
namespace: projects
labels:
kubernetes.io/service-name: prometheus
addressType: IPv4
ports:
- name: http
port: 9091
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true

27
kubernetes/readme.md
View File

@@ -34,8 +34,33 @@ Currently clouflare domains cannot be CNAME'd to tailscale domains:
## Kubernetes ingress controller
I had to modify the base ingress to allow for use on 80 and 443. There should be a way to do this with helm, but I can never quite get it to work
<!-- I had to modify the base ingress to allow for use on 80 and 443. There should be a way to do this with helm, but I can never quite get it to work
this is the original: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml
the `ingress-nginx-controller` was changed to a daemonset rather than an deployment
-->
ingress
```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.kind=DaemonSet \
--set controller.hostPort.enabled=true \
--set controller.hostPort.ports.http=80 \
--set controller.hostPort.ports.https=443 \
--set controller.service.type=NodePort \
--set controller.allowSnippetAnnotations=true \
--set controller.config.annotations-risk-level=Critical \
--set controller.metrics.enabled=false \
--set controller.ingressClassResource.default=true
```
<!-- https://github.com/kubernetes/ingress-nginx/issues/12618 for why anotation risk needs to be critical-->

4
nix/ai-server-1.nix
View File

@@ -122,7 +122,7 @@
dbus
# protontricks stuff?
freetype
# freetype.bin
fontconfig
@@ -131,6 +131,8 @@
zlib
quickemu
git-lfs
];
programs.nix-ld.enable = true;

1
nix/ai-vm.nix
View File

@@ -72,6 +72,7 @@
git
tmux
vscode
zip
];
};
home-manager.users.alex = { pgks, ...}: {

61
nix/alex-desktop.nix
View File

@@ -9,8 +9,7 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "alex-desktop"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.hostName = "alex-desktop";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
networking.networkmanager.enable = true;
@@ -50,8 +49,21 @@
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
wireplumber = {
enable = true;
extraConfig = {
"disable-x11" = {
"wireplumber.settings" = {
"support.x11" = false;
};
};
};
};
};
users.users.alex = {
isNormalUser = true;
description = "alex";
@@ -73,6 +85,7 @@
services.fwupd.enable = true;
hardware.enableAllFirmware = true;
hardware.firmware = with pkgs; [ linux-firmware ];
programs.nix-ld.enable = true;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
@@ -91,7 +104,6 @@
mangohud
mlocate
wineWowPackages.stable
wine
(wine.override { wineBuild = "wine64"; })
@@ -99,20 +111,13 @@
wineWowPackages.staging
winetricks
wineWowPackages.waylandFull
# woeusb ntfs3g
# (lutris.override {
# extraLibraries = pkgs: [
# # List library dependencies here
# ];
# extraPkgs = pkgs: [
# # List package dependencies here
# ];
# })
mesa-gl-headers
mesa
driversi686Linux.mesa
mesa-demos
android-tools
];
services.tailscale.enable = true;
services.openssh.enable = true;
@@ -122,20 +127,6 @@
programs.fish.enable = true;
services.flatpak.enable = true;
hardware.steam-hardware.enable = true;
programs.adb.enable = true; # graphene
# programs.gamescope = {
# enable = true;
# capSysNice = true;
# };
# programs.gamemode.enable = true;
# programs.steam = {
# enable = true;
# gamescopeSession.enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
# };
networking.firewall.enable = false;
hardware.graphics = {
@@ -143,7 +134,6 @@
enable = true;
};
fileSystems."/steam-data" =
{
device = "/dev/disk/by-uuid/437358fd-b9e4-46e2-bd45-f6b368acaac1";
@@ -155,6 +145,21 @@
boot.zfs.extraPools = [ "data" "data2" ];
systemd.timers."nix-garbage-collect-weekly" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
};
};
systemd.services."nix-garbage-collect-weekly" = {
serviceConfig = {
Type = "oneshot";
ExecStart = "/run/current-system/sw/bin/nix-collect-garbage --delete-older-than 7d";
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

6
nix/flakes/opencode/flake.lock generated
View File

@@ -20,11 +20,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1759520764,
"narHash": "sha256-jERdfBm1rQc9qAdPi1lMEv9inEl7kvvnXCst//ZD2Yc=",
"lastModified": 1767726775,
"narHash": "sha256-mpA/pevxXJzu/5rbdb7u0BzgEJCDDQd1EZ3oyyOo8VI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bcbcd4e5a8cb24199859dd73e448494c8c7d55cb",
"rev": "f8ce89e3edbc488a5b17c559ad55f083282420e9",
"type": "github"
},
"original": {

1
nix/flakes/opencode/flake.nix
View File

@@ -19,6 +19,7 @@
};
models = {
"gpt-oss-120b" = { };
"devstral-123b" = { };
};
};
home = {

6
nix/home-manager/alex.home.nix
View File

@@ -29,6 +29,10 @@
programs.direnv = {
enable = true;
};
programs.ghostty = {
enable = true;
enableFishIntegration = true;
};
home.sessionVariables = {
EDITOR = "vim";
};
@@ -58,6 +62,8 @@ export DOTNET_WATCH_RESTART_ON_RUDE_EDIT=1
export DOTNET_CLI_TELEMETRY_OPTOUT=1
set -x LIBVIRT_DEFAULT_URI qemu:///system
alias blue="bluetui"
alias jelly="jellyfin-tui"
'';
};
home.file = {

10
nix/home-manager/desktop.home.nix
View File

@@ -20,11 +20,21 @@
ffmpeg
gh
bitwarden-desktop
jellyfin-tui
bluetui
nexusmods-app-unfree
];
programs.ghostty = {
enable = true;
enableFishIntegration = true;
settings = {
window-inherit-working-directory = "false";
theme = "Atom";
font-size = 14;
window-height = 30;
window-width = 100;
};
};
fonts.fontconfig.enable = true;

1
nix/home-manager/server.home.nix
View File

@@ -5,5 +5,6 @@
opencode
quickemu
tree
kubernetes-helm
];
}

48
nix/home-manager/work.home.nix
View File

@@ -2,6 +2,8 @@
let
opencodeFlake = builtins.getFlake (toString ../flakes/opencode);
monitorTuiFlake = builtins.getFlake (toString ../../monitors/monitor-tui-rs);
zenBrowserFlake = builtins.getFlake "github:youwen5/zen-browser-flake";
nixgl = import
(fetchTarball "https://github.com/nix-community/nixGL/archive/main.tar.gz")
{ };
@@ -50,16 +52,21 @@ in {
firefoxpwa
bluetui
#nixfmt-classic
opencodeFlake.packages.${system}.opencode
opencodeFlake.packages.${pkgs.stdenv.hostPlatform.system}.opencode
monitorTuiFlake.packages.${pkgs.stdenv.hostPlatform.system}.default
(config.lib.nixGL.wrap zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default)
bitwarden-desktop
wiremix
moonlight-qt
(config.lib.nixGL.wrap moonlight-qt)
nvtopPackages.amd
# jan
# texlivePackages.jetbrainsmono-otf
# nerd-fonts.fira-code
# dejavu_fonts
# vscode-fhs
# aider-chat-full
codex
];
fonts.fontconfig.enable = true;
programs.firefox = {
@@ -69,7 +76,17 @@ in {
};
programs.direnv = { enable = true; };
programs.ghostty = { enable = true; };
programs.ghostty = {
enable = true;
enableFishIntegration = true;
settings = {
window-inherit-working-directory = "false";
theme = "Atom";
font-size = "18";
window-height = "30";
window-width = "120";
};
};
programs.fish = {
enable = true;
shellInit = ''
@@ -106,6 +123,8 @@ in {
set -x LIBVIRT_DEFAULT_URI qemu:///system
set -x TERM xterm-256color # ghostty
source "$HOME/.cargo/env.fish"
export SSH_AUTH_SOCK=/home/alexm/.bitwarden-ssh-agent.sock # ssh agent
'';
};
@@ -193,6 +212,28 @@ in {
Terminal=false
Categories=Network;WebBrowser;
'';
".local/share/applications/zen-browser.desktop".text = ''
[Desktop Entry]
Version=1.0
Type=Application
Name=Zen Browser
Comment=A calmer Firefox-based browser
Exec=nixGLIntel zen
Icon=${zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default}/share/icons/hicolor/128x128/apps/zen.png
Terminal=false
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;
StartupWMClass=zen
Actions=new-window;new-private-window;
[Desktop Action new-window]
Name=Open a New Window
Exec=nixGLIntel zen --new-window
[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=nixGLIntel zen --private-window
'';
};
home.sessionVariables = { EDITOR = "vim"; };
@@ -222,6 +263,5 @@ in {
package = pkgs.gnome-themes-extra;
};
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

41
nix/home-server.nix
View File

@@ -58,6 +58,9 @@
description = "github";
extraGroups = [ "docker" ];
shell = pkgs.fish;
packages = with pkgs; [
kubernetes-helm
];
};
users.users.alex = {
isNormalUser = true;
@@ -75,7 +78,7 @@
home-manager.useGlobalPkgs = true;
services.fwupd.enable = true;
systemd.timers."nix-garbage-collect-weekly" = {
systemd.timers."nix-garbage-collect-weekly" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
@@ -167,13 +170,6 @@
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
ovmf = {
enable = true;
packages = [ pkgs.OVMFFull.fd ];
# packages = [
# (pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }).fd
# ];
};
};
};
networking.interfaces.enp5s0.useDHCP = true;
@@ -184,18 +180,13 @@
};
};
# not working yet, in theory simplifies xml for vm
# environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd";
# environment.etc."qemu/edk2-i386-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.fd";
# environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd";
# environment.etc."qemu/edk2-x86_64-secure-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.secboot.fd";
environment.etc = {
"qemu/edk2-x86_64-secure-code.fd".source =
lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_CODE.ms.fd";
lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_CODE.ms.fd";
"qemu/edk2-x86_64-secure-vars.fd".source =
lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_VARS.ms.fd";
lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.ms.fd";
"qemu/OVMF_VARS.fd".source =
lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.fd";
};
systemd.tmpfiles.rules = [
"d /var/lib/libvirt/qemu/nvram 0755 root root -"
@@ -209,7 +200,7 @@
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
networking.hostId = "eafe9551";
boot.zfs.extraPools = [ "data-ssd" "backup" "vms" "vms-2" ];
boot.zfs.extraPools = [ "data-ssd" "backup" "vms-2" "vms-3" ];
services.sanoid = {
enable = true;
templates.production = {
@@ -266,7 +257,6 @@
tokenFile = "/data/runner/github-infrastructure-token.txt";
url = "https://github.com/alexmickelson/infrastructure";
extraLabels = [ "home-server" ];
#workDir = "/data/runner/infrastructure/";
replace = true;
serviceOverrides = {
ReadWritePaths = [
@@ -281,12 +271,8 @@
ProtectSystem = false;
PrivateMounts = false;
PrivateUsers = false;
#DynamicUser = true;
#NoNewPrivileges = false;
ProtectHome = false;
#RuntimeDirectoryPreserve = "yes";
Restart = lib.mkForce "always";
#RuntimeMaxSec = "7d";
};
extraPackages = with pkgs; [
docker
@@ -295,18 +281,13 @@
sanoid
mbuffer
lzop
kubectl
kubernetes-helm
];
};
};
# services.cron = {
# enable = true;
# systemCronJobs = [
# "*/5 * * * * root date >> /tmp/cron.log"
# ];
# };
networking.firewall.enable = false;
# networking.firewall.trustedInterfaces = [ "docker0" ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions

10
nix/modules/k3s.nix
View File

@@ -6,17 +6,25 @@
enable = true;
role = "server";
extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
"--disable=traefik"
"--node-ip=100.122.128.107"
"--bind-address 100.122.128.107"
"--node-external-ip 100.122.128.107"
"--tls-san 100.122.128.107"
# Disable disk-based evictions
"--kubelet-arg=eviction-hard="
"--kubelet-arg=eviction-soft="
"--kubelet-arg=eviction-soft-grace-period="
"--kubelet-arg=eviction-pressure-transition-period=0s"
];
serverAddr = "https://100.122.128.107:6443";
};
networking.firewall.allowedTCPPorts = [
443
80
10250
];
networking.firewall.allowedUDPPorts = [
443

3
nix/tv-computer.nix
View File

@@ -64,6 +64,7 @@
programs.firefox.enable = true;
nixpkgs.config.allowUnfree = true;
services.fwupd.enable = true;
environment.systemPackages = with pkgs; [
vim
@@ -101,6 +102,6 @@
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
system.stateVersion = "24.05"; # Did you read the comment?
system.stateVersion = "25.11"; # Did you read the comment?
}