Archives

archive/2022.07.bxl-k3s-pi/apps/cloud/mealie/app.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie
+  namespace: cloud
+  labels:
+    app: mealie
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 0
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: mealie
+  template:
+    metadata:
+      labels:
+        app: mealie
+    spec:
+      containers:
+      - name: mealie
+        image: hkotel/mealie:latest
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - configMapRef:
+            name: mealie
+        - secretRef:
+            name: mealie
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie
+  namespace: cloud
+spec:
+  type: ClusterIP
+  selector:
+    app: mealie
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie
+  namespace: cloud
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "cook.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - cook.bhasher.com
+    secretName: mealie-tls
+  rules:
+  - host: cook.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mealie
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/apps/cloud/mealie/config.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mealie
+  namespace: cloud
+data:
+  DB_ENGINE: postgres
+  POSTGRES_USER: mealie
+  POSTGRES_SERVER: postgres.storage.svc.cluster.local
+  POSTGRES_PORT: "5432"
+  POSTGRES_DB: mealie
+  DEFAULT_GROUP: Home
+  BASE_URL: https://cook.bhasher.com
+  # LDAP_AUTH_ENABLED: true
+  # LDAP_SERVER_URL: ldap.idp.svc.cluster.local
+  # LDAP_BIND_TEMPLATE: uid={},ou=users,dc=bhasher,dc=com
+  # LDAP_ADMIN_FILTER: memberOf=cn=admin,ou=groups,dc=bhasher,dc=com
+  

archive/2022.07.bxl-k3s-pi/apps/cloud/mealie/sealedsecret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mealie
+  namespace: cloud
+spec:
+  encryptedData:
+    POSTGRES_PASSWORD: AgCxIpWXdnPhW3ncKCWD18Cur2lhUvGZJvq4NPXRNUJ1G7XXSIFNfMkm9QW4jVyIEqxNiIA6RqnAOdFrvQX4VmZJ6a5V0wab2P0si3liXuXJxHziqoy5qAhHB0/3J/4d2dps2eGrXYluEZbAZoX+RwLOUL/BD0rks4ZOYg9eJZ7ArQPMAAnRdGQK9CaEP3HU930k7AmbKEmFYkdSmGkftmrgI+1Rb4fOCQfYVdUHQWnX0RlNJfyZmpbSsoEbuxFbiYtyqj5ElazzjqlTRN8F1dJpkh9+BLB2zdCAfJxx0PMcFe07pdArAFqXUSXq7dZPC/B9e+UaoLDAJIiaOYVnriYpKC3XdNTtik4ikNA+TQ9r6N/zDGbcXpm531yrf1DT5zgeOlbBeW6n8RA248wIaLKUDAvyv7ZnCOrba70Kphr8jw0o4f/KB9xwDSZltgFpFc+e2rHNtUzIsrIHGyndb80BjIZ3LgJmRbQy6U0QSjOTtImDyJlDBtUysPDrriWKZE8LPXIuPigwV5PkBPYfVWmfF1LCfOhJH0nq1/StKHd9Y3w01CyZKA5sL5sRrMYy2cCUG88/3dMSSCH8qUTuoBUecWlJfbS3PqrM4qWNEB7MjhWN1tsakRKmeiaQDBf1iA0CW0pewQQUcZcffulVP8Oo4hwKQqJt5BhQsqLEUQZXPHPhdE6eXUiXRQ7CohUJ3EnydpAPn3zhl5kpQo3bDdMCg/ps4vfZk+hx4+q+ocNLUFnECp72QJ3H03wwUFuT0PKfUXnI79kT81NGN/raup2Z
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: mealie
+      namespace: cloud
+

archive/2022.07.bxl-k3s-pi/apps/cloud/nextcloud/app.yaml

@@ -0,0 +1,128 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cloud
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud
+  namespace: cloud
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 25Gi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud
+  namespace: cloud
+  labels:
+    app: nextcloud
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: nextcloud
+  template:
+    metadata:
+      labels:
+        app: nextcloud
+    spec:
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - nextcloud
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      containers:
+      - name: nextcloud
+        image: nextcloud:latest
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - configMapRef:
+            name: nextcloud
+        - secretRef:
+            name: nextcloud
+        volumeMounts:
+        - name: nextcloud
+          mountPath: /var/www/html
+          readOnly: false
+        - name: configs-file
+          mountPath: /var/www/html/config/sso.config.php
+          subPath: sso.config.php
+          readOnly: true
+        - name: configs-file
+          mountPath: /var/www/html/config/custom.config.php
+          subPath: custom.config.php
+          readOnly: true
+      volumes:
+      - name: nextcloud
+        persistentVolumeClaim:
+          claimName: nextcloud
+      - name: configs-file
+        configMap:
+          name: nextcloud-configs-file
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud
+  namespace: cloud
+spec:
+  type: ClusterIP
+  selector:
+    app: nextcloud
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud
+  namespace: cloud
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 5G
+    nginx.ingress.kubernetes.io/client-body-buffer-size: 250M;
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "nextcloud.bhasher.com"
+spec:
+  ingressClassName: nginx-external
+  tls:
+  - hosts:
+    - nextcloud.bhasher.com
+    secretName: nextcloud-tls
+  rules:
+  - host: nextcloud.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nextcloud
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/apps/cloud/nextcloud/config.yaml

@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud
+  namespace: cloud
+data:
+  POSTGRES_HOST: postgres.storage.svc.cluster.local
+  POSTGRES_DB: nextcloud
+  POSTGRES_USER: nextcloud
+  NEXTCLOUD_ADMIN_USER: admin
+  NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.bhasher.com
+  NEXTCLOUD_INIT_LOCK: "true"
+  REDIS_HOST: redis.storage.svc.cluster.local
+  SMTP_HOST: smtp.bhasher.com
+  SMTP_SECURE: ssl
+  SMTP_PORT: "465"
+  SMTP_NAME: no-reply@bhasher.com
+  MAIL_FROM_ADDRESS: "Nextcloud <no-reply@bhasher.com>"
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-configs-file
+  namespace: cloud
+data:
+  sso.config.php: |
+    <?php
+    $CONFIG = array(
+      'oidc_login_proxy_ldap' => true,
+      'oidc_login_provider_url' => 'https://idp.bhasher.com',
+      'oidc_login_client_id' => 'nextcloud',
+      'oidc_login_client_secret' => (string) getenv('SSO_CLIENT_SECRET'),
+      'oidc_login_auto_redirect' => true,
+      'oidc_login_button_text' => 'Authelia',
+      'oidc_login_scope' => 'openid profile',
+      'oidc_login_tls_verify' => false,
+      'overwriteprotocol' => 'https',
+      'oidc_login_attributes' => array (
+        'ldap_uid' => 'preferred_username',
+      ),
+      'oidc_login_password_authentication' => true,
+    );
+  
+  custom.config.php: |
+    <?
+    $CONFIG = array(
+        'trashbin_retention_obligation' => 'auto, 7',
+    );

archive/2022.07.bxl-k3s-pi/apps/cloud/nextcloud/sealedsecret.yaml

@@ -0,0 +1,19 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: nextcloud
+  namespace: cloud
+spec:
+  encryptedData:
+    NEXTCLOUD_ADMIN_PASSWORD: AgCtQXeM5Jad8BsVy2ew27CUk7d1lEpL69C/rlcEsFPu1pp5Ap18yLS0t0OG/6iGsxNvQmrCQhui3ddEa1juKlw4yZ11IlPaZUSZVXzXMstkXLM8PU81152iD1P3MEun4r47K/P5KrgsEsZ9rLJRvwcrhm3OSuO+qSGsI3LIAG3cKD6xnZg97XEPGpRa+wcV1vCrb9ubz/UpZqCGKawfGI8fxFmfn7IqtVogQymc5s+JVkGYVLcMNI09P+OZuaFJN2zp3jJWgEEt1T8mNVNDZip1Mz+NyGkMx8f2n0PPkpBpK6Bz8sX1NFIsPY+Cu5XR450yf729xg9rH04/Fi3YL0H5D0RnIjTQzpfsraP9eXZ1DDSaIivlKS3yiX8VKUH7wa3ElYAJ72Tl4vCHKRL9vMFZeEmqL3qrDW0TnMcMfFBoD0pLy0Z/pP276+Te3Yxq8C9eCTinn60lfHG64OBJR6CCMPXqTn6RdHwhchXydLwYojccF/SU2sy2FGUrNHqWKeYv7/q4si9ke5lZJNJP05cjD0jBfcfzb9Qkc7Oi/ENF5OAU/KNwJnU52TL8DB1sl1JKyO2rZXhMfttqiSqAXKkgK0SmPQ3ii3F0kUPV0Zl5cAiEIXGXZOlyVDd6e/FfSzxfKjjBqA84EqfoU4j6zF0J+7CtP/DjZAhkMCDLYl1CTJt503xwdKzDhbWUzbXzcfHOSULqqpWyVyHTYMMvuzwrLQ8UZh9sK2ou5mMipRFP2MILwTGIRapqPmc2jLTP8PVr2zMvmLi4ayuo87nbeS1R
+    POSTGRES_PASSWORD: AgAoRw4D98hfPD2FXjmfCN9SOWaSp3YE8foWYUBdCHWK8kFkqZkdVZ//QAKKk5UXO/YOrQqEgUBgGvBhGME9Pm4HH0/9kT5P8Rpuqkf/xccYIdciebakUO5dua5fk7I7A/Ea6Sl7EDI5NNeyJeWOD09tTlga6WsM97Qp0Nu6MmDh3LE247jsDtLmEN0P0HhtjD5B9HTKYgP9E3P5YSdSvZf3CoTXawrD4y1XMspY50EvCMDbBahQ065VpFmzUnds6F1PrKHVmcYVCrkScZTjlCX3ybNSaDy7saGz7I7i3l1rtwr69KhqsJ1aj/KspDFKjf2awS6Z07Qk3tlbuudxS1nJXgcE9w8btERCHhFtJBdDaEGlg47EgEj52qENCXtqggtTfua2qn78uaJz/BDnOYfaJcpkYMjgbQXPlyUtyLVC9MpmYgwx4sztliyTkV7EF1u+qlfKik2U5zY5/XTlS7GN/7n+YNhx4NrZId5idC0LuvzpuPzw7P95S4Tw8OLkuk9SEgz7gXgefv6fGFNaFR+iqtjcosVqaMMJ7KUvoXKPJdaCQMwrN/BmRr5P/ZrX+PbhbMlA3A9r+d2eWFTsfyFBxBFQ46NYc1c1W9ahryxxbnxKHmzasXYciz9A8hS5wyVxHZAuGjHdJ1BlwzWcCy9w2LEUe+9SDSK+jyo5ppDVq/h4D8baOXKbc0gsRG7ukoaUvfcNjGR6SYEO4JMo6KAcYioPl/ONxLsQZEyqmhQF+wwQShQgdwaQHdJOjVPLiaqzYSUtU56r+v4xi/eoy2RG
+    SMTP_PASSWORD: AgBFkC/ZGhS0R4d0n81FfjiXggLCBP3wy+Dzto+z+YaCigcvCUYBQ1SL3UaVCEFZu/js8xYHTTELKC8YaO8LlGKL+/gCcCXC47ckGqmIiWWch4JZPMGBAsjILdN8n9HSAfHM667/9EvJMfMLcYbOv9z4EG0IamqYJUmedToRZx8rDGBv83SnoBK1daKAAPErvGyLvjXjGuMShPe0RCcFe/snHGKSvLdhnWVTHflbFmTCTIFZjR5U32hW5jW6H4co72N1zZcuqrwvdjve+Kie3weooxYTUwbZskV9zcfXyr97sif0ZAC6rIx4nYquJljHBJqi50sW3t/0SebjfVqu/UjTKuqQtoWXlmsd1JVxv1jzOqoCjS5XL+YxqU5OmJ3hEfowR/SMuMiIpU1+lR5mOPlbUCwUO2XTnk2/FeFCviJXyD2WfnsZhh8ipZpJtBExqWg4CMbcRJFIQUfCw8V4swjxVAVbYMWHPtcCpOP0vSsfimVMrru3r7yul835s+BCn3m8Gte07gsEC06it2u4DRiKB8jauHcoWeBfv7G8NyDvjCN0eNJ9YKvF9Dl5et5RG6kdaoUtIJ4KbV/6uNlimrpA7JomEbvfiDsBRXa1XV4jeimUFwVPSEdtXh4XG2Cy3u2YKXZv+LRVaSVwiMZy/pyo2G4rgshAWawjFeaBHv7hfhnxhSANF4FyyBa72ypWi33EwR9ZTQ1jMLucPqAXQfWMHzqyl3UERaE7sn/jzGGYxNz72wYDn2CGHHenPvKuvw9Uq5Ut2LoT5EVuenDKzeav
+    SSO_CLIENT_SECRET: AgAprcM5+VApsVAd8V/88tVwLj522DNSIJBaXNqRBDbaS0od7mFreoNZzDQbjmRIl/lBJ1Lu52XI0VUsNLbvjJVFcpPGMxpcYE+Zhyf3XItDX8nUELZDXMioY8f3u26NAhiOKEV9+NFy1ZhTAo4T+BAKwvmtdAkImbw7elWOT57I4uIna/I7nTaCp98L6raQQ4j/hwwr/5APHVjpyjjDEscGKKIkX0cE/ZLxeLUm1uf6JVreezrNgeE85GLj3CgPa5DvUrjL3kf3hEzWOGl0aEwpiHRrNGyQMfMW6UFz6DgWMki7xepH/nxvotabv3jT28cqO9GtsOiqAAQ286/zF0Nw9ux2V9kRJj/cH/1Jh/d/519JV+9yPGNNz1suM6m6XH+qmQg9kg0cx0ACXLHKqbSo+ZUYQ0EOJBaPIvfQaxKrZBCop1JlfOcpHLl2T2UXvnXZDhbgWa0LQoq+9QwVtnTxXJj2WBUJAlJqI7DE62glGhTbHgvij34AITLZKaizveuu3bc7eXYGeGb3FBRh3WTE5L+Tjlyk1Nt41L/1OpmubF0F9LguWUALeOeRxgK8wzFO39NZNFUYt9+ucBbtmr9mvl2LwdB+xXgFtA4Ma6rZGV4qh4KbPAsGMEJnw3r4FocilIvQdew1D79tYuG3qh4neXacbh0saUvf8NU5qJ4QNFHIt9X8yIKH9YX8u1w+3CwNbF3pbzjK/Jr/pV2WwThIEOAF5Pgla1F9CVoCIVrGW32opWMNifPidAcdgQq/KXtGdCATSXlJmCVhcRL7BewY
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: nextcloud
+      namespace: cloud
+

archive/2022.07.bxl-k3s-pi/apps/cloud/onlyoffice/app.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onlyoffice
+  namespace: cloud
+  labels:
+    app: onlyoffice
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: onlyoffice
+  template:
+    metadata:
+      labels:
+        app: onlyoffice
+    spec:
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - onlyoffice
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      containers:
+      - name: onlyoffice
+        image: onlyoffice/documentserver:latest-arm64
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - configMapRef:
+            name: onlyoffice
+        - secretRef:
+            name: onlyoffice
+        ports:
+        - name: http
+          containerPort: 80
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+          failureThreshold: 3
+          periodSeconds: 10
+        startupProbe:
+          httpGet:
+            path: /
+            port: http
+          failureThreshold: 30
+          periodSeconds: 10
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: onlyoffice
+  namespace: cloud
+spec:
+  type: ClusterIP
+  selector:
+    app: onlyoffice
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: onlyoffice
+  namespace: cloud
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "onlyoffice.bhasher.com"
+spec:
+  ingressClassName: nginx-external
+  tls:
+  - hosts:
+    - onlyoffice.bhasher.com
+    secretName: onlyoffice-tls
+  rules:
+  - host: onlyoffice.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: onlyoffice
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/apps/cloud/onlyoffice/config.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: onlyoffice
+  namespace: cloud
+data:
+  DB_TYPE: postgres
+  DB_HOST: postgres.storage.svc.cluster.local
+  DB_NAME: onlyoffice
+  DB_USER: onlyoffice
+  REDIS_SERVER_HOST: redis.storage.svc.cluster.local
+  USE_UNAUTHORIZED_STORAGE: "true"
+  JWT_ENABLED: "true"

archive/2022.07.bxl-k3s-pi/apps/cloud/onlyoffice/sealedsecret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: onlyoffice
+  namespace: cloud
+spec:
+  encryptedData:
+    DB_PWD: AgBhRL0jXlCFl5OSrZ6mFTAkFnp0EVthNKBlnfsnhUuOj418YnWM3VguImS56K+O9pQXQjQqxqmTZE7wergse74bCsgib31BG/ofycAUfuryDUerLu7UHzRuBlIwLqH+RSGhuIUpQUE8S5Iogsst0ia0kMIIOkaWhAQjCo65oXKKuqsSRiaykg16PCd2GIhdKgNqga8jJXweRXDT65zEMNinFBVOGWgr7qdoxtdzEwrHjou/E5pIztLeFlNL1WMIpngxK6ysHNNkqCy4PA6mOWYQicpx6axsQ0qYXo2feVw4AhMO9f+KWaI2aEAEkra2WGQcgaXapoKVZOyrChLLRZyi0yY7T3INnxRs89g+cQRd6qderAaOQREB31idEbsXpMeiHb72e4YCYlG2+fq2Rx7KW2v8qgHv144mXrFbkSG4f6JWJYytqB6jDYXNl88IpseUaT7fC+uwX7bL55iv+voW82KjaTCzggNfLAl8eM4GA2SbabCZybRfzek36tkwsS9IbtEYPLYbvCR9C8jdfaGUZIU6NJM9zU5UHRFh5YGIpVQ3+HwE6ykSXk5LLnjl0gGC47AuqW5SRQdyoxEl/PRB2VtrbeoYP6/u678owlzdRvFhVYxFc5f0eV/KuBEICbNfsQJCIo265zajL5p9gM8Tj/0lCPQmXxLyZV+S8u8JCof3gGm4vfkddvsYL/8Gc6pd1MGWnrHqJMweFgqIgRoId4Fif5Lu4dZZZoq9bamRn12bcVxHiX1QPc/k5Mo209PFK3S6bPHLQZv4RUml31ME
+    JWT_SECRET: AgCPe2MnQ1n0OWI68tnLpuV7stgeAuUtHB1WgrgXOzyTulGh9eXdShT/RQYijFdeU6GUbK6EiHc9GqV1b0H0aQvkh/rHnFzmqG8XhDs6/+OFKr/B8ZGH/DfGF1406yu6VIPLb8yBGuL1m7+gOvR0XworrQM5jthulEZVjy7PfVrX+lbMuZ64rLtSUZFxNL8sxucd/wEIk954n8rVPNHfwT+ohPCGiQ4OVwYMvQKbeKmne9a7qVDgIYnBG1XZys6WD5TtrMUnRnQIc6+F1wMZcPTBz5ic6WCpZuWwyn387Bjj411SixflHxBxI2FQwCGquY8TghNY31tVYJ5HAWQAmynBUpUxyo+cpPkdGslW1dRevHOQ1Ceq2T6dUN3r+BJKMi3elukRM0FSSjwmRT1ZSj1ljkYbDZYwERmBIZyxKxa5Pl9/GrXHTGlgqVz9DPq7bLx3e6ESIOIOTd2zvNVlin8V3JVjPjpgfhSn0cKj932hYSnvNkQ6rkHR9CqwZAR6mc7MpE3gRRCRLMxEwhAchLPkp/+P1naWeXRCusSkmw8GspIM3s43QVz07vEgD7Ssi1Y90koEt3F9aaedsy7JZyI5MnxQ8J3iNvHT/m4yTX1/6qvlYudwuqFbriiJH1psgHrdYHBwx5FkISQmT4bg3poRL8BcuBMTUrHnZ7A9Qma9cQoXIUYEg0P7yP1CJVJHhi+6Mcx4QtiZUtUlxcsVt+VFFL+ye5/Ov57DCN52bYhFPiv9BXELOWl2EHGurT8nz85lxzE/qVyl2VRI+lN6wvVA
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: onlyoffice
+      namespace: cloud
+

archive/2022.07.bxl-k3s-pi/apps/cron/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crons

archive/2022.07.bxl-k3s-pi/apps/cron/ovh_dyndns.yaml

@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ovh-dyndns-config
+  namespace: crons
+data:
+  update_ovh.sh: |
+    #/bin/sh
+
+    #
+    # CONFIG
+    #
+
+    # HOST=${}
+    # LOGIN=${}
+    # PASSWORD=${}
+    CURRENT_DATE=`date +'%d/%m/%Y %H:%M:%S'`
+
+    #
+    # GET IP(s)
+    #
+
+    CURRENT_IP=`{
+    cat <<EOF ; sleep 1;
+    GET / HTTP/1.0
+    Host: www.ifconfig.io
+    User-Agent: curl
+    Referer: http://ifconfig.io
+
+    EOF
+    } | nc -vvv www.ifconfig.io 80 | tail -1`
+
+    #
+    # DO THE WORK
+    #
+    if [ -z $CURRENT_IP ]
+    then
+      echo "No IP retrieved"
+    else
+      echo "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"
+      echo "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
+      curl --user "$DYNDNS_LOGIN:$DYNDNS_PASSWORD" "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
+      echo "$CURRENT_DATE"": IP updated to" "$CURRENT_IP"
+    fi
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: ovh-dyndns
+  namespace: crons
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: data
+            configMap:
+              name: ovh-dyndns-config
+          containers:
+          - name: ovh-dyndns
+            image: alpine:latest
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - apk --no-cache add curl;/bin/sh /data/update_ovh.sh
+            envFrom:
+            - secretRef:
+                name: ovh-dyndns-creds
+            volumeMounts:
+            - name: data
+              mountPath: /data
+              readOnly: true
+          restartPolicy: OnFailure

archive/2022.07.bxl-k3s-pi/apps/cron/permis.yaml

@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: permis-config
+  namespace: crons
+data:
+  requirements.txt: |
+    requests==2.27.1
+  permis.py: |
+    import requests
+    from datetime import date
+    import os
+
+    token = os.getenv('TELEGRAM_TOKEN')
+    chat_id = os.getenv('TELEGRAM_ID')
+
+    assert token is not None, "Telegram token must be set"
+    assert chat_id is not None, "Telegram chat ID must be set"
+
+    base = 'https://rendezvous.permisconduire.be/api/frontend/v4/offers/'
+
+    str_to_date = lambda x: date(*[int(el) for el in x.split('-')])
+
+    afterDate = date(year=2022, month=6, day=10).strftime('%Y-%m-%d')
+    dates_url = base + f'_calendar?afterDate={afterDate}&size=42&sites=W3wn7&types=rQj2a'
+    rep = requests.get(dates_url).json()
+    dates = {el for el in {str_to_date(day['day']) for day in rep['days'] if day['hasOffer']} if el <= date(2022, 7, 20)}
+
+    if dates:
+      text = 'There are places for :\n - ' + '\n - '.join([el.strftime('%d/%m/%Y') for el in dates])
+
+      url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
+
+      print(date.today().strftime('%Y-%m-%d'), requests.get(url).status_code)
+    else:
+      print(date.today().strftime('%Y-%m-%d'), "No places")
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: permis
+  namespace: crons
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  schedule: "*/10 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  suspend: true
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: app
+            configMap:
+              name: permis-config
+          containers:
+          - name: permis
+            image: python:3-slim-buster
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - pip install --no-cache-dir -r /app/requirements.txt;python /app/permis.py
+            volumeMounts:
+            - name: app
+              mountPath: /app
+              readOnly: true
+            envFrom:
+            - secretRef:
+                name: telegram-k-creds
+          restartPolicy: OnFailure

archive/2022.07.bxl-k3s-pi/apps/cron/restou.yaml

@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: restou-config
+  namespace: crons
+data:
+  requirements.txt: |
+    requests==2.27.1
+    beautifulsoup4==4.10.0
+  restou.py: |
+    import requests
+    from bs4 import BeautifulSoup as bs
+    from datetime import datetime
+    import os
+
+    soup = bs(requests.get('https://uclouvain.be/fr/decouvrir/resto-u/le-galilee-self.html').text, features='html.parser')
+
+    contents = soup.find('div', {'class': 'bigcontenu'}).findAll('div', {'class': 'menus'})
+
+    result = ['Menu du jour:']
+
+    for item in contents[datetime.now().weekday()].findAll('div'):
+        try:
+            title = item.find('p', {'class': 'titre2'}).text.strip()
+            content = item.find('p', {'class': 'texte1'}).text.strip()
+        except:
+            continue
+        if title and content and content != '0':
+            result.append(f' - {title}: {content}')
+
+    token = os.getenv('TELEGRAM_TOKEN')
+    chat_id = os.getenv('TELEGRAM_ID')
+
+    assert token is not None, "Telegram token must be set"
+    assert chat_id is not None, "Telegram chat ID must be set"
+
+    text = '\n'.join(result)
+    url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
+
+    print(url)
+
+    requests.get(url)
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: restou
+  namespace: crons
+spec:
+  schedule: "30 11 * * 2,4"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: data
+            configMap:
+              name: restou-config
+          containers:
+          - name: restou
+            image: python:3-slim-buster
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - pip install --no-cache-dir -r /data/requirements.txt;python /data/restou.py
+            envFrom:
+            - secretRef:
+                name: telegram-creds
+            volumeMounts:
+            - name: data
+              mountPath: /data
+              readOnly: true
+          restartPolicy: OnFailure

archive/2022.07.bxl-k3s-pi/apps/cron/sealedsecret-dyndns.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ovh-dyndns-creds
+  namespace: crons
+spec:
+  encryptedData:
+    DYNDNS_HOST: AgCJbz6Qd11HuDWQhY6pVMtiwek1P7c4BJB4dhcIASzVjUrNrhEaOzXNFCwemeZxcg+qWH5KmMD0eM0RdGypSewDWiJt/3TVpLNulQ3MBy/jmms3WUSRDM9Q8dypKbivrTxCiRlBurKthSjJtY+SG5vSIIGdL/vZUz90f8B+unS3lM1fEEhhwCf2fj59npA3jhlOuXSpfFgfx0Nc1dd7yVan/2PYplAjGX3OOVyHzqVm7G/vs6jcwn3FjY7xwLL/xcpqKle52uDAA1WZFpSDGOfJH6iNaGTzaE10GiFuhzrQPrdUcXPVg82FvhpuaRHcsbii7l+bmm1+kNwUXpfPX7UJEUBGD7M39CqogrRfa8UuyMNjt0Ie3wMrW6PBRbjGw7LZQxIV4ORADbKz7upmfiY8yPlzD7nsyaVlkhtjz6hdaidXV9eEqQydwDt8T0Nld6kTysrOf+WkCUChrmOV86EMLgP0KI2jnvr5vubITp3MFxSdrmWt43iqO+d+LUzZqPu4DYqKr42vGApksL9UmJFa2W7XUzWhZH3BHPPaYxyeDgvvxCcMXuVL1Pm1DNeZ55CB8eO6Q2DMyuoISypPkuZBtJYfOzpCUk44NaN4XUcCO3MAbGeISWpXHi/Dp3HdHWXt9f0Jn/cqteymojkIONUThlaS4NeoPqVm4FJ6PbBTb9Zi70QoY7Pd28Cj/z+nWT9450xvEFiza+Xbje/Owj8=
+    DYNDNS_LOGIN: AgC5CdZGoLFtaNVcO1tSpvfVFrgPJKKZHGkhEUUH2Cgoa5hX4sH3R5f8Y0uLIKAZrODJUNKNmC2Shq7iYERIZ90KGnQf4LcrN3e1O1nQyH5iIItoUYpRZCjgZ0d3VOH9ehRmaYxbBKdz5jOaoGknqCMnR7B3BFD5Gq4m1yXAiplGoARNhb+WCnjNfgjj0wrg4a4TpitHsFnNbNf23XaQu/WPUdvVByjN4hJ909f8I7tdveVMRul6AkFIuNS8WAOhJHCQNNSmDZXU/4T2PZXDs9/xztKwLM0JhTlMXRRT4WLqBFDi34PloxBgrv70qlrrJ7VoQkmj+0L49KOTASZ4uSaRwOCNhugoLDh0Rauw6BZfRS+8oLDmH9nRFrLX4j0HV+MIhNMp10ky3NintjMab1y/EmPSDHJFE5Cf+th8T0wt046apBQWhI9KZIYeg04sDAD+BnnWO8NG1PVz+fEmvFzni5FxCEz9auv35PGVns1IU4bQ1K5QnbV+IECC2u9G2aMQzyojGZ1ZvJlt0lrSDgjmF1zvDHXiwBOumJ6SsgHCcES3dOTDvChASnkWWExRnvR4QABOUN+Uhcf170JcXp71d9psovkS/0y57bz7CiQ3STlh0NpoVw2g8p7uQo1okoVN2NMlcsH+/up2Nw7Yd+gRIOFGnG1floYKAjrufzJIFjO6rZbrSkDvc0imJV9ySx9HFQqKcKS92oRhfawh/WY=
+    DYNDNS_PASSWORD: AgAHEJIn0hE2uho5a0S2Hw6meNcVz5BUbmFZErbxCJlkbyDwwCkTy8Hp3xdyT2iWIVRGbCQFWGonRCXqpCpo4bYQ+/5RprqA/8RixzM6VuzEzlRW90V0OBQ6XTpPK4Wy/A385+04gv9IzaLtQOq6LuRUOH2XROsGh3psA2m292BeWBoDV1EXpb2ImOwnEKSuJU5dBCPue+whuNi/4cALfBlW7nx8T7Vf+fgDEPOc96ICnwekRzL/LHQODOKjarUPU0EnFKg9WBJlfe5qpncj8wxpyDw9rYPZ/KCkdHPKJrK5+zw0GytYX+TzPOHeWKS/nDIBHSEFjDYfuA6M+lTsIoH14YyGr89HGKhK6A+sB9MMQZeEG2b6PlrYaTW/J5KPWlOnJAOiismqYX0SzFxVupoWlSSJtfmN37UNthoGFVdTWAa4fFMvGn13cjkJnGM7KgSotfNC8jbvgSiq4FEM7nMR9BUGmV5P+8bNG5XScTl5ocP3obiLbDvrcJsE55uQF2m54Mgl8YjLju6gWihdnyFDGH6rt/Tbno0w5l3a4NITBSOBw8y+VJ0iczBjKwjHHW7Dwb/HAjo4zjFI3WFbaVJc5prEqRx7IoeHbyEyU5qaecaS/vCxuNjpw7MT4iQj4f/JeNAtJvG6vqlXMfxDhb/ELTac9caR/vI/98/jWjsjyxLsNNY0QaLfMXHK08QL0FzxaxxnU5YcCh4AcjLBn/m7y4GfESZ4s6WJRzijBow=
+  template:
+    metadata:
+      name: ovh-dyndns-creds
+      namespace: crons

archive/2022.07.bxl-k3s-pi/apps/cron/sealedsecret-telegram-k.yaml

@@ -0,0 +1,14 @@
+
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: telegram-k-creds
+  namespace: crons
+spec:
+  encryptedData:
+    TELEGRAM_ID: AgDOgLMPt2YgazghTVOCdjkTMD/l2tPPOi0Cejfyqu7R8vVqjpRag6EFL6C/bB7TJbW2SLXdqDOpfUd5j/7sjFSJuMAi9ZY8aWvD5N0i1vJ+VTz8nuHTLhTKMhId5WYJbA3QElFcTvP9wqDZn1Cgm375yhAXsXwBZ4wENraMGMTesIJf3HxhvpgbQ+9u47HBIW1zfbuaOplusL0VGGDS1kU+e1rWsjBh+t29XS66HNb+NpiGO/0ZzlVLPxVTMbcxoQSIEsqUB43nQPbI0pcLzJzw0bKFezZwOlpkR/yWHrTV1+z8w5gPjPvsxEwgwhFhVxnjeXphh35HA8a7Je4uBOwjBhsP1UevJdWgzcGTHPNViQnywlDemwVL38MrAT79M0bOKy3ze3R3cSm8zNcCk0v9vVs2VqYu55ejobjbGwawR7k4r0p+vGLsn9KLwSrzGrq0vsGlElk8lW6fFqqFaijEkGbhJjMZOsCY30qHjGxQQaMUnZ+U+H9znnO8eivCg9gnz1kcmPrAUt5N/4o/K1mwjXl4dPV6TqD+4CS5JcAB1ds6jQ/Ru1qDPfjAxFs0u1rulTz1w0lV4i0o3DehWwVS6lESFA0ZlE4hSWlvsLVTV63JDtgaN2FsCLSHappvPz+RCmHrry+n4TCnvvM5CtRKU0/q3ylactzHn8oiIw/w0RNtwELY895suwWbgOHScJM0Rxhf0FUdIlyF
+    TELEGRAM_TOKEN: AgCKS3cDHu0OYFa2PEs2zRmbmDATt8G+wSIl1v3MHOHXH4uCyDVkmd8KdZ6n+vv9T9+MKCIABqDQozcHWdGaMBsYNmxGGC5B7gWpo9uwOWRyuDZEVlrsgC/PspaJ4hVBwNpjL5jVglwRIE0xrgf6fdjF7XJGmeugAv7v03mK8UX0VUh6KXMjKv7RSt+GnkDrFFCBI+VORYqpsrSR5/a9CnA6WrlTOS74umvraPbH+iypjN9pkp6KhGMr8id+GmQT++d9ZKJosornu7YS0lBvP79oqDp19xaO/pcBeAeDcsfTyE39meedyw4gk5BizDWklEWWuhBnHH+MKO8dSeLzzakNVmPoZCpTvT8K5Uh+fKInwVxVRJQZDRiwhDrR+h3icaTivZDsK4MQlQTx0DaZTULKio07eAEElU+eFZjV3E4//qqYB57d2YnMOfZFXN1BAXuAAcby5uDxIcU1s6iZOQz8cgdsa9aDTOilX2CgOEjkUqJHttV8iBDjqRO3jgYlciPCoH7KW6A3JH9R1pG4IdxRJg9eA3dX6IMc01HRqR5h5qSzpF6ZI1t/gLa6zX3Q8Je/xb1+6+HOJbZNS/07M3c0XRBBCh9t1XPHeixBLF7kNxh82gx/F6uOrjq9UF/FeONYaSBcqE6io1iwDT1bpfnjvlLohLuFxs6so4rLdxnhDX7XldLzgjAxxcvawzbseX7xRGYlCh7S2il4A8yPq6AeClbuWer3QcuXk1ejk+zz9QugZ5pATpnIojL08I1n
+  template:
+    metadata:
+      name: telegram-k-creds
+      namespace: crons

archive/2022.07.bxl-k3s-pi/apps/cron/sealedsecret-telegram.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: telegram-creds
+  namespace: crons
+spec:
+  encryptedData:
+    TELEGRAM_ID: AgCSUvDgfxsJEhppeZbvGV8iQ7Qk0D0kbjZwaEdZ5A2lUfD2nSxuLHLK1psly9d1sAGO7VGak8YgAXQPsOYmoOZePd2u3c+9e7hLzciUhLQ142vlzhEaU0+H2MFfMn1VjIy/ipNjm6svocelf8SBGC78m0fSDRMmSh845tOxIsP2rr8q0lEnD8ydHEDpFwF6cVe6D3wizqIqaucWSy7XMloxviDtGpTa8FJZhUNMfc+xW+RFDlRJIv1ZMqS6rbbnrunEzqA3Mk5vmfbTRLKBxiERNg8em/1KEjrnvrTIgWy4VcSiyYcDXUR4uct9Gykfg4reapT/18Kpu0ICbULEeMdPFeMZN55f/yxbGD9k9ImKpzd0+pRCSBq3reyXv7kRNs08WCpuxmrMwf9zmHKWHNZV+YocyQZDdeBSLKrUv7Tk1GUTj3IVknsPc7hHIY6VYnqn0ApjTxzP2iQkt7ZxDzCW9htskaJy74jgfHW0R58YuBSra11Jezwxvk3+jiR28ZS2tnBuNZt6Zxi36TiZBoPYm8gDxZBuKKQZUl1ujd9j+4pfQ275QEyd67byFj1WlgUOelfaXLyqn6S87uNW3yRdkgo9c0vF1u4HvHfedKkJ1nqOtGpmeKq2ccmPysF38NapfGKsx8s4aLqKY2JTc2X5VeUwLtADpWdP1O2g2PmeMD0Lv/ehbU27FMbT3O/SXNudT+B8gsKlCcM7
+    TELEGRAM_TOKEN: AgBjqR1y124X1TAXplLp4NGfCLPT2fNkjG6PM/73MAeyVWyKHD5ScD/O2IDbS4LvnguTMs4C+5QKw8QRRbavon5hmMBn+iQqA1QYpObNSrWET+IQxJ0vp7W8l//PM3WIHsujxhWP7IJffmI45JoqZ1Jwx9Ca/9Hgp3wfy3DkdVvI+4Boe3UiAcOX23jLo9Ak9X4Iw7F8eH7Mf8JZHAB7jB7dSJFkBmBxUHfvSX3dTinASvbHtobSmbjDY7Ewf22RssZFpDfr/UOGDA8bEfDZMkZd+RQs8yKJJVEOmfu9i+sqDqLbEf5Mjw6DQ9Bfc2J6lH1tJzqrp7iPE2gqrkDFxgkNen3QBBUJPDJrs+N574qkuhtQL0GglhS24dk4GaoLZg46TZ6QMOoi4qYf9B8sz9LAe7jFpL2Y1Mpxh2S+ABZIPDhDRgFTLzD319gLHRzhJRv55AJfKOUZeJ6xs8Eilfr5PXBMzmwBxBAxFPBZSrAs9d2TxyahuDjt6xkkAbsOvX1iEpdCzJvadUcQv5OJFhDhMMLIeKeDIvcm7z0TOAVxC3biy/jyGqto1c3bvp1i0N4l+G2QJoHt9oOdoxTdnfmVJmwZsVeIL/S6dO42yA+EPctGwZ2wPSG5q9bnSR2ZbTQRE8tPBGle3+c+FdKvz5m7XPjsp3WDhSH8DZ9FXBl5znEX062cB9Af8u76v7SkjRMWzHB05rNa2bnhvOAx5CARa/jcax2XWRDSxArGyd1/mk4reu5lw7v28NksFKmR
+  template:
+    metadata:
+      name: telegram-creds
+      namespace: crons

archive/2022.07.bxl-k3s-pi/apps/cron/unibet.yaml

@@ -0,0 +1,104 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: unibet-pvc
+  namespace: crons
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: unibet-config
+  namespace: crons
+data:
+  requirements.txt: |
+    requests==2.27.1
+  unibet.py: |
+    #!/usr/bin/env python
+    # coding: utf-8
+
+    import requests
+    from datetime import datetime
+    import os
+    import json
+
+    def analyze_event(data):
+        return {
+            'time': data['event']['start'],
+            'homeTeam': data['event']['homeName'],
+            'awayTeam': data['event']['awayName'],
+            'odds': {d['criterion']['englishLabel']: {o['englishLabel'] + (' ' + str(o['line']) if 'line' in o else ''): o['odds']/1000 for o in d['outcomes']} for d in data['betOffers']}
+        }
+
+    competitions = [
+        'england/premier_league',
+        'belgium/jupiler_pro_league',
+        'france/ligue_1'
+    ]
+
+    for comp in competitions:
+        content = requests.get(f'https://fr-sports.unibet.be/sportsbook-feeds/views/filter/football/{comp}/matches').json()
+        res = []
+        for a in content['layout']['sections']:
+            try:
+                for b in a['widgets']:
+                    try:
+                        for c in b['matches']['events']:
+                            try:
+                                res.append(analyze_event(c))
+                            except:
+                                pass
+                    except:
+                        pass
+            except:
+                pass
+        os.makedirs(f'/data/records/{comp.replace("/","-")}', exist_ok=True)
+        with open(f'/data/records/{comp.replace("/","-")}/{datetime.now()}.rec', 'w') as file:
+            json.dump(res, file)
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: unibet
+  namespace: crons
+spec:
+  schedule: "30 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: app
+            configMap:
+              name: unibet-config
+          - name: data
+            persistentVolumeClaim:
+              claimName: unibet-pvc
+          containers:
+          - name: unibet
+            image: python:3-slim-buster
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - pip install --no-cache-dir -r /app/requirements.txt;python /app/unibet.py
+            volumeMounts:
+            - name: app
+              mountPath: /app
+              readOnly: true
+            - name: data
+              mountPath: /data
+              readOnly: false
+          restartPolicy: OnFailure

archive/2022.07.bxl-k3s-pi/apps/external-endpoints/bazarr.yaml

@@ -0,0 +1,51 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: bazarr
+ namespace: external-endpoints
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6767
+   targetPort: 6767
+
+---
+
+kind: Endpoints
+apiVersion: v1
+metadata:
+ name: bazarr
+ namespace: external-endpoints
+subsets:
+ - addresses:
+     - ip: 192.168.1.201
+   ports:
+     - port: 6767
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr
+  namespace: external-endpoints
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "bazarr.bhasher.com"
+spec:
+  ingressClassName: "nginx"
+  tls:
+  - hosts:
+    - bazarr.bhasher.com
+    secretName: bazarr-tls
+  rules:
+  - host: bazarr.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: bazarr
+            port:
+              number: 6767

archive/2022.07.bxl-k3s-pi/apps/external-endpoints/docker.yaml

@@ -0,0 +1,51 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: docker
+ namespace: external-endpoints
+spec:
+ type: ClusterIP
+ ports:
+ - port: 5000
+
+---
+
+kind: Endpoints
+apiVersion: v1
+metadata:
+ name: docker
+ namespace: external-endpoints
+subsets:
+ - addresses:
+     - ip: 192.168.1.201
+   ports:
+     - port: 5000
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: docker
+  namespace: external-endpoints
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 500m
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "docker.bhasher.com"
+spec:
+  ingressClassName: "nginx"
+  tls:
+  - hosts:
+    - docker.bhasher.com
+    secretName: docker-tls
+  rules:
+  - host: docker.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: docker
+            port:
+              number: 5000

archive/2022.07.bxl-k3s-pi/apps/external-endpoints/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-endpoints

archive/2022.07.bxl-k3s-pi/apps/external-endpoints/jellyfin.yaml

@@ -0,0 +1,51 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: jellyfin
+ namespace: external-endpoints
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8096
+   targetPort: 8096
+
+---
+
+kind: Endpoints
+apiVersion: v1
+metadata:
+ name: jellyfin
+ namespace: external-endpoints
+subsets:
+ - addresses:
+     - ip: 192.168.1.201
+   ports:
+     - port: 8096
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin
+  namespace: external-endpoints
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "jellyfin.bhasher.com"
+spec:
+  ingressClassName: "nginx-external"
+  tls:
+  - hosts:
+    - jellyfin.bhasher.com
+    secretName: jellyfin-tls
+  rules:
+  - host: jellyfin.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jellyfin
+            port:
+              number: 8096

archive/2022.07.bxl-k3s-pi/apps/external-endpoints/sonarr.yaml

@@ -0,0 +1,51 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: sonarr
+ namespace: external-endpoints
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8989
+   targetPort: 8989
+
+---
+
+kind: Endpoints
+apiVersion: v1
+metadata:
+ name: sonarr
+ namespace: external-endpoints
+subsets:
+ - addresses:
+     - ip: 192.168.1.201
+   ports:
+     - port: 8989
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sonarr
+  namespace: external-endpoints
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "sonarr.bhasher.com"
+spec:
+  ingressClassName: "nginx"
+  tls:
+  - hosts:
+    - sonarr.bhasher.com
+    secretName: sonarr-tls
+  rules:
+  - host: sonarr.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sonarr
+            port:
+              number: 8989

archive/2022.07.bxl-k3s-pi/apps/git/app.yaml

@@ -0,0 +1,134 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea
+  namespace: git
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  namespace: git
+  labels:
+    app: gitea
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: gitea
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      volumes:
+      - name: gitea-data
+        persistentVolumeClaim:
+          claimName: gitea
+      - name: gitea-certs
+        secret:
+          secretName: gitea-certs
+      - name: gitea-config
+        configMap:
+          name: gitea-config
+      - name: ca
+        configMap:
+          name: ca
+      containers:
+      - name: gitea
+        image: gitea/gitea:latest
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - secretRef:
+            name: gitea-tokens
+        volumeMounts:
+        - name: gitea-data
+          mountPath: /data
+          readOnly: false
+        - name: ca
+          mountPath: /etc/ssl/certs/bhasherCA.pem
+          subPath: bhasherCA.pem
+          readOnly: true
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3000
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 10
+        startupProbe:
+          httpGet:
+            path: /
+            port: 3000
+          failureThreshold: 30
+          periodSeconds: 10
+      initContainers:
+      - name: init-config
+        image: busybox:latest
+        command: ['sh', '-c', 'mkdir -p /data/gitea/conf && cp /tmp/config/app.ini /data/gitea/conf/app.ini']
+        volumeMounts:
+        - name: gitea-data
+          mountPath: /data
+          readOnly: false
+        - name: gitea-config
+          mountPath: "/tmp/config"
+          readOnly: true
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+  namespace: git
+spec:
+  type: ClusterIP
+  selector:
+    app: gitea
+  ports:
+  - name: https
+    port: 3000
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: git
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "git.bhasher.com"
+spec:
+  ingressClassName: nginx-external
+  tls:
+  - hosts:
+    - git.bhasher.com
+    secretName: gitea-tls
+  rules:
+  - host: git.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea
+            port:
+              number: 3000

archive/2022.07.bxl-k3s-pi/apps/git/ca.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca
+  namespace: git
+data:
+  bhasherCA.pem : |
+    -----BEGIN CERTIFICATE-----
+    MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
+    BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
+    MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
+    BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
+    YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
+    MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
+    A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
+    aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
+    c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
+    2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
+    7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
+    qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
+    4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
+    2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
+    oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
+    SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
+    qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
+    sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
+    sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
+    iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
+    78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
+    D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
+    fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
+    0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
+    /O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
+    CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
+    d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
+    yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
+    NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
+    UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
+    7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
+    NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
+    AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
+    GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
+    lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
+    EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
+    uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
+    xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
+    Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
+    qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
+    KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
+    nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
+    EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
+    2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
+    7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
+    O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
+    IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
+    8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
+    nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
+    GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
+    I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
+    chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
+    YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
+    n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
+    Pzrn2j0Zdg==
+    -----END CERTIFICATE-----

archive/2022.07.bxl-k3s-pi/apps/git/config.yaml

@@ -0,0 +1,275 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-config
+  namespace: git
+data:
+  app.ini: |
+    APP_NAME = Gitea Bhasher
+    RUN_MODE = prod
+    RUN_USER = git
+
+    [repository]
+    ROOT                        = /data/git/repositories
+    SCRIPT_TYPE                 = bash
+    DETECT_CHARSETS_ORDER       = defaults
+    FORCE_PRIVATE               = false
+    DEFAULT_PRIVATE             = public
+    DEFAULT_PUSH_CREATE_PRIVATE = false
+    MAX_CREATION_LIMIT          = -1
+    PREFERED_LICENSES           = MIT License
+    DISABLE_HTTP_GIT            = false
+    ENABLE_PUSH_CREATE_USER     = false
+    ENABLE_PUSH_CREATE_ORG      = false
+    DEFAULT_BRANCH              = master
+
+    [repository.local]
+    LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+    [repository.upload]
+    TEMP_PATH     = /data/gitea/uploads
+    FILE_MAX_SIZE = 25
+    MAX_FILES     = 100
+
+    [repository.signing]
+    SIGNING_KEY         = default
+    INITIAL_COMMIT      = always
+    DEFAULT_TRUST_MODEL = collaborator
+    WIKI                = parentsigned
+    CRUD_ACTIONS        = pubkey,parentsigned
+    MERGES              = pubkey,basesigned,comitssigned
+
+    [ui]
+    EXPLORE_PAGING_NUM      = 20
+    ISSUE_PAGING_NUM        = 20
+    MEMBERS_PAGING_NUM      = 20
+    FEED_PAGING_NUM         = 20
+    GRAPH_MAX_COMMIT_NUM    = 100
+    DEFAULT_THEME           = arc-green
+    SHOW_USER_EMAIL         = true
+    MAX_DISPLAY_FILE_SIZE   = 8388608
+    DEFAULT_SHOW_FULL_NAME  = true
+
+    [ui.meta]
+    AUTHOR      = Bhasher's git
+    DESCRIPTION = Custom git server based on gitea
+    KEYWORDS    = gitea,git,bhasher,self-hosted
+
+    [ui.csv]
+    MAX_FILE_SIZE = 8388608
+
+    [markdown]
+    ENABLE_HARD_LINE_BREAK_IN_COMMENTS  = true
+    ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS = true
+    CUSTOM_URL_SCHEMES                  = git
+
+    [server]
+    APP_DATA_PATH           = /data/gitea
+    PROTOCOL                = http
+    DOMAIN                  = git.bhasher.com
+    HTTP_ADDR               = 0.0.0.0
+    HTTP_PORT               = 3000
+    UNIX_SOCKET_PERMISSION  = 660
+    ROOT_URL                = https://git.bhasher.com/
+    LOCAL_ROOT_URL          = http://127.0.0.1:3000/
+    DISABLE_SSH             = true
+    LFS_START_SERVER        = false
+    APP_DATA_PATH           = /data/gitea
+    OFFLINE_MODE            = false
+    LANDING_PAGE            = explore
+
+    [database]
+    DB_TYPE  = postgres
+    HOST     = postgres.storage.svc.cluster.local
+    NAME     = gitea
+    USER     = gitea
+    SCHEMA   = public
+    SSL_MODE = disable
+    LOG_SQL  = false
+
+    [indexer]
+    ISSUE_INDEXER_TYPE    = bleve
+    ISSUE_INDEXER_PATH    = /data/gitea/indexers/issues.bleve
+    REPO_INDEXER_ENABLED  = true
+    REPO_INDEXER_TYPE     = bleve
+    REPO_INDEXER_PATH     = /data/gitea/indexers/repos.bleve
+    MAX_FILE_SIZE         = 524288
+
+    [admin]
+    DEFAULT_EMAIL_NOTIFICATIONS   = enabled
+    DISABLE_REGULAR_ORG_CREATION  = false
+
+    [security]
+    INSTALL_LOCK                        = true
+    LOGIN_REMEMBER_DAYS                 = 7
+    REVERSE_PROXY_LIMIT                 = 1
+    DISABLE_GIT_HOOKS                   = true
+    DISABLE_WEBHOOKS                    = false
+    INTERNAL_TOKEN                      = azerty
+    REVERSE_PROXY_AUTHENTICATION_USER   = Remote-User
+    REVERSE_PROXY_AUTHENTICATION_EMAIL  = Remote-Email
+    REVERSE_PROXY_TRUSTED_PROXIES       = ingress-nginx-controller.ingress-nginx.svc.cluster.local
+
+    [openid]
+    ENABLE_OPENID_SIGNIN = false
+    ENABLE_OPENID_SIGNUP = false
+
+    [service]
+    DISABLE_REGISTRATION                          = true
+    REQUIRE_SIGNIN_VIEW                           = false
+    REGISTER_EMAIL_CONFIRM                        = false
+    ENABLE_NOTIFY_MAIL                            = true
+    ENABLE_BASIC_AUTHENTICATION                   = false
+    ENABLE_REVERSE_PROXY_AUTHENTICATION           = false  # true
+    ENABLE_REVERSE_PROXY_AUTO_REGISTRATION        = false
+    ENABLE_CAPTCHA                                = false
+    DEFAULT_KEEP_EMAIL_PRIVATE                    = false
+    DEFAULT_ALLOW_CREATE_ORGANIZATION             = true
+    DEFAULT_USER_IS_RESTRICTED                    = false
+    DEFAULT_ENABLE_DEPENDENCIES                   = true
+    ALLOW_CROSS_REPOSITORY_DEPENDENCIES           = true
+    ENABLE_USER_HEATMAP                           = true
+    DEFAULT_ENABLE_TIMETRACKING                   = true
+    DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
+    SHOW_REGISTRATION_BUTTON                      = false
+    SHOW_MILESTONES_DASHBOARD_PAGE                = true
+    AUTO_WATCH_NEW_REPOS                          = true
+    DEFAULT_USER_VISIBILITY                       = public
+    ALLOWED_USER_VISIBILITY_MODES                 = public,limited
+    DEFAULT_ORG_VISIBILITY                        = public
+    DEFAULT_ORG_MEMBER_VISIBLE                    = true
+    ALLOW_ONLY_EXTERNAL_REGISTRATION              = true
+    NO_REPLY_ADDRESS                              = noreply.git.bhasher.com
+    VALID_SITE_URL_SCHEMES                        = https
+
+    [service.explore]
+    REQUIRE_SIGNIN_VIEW                           = false
+    DISABLE_USERS_PAGE                            = false
+
+    [webhook]
+    DELIVER_TIMEOUT   = 5
+    ALLOWED_HOST_LIST = *
+    SKIP_TLS_VERIFY   = false
+    
+    [mailer]
+    ENABLED             = true
+    FROM                = "Bhasher's gitea" <no-reply@bhasher.com>
+    MAILER_TYPE         = smtp
+    HOST                = bdubois.io:465
+    IS_TLS_ENABLED      = true
+    USER                = no-reply@bhasher.com
+    SEND_AS_PLAIN_TEXT  = false
+    SKIP_VERIFY         = true
+    SUBJECT_PREFIX      = [Gitea]
+
+    [cache]
+    ENABLED   = true
+    ADAPTER   = memory
+    ITEM_TTL  = 1h
+    
+    [cache.last_commit]
+    ENABLED       = true
+    ITEM_TTL      = 24h
+    COMMITS_COUNT = 100
+
+    [session]
+    PROVIDER          = memory
+    COOKIE_SECURE     = true
+    COOKIE_NAME       = sessid
+    SESSION_LIFE_TIME = 43200
+    SAME_SITE         = strict
+
+    [picture]
+    DISABLE_GRAVATAR                = false
+    GRAVATAR_SOURCE                 = gravatar
+    ENABLE_FEDERATED_AVATAR         = true
+    #AVATAR_STORAGE_TYPE             = default
+    AVATAR_UPLOAD_PATH              = /data/gitea/avatars
+    AVATAR_MAX_WIDTH                = 2048
+    AVATAR_MAX_HEIGHT               = 1536
+    AVATAR_MAX_FILE_SIZE            = 1048576
+    AVATAR_RENDERED_SIZE_FACTOR     = 5
+    #REPOSITORY_AVATAR_STORAGE_TYPE  = default
+    REPOSITORY_AVATAR_UPLOAD_PATH   = /data/gitea/repo-avatars
+    REPOSITORY_AVATAR_FALLBACK      = random
+    DISABLE_GRAVATAR                = false
+    ENABLE_FEDERATED_AVATAR         = true
+    REPO_INDEXER_EXCLUDE_VENDORED   = true
+
+    [attachment]
+    ENABLE        = true
+    ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.mp4,.log,.pdf,.png,.pptx,.txt,.xlsx
+    MAX_SIZE      = 2
+    MAX_FILES     = 5
+    STORAGE_TYPE  = local
+    PATH          = /data/gitea/attachments
+
+    [log]
+    MODE      = console
+    LEVEL     = Warn
+    ROUTER    = console
+    ROOT_PATH = /data/gitea/log
+
+    [git]
+    PATH                          = 
+    DISABLE_DIFF_HIGHLIGHT        = false
+    MAX_GIT_DIFF_LINES            = 1000
+    MAX_GIT_DIFF_LINE_CHARACTERS  = 1000
+    MAX_GIT_DIFF_FILES            = 100
+    PULL_REQUEST_PUSH_MESSAGE     = true
+    VERBOSE_PUSH                  = true
+    VERBOSE_PUSH_DELAY            = 5
+    LARGE_OBJECT_THRESHOLD        = 1048576
+    DISABLE_PARTIAL_CLONE         = false
+
+    [git.timeout]
+    DEFAULT = 60
+    MIGRATE = 60
+    MIRROR  = 60
+    CLONE   = 60
+    PULL    = 60
+    GC      = 60
+
+    [metrics]
+    ENABLED = false
+
+    [api]
+    ENABLE_SWAGGER              = false
+    MAX_RESPONSE_ITEMS          = 50
+    DEFAULT_PAGING_NUM          = 20
+    DEFAULT_GIT_TREES_PER_PAGE  = 100
+    DEFAULT_MAX_BLOB_SIZE       = 1048576
+
+    [oauth2]
+    ENABLE                        = false
+
+    [i18n]
+    LANGS = en-US,de-DE,fr-FR,nl-NL,es-ES,it-IT,pt-PT
+    NAMES = English,Deutsch,Français,Nederlands,Español,Italiano,Portguês
+
+    [markup]
+    ENABLED = false
+
+    [time]
+    DEFAULT_UI_LOCATION = Europe/Paris
+
+    [migrations]
+    ALLOW_LOCALNETWORKS = true
+    SKIP_TLS_VERIFY     = true
+
+    [federation]
+    ENABLED = false
+
+    [packages]
+    ENABLED = true
+
+    [mirror]
+    ENABLED           = true
+    DISABLE_NEW_PULL  = false
+    DISABLE_NEW_PUSH  = false
+    DEFAULT_INTERVAL  = 1h
+    MIN_INTERVAL      = 15m
+
+    [other]
+    SHOW_FOOTER_TEMPLATE_LOAD_TIME  = false
+    SHOW_FOOTER_VERSION             = false

archive/2022.07.bxl-k3s-pi/apps/git/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: git

archive/2022.07.bxl-k3s-pi/apps/git/sealedsecret.yaml

@@ -0,0 +1,20 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: gitea-tokens
+  namespace: git
+spec:
+  encryptedData:
+    GITEA__database__PASSWD: AgCGUoM6CDCiUgmFlPCBSyYiqktHWfBeq6WM7JPO8w9jmFiiGYWp/nLgxLCHxgiZRJmZ6gMrLbH/0SfjwdtpbgJEELPfrEKbQF3WMhthvxr8AuxLP8rRT/ECH/AH9q372uA6n7JB/EfWHCJ1py1KSr5g+ZpB4sj4arYBKHV7A1VeWYailAGi9/aE1a916CG0M7zXhLjum7qlNAHmNainFvqfHYeO+DHtGo/dg7h/fCJ/vfPzEzbyzSUytOXNLNqJ6lScCgnqU10WOPQT1Kg+TkQH2xPNW7LEee9XtCOEHr92mHojdDayhEU3Cw+VJz0wbPg77egIbXGJ3ehJ6XX1eYAil1eBYcQWvIc+SU3fhXMDBojZhEJjkenhPVlde9/L8ahOzRa2eVok6qoVkkBtqXMvOp7PtTWmugjoFY+YFVWuTmLbxbYzQadtZFdi2Zr8l0qWObS7hhxWeK68Jk/3OI2bsXZl21mo78oyPA19x3fDetv1Oop31/z0iXfGoa8rMdDikBuEoOMMwspNxdJ1q+GW25LXJEJebcCwGJgJmZgVv6ap2qbRwyjpJQ7M08JSq4Y6DHe283+6YYte7SIYm32Q+m4k9LJbtaRNw5wpskFr2BWXWLX8P7/d/Idyeg3hNbXyjPdobnDGNoJCwJVwv1hBMOiYmEW3wOzY1i2isZeMCcW6CUVLyqcgkmJZeXeuRjyhPqblAr6NRfd5aB8E/LKncZGkTQEoFyG83kA4uqjpBpZHvBdstmyJiq86bvtk+Mk4hpVx0FzIVl+N3MgiQN+H
+    GITEA__mailer__PASSWD: AgCH3z9kwv8vJcIYJfjDYn7wm86ZSqpZo7fi80sTbqg3LeAsL/biH+fHkWjBWMvCJerCpf04yTIw7sh203xJP0xgEz1cZ2J6+lkl3r4/LZSt+zg/QzF+qSewNssZWJFq6KdNWzxaWWISs90ATjmQUgLNYgp+zX0GEdjwWzdphknB/K7omxYJcYhidCPFThc4nFGrNKiM1QFWhrGK3aiGX+ug6MaZqfF6ABx7WfWRkiLUIyvdKPgIxswbRdLSsjLjN+c75VWa8lD58GKz+a+JYuOVTFX61JtFSwTPW+U8Eb6Nw1OD0oOXjpFFqym54awqElh0avQadyWmMlM7Ste3hktq1L2v9T2hFDupfDHJ6tq38bkImE5jjTJa35XxGmt4nEjM+owDM0FIHotC2l92qJxWzT0QwOV5ARYjbWOQa2Y7LfCd7N4oU6jbnRDMLDwg/fr+v1ngu0Tcnjb+swPhROoTEoWvY5Vy+IAWBhYX3KLm57Gbuhybnorr28sABVNFmCNmNWO2RC0nEYZF7k/TQkQGgY2RC2OIifN0Gon6KYrK1rPr2kBTRgcHh22nc2MozKOQ2W0WuY8WuwXr/4kOkYns3W6zqzsRKpMB8nZDrjyPkKq8liHFpk4t7hia4OBKtjVv1U2A7TWvwVeOXG/Og+9wXehDnLal0gPBiUDs9zY5LI3w7muELzCiBUCglYFnAcN243iXR+GmbC1Xu98YTUYKcfrRE/Cw/x6UPSjHSKGcd3J/AHCzrfWe21xtmVAcpV+ZkUAfEOmcfMyz6qpr4/no
+    GITEA__metrics__TOKEN: AgBqc7HevQ/iFWczHYSV7pG6tS4IlcQd/tNuKS1UcMzTEKDAYOC0oHb57l3eYdXcN09pR3QPi4HfuMe0ST5ud9bZjm26cQQZnYmy+Mz1lQqTEfy5Fd0Mi1XKSLb1dJQ9Q21XtanKzohfRGcxb+UmOqiqs/b+uTm+UVsjBCj+x4eTGIS7vv+wpxBBtFX0aPUSe2aSNRigJFl1XbkbTD/YZVr2bmPvMEBCJloEmjqpGGfz6WpPH0355WeZj/jXNrJhdK30J7xwxi84x58m8Zijt1hLtcRiqQV3oH+jIQernjMjlCwr8upKwr1H4M4fhBUQdJdCzH7FlYmEJWDmSPOsxO6HJrX2LjzHhKTiKrc3qB74lumHeQIXGVwKEykdDAkWEkaqVHBYCBZ1rafxARbZRouDZUnRZy/3wWTWRiml3rc88jdNO8JNshTTkKmMhQCwbUs9bN0z0DAhBlhBvlc4hD0FKW34VuI9p9lRtzVn+KjdpwWvjvy/FSRdZ5F/YWJoMBfI05Trf0xiiJYEbWQOfnNi3kaVHV4ApizgYJBdCWyPRpG4F/Meip3UqczMyS7YdEuP+gCtJxRnI5FSJI9pIHsJViMvq2hq7/NrYRVV2C9uvC/I55dmsB+N8tIie1Zk1j8juWToDsxcoi/g16jWphWJQbjaYRGyjRWxa5pW6OVMeXFOOnSAGXBeM7tKl9hvJ/4I0nDgQBjOAajZsPmD3ES+nz/zOgmT05z923YdUEuAaOBxtvTNn2IZFsw2ROO9KRm225dAbh84Kj90KOsjdKLB
+    GITEA__security__INTERNAL_TOKEN: AgAGQAK+SPowj6jTmRw9TDn98mNVLkM32ABfypKGdjypMA9oM7zzLYzj5lOEqrj/e2t7R+rhvRLEv07qnZ/rq/U+FLVuXXqJ32E3MIhrpl6q4UOAGOu7obku8nQRmDhX+QTKYVI5GCzxnvIyA1wkr7Wg7VcTyHfJ4ruJPnwN7+vcQsq90gYAjJl+RxmJHrjY0aPhxf6BF1utD9ZdDcnURFJ/euKIJPAJc/AEhHz79cwQcwi/PxjIq1Rrcx1LzJ9yRhZQh0a996lFAFRlDlcV/BNejbVTbKTnSjaEkZoylO7GcYQag3tCrBXr+Zq52CaivSMufZvOHPoWWUDRrnUu/GIjGIXKcEFH9L8wR64VsbPozJInyMC7Miid4kBi3uJAyA4+e/sINmUDAHNkxHjK5XgqfmxQ1o14c9ZwsKDqaCT4ea+61MSfZ9PuUzz2zPzdlDz8LCfyp1U8Z2rbovqHfmCjxX6DKJa0EwEyqwGrC9VHBQNgptmAQF0GSJytFfoyXnsOVHHZ5PiNcoFSM00UB67e1799gbPG1C97j3iVGj/+ykNOz3pgdlTwUS6RHW3u6J9vANELylQMUlNu5VJ8PEUbS6alv6SQgxDPcTvS7wR3/6ssboyhW5buJm0K7o+4aoE7I+i9jCnkL6qQXrhldDUa6vNWJzsZPx2zfI8bXycfj6YqtBaZFr/Bibe3HzKm9X8rfCMfB2AIB+41N7ks2pAjdENbHnCtpmEp7UMRnyb+51bb3SzOog2Yz2fdENgtSF+iK8VTpTdNxncnDLiCQy0t
+    GITEA__server__LFS_JWT_SECRET: AgA0bU8405uKAOIOJYgmbGWKS2dGJWh//ACQdcvY2j1vU6tgG7OaDz5Y59TczX6KcfWeeapjABFRZ4OVKfO+t6GETLhSXAPC1UmcEQ6kbxNkhMkQtLWVPjJTYl61qmKNT1nJldPY8lNVfEL0NOpPhHSUD3lpNUIhZ7lL3+vkqSzF+d1NT8ehwXE4WlOLlnNVv+EiqyB+t/THFIw3xrdxGWD7MMJXThKU3C0Os3sG0UjuusCRuKlxsRh0NlZzMG2xkIBqXtqk8T+PJTYw/nHgT8Uekpp5yii6tDmjpaF+uS4wbUBh9R+YehHfRSkqV8s4XDkP5IunW0sTfGe9MlTww0TLe++h9gTi0zkrlkP7l5ilJU7pInsFkTWHLrQuI6CdOV3ATNx520GyNMA/rvednKHHgpHQzIf5gIfz9t44iwtlvzFCXaELOM8DgnuiX5lShVT8Th5E8BefVbMaEuNnLETz4wyQasnApJIXOWBNUmRgTo4kFPCqmzKGYuIP6/Gquj3GcqKI1AECk2z1Vd4ooSsXVzuX87+cwHokSjMODtgMpAw3HjlkO+Av1xDx6h++vh7SqrDYGATwdLsOAMDiXUzj7TJ/R31RwIcfveyFlSLeOZ6d32dzl07ddky2z/iGJnKArYWCMMVfnhhPi5AaCQ00Vtcj9R0hpos8gqqmwx9LJEzAq8LB5WH8eLV4hydrzCdq7tFkst67hr4E5JCbvbx8zg2Hq95v/WhJHNf8mcMx+0Vd7GQdY6owj101c2mUiq6cDkI7uwF4ylZ/Vn/7+jUO
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: gitea-tokens
+      namespace: git
+

archive/2022.07.bxl-k3s-pi/apps/hass/homeassistant.yaml

@@ -0,0 +1,179 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: hass
+  namespace: hass
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 500Mi
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hass
+  namespace: hass
+data:
+  configuration.yaml: |
+    # Loads default set of integrations. Do not remove.
+    default_config:
+
+    http:
+      use_x_forwarded_for: true
+      trusted_proxies:
+        - 10.42.0.0/16
+
+    panel_iframe:
+      nodered:
+        title: 'Node-Red'
+        url: 'https://node-red.bhasher.com'
+        icon: mdi:sitemap
+        require_admin: true
+    
+    binary_sensor:
+      - platform: ping
+        host: 192.168.1.2
+        name: "Bhasher's Desktop"
+        count: 2
+        scan_interval: 30
+    
+    wake_on_lan:
+
+    switch:
+      - platform: wake_on_lan
+        name: "WOL Bhasher's Desktop"
+        mac: e0:d5:5e:08:3c:d4
+        broadcast_address: 192.168.1.255
+
+    recorder: !include recorder.yaml
+    automation: !include automations.yaml
+    script: !include scripts.yaml
+    scene: !include scenes.yaml
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hass
+  name: hass
+  namespace: hass
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: hass
+  template:
+    metadata:
+      labels:
+        app: hass
+    spec:
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - hass
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: hass
+      - name: config
+        configMap:
+          name: hass
+      - name: secrets
+        secret:
+          secretName: hass
+      containers:
+      - name: hass
+        image: homeassistant/home-assistant:latest
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: data
+          mountPath: "/config"
+        - name: config
+          mountPath: "/config/configuration.yaml"
+          subPath: "configuration.yaml"
+        - name: secrets
+          mountPath: "/config/recorder.yaml"
+          subPath: "recorder.yaml"
+        ports:
+        - name: http
+          containerPort: 8123
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+          failureThreshold: 2
+          periodSeconds: 10
+        startupProbe:
+          httpGet:
+            path: /
+            port: http
+          failureThreshold: 24
+          periodSeconds: 5
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: hass
+  namespace: hass
+spec:
+  type: ClusterIP
+  selector:
+    app: hass
+  ports:
+  - name: http
+    port: 8123
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hass
+  namespace: hass
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "hass.bhasher.com"
+    # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    # nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    # #nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+    # nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    # #nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  tls:
+  - hosts:
+    - hass.bhasher.com
+    secretName: hass-tls
+  rules:
+  - host: hass.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hass
+            port:
+              number: 8123

archive/2022.07.bxl-k3s-pi/apps/hass/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hass

archive/2022.07.bxl-k3s-pi/apps/hass/mosquitto.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto
+  namespace: hass
+data:
+  mosquitto.conf: |
+    # persistence true
+    # persistence_location /mosquitto/data
+      
+    listener 1883
+    allow_anonymous true
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mosquitto
+  namespace: hass
+  labels:
+    app: mosquitto
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: mosquitto
+  template:
+    metadata:
+      labels:
+        app: mosquitto
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: mosquitto
+      containers:
+      - name: mosquitto
+        image: eclipse-mosquitto:latest
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: config
+          mountPath: /mosquitto/config/mosquitto.conf
+          subPath: mosquitto.conf
+          readOnly: true
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto
+  namespace: hass
+spec:
+  type: ClusterIP
+  ports:
+    - name: mqtt 
+      port: 1883
+      targetPort: 1883
+      protocol: TCP  
+  selector:
+    app: mosquitto

archive/2022.07.bxl-k3s-pi/apps/hass/nodered.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: node-red
+  namespace: hass
+  labels:
+    app: node-red
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: node-red
+  namespace: hass
+  labels:
+    app: node-red
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: node-red
+  template:
+    metadata:
+      labels:
+        app: node-red
+    spec:
+      containers:
+      - name:  node-red
+        image: nodered/node-red:latest
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: TZ
+          value: Europe/Paris
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: node-red
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: node-red
+  namespace: hass
+spec:
+  type: ClusterIP
+  selector:
+    app: node-red
+  ports:
+  - name: http
+    port: 1880
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: node-red
+  namespace: hass
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "node-red.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+spec:
+  tls:
+  - hosts:
+    - node-red.bhasher.com
+    secretName: node-red-tls
+  rules:
+  - host: node-red.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: node-red
+            port:
+              number: 1880

archive/2022.07.bxl-k3s-pi/apps/hass/sealedsecret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: hass
+  namespace: hass
+spec:
+  encryptedData:
+    recorder.yaml: AgBYJmg/HSCptRB+Yip1T0je3t/JFp9IQ3iHUFS3Mm68uwMsrSAugV4pcBFu27fZjmSbimLFSDo1itrQDq65kqxAny+Qk6rYZnHEQgxBy2z42j4Wt+ycwuGTJct7+HqluebL1UL+eDSPVHzcKhSnTjG0dewjGSaBz4a45/i5VeZQSXYe527LOimFzflyEcPR/qTHVFnmNPR92+shLs3paSajayXVMBbmaEkClq4KnSt9XlZ+rCLuCL1YxWq36Lq+Lt4APQsVJxi58tD8sy6QIU7EslxEGfoNqXKN6a+4SJtZzJXCDbkXmyuU2bbNlTQSn/3hV/O3uRxLyIG2uDJWXfuCxiPR7e6Q/kmGGy9Tl6H6srmYw83qAYQ6fsNy/siSIGN77tOCtVBW6ZeQ+UqQ5uzhWE6K9UJ2qn/WKkrZNWW7HnmpQwcNWDVpu2e1RrZJcWlyoFHL8jbtAWXnJftR5QYGXGybvxjb+Od9XmotCdlwc7FXErG1TISh23+EGA1TlxcxSclfbZ6gqHxOS4EIubJdi3BWOUVQzWkMXbg9fwJ7M9vdbHQpPALO1PUVBswH5fZ5cW9FzNU9sIFGeFm6JalKJMxnQtSILj1+GJLIdhQzxQa9DLP1Y86m0S2Dsqdo0KQW5vNCYPujt7QS3zFo0fQFHlEXN6TW83/4952wgszp15FH/JD0ftpV1BH/kaeLfd2OZ9QEVsGNpPxGCuDPJ8Eu8rd+TLRialES2xwDclS+/iMgMdhsN1TDyVCkjKNq1aH/5Nv8wh9Vtw8rZCp5CGRF2sLTCCJCF1Eer5DiGoWr1+unOZELC6vIMt06f2e2FyBZivwcC0KRxMq55NM3ou6evO7EOpMiKgBoqtfa9RhMs7Sdtgy7LcZIECaWnky3p9MVcIRN7Q==
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: hass
+      namespace: hass
+

archive/2022.07.bxl-k3s-pi/apps/hass/zigbee2mqtt.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: zigbee2mqtt-pvc
+  namespace: hass
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: zigbee2mqtt
+  namespace: hass
+data:
+  configuration.yaml: |
+    homeassistant: true
+    permit_join: true
+    mqtt:
+      base_topic: zigbee2mqtt
+      server: mqtt://mosquitto.hass.svc.cluster.local
+    serial:
+      port: /dev/ttyACM0
+    devices:
+      '0x54ef441000367592':
+        friendly_name: WallSwitchOffice
+      '0x00158d00068b2c39':
+        friendly_name: MovementSensorDeskOffice
+      '0x00158d00067ca592':
+        friendly_name: MovementSensorShelfOffice
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: zigbee2mqtt
+  namespace: hass
+  labels:
+    app: zigbee2mqtt
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: zigbee2mqtt
+  template:
+    metadata:
+      labels:
+        app: zigbee2mqtt
+    spec:
+      nodeSelector:
+        zigbee: "true"
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: zigbee2mqtt-pvc
+      - name: config
+        configMap:
+          name: zigbee2mqtt
+      - name: udev
+        hostPath:
+          path: /run/udev
+      - name: ttyacm
+        hostPath:
+          path: /dev/ttyACM0
+      containers:
+      - name: zigbee2mqtt
+        image: koenkk/zigbee2mqtt:latest
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: TZ
+          value: Europe/Paris
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: data
+          mountPath: "/app/data"
+          readOnly: false
+        - name: config
+          mountPath: /app/configuration.yaml
+          subPath: configuration.yaml
+          readOnly: true
+        - name: udev
+          mountPath: /run/udev
+          readOnly: true
+        - name: ttyacm
+          mountPath: /dev/ttyACM0

archive/2022.07.bxl-k3s-pi/apps/jupyterhub/values.yaml

@@ -0,0 +1,54 @@
+singleuser:
+  defaultUrl: "/lab"
+  extraEnv:
+    JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
+    EDITOR: "vim"
+  memory:
+    limit: 1G
+    guarantee: 100M
+  cpu:
+    limit: 1.
+    guarantee: 1.
+  storage:
+    dynamic:
+      storageClass: longhorn
+    capacity: 2Gi
+
+hub:
+  extraEnv:
+    OAUTH_TLS_VERIFY: "0"
+    OAUTH2_TLS_VERIFY: "0"
+  config:
+    Authenticator:
+      admin_users:
+        - bhasher
+    GenericOAuthenticator:
+      client_id: jupyterhub
+      client_secret: 8sbWBuDMmKIvcjfTQTg12f2ycRV3Y3Cy
+      oauth_callback_url: https://jupyter.bhasher.com/hub/oauth_callback
+      authorize_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/auth
+      token_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/token
+      userdata_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/userinfo
+      login_service: OpenID
+      username_key: preferred_username
+      userdata_params:
+        state: state
+    JupyterHub:
+      authenticator_class: generic-oauth
+
+ingress:
+  enabled: true
+  hosts:
+    - jupyter.bhasher.com
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "jupyter.bhasher.com"
+  tls:
+  - hosts:
+    - jupyter.bhasher.com
+    secretName: jupyterhub-tls
+
+prePuller:
+  continuous:
+    enabled: false

archive/2022.07.bxl-k3s-pi/apps/media-server/radarr/app.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: media-server
+  labels:
+    app: radarr
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 0
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: lscr.io/linuxserver/radarr:latest
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: config
+          mountPath: /config/config.xml
+          subPath: config.xml
+          readOnly: true
+        # - name: movies
+        #   mountPath: /movies
+        #   subPath: movies
+        #   readOnly: false
+        # - name: movies
+        #   mountPath: /downloads
+        #   subPath: tmp
+      volumes:
+      - name: config
+        secret:
+          secretName: radarr
+      # - name: movies
+      #   nfs:
+      #     server: truenas.bhasher.com
+      #     path: /mnt/Main/local/movies
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+  namespace: media-server
+spec:
+  type: ClusterIP
+  selector:
+    app: radarr
+  ports:
+  - name: http
+    port: 7878
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr
+  namespace: media-server
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "radarr.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
+spec:
+  ingressClassName: nginx-external
+  tls:
+  - hosts:
+    - radarr.bhasher.com
+    secretName: radarr-tls
+  rules:
+  - host: radarr.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: radarr
+            port:
+              number: 7878

archive/2022.07.bxl-k3s-pi/apps/media-server/radarr/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: media-server

archive/2022.07.bxl-k3s-pi/apps/pihole/app.yaml

@@ -0,0 +1,232 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dns
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pihole-pvc
+  namespace: dns
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dnsmasq-pvc
+  namespace: dns
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pihole
+  namespace: dns
+  labels:
+    app: pihole
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: pihole
+  template:
+    metadata:
+      labels:
+        app: pihole
+        name: pihole
+    spec:
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - pihole
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      containers:
+      - name: pihole
+        image: cbcrowe/pihole-unbound:latest
+        imagePullPolicy: IfNotPresent
+        envFrom:
+          - configMapRef:
+              name: pihole-configmap
+          - secretRef:
+              name: pihole-secret
+        ports:
+        - name: svc-53-udp
+          containerPort: 53
+          protocol: UDP
+        - name: svc-53-tcp
+          containerPort: 53
+          protocol: TCP  
+        - name: svc-ui
+          containerPort: 80
+          protocol: TCP
+        # livenessProbe:
+        #   httpGet:
+        #     port: svc-ui
+        #   initialDelaySeconds: 15
+        #   periodSeconds: 10
+        # readinessProbe:
+        #   httpGet:
+        #     port: svc-ui
+        #   initialDelaySeconds: 15
+        #   periodSeconds: 10
+        # startupProbe:
+        #   httpGet:
+        #     port: svc-ui
+        #   failureThreshold: 12
+        #   periodSeconds: 10
+        resources:
+          limits:
+            memory: "300Mi"
+            cpu: "250m"
+          requests:
+            memory: "50Mi"
+            cpu: "100m"
+        volumeMounts:
+        - name: pihole-etc
+          mountPath: "/etc/pihole"
+        - name: dnsmasq-etc
+          mountPath: "/etc/dnsmasq.d"
+        - name: unbound-conf
+          mountPath: "/etc/unbound/unbound.conf.d/pi-hole.conf"
+          subPath: "pi-hole.conf"
+          readOnly: true
+      volumes:
+      - name: pihole-etc
+        persistentVolumeClaim:
+          claimName: pihole-pvc
+      - name: dnsmasq-etc
+        persistentVolumeClaim:
+          claimName: dnsmasq-pvc
+      - name: unbound-conf
+        configMap:
+          name: unbound-conf
+
+---
+
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: pihole-pdb
+  namespace: dns
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: pihole
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: pihole-ui-svc
+  namespace: dns
+spec:
+  selector:
+    app: pihole
+  type: ClusterIP
+  ports:
+  - port: 80
+    protocol: TCP
+    name: pihole-ui
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: pihole-tcp-svc
+  namespace: dns
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 192.168.1.211
+    metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
+spec:
+  selector:
+    app: pihole
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  ports:
+  - port: 53
+    targetPort: 53
+    protocol: TCP
+    name: pihole-dns-tcp
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: pihole-udp-svc
+  namespace: dns
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 192.168.1.211
+    metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
+spec:
+  selector:
+    app: pihole
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  ports:
+  - port: 53
+    targetPort: 53
+    protocol: UDP
+    name: pihole-dns-udp
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pihole
+  namespace: dns
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "pihole.bhasher.com"
+    nginx.ingress.kubernetes.io/app-root: /admin
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  tls:
+  - hosts:
+    - pihole.bhasher.com
+    secretName: pihole-tls
+  rules:
+  - host: pihole.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pihole-ui-svc
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/apps/pihole/config.yaml

@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pihole-configmap
+  namespace: dns
+data:
+  TZ: "Europe/Paris"
+  WEBTHEME: "default-dark"
+  REV_SERVER: "false"
+  PIHOLE_DNS_: "127.0.0.1#5335"
+  DNSSEC: "true"
+  DNSMASQ_LISTENING: "single"
+  FTLCONF_REPLY_ADDR4: "192.168.1.211"
+  FTLCONF_RATE_LIMIT: "0/0"
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: unbound-conf
+  namespace: dns
+data:
+  pi-hole.conf: |
+    remote-control:
+      control-enable: yes
+      control-interface: 127.0.0.1
+      control-port: 8953
+    
+    server:
+        # Conectivity
+        interface: 127.0.0.1  # Only for pi-hole
+        port: 5335
+        do-ip4: yes
+        do-udp: yes
+        do-tcp: yes
+        do-ip6: no
+        prefer-ip6: no
+
+        # Security
+        harden-glue: yes
+        harden-dnssec-stripped: yes
+        harden-referral-path: yes
+        use-caps-for-id: no
+        unwanted-reply-threshold: 10000000
+
+        # Performances
+        edns-buffer-size: 1232
+        prefetch: yes
+        prefetch-key: yes
+        num-threads: 1
+        so-rcvbuf: 1m
+        max-udp-size: 3072
+        cache-min-ttl: 3600
+        cache-max-ttl: 86400
+        msg-cache-slabs: 8
+        rrset-cache-slabs: 8
+        infra-cache-slabs: 8
+        key-cache-slabs: 8
+        rrset-cache-size: 256m
+        msg-cache-size: 128m
+        so-rcvbuf: 1m
+
+        # Privacy
+        hide-identity: yes
+        hide-version: yes
+        private-address: 192.168.0.0/16
+        private-address: 169.254.0.0/16
+        private-address: 172.16.0.0/12
+        private-address: 10.0.0.0/8
+        private-address: fd00::/8
+        private-address: fe80::/10
+
+        # Stats
+        verbosity: 0
+        statistics-interval: 0
+        extended-statistics: yes
+        statistics-cumulative: yes

archive/2022.07.bxl-k3s-pi/apps/pihole/sealedsecret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: pihole-secret
+  namespace: dns
+spec:
+  encryptedData:
+    WEBPASSWORD: AgAWmlAaATTKbTOvxZullfUsHISve/HYTLe4huk8ERxDM2hoOc5zZPDDZ/CGSj1aTrj7rb6+VuYbvM2v37CUxQ1mnNBQabHkz9Db89Q+ih/c9dbaXB3OeSWk2edLKXVHIV/G0/6AC2MYRJCHqcCOgbZdpAKUeYss6S/uSYPt9ebGhMZaV/8FUb4zLuSjCuN5dNnUTb1Sl7XaaR4vAwXTISHT7HvNh3mdT5OXnBgo3cG5FGblYkF0BP2Z7VEG2wxU6OZnkX5/DWCfBNmnAUbYnNzacfyE5whYsK5hLt2Cu5v9wftEDwVKTzYx3bX7/9TKgw3wTgrczQmTKSqCmico6ja1x/ouYaYVN+rNUw/9IAvXbFOy39K7JsmQMiPCdITHXOVO6SknVMsMVVT8u7T+dIDFaGsTvv19ith/hRSdnDFY55qVW+/9xhe+AFC8TYK1lc256+ReiVJrGNzH9UprCQQRE3rZTAcBealjdrU0xuKZQm2NrvJVgDjSxSNtvOhop7UR6iabyDvhOMAwQ2BqslKZN7BIoAisoWSWyysQPA3xYftpCJi0g+b4nrK8j86RtXln9GXxoZWGkA23YQg7wt8EyDXAlCFs6WRpyqUa1WZmrnRedZeswkWZBzizqSAnPANgPmu/Tm8jwW2D8RPSDxyq2tfdk21L/jrj4vQ4ty2LRV8PivisVkyH6l1p3IrgLDo=
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: pihole-secret
+      namespace: dns
+

archive/2022.07.bxl-k3s-pi/apps/portal/app.yaml

@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portal
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: heimdall-pvc
+  namespace: portal
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: heimdall
+  namespace: portal
+  labels:
+    app: heimdall
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: heimdall
+  template:
+    metadata:
+      labels:
+        app: heimdall
+    spec:
+      containers:
+      - name: heimdall
+        image: lscr.io/linuxserver/heimdall:latest
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: svc-ui
+          containerPort: 80
+          protocol: TCP
+        volumeMounts:
+        - name: heimdall
+          mountPath: /config
+        # - name: heimdall-config
+        #   mountPath: /config/www/.env
+        #   subPath: .env
+        # - name: heimdall-config
+        #   mountPath: /config/www/app.sqlite
+        #   subPath: empty.sqlite
+      volumes:
+      - name: heimdall
+        persistentVolumeClaim:
+          claimName: heimdall-pvc
+      # - name: heimdall-config
+      #   secret:
+      #     secretName: heimdall
+  
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: heimdall
+  namespace: portal
+spec:
+  type: ClusterIP
+  selector:
+    app: heimdall
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: heimdall
+  namespace: portal
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "portal.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - portal.bhasher.com
+    secretName: portal-tls
+  rules:
+  - host: portal.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: heimdall
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/apps/timesheet/app.yaml

@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: timesheet
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: timesheet-pvc
+  namespace: timesheet
+spec:
+  storageClassName: longhorn-static
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: timesheet
+  namespace: timesheet
+  labels:
+    app: timesheet
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: timesheet
+  template:
+    metadata:
+      labels:
+        app: timesheet
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: node0
+      volumes:
+      - name: timesheet-data
+        persistentVolumeClaim:
+          claimName: timesheet-pvc
+      - name: timesheet-config
+        configMap:
+          name: timesheet-config
+      containers:
+      - name: timesheet
+        image: 192.168.1.201:8443/timesheet:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: timesheet-config
+        volumeMounts:
+        - name: timesheet-data
+          mountPath: /data
+          readOnly: false
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: timesheet
+  namespace: timesheet
+spec:
+  type: ClusterIP
+  selector:
+    app: timesheet
+  ports:
+  - name: https
+    port: 8080
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: timesheet
+  namespace: timesheet
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "timesheet.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: "nginx"
+  tls:
+  - hosts:
+    - timesheet.bhasher.com
+    secretName: timesheet-tls
+  rules:
+  - host: timesheet.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: timesheet
+            port:
+              number: 8080

archive/2022.07.bxl-k3s-pi/apps/timesheet/config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: timesheet-config
+  namespace: timesheet
+data:
+  TS_DB_PATH: "/data/timesheet.db"
+  TS_HOST: "0.0.0.0"
+  TS_PORT: "8080"

archive/2022.07.bxl-k3s-pi/apps/wiki/app.yaml

@@ -0,0 +1,104 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wiki
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wikijs
+  namespace: wiki
+  labels:
+    app: wikijs
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: wikijs
+  template:
+    metadata:
+      labels:
+        app: wikijs
+    spec:
+      volumes:
+      - name: ca
+        configMap:
+          name: ca
+      containers:
+      - name: wikijs
+        image: ghcr.io/requarks/wiki:latest
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - configMapRef:
+            name: wikijs
+        - secretRef:
+            name: wikijs
+        volumeMounts: 
+        - name: ca
+          mountPath: /certs
+          readOnly: true
+        ports:
+        - name: http
+          containerPort: 3000
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+          failureThreshold: 2
+          periodSeconds: 10
+        startupProbe:
+          httpGet:
+            path: /healthz
+            port: http
+          failureThreshold: 24
+          periodSeconds: 5
+    
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: wikijs
+  namespace: wiki
+spec:
+  type: ClusterIP
+  selector:
+    app: wikijs
+  ports:
+  - name: http
+    port: 3000
+    protocol: TCP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wikijs
+  namespace: wiki
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "wiki.bhasher.com"
+spec:
+  ingressClassName: nginx-external
+  tls:
+  - hosts:
+    - wiki.bhasher.com
+    secretName: wikijs-tls
+  rules:
+  - host: wiki.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: wikijs
+            port:
+              number: 3000

archive/2022.07.bxl-k3s-pi/apps/wiki/ca.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca
+  namespace: wiki
+data:
+  bhasherCA.pem : |
+    -----BEGIN CERTIFICATE-----
+    MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
+    BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
+    MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
+    BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
+    YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
+    MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
+    A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
+    aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
+    c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
+    2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
+    7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
+    qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
+    4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
+    2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
+    oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
+    SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
+    qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
+    sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
+    sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
+    iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
+    78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
+    D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
+    fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
+    0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
+    /O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
+    CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
+    d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
+    yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
+    NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
+    UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
+    7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
+    NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
+    AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
+    GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
+    lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
+    EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
+    uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
+    xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
+    Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
+    qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
+    KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
+    nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
+    EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
+    2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
+    7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
+    O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
+    IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
+    8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
+    nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
+    GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
+    I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
+    chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
+    YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
+    n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
+    Pzrn2j0Zdg==
+    -----END CERTIFICATE-----

archive/2022.07.bxl-k3s-pi/apps/wiki/config.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wikijs
+  namespace: wiki
+data:
+  DB_TYPE: postgres
+  DB_HOST: postgres.storage.svc.cluster.local
+  DB_PORT: "5432"
+  DB_USER: wikijs
+  DB_NAME: wikijs
+  HA_ACTIVE: "true"
+  NODE_EXTRA_CA_CERTS: "/certs/bhasherCA.pem"

archive/2022.07.bxl-k3s-pi/apps/wiki/sealedsecret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: wikijs
+  namespace: wiki
+spec:
+  encryptedData:
+    DB_PASS: AgAmxq0znbcp/J6U599KIa1LLOBGrFSsAmBusC86oKhvvibXrZjSWGuCaRTLzNIvwDc6ObJayYvuxNuyVGppax+UD3E0s+nu5qGWSpwBS6y/uoTB3lSD2hrdfWEzS84/V/DQNQKLvTJySMBqmccL31CoHIvHOYgg/mPs5AslRvW3XBzWbqRNHvdOwECWVqD/p/HG4fYI+Tq87/9wBkDVxr7/w0bLEwWV2n5scYSjP2DxNBAIVrn74A7EYtRFBlleIDIKHfaSMx3AWUzKU7MhqO+YDP/NLB9jTiDF2adIpzPs4k6zMWdNXZTwUKK6PZWDoepOLJESyAx/iWt9EfGQphhKCzggFnzKTnBGwPc3RaYkBjmRE+Y0dZPVpKyC3IU4/cJXc5U9rCUqxv6B5ZBAmq8zYLIpMBTRlwFKz0s0j0B3Os9K04c63U5G51vfrDxYrqiAMeJZakkFwTVLOKWR0KpnAdFVcVlbL+lq/9Pdxl7DMnpdTD92tVqCppGvWpie3p6ZOPL8lcPjHTp+qgY+vg/gVhw/BSyWQz5nnspMwVqloh77WIIGOemBBziUAVom2CbROgaPPHl4dhXLj7NgminF6QOEPY0FA7d9YSvgKgiXkvTcwhwvJJQcKCB1S/ubBWGyUHYsnqoLwbsXtzfkun4rxhgRc6o4TlF/fhb59AMeeLjXiNPKNWdJbxB1ZRpQsz7M1fEOJbzshSp90ptodoqghLTEzJkUbnluXgHH15VIxU/VS9IvLLDUmZvNAQF+RdSmVrM44oRx3ND/kOvOYUcx
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: wikijs
+      namespace: wiki
+

archive/2022.07.bxl-k3s-pi/apps/wireguard/app.yaml

@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wireguard
+
+---
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: wireguard
+  namespace: wireguard
+  labels:
+    app: wireguard
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  selector:
+    matchLabels:
+      app: wireguard
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app: wireguard
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app: wireguard
+      restartPolicy: Always
+      initContainers:
+      - name: init
+        image: busybox:1.32.0
+        command:
+        - sh
+        - -c
+        - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
+        securityContext:
+          privileged: true
+          capabilities:
+            add:
+            - NET_ADMIN
+      containers:
+      - name: wireguard
+        image: masipcat/wireguard-go:latest
+        securityContext:
+          privileged: true
+          capabilities:
+            add:
+            - NET_ADMIN
+        ports:
+        - containerPort: 51820
+          protocol: UDP
+        command:
+        - sh
+        - -c
+        - /entrypoint.sh
+        env:
+        - name: LOG_LEVEL
+          value: info
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "150m"
+          limits:
+            memory: "128Mi"
+        volumeMounts:
+        - name: wireguard-config
+          mountPath: /etc/wireguard/wg0.key
+          subPath: wg0.key
+          readOnly: true
+        - name: wireguard-config
+          mountPath: /etc/wireguard/wg0.conf
+          subPath: wg0.conf
+          readOnly: true
+      volumes:
+      - name: wireguard-config
+        secret:
+          secretName: wireguard
+
+---
+
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: wg-pdb
+  namespace: wireguard
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: wireguard
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: wireguard
+  namespace: wireguard
+  labels:
+    app: wireguard
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 192.168.1.210
+    metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  selector:
+    app: wireguard
+  ports:
+  - name: vpn
+    port: 51820
+    protocol: UDP

archive/2022.07.bxl-k3s-pi/argo/WIP/cron.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: cron
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/cron/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cron
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/WIP/jupyterhub.yaml

@@ -0,0 +1,29 @@
+# apiVersion: argoproj.io/v1alpha1
+# kind: Application
+# metadata:
+#   namespace: devops
+#   name: jupyterhub
+# spec:
+#   project: k3pi
+
+#   source:
+#     #chart: jupyterhub
+#     repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+#     path: services/apps/jupyterhub
+#     # repoURL: https://jupyterhub.github.io/helm-chart  # /index.yaml
+#     targetRevision: 1.2.0
+#     helm:
+#       valueFiles:
+#       - values.yaml
+#     #  releaseName: jupyterhub
+#     # repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+#     #targetRevision: HEAD
+#     # path: services/apps/jupyterhub/
+
+#   destination:
+#     server: https://kubernetes.default.svc
+#     namespace: jupyterhub
+
+#   syncPolicy:
+#     automated:
+#       prune: true

archive/2022.07.bxl-k3s-pi/argo/WIP/media-server.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: media-server
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/media-server/
+    directory:
+      recurse: true
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: media-server
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/WIP/timesheet.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: timesheet
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/timesheet/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: timesheet
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/argo.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: argo
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/argo/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: devops
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/cert-manager.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: cert-manager
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/cert-manager
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/cloud.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: cloud
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/cloud/
+    directory:
+      recurse: true
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cloud
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/devops.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: devops
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/devops
+    directory:
+      recurse: true
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: devops
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/external-endpoints.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: external-endpoints
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/external-endpoints/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: external-endpoints
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/git.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: git
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/git/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: git
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/hass.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: hass
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/hass/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: hass
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/idp.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: idp
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/idp/
+    directory:
+      recurse: true
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: idp
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/ingress-nginx.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: ingress-nginx
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/ingress-nginx/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ingress-nginx
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/longhorn.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: longhorn
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/longhorn
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: longhorn-system
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/metallb.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: metallb
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/metallb/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: metallb-system
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/monitoring.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: monitoring
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/monitoring/
+    directory:
+      recurse: true
+      exclude: "custom-ressources/*"
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/pihole.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: pihole
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/pihole/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dns
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/portal.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: portal
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/portal/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: portal
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/project.yaml

@@ -0,0 +1,15 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: k3pi
+  namespace: devops
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - name: '*'
+      namespace: '*'
+      server: 'https://kubernetes.default.svc'
+  sourceRepos:
+    - https://git.bhasher.com/Bhasher/K3Pi

archive/2022.07.bxl-k3s-pi/argo/sealed-secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: sealed-secret
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/sealed-secrets
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/storage.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: storage
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/utils/storage/
+    directory:
+      recurse: true
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: storage
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/wiki.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wiki
+  namespace: devops
+spec:
+  project: k3pi
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/wiki/
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: wiki
+    
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/argo/wireguard.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: devops
+  name: wireguard
+spec:
+  project: k3pi
+
+  source:
+    repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
+    targetRevision: HEAD
+    path: services/apps/wireguard/
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: wireguard
+
+  syncPolicy:
+    automated:
+      prune: true

archive/2022.07.bxl-k3s-pi/utils/cert-manager/app.yaml

@@ -0,0 +1,349 @@
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: bhasherca-k3s-issuer
+spec:
+  ca:
+    secretName: bhasherca-k3s-key-pair
+
+---
+
+# Source: cert-manager/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 9402
+    name: tcp-prometheus-servicemonitor
+    targetPort: 9402
+  selector:
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+---
+# Source: cert-manager/templates/webhook-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+spec:
+  type: ClusterIP
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: "https"
+  selector:
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+---
+# Source: cert-manager/templates/cainjector-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-cainjector
+  namespace: "cert-manager"
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "cainjector"
+  template:
+    metadata:
+      labels:
+        app: cainjector
+        app.kubernetes.io/name: cainjector
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: "cainjector"
+        app.kubernetes.io/version: "v1.8.2"
+    spec:
+      serviceAccountName: cert-manager-cainjector
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-cainjector:v1.8.2"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --v=2
+          - --leader-election-namespace=kube-system
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cert-manager
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "controller"
+  template:
+    metadata:
+      labels:
+        app: cert-manager
+        app.kubernetes.io/name: cert-manager
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: "controller"
+        app.kubernetes.io/version: "v1.8.2"
+      annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+    spec:
+      serviceAccountName: cert-manager
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-controller:v1.8.2"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --v=2
+          - --cluster-resource-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=kube-system
+          ports:
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/webhook-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "webhook"
+  template:
+    metadata:
+      labels:
+        app: webhook
+        app.kubernetes.io/name: webhook
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: "webhook"
+        app.kubernetes.io/version: "v1.8.2"
+    spec:
+      serviceAccountName: cert-manager-webhook
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-webhook:v1.8.2"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --v=2
+          - --secure-port=10250
+          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
+          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+          ports:
+          - name: https
+            protocol: TCP
+            containerPort: 10250
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/webhook-mutating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - "v1"
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    admissionReviewVersions: ["v1"]
+    # This webhook only accepts v1 cert-manager resources.
+    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+    # this webhook (after the resources have been converted to v1).
+    matchPolicy: Equivalent
+    timeoutSeconds: 10
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: "cert-manager"
+        path: /mutate
+---
+# Source: cert-manager/templates/webhook-validating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    namespaceSelector:
+      matchExpressions:
+      - key: "cert-manager.io/disable-validation"
+        operator: "NotIn"
+        values:
+        - "true"
+      - key: "name"
+        operator: "NotIn"
+        values:
+        - cert-manager
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - "v1"
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    admissionReviewVersions: ["v1"]
+    # This webhook only accepts v1 cert-manager resources.
+    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+    # this webhook (after the resources have been converted to v1).
+    matchPolicy: Equivalent
+    timeoutSeconds: 10
+    failurePolicy: Fail
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: "cert-manager"
+        path: /validate

archive/2022.07.bxl-k3s-pi/utils/cert-manager/config.yaml

@@ -0,0 +1,26 @@
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Source: cert-manager/templates/webhook-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+data:

archive/2022.07.bxl-k3s-pi/utils/cert-manager/rbac.yaml

@@ -0,0 +1,759 @@
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Source: cert-manager/templates/cainjector-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+  name: cert-manager-cainjector
+  namespace: "cert-manager"
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+---
+# Source: cert-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+  name: cert-manager
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+---
+# Source: cert-manager/templates/webhook-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "create", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-issuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "issuers/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "clusterissuers/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Orders controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "orders/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "challenges"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["create", "delete"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  # Use to update challenge resource status
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "challenges/status"]
+    verbs: ["update", "patch"]
+  # Used to watch challenge resources
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "watch"]
+  # Used to watch challenges, issuer and clusterissuer resources
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  # Need to be able to retrieve ACME account private key to complete challenges
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  # Used to create events
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  # HTTP01 rules
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  - apiGroups: [ "gateway.networking.k8s.io" ]
+    resources: [ "httproutes" ]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  # We require the ability to specify a custom hostname when we are creating
+  # new ingress resources.
+  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes/custom-host"]
+    verbs: ["create"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges/finalizers"]
+    verbs: ["update"]
+  # DNS01 rules (duplicated above)
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# ingress-shim controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways", "httproutes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways/finalizers", "httproutes/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-view
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "orders"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-edit
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/status"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "orders"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-approve:cert-manager-io
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cert-manager"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["signers"]
+    verbs: ["approve"]
+    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Permission to:
+# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-certificatesigningrequests
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cert-manager"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    verbs: ["sign"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook:subjectaccessreviews
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cainjector
+subjects:
+  - name: cert-manager-cainjector
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-issuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-issuers
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-clusterissuers
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificates
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-orders
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-challenges
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-ingress-shim
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-approve:cert-manager-io
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cert-manager"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-approve:cert-manager-io
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-certificatesigningrequests
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cert-manager"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificatesigningrequests
+subjects:
+  - name: cert-manager
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook:subjectaccessreviews
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook:subjectaccessreviews
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: cert-manager
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# leader election rules
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  # Used for leader election by the controller
+  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
+  #   see cmd/cainjector/start.go#L113
+  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
+  #   see cmd/cainjector/start.go#L137
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    resourceNames: ["cert-manager-controller"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create"]
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames:
+  - 'cert-manager-webhook-ca'
+  verbs: ["get", "list", "watch", "update"]
+# It's not possible to grant CREATE permission on a single resourceName.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-cainjector:leaderelection
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-cainjector
+    namespace: cert-manager
+---
+# Source: cert-manager/templates/rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager:leaderelection
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: "cert-manager"
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"
+    app.kubernetes.io/version: "v1.8.2"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook:dynamic-serving
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: cert-manager

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/app.yaml

@@ -0,0 +1,986 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-applicationset-controller
+    app.kubernetes.io/part-of: argocd-applicationset
+  annotations:
+    reloader.stakater.com/auto: "true"
+  name: argocd-applicationset-controller
+  namespace: devops
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-applicationset-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: argocd-applicationset-controller
+    spec:
+      containers:
+      - command:
+        - entrypoint.sh
+        - applicationset-controller
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: ghcr.io/jr64/argocd-applicationset:v0.4.0  # quay.io/argoproj/argocd-applicationset:v0.4.1
+        imagePullPolicy: Always
+        name: argocd-applicationset-controller
+        ports:
+        - containerPort: 7000
+          name: webhook
+        volumeMounts:
+        - mountPath: /app/config/ssh
+          name: ssh-known-hosts
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/gpg/source
+          name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
+      serviceAccountName: argocd-applicationset-controller
+      volumes:
+      - configMap:
+          name: argocd-ssh-known-hosts-cm
+        name: ssh-known-hosts
+      - configMap:
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - configMap:
+          name: argocd-gpg-keys-cm
+        name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
+---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   labels:
+#     app.kubernetes.io/component: dex-server
+#     app.kubernetes.io/name: argocd-dex-server
+#     app.kubernetes.io/part-of: argocd
+#   name: argocd-dex-server
+#   namespace: devops
+# spec:
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: argocd-dex-server
+#   template:
+#     metadata:
+#       labels:
+#         app.kubernetes.io/name: argocd-dex-server
+#     spec:
+#       affinity:
+#         podAntiAffinity:
+#           preferredDuringSchedulingIgnoredDuringExecution:
+#           - podAffinityTerm:
+#               labelSelector:
+#                 matchLabels:
+#                   app.kubernetes.io/part-of: argocd
+#               topologyKey: kubernetes.io/hostname
+#             weight: 5
+#       containers:
+#       - command:
+#         - /shared/argocd-dex
+#         - rundex
+#         image: ghcr.io/dexidp/dex:v2.30.2
+#         imagePullPolicy: Always
+#         name: dex
+#         ports:
+#         - containerPort: 5556
+#         - containerPort: 5557
+#         - containerPort: 5558
+#         securityContext:
+#           allowPrivilegeEscalation: false
+#           readOnlyRootFilesystem: true
+#           runAsNonRoot: true
+#         volumeMounts:
+#         - mountPath: /shared
+#           name: static-files
+#         - mountPath: /tmp
+#           name: dexconfig
+#       initContainers:
+#       - command:
+#         - cp
+#         - -n
+#         - /usr/local/bin/argocd
+#         - /shared/argocd-dex
+#         image: quay.io/argoproj/argocd:v2.3.4
+#         imagePullPolicy: Always
+#         name: copyutil
+#         volumeMounts:
+#         - mountPath: /shared
+#           name: static-files
+#         - mountPath: /tmp
+#           name: dexconfig
+#       serviceAccountName: argocd-dex-server
+#       volumes:
+#       - emptyDir: {}
+#         name: static-files
+#       - emptyDir: {}
+#         name: dexconfig
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-notifications-controller
+  namespace: devops
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-notifications-controller
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: argocd-notifications-controller
+    spec:
+      containers:
+      - command:
+        - argocd-notifications
+        image: quay.io/argoproj/argocd:v2.3.4
+        imagePullPolicy: Always
+        livenessProbe:
+          tcpSocket:
+            port: 9001
+        name: argocd-notifications-controller
+        volumeMounts:
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/reposerver/tls
+          name: argocd-repo-server-tls
+        workingDir: /app
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: argocd-notifications-controller
+      volumes:
+      - configMap:
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - name: argocd-repo-server-tls
+        secret:
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-repo-server
+  namespace: devops
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: argocd-repo-server
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: argocd-repo-server
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/part-of: argocd
+              topologyKey: kubernetes.io/hostname
+            weight: 5
+      automountServiceAccountToken: false
+      containers:
+      - command:
+        - entrypoint.sh
+        - argocd-repo-server
+        - --redis
+        - redis.storage:6379
+        env:
+        - name: ARGOCD_RECONCILIATION_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: timeout.reconciliation
+              name: argocd-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGFORMAT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.format
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGLEVEL
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.level
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.parallelism.limit
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.tls
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MIN_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.minversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MAX_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.maxversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_CIPHERS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.ciphers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.repo.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: redis.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDISDB
+          valueFrom:
+            configMapKeyRef:
+              key: redis.db
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.default.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: HELM_CACHE_HOME
+          value: /helm-working-dir
+        - name: HELM_CONFIG_HOME
+          value: /helm-working-dir
+        - name: HELM_DATA_HOME
+          value: /helm-working-dir
+        image: quay.io/argoproj/argocd:v2.3.4
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz?full=true
+            port: 8084
+          initialDelaySeconds: 30
+          periodSeconds: 5
+        name: argocd-repo-server
+        ports:
+        - containerPort: 8081
+        - containerPort: 8084
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8084
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /app/config/ssh
+          name: ssh-known-hosts
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/gpg/source
+          name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
+        - mountPath: /app/config/reposerver/tls
+          name: argocd-repo-server-tls
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+      initContainers:
+      - command:
+        - cp
+        - -n
+        - /usr/local/bin/argocd
+        - /var/run/argocd/argocd-cmp-server
+        image: quay.io/argoproj/argocd:v2.3.4
+        name: copyutil
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+      volumes:
+      - configMap:
+          name: argocd-ssh-known-hosts-cm
+        name: ssh-known-hosts
+      - configMap:
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - configMap:
+          name: argocd-gpg-keys-cm
+        name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
+      - emptyDir: {}
+        name: tmp
+      - emptyDir: {}
+        name: helm-working-dir
+      - name: argocd-repo-server-tls
+        secret:
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
+      - emptyDir: {}
+        name: var-files
+      - emptyDir: {}
+        name: plugins
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+  namespace: devops
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: argocd-server
+    spec:
+      containers:
+      - command:
+        - argocd-server
+        - --insecure
+        # - --auth-mode sso
+        env:
+        - name: ARGOCD_SERVER_INSECURE
+          valueFrom:
+            configMapKeyRef:
+              key: server.insecure
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_BASEHREF
+          valueFrom:
+            configMapKeyRef:
+              key: server.basehref
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_ROOTPATH
+          valueFrom:
+            configMapKeyRef:
+              key: server.rootpath
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_LOGFORMAT
+          valueFrom:
+            configMapKeyRef:
+              key: server.log.format
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGLEVEL
+          valueFrom:
+            configMapKeyRef:
+              key: server.log.level
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_REPO_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: repo.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_DEX_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: server.dex.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_DISABLE_AUTH
+          valueFrom:
+            configMapKeyRef:
+              key: server.disable.auth
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_ENABLE_GZIP
+          valueFrom:
+            configMapKeyRef:
+              key: server.enable.gzip
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: server.repo.server.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_X_FRAME_OPTIONS
+          valueFrom:
+            configMapKeyRef:
+              key: server.x.frame.options
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
+          valueFrom:
+            configMapKeyRef:
+              key: server.repo.server.plaintext
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
+          valueFrom:
+            configMapKeyRef:
+              key: server.repo.server.strict.tls
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MIN_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: server.tls.minversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MAX_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: server.tls.maxversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_CIPHERS
+          valueFrom:
+            configMapKeyRef:
+              key: server.tls.ciphers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: server.connection.status.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: server.oidc.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: server.login.attempts.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_STATIC_ASSETS
+          valueFrom:
+            configMapKeyRef:
+              key: server.staticassets
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: server.app.state.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: redis.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDISDB
+          valueFrom:
+            configMapKeyRef:
+              key: redis.db
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: server.default.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_MAX_COOKIE_NUMBER
+          valueFrom:
+            configMapKeyRef:
+              key: server.http.cookie.maxnumber
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.3.4
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz?full=true
+            port: 8080
+          initialDelaySeconds: 3
+          periodSeconds: 30
+        name: argocd-server
+        ports:
+        - containerPort: 8080
+        - containerPort: 8083
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 3
+          periodSeconds: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /app/config/ssh
+          name: ssh-known-hosts
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/server/tls
+          name: argocd-repo-server-tls
+        - mountPath: /home/argocd
+          name: plugins-home
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /etc/ssl/certs/git.bhasher.com.pem
+          name: tls-certs
+          subPath: git.bhasher.com
+      serviceAccountName: argocd-server
+      volumes:
+      - emptyDir: {}
+        name: plugins-home
+      - emptyDir: {}
+        name: tmp
+      - emptyDir: {}
+        name: static-files
+      - configMap:
+          name: argocd-ssh-known-hosts-cm
+        name: ssh-known-hosts
+      - configMap:
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - name: argocd-repo-server-tls
+        secret:
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
+---
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+  namespace: devops
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  serviceName: argocd-application-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: argocd-application-controller
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: argocd-application-controller
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/part-of: argocd
+              topologyKey: kubernetes.io/hostname
+            weight: 5
+      containers:
+      - command:
+        - argocd-application-controller
+        env:
+        - name: ARGOCD_RECONCILIATION_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: timeout.reconciliation
+              name: argocd-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: repo.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.repo.server.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.status.processors
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.operation.processors
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
+          valueFrom:
+            configMapKeyRef:
+              key: controller.log.format
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
+          valueFrom:
+            configMapKeyRef:
+              key: controller.log.level
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: controller.metrics.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
+          valueFrom:
+            configMapKeyRef:
+              key: controller.repo.server.plaintext
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.repo.server.strict.tls
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: controller.app.state.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: redis.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDISDB
+          valueFrom:
+            configMapKeyRef:
+              key: redis.db
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: controller.default.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.3.4
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8082
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        name: argocd-application-controller
+        ports:
+        - containerPort: 8082
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8082
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /app/config/controller/tls
+          name: argocd-repo-server-tls
+        - mountPath: /home/argocd
+          name: argocd-home
+        workingDir: /home/argocd
+      serviceAccountName: argocd-application-controller
+      volumes:
+      - emptyDir: {}
+        name: argocd-home
+      - name: argocd-repo-server-tls
+        secret:
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-applicationset-controller
+    app.kubernetes.io/part-of: argocd-applicationset
+  name: argocd-applicationset-controller
+  namespace: devops
+spec:
+  ports:
+  - name: webhook
+    port: 7000
+    protocol: TCP
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/name: argocd-applicationset-controller
+---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   labels:
+#     app.kubernetes.io/component: dex-server
+#     app.kubernetes.io/name: argocd-dex-server
+#     app.kubernetes.io/part-of: argocd
+#   name: argocd-dex-server
+#   namespace: devops
+# spec:
+#   ports:
+#   - name: http
+#     port: 5556
+#     protocol: TCP
+#     targetPort: 5556
+#   - name: grpc
+#     port: 5557
+#     protocol: TCP
+#     targetPort: 5557
+#   - name: metrics
+#     port: 5558
+#     protocol: TCP
+#     targetPort: 5558
+#   selector:
+#     app.kubernetes.io/name: argocd-dex-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/name: argocd-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-metrics
+  namespace: devops
+spec:
+  ports:
+  - name: metrics
+    port: 8082
+    protocol: TCP
+    targetPort: 8082
+  selector:
+    app.kubernetes.io/name: argocd-application-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-notifications-controller-metrics
+  name: argocd-notifications-controller-metrics
+  namespace: devops
+spec:
+  ports:
+  - name: metrics
+    port: 9001
+    protocol: TCP
+    targetPort: 9001
+  selector:
+    app.kubernetes.io/name: argocd-notifications-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+  namespace: devops
+spec:
+  ports:
+  - name: tcp-redis
+    port: 6379
+    targetPort: 6379
+  selector:
+    app.kubernetes.io/name: argocd-redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-repo-server
+  namespace: devops
+spec:
+  ports:
+  - name: server
+    port: 8081
+    protocol: TCP
+    targetPort: 8081
+  - name: metrics
+    port: 8084
+    protocol: TCP
+    targetPort: 8084
+  selector:
+    app.kubernetes.io/name: argocd-repo-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+  namespace: devops
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: argocd-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server-metrics
+  namespace: devops
+spec:
+  ports:
+  - name: metrics
+    port: 8083
+    protocol: TCP
+    targetPort: 8083
+  selector:
+    app.kubernetes.io/name: argocd-server
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd
+  namespace: devops
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "argocd.bhasher.com"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - argocd.bhasher.com
+    secretName: argocd-tls
+  rules:
+  - host: argocd.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/config.yaml

@@ -0,0 +1,146 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-cm
+  namespace: devops
+data:
+  url: https://argocd.bhasher.com
+  oidc.config: |
+    name: Authelia
+    issuer: https://idp.bhasher.com
+    sessionExpiry: 24h
+    clientId: argocd
+    clientSecret: $oidc.authelia.clientSecret
+    redirectUrl: https://argo-server/auth/callback
+    requestedScopes:
+      - openid
+      - groups
+      - email
+      - profile
+    insecureSkipVerify: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-cmd-params-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-cmd-params-cm
+  namespace: devops
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-gpg-keys-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-gpg-keys-cm
+  namespace: devops
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: argocd-notifications-cm
+  namespace: devops
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-rbac-cm
+  namespace: devops
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-ssh-known-hosts-cm
+  namespace: devops
+data:
+  ssh_known_hosts: |-
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
+    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-tls-certs-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-tls-certs-cm
+  namespace: devops
+data:
+  git.bhasher.com: |
+    -----BEGIN CERTIFICATE-----
+    MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
+    BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
+    MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
+    BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
+    YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
+    MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
+    A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
+    aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
+    c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
+    2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
+    7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
+    qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
+    4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
+    2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
+    oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
+    SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
+    qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
+    sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
+    sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
+    iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
+    78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
+    D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
+    fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
+    0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
+    /O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
+    CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
+    d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
+    yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
+    NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
+    UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
+    7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
+    NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
+    AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
+    GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
+    lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
+    EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
+    uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
+    xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
+    Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
+    qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
+    KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
+    nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
+    EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
+    2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
+    7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
+    O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
+    IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
+    8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
+    nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
+    GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
+    I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
+    chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
+    YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
+    n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
+    Pzrn2j0Zdg==
+    -----END CERTIFICATE-----

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/network-policies.yaml

@@ -0,0 +1,121 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis
+  policyTypes:
+  - Ingress
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-notifications-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+  
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/notifier.secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-notifications-secret
+  namespace: devops
+type: Opaque

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/rbac.yaml

@@ -0,0 +1,446 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+  namespace: devops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-applicationset-controller
+    app.kubernetes.io/part-of: argocd-applicationset
+  name: argocd-applicationset-controller
+  namespace: devops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: dex-server
+    app.kubernetes.io/name: argocd-dex-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-dex-server
+  namespace: devops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-notifications-controller
+  namespace: devops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+  namespace: devops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+  namespace: devops
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+  namespace: devops
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-applicationset-controller
+    app.kubernetes.io/part-of: argocd-applicationset
+  name: argocd-applicationset-controller
+  namespace: devops
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  - applicationsets
+  - applicationsets/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applicationsets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: dex-server
+    app.kubernetes.io/name: argocd-dex-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-dex-server
+  namespace: devops
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-notifications-controller
+  namespace: devops
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-notifications-cm
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-notifications-secret
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+  namespace: devops
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - delete
+  - get
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-application-controller
+subjects:
+- kind: ServiceAccount
+  name: argocd-application-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-applicationset-controller
+    app.kubernetes.io/part-of: argocd-applicationset
+  name: argocd-applicationset-controller
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-applicationset-controller
+subjects:
+- kind: ServiceAccount
+  name: argocd-applicationset-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: dex-server
+    app.kubernetes.io/name: argocd-dex-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-dex-server
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-dex-server
+subjects:
+- kind: ServiceAccount
+  name: argocd-dex-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-notifications-controller
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-notifications-controller
+subjects:
+- kind: ServiceAccount
+  name: argocd-notifications-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-server
+subjects:
+- kind: ServiceAccount
+  name: argocd-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/name: argocd-application-controller
+    app.kubernetes.io/part-of: argocd
+  name: argocd-application-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-application-controller
+subjects:
+- kind: ServiceAccount
+  name: argocd-application-controller
+  namespace: devops
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server
+subjects:
+- kind: ServiceAccount
+  name: argocd-server
+  namespace: devops

archive/2022.07.bxl-k3s-pi/utils/devops/argo-cd/sealedsecret.yaml

@@ -0,0 +1,20 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: argocd-secret
+  namespace: devops
+spec:
+  encryptedData:
+    oidc.authelia.clientSecret: AgBxmb5FeitSFQ4rt+c/GDGGgYs1OdQcvxCuIPu/23bq129shPTuGfJL6pbu7g67p3gy06bZ+LZswyMu1/eaBGbopVSFg9VsNVULIaGTcvGMlQpsfG+cMZ70Yhn2taGFV40AlQMEbmVwOv/1hiUOG6osS45VEepnxNcp1Wrg33FecF/OQDi1QcsPlToA05B4cyft7/jCeXr9ZS7FOrQrKAWfdniFaZfsh445YYfg6lU/T+DzsLkiTmFsdNC1awam1Ia0i3yQqgPLqJ+BXOF39BNgJIocgyttKmSm2IpAxGeY/vbB29M/FHbgYXyKGxgzXYAQOjPhOVX2Gyw6KBnoc9oCAvStyJdYKHSIUqswpW0R3Dq4yGeFwolaHD5RyH3830Ng13lhtJMLYXPxS7ExP9oZTA4JUF5wzOSC/8//vzxxx4v42xcogOzeaarWqjkF9otsnvgMa092aFNpgnuS1qO6DqY2S3ISEBu/lRRq9yFxH4Pz7xA87xWIPUD4JsjE1E6bfEgx0UUzQxLa76A+AJF/px9ESzNO7woGnc3P70ZYuQ8frEg49stAjFkK4SekHA3ENsdZ5Ck4Z0fF1BTI1Fvo+whSq8f7e/BqRCzVTHDubnAZYuGunzb2b693VUl4fs2DDX9N9U9y0ZKwI1fMzo04CbqPJgROspOilTa4RSUkAk8fHDj5D45JIpZDKGwKJ0mxT3FlTz0SNklTksLDgExxkRMHPN+I+vPZq+8QrnTDX+VQMdZXiJdtoT/q+Dx80fT8Wwi84nGTHjysqfnmLcCd
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: argocd-secret
+        app.kubernetes.io/part-of: argocd
+      name: argocd-secret
+      namespace: devops
+    type: Opaque
+

archive/2022.07.bxl-k3s-pi/utils/devops/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: devops

archive/2022.07.bxl-k3s-pi/utils/devops/kubernetes-dashboard/dashboard.yaml

@@ -0,0 +1,146 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-dashboard-certs
+  namespace: devops
+  labels:
+    k8s-app: kubernetes-dashboard
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-dashboard-csrf
+  namespace: devops
+  labels:
+    k8s-app: kubernetes-dashboard
+type: Opaque
+data:
+  csrf: ""
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-dashboard-key-holder
+  namespace: devops
+  labels:
+    k8s-app: kubernetes-dashboard
+type: Opaque
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: kubernetes-dashboard
+  namespace: devops
+  labels:
+    k8s-app: kubernetes-dashboard
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: kubernetes-dashboard
+  template:
+    metadata:
+      labels:
+        k8s-app: kubernetes-dashboard
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: kubernetes-dashboard
+          image: kubernetesui/dashboard:v2.5.1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+          args:
+            - --auto-generate-certificates
+            - --namespace=devops
+            - --token-ttl=21600
+          volumeMounts:
+            - name: kubernetes-dashboard-certs
+              mountPath: /certs
+              # Create on-disk volume to store exec logs
+            - mountPath: /tmp
+              name: tmp-volume
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /
+              port: 8443
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
+      volumes:
+        - name: kubernetes-dashboard-certs
+          secret:
+            secretName: kubernetes-dashboard-certs
+        - name: tmp-volume
+          emptyDir: {}
+      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubernetes-dashboard
+  namespace: devops
+  labels:
+    k8s-app: kubernetes-dashboard
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8443
+    targetPort: 8443
+    protocol: TCP
+    name: dashboard
+  selector:
+    k8s-app: kubernetes-dashboard
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: k3s
+  namespace: devops
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "dashboard.bhasher.com"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  tls:
+  - hosts:
+    - dashboard.bhasher.com
+    secretName: k3s-tls
+  rules:
+  - host: dashboard.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: kubernetes-dashboard
+            port:
+              number: 8443

archive/2022.07.bxl-k3s-pi/utils/devops/kubernetes-dashboard/metrics.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: dashboard-metrics-scraper
+  name: dashboard-metrics-scraper
+  namespace: devops
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      k8s-app: dashboard-metrics-scraper
+  template:
+    metadata:
+      labels:
+        k8s-app: dashboard-metrics-scraper
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      dnsPolicy: ClusterFirst
+      hostNetwork: true
+      containers:
+        - name: dashboard-metrics-scraper
+          image: kubernetesui/metrics-scraper:v1.0.7
+          ports:
+            - containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: 8000
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          volumeMounts:
+          - mountPath: /tmp
+            name: tmp-volume
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
+      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: dashboard-metrics-scraper
+  namespace: devops
+  labels:
+    k8s-app: dashboard-metrics-scraper
+spec:
+  ports:
+    - port: 8000
+      targetPort: 8000
+      name: dashboard-metrics-scrapper
+  selector:
+    k8s-app: dashboard-metrics-scraper

archive/2022.07.bxl-k3s-pi/utils/devops/kubernetes-dashboard/rbac.yaml

@@ -0,0 +1,85 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: devops
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: devops
+rules:
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+    verbs: ["get", "update", "delete"]
+    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["kubernetes-dashboard-settings"]
+    verbs: ["get", "update"]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+    verbs: ["get"]
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+rules:
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubernetes-dashboard
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: devops
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-dashboard
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: devops

archive/2022.07.bxl-k3s-pi/utils/devops/kubernetes-dashboard/user.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubernetes-dashboard-admin
+  namespace: devops
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-dashboard-admin
+  namespace: devops
+  annotations:
+    kubernetes.io/service-account.name: kubernetes-dashboard-admin
+type: kubernetes.io/service-account-token
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: kubernetes-dashboard-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-dashboard-admin
+  namespace: devops

archive/2022.07.bxl-k3s-pi/utils/devops/reloader.yaml

@@ -0,0 +1,108 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reloader
+  namespace: devops
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: reloader-role
+  namespace: devops
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - daemonsets
+      - statefulsets
+    verbs:
+      - list
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - deployments
+      - daemonsets
+    verbs:
+      - list
+      - get
+      - update
+      - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: reloader-role-binding
+  namespace: devops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: reloader-role
+subjects:
+  - kind: ServiceAccount
+    name: reloader
+    namespace: devops
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: reloader
+  name: reloader
+  namespace: devops
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: reloader
+  template:
+    metadata:
+      labels:
+        app: reloader
+    spec:
+      containers:
+      - image: stakater/reloader:v0.0.110
+        imagePullPolicy: IfNotPresent
+        name: reloader
+        ports:
+        - name: http
+          containerPort: 9090
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: http
+          timeoutSeconds: 5
+          failureThreshold: 5
+          periodSeconds: 10
+          successThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: http
+          timeoutSeconds: 5
+          failureThreshold: 5
+          periodSeconds: 10
+          successThreshold: 1
+      securityContext: 
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: reloader

archive/2022.07.bxl-k3s-pi/utils/idp/authelia/app.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authelia
+  namespace: idp
+  labels:
+    app: authelia
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: authelia
+  template:
+    metadata:
+      labels:
+        app: authelia
+    spec:
+      containers:
+      - name: authelia
+        image: authelia/authelia:latest
+        args: ["--config", "/config/configuration.yml,/config/oidc.yml"]
+        ports:
+        - name: http
+          containerPort: 9091
+        volumeMounts:
+        - name: authelia-config
+          mountPath: /config/configuration.yml
+          subPath: configuration.yml
+        - name: authelia-oidc
+          mountPath: /config/oidc.yml
+          subPath: oidc.yml
+        envFrom:
+        - secretRef:
+            name: authelia
+      volumes:
+      - name: authelia-config
+        configMap:
+          name: authelia-config
+      - name: authelia-oidc
+        secret:
+          secretName: authelia-oidc
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia
+  namespace: idp
+  labels:
+    app: authelia
+spec:
+  ports:
+  - name: http
+    port: 9091
+    targetPort: 9091
+  selector:
+    app: authelia
+  type: ClusterIP
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authelia
+  namespace: idp
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "idp.bhasher.com"
+spec:
+  ingressClassName: "nginx-external"
+  tls:
+  - hosts:
+    - idp.bhasher.com
+    secretName: authelia-tls
+  rules:
+  - host: idp.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: authelia
+            port:
+              number: 9091

archive/2022.07.bxl-k3s-pi/utils/idp/authelia/config.yaml

@@ -0,0 +1,158 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-config
+  namespace: idp
+data:
+  configuration.yml: |
+    default_redirection_url: https://portal.bhasher.com
+    theme: dark
+
+    server:
+      host: 0.0.0.0
+      port: 9091
+
+    log:
+      level: debug
+    
+    totp:
+      disable: false
+      issuer: idp.bhasher.com
+      algorithm: sha256
+      digits: 6
+      period: 30
+      skew: 1
+      secret_size: 32
+
+    authentication_backend:
+      disable_reset_password: false
+      refresh_interval: 5m
+      ldap:
+        implementation: custom
+        url: ldap://openldap.idp.svc.cluster.local
+        timeout: 5s
+        start_tls: false
+        base_dn: DC=bhasher,DC=com
+        username_attribute: uid
+        additional_users_dn: ou=users
+        users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson))
+        additional_groups_dn: ou=groups
+        groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
+        group_name_attribute: cn
+        mail_attribute: mail
+        display_name_attribute: cn
+        permit_referrals: false
+    
+    access_control:
+      default_policy: deny
+      rules:
+      - domain: '*.bhasher.com'
+        policy: two_factor
+        subject:
+        - "group:admin"
+      - domain: 'git.bhasher.com'
+        policy: two_factor
+        subject:
+        - "group:contributor"
+      - domain: 'wiki.bhasher.com'
+        policy: two_factor
+        subject:
+        - "group:contributor"
+      - domain: 'radarr.bhasher.com'
+        policy: two_factor
+        subject:
+        - "group:mediaserver"
+      - domain: 'nextcloud.bhasher.com'
+        policy: two_factor
+        subject:
+        - "group:home"
+    
+    session:
+      name: auth_session
+      domain: bhasher.com
+      same_site: lax
+      expiration: 1d
+      inactivity: 3h
+      remember_me_duration: 1w
+      redis:
+        host: redis.storage.svc.cluster.local
+        port: 6379
+
+    regulation:
+      max_retries: 3
+      find_time: 1m
+      ban_time: 5m
+
+    storage:
+      # local:
+      #   path: /data/db.sqlite3
+      postgres:
+        host: postgres.storage.svc.cluster.local
+        port: 5432
+        database: authelia
+        schema: public
+        username: authelia
+
+    notifier:
+      smtp:
+        username: no-reply@bhasher.com
+        host: bdubois.io
+        port: 587
+        sender: no-reply@bhasher.com
+        tls:
+          skip_verify: true
+
+    password_policy:
+      standard:
+        enabled: true
+        min_length: 8
+        max_length: 0
+        require_uppercase: false
+        require_lowercase: false
+        require_number: false
+        require_special: false
+
+    identity_providers:
+      oidc:
+        issuer_private_key: |
+          -----BEGIN RSA PRIVATE KEY-----
+          MIIEowIBAAKCAQEAwz+97ZILHP+8Hxu2XsK17QZEyOiGQ45SRl6/UbjhiN5Cc5di
+          UQ3I8LaHwvxrsbbBaqLQsYVISye8xdeVvKEa/Pk/VYVGRgOQ+DFHPthOYwGa9bZa
+          INtvOKy85OiqFY8mamRiTkCDo4unxVf35mI6Z01+a5WycvG2mC1VY3v0VC2/PyJt
+          uRusqk9946DbP7IJ83WS8GuVEGsKna8pjr1DW2kC+qUZtA8pM0mH8EK1o2wDKPOb
+          X/4J+/A9kbx2Gnt8gxq3NtErcUHsSKwQtQfik38ehfFfOxq+xINjn5W90gUvx2q5
+          zI3gk2cJFTxiKqRtYfTETnepvKqkzTMlBCVAMwIDAQABAoIBAHlpfMBrbW+18xRh
+          FjGs4JYorMNGHJ+Ls8vAhTXbQpvqoeXhQCjo6ogM6TUt5AYZgALAhgeturvJVRCt
+          s5YdlHu0vlZ+zqkg9JfxhL0mou/cArFCmJ8P9QSIHdo2d/V6E8ha7ep9IZ6kbEpC
+          HoxrjqfIP5HE/7eMaSAOKKf5X4Cr701/3r/0rD+BsYZPC0eklRO2W1x801n0+ks0
+          oVI1/fNkM+F8It7GK/AC1KGThLL8DzBP9cwYaqnABktNKCh+/2z4+50G9z8Bcc3F
+          4FUYubidahZ0DD0KniFGcENfDhLPpy3HsQU6Sp5IgZBaM+jbbp5Grv3Wh7kqDEOQ
+          tmdjEGECgYEA7ZLpHm8h2C9nMFwMzCR18VQgAzLlhCxBJn7wOF5EUOJWNRCo1To1
+          G9qNMUKb1pcnwYGc2s488YfiUkufxZKCjdRSmVwul4D5ufb4zGu/4ulzfrx6DnjJ
+          8BBAtYPiP5RD+m9keB1OI6BHYOMtLi4Vv+XjkasTbtYRWcPdQABC+DECgYEA0mR1
+          ye9T4KcrQoFP14I0vFkVLe2gzVa3Kn5MSM7iMMXcTV3G2GSQCtufpVRbGvw0qgDy
+          cdIvT24dIhYaqF33IuJdZgzSlM4/3KQbMPhVlLpaGpiP1CqUuxsTlrjzOZUkTZBE
+          BrfkBO9VwaGX35WqnatFyXJ3TEWPt4/1s9DfiaMCgYEA4sg6gDLVu+iEOEWmcbjc
+          XWJQrL0JGwKjrnu+FBDoZc2pPT6J7AGEcPJPlZZf7Jid+rofYT8+LdHo2WYXPiJ9
+          PaZQstSsJTOZL0vydDDnG1R+S5zfZrEnE2JwYtViRA7kVUvAPGi9DoURngs+NbcI
+          TAbHFWaZRlRSe73clhup0gECgYBK9Pm2MSssDcLu1c1RVZVeSUqva0rv/WYSoJ6j
+          DfouMEAV3EQ80k8zXx3YtF4lFhfZPa8i+CRc4zlD7KYguCGVbxqhgg4AcB72iA0b
+          /E3ZSC9T7GjJyUXmB3aKK2iUaltduvlRf3CghXiDHQRT5ym7NMsPQ1XXea0DVCnQ
+          n6kUiwKBgDAMfny68ymQVskEv/NCTbRkpz6O1DA997QyjPV/QyfSpt1znPuNvgkE
+          SQu0C/b47Nm2ZGAHVryWLo8bBS8+ECEV74GM/kHoDWpWzEeoxynW+dBZoP9sbKzZ
+          LCWjPegQEkVdtp83Thfqb/MfeUj8GHf8MegIGoJd50f19tggd4a3
+          -----END RSA PRIVATE KEY-----
+        access_token_lifespan: 3h
+        authorize_code_lifespan: 1m
+        id_token_lifespan: 1h
+        refresh_token_lifespan: 90m
+        enable_client_debug_messages: false
+        cors:
+          endpoints:
+          - authorization
+          - token
+          - revocation
+          - introspection
+          allowed_origins:
+          - https://git.bhasher.com
+          allowed_origins_from_client_redirect_uris: false

archive/2022.07.bxl-k3s-pi/utils/idp/authelia/sealedsecret.yaml

@@ -0,0 +1,24 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia
+  namespace: idp
+spec:
+  encryptedData:
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: AgBtB6SSmfYza95ukD5MArbufyWVvVzkvgcN6K4wfELiNzFD36Ky725zCG6K56SNj+hidMiUuiTBEY1QCWsq03YfPxtfdFSQNe7nZoeu7acxP61cIM7MzAhV09q/qt+QdJbYNSai7wAaq316SJbvxw4H/pyYz58K38c7oJ4ZBdK+XSjKgRfgEwir1LY3GF3JkQjC4HrQSR/f1kPyG29+KzTjWB7C1SolMEX+pXwjEvRnoARPEyAIW1S4M2o/0xOp7BDml0j2KVgVhOvjljyP7tR47NFdbWTQ4Vs6gtLRxNjHIG+UVQxOpZdcDIhXK5mLlFXN6mDE+0Tc6wns1SuUcsPaTCx1hO0By6aCN2TjDwtKitLIe7UgJvu+aDbTy8EkXhfUysYTgkgRgQtuKYoLNE0QKwDNx6B4aHghhnpeagHgmHLUbbYn1tYhAcWSjmTQfggWhUP/tpY9SiPIvx4E2JjUIwM2CwIjP6P890Xhk8WffDxbL/PtDwmFTyo5wC6FPZneEwZ+CRpXIIls4ZvXbEyrXBKGITuaJ1oDzSi3MJCYl/KO9swID5nY64xc+0qAGET0Vm81RsoTkkf44+swHmxIcnVgH1+lyyy3/LoPsx5uu1zhyv19XpW8jnmHhp57DpklOdhptdwE/nNWvDwfc7rzfHiiWHRQWMkiwOVooEDKkE9ah2NVhYtgRC024QCBjwQdwTPegVYwJKgvoJr32WaCFtnJoZol1wJqCjI8wTDPWW0stQ70xSI/0uF+R0JTpj+HqBizktmteC7vupz0sPGr
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: AgBZEwrilDSO36V3RIrkRwe9AZiFj0sRretYzDxq+Hu9VksVUi2nqZ/WUI2dVSYrwn+FXE5N0Tbd4zFtmiLSH0yn55pQim7I3mqJcKKh6t/3bw4uCoZ3tCl/zZv96hyD2SEGDd5FQeiairxEZm/cVFNUZbUq5uBh4nbuCx42dKIis7SjeEpqxxKF2y6y/ruykR0i/f/v2Hmcy1VwDvimI/uoKXwnrbIFaF5EK29MFIjFyeqrYn2CGBFwaOmgnGA+NXkNLUkMEbupxeFunuvaCOQLY8hyAtB55A/aLMQt/PY56xWTDIshVvFcRIximPBa+3c1wBAUBQIHLkjrciZ5fwK5SGbjAzQKWL7vnw12tgLul3SgLrGL8o/12EqsQbTyYERi0fbU45XzFkJtQLEAe6YoH7z1NVQCES2yiu1s4EBK3iHJ5EQyQ1bDHhAoSRKk5QxHP5j7b7PoMgT+QrRnLZOyvoOX0H/Dx2IX2Y2S+Cu7BzxM5QqI9zEnQFIwAj89Vveq2Ulu7eS3G09H33EFth/6gU8RzEE0ZOORT106aKRCWsOTDYJNladbfaI3vpeSj2gOvYnexixL4/N84oqfv27SlxFQT921wRo6PuovB97He1iY8u+xcXxeWki7aV4pLoMPqcWKneOelbSywFj0x5stiijgYvG31UEluhXMjrs9RYGnEyzi6YEiNuDnA/182KANFrdP/iD6pJTPpcLMl/IPEYiK2TO8OVA0tlWMaw==
+    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: AgBRH3NyEss1PgYn2DRwISaWTHGpwkjDUIvV0qPOOhslF5DW2B1axB9tx9U/ZEhAvGAKpeB1lVPaOVcD66+8q5qVIfNsEcWaChv9oGrSG0621JUcx8747+kAZduHLYk7pmnY6c68bqTMbVDw9xtrjZUQpLhqxdPPMHE6Ax7JsEqotujR7DTr2JRvAipGvaRSapOApTpps4hyhJJ7U3n5NvNYQFQiHmN6m1QuTb4hTBhbrWP2U4TBggapbw/3NglZYLTFDGMXBl1LqfE2zaOUlyCMoS2AYc5tMzy+m3j8PBcXK7wv9wUn4XFQgeSLd+jXgL78LTTc9X1VpNE4o6tkJisG/WL444RkSjrd9gOBOlCjxHcbkST5ofQFkqNZ6MW0gCn17JbPXpbFJlDjBH6YfPMGbyIJMT7KA5i8ysDi1vW8VNWBgBfmd9Yp0mR9m5ugUr670kMClOlUXTHnTt1DyX79J8pySVMGThfWct2ZM4cWUSQn6varzE/VlfPO7ZdqdpdQ7f2gi+sdp/RZ36JWDgBDpkiegBHjTEk/nF2dd2ijE/cEuGLKQP/L1/8J5SvgrkhImKWSYmQe60wEIoOq10TIqSRtIUub7ci+iiRkvx+13LwernhNqHJUeO7ccvDagyW6sC65sTsbykcFlCt+MtXpsFGYx+1dmP8ljzxdtTrxt3iYZ4dA9AgYlvvJLgtRUlDxhfRXNQpFZ02ZdRslqFNiWm0gQmRmuJQVYYPD7Xs8fgr25SjfVMhpa5uEa3kOiG7cfahSk4mHARRisq1rPqz3
+    AUTHELIA_JWT_SECRET: AgAdnQfSX3qcWgP+LqvO0ORr1Dd50WFfwWTYuMTdni+wh2cDqomgdt2TA8VhM75yf2F2blIRWmJxP/6ttQ8q0XYdUAwwwd0BndSt8gPzOxrCfiq9gTscSBa0hBCJiamQVzv4+9Mx8frLasMBeNRXkLulS8HG/ucMOZUmcJrBPihUrLLl+HR7OWv+ZJj03dDPHeFahSVW1G5Ra11nCPjB72XMSaz2X/IWamY5QdSW4PE7Me/7mLzmdxS/CxqQDJBgv/M4eR6Js4OJcusHKKgOkVnBqJ8aLba7SYdsXx4DRjoZ627+AdMMHNXwK6QZip/7LwcBgytFwuXz6hBIIZjgHIQhXtT5xO1+hkZN/zGUZG/L44Jl1oo76ftC6KhmA71HQ8b8nKVWngB6zdNjDRgs+rT+h4MyYNYIuQXIEV9vTKwvj1tU37Ld9aS1pKWZ0VxuKzzdeyUVpVblEcrNzi8NbhY6uCm24oPGEBbG6fkpDg7alLos6gJFUqJCqq28YZDXrQaieiULKburSoWAVjcmLVk9AqmN99s+GGT5kBxAwmyMoP5LcZueIqNaf51tV8wRPvmLOc+E9+B6Hi2DYfb/Us5qGTCnGcAxKbMWeZJv5bP6b+6JjHlViYhuSK6ku9jNRgTd5VeQBGEp7atxKpTkkiktNFtgAEXXDFr3duZfU5p6Naxzht8vTJd+ie5YCNo0CMerAzRUai8f7KgmpMjd651xVuLypwo57Nv28NgFAnLJB+VbbvQpFOPwc7E+2uVAbJt0QWUols7AU0azXS2hrfYi
+    AUTHELIA_NOTIFIER_SMTP_PASSWORD: AgBuPO+b2gfZZxpC+YIrr/V894WnruQHW3zDzWR/iOV5y4zx0VhCP5NeynnLeYBPDzyClj/IjC+ji1NChLS1716OYTjGBxYY5he0v5A76cvKw5yjDcptVZ/kCKekZmp6/cljGZg59ZTApQlX3hmM8ilv0NzFamZWaZl1I85fA33Rma2K70yDVTrTF5fL9jDQALt8cqCIk9DJY4rDi1C0GjLvwPhrx4uUaucPpIxOBmqAbMIobBnJxL3e42157Fzc13RnCjdw5N37uU4s3UjEkSzbifIGDkqQBkA6VI4It8/uR27UMYw1MNCmbAClO1xQ4vmEWUhBIQ9kAwuehNvm2o5zKXze66nwy68SUHDWwnB5E2jgChAnZylqAaQALmGZy7fP5Z4OPymHW+l08JB+hv6cv8cuHuajAHmX96jlLXU3cuvrTM/NTwNzsp3vqeLfcZMxbq6KZ1INHuvLTpcKPQaRUg7rIMzU1YPatBN9r1WP8vAfMaXl2s1ctFysRpp34jonlJoE55G5VEYn+MDNYdrdVCjsAAhoNJ5oFxXSX+dASDo2vPp9QcVUHiud3g8wBfJ2ydbqi8kk+rMZIU7r5V1Kn0n6WmSU2OANf3W2DqRNouSHbdbA+rnaBTmXnyHxSNncw78mZ5WIasCm9Ld1XcyMGf2T/fCjN5qlxKt+Ze8BSsCgnDGEMeR9GJFR8bK9v4fb9QbpM0mlkWzFlXVoTcVHkbhZf5DePggwiilWKYG3DCs6YCVME9Xg6hOWkOjrM/sZMSwwfMHCVRJJ4fuwU/UC
+    AUTHELIA_SESSION_SECRET: AgB9Dd/P3SeegcuIq0/jXh1LRZpijJD3q3spQjjsaUmB/rC5p/MnjG7AAePDmoMmiOlKtDu5CLHj6GHQa/eJ7attIxrC3qtthTZi63ASuxm+KtZw/kyG7OGsx/XuIueEdSkBLtzhPdN6Sno0+T1ZlVnQZ3TTwnidc/qoVEhP0NWpq/IZtkAY0AetCQrIFeJBIsM3RcqNHBq7kEwYzsoMHMYVrYwpKOXzawjj2YWVTzr91duxfrrmVBjNcheKyHWOtJhzWpCWV3QmWDvZ5J88tl5RZudFLabzzVlrw3voBteY7jSxC1DAVTxm29D4AaoVgpl31iAn6AECrRIBbWaHhHVmwc6E8LA6eyFYEQP893Szuh0Dv0f+LM6IC9IAwHd8XBBqZbI+xRtXWOTRlmcSxL+6shswWuW9d5zkl8GkUp0NWBUI/tQoHbdZvBUDProVcCtGmxEQoNG9Hr8TaI6G7zm8ES6tgAqZCSNlC/OqzCX0g6Qni52ASR8YY6JfyyGnqCssmAkx4FYXL4d2XKSeb0+4adURih1j0WGCujapYKwxG1ozyBU8cBx+tLWm1CWHNhm9m7BPvZNQ+OlZ1LHcxBXIHAUIH8CqxUozQn8kfMKPN+gX6od9vNBy5o3zSadeLZpbHdSnJpYWBTnbCbU4wfwdQzVt7WZnxZMiwKpGLQGVeJOiZMV6d13Ekmdz+t8l+1MtnW3Cm+HQBVYaQF47jJou8poq4ZS03bcnzmUhkwpD/ety4XZZvkGlPAVjyXp8sd5srKZ1bhv8CA0wRhzSX/7/
+    AUTHELIA_STORAGE_ENCRYPTION_KEY: AgCP7lrcqQFZ+N3geMzM/tUeP0kD4naVeL4l0wRWsFK1l6z91qr7vaNNUsj5ZaikTI+jkTbAcke/Sj3Sp0b5sOP6J0A4qAOV0J+sRyEvdgbTrtj5NLtM3H+QrTaKZjdmkZfnCsxKY812brBBS2KpFUo0kLb3uMIo0i3erJMkk/IZ4JuCWdMFP1/B66VjdX2Wi1g1MuyV2XWtu0YjoMDBF342s5g7mbUXai9fOgq3KZpNOX5VrD5ns2UexLfQySpRP+Oi5qtT5KtZQ+bQoegsbZglsM5K7iEaYTwA7zOdP113u2eWiEFhas4hV3dph4owAj68uILvvjDAWzJ7y6uA8FxPMoX2OZA7fmbAZTgsi98uKtS8zg+IFK4aEJnyJUtO08TkANoQWkVfkwTDlMVTwLrxV6zdZrT3bjAypUKsc/wPG3rGi12RRd6h//r1HbLxVViojLHmoHipn3FjSTsaaEhtnpDWUIDeurWWsiJKdcieA56h4hKSM7/RwMEPhkbDkrXh94K+gP8kSXGJOlt3+yF//NwwfZyr2q4eusnuUQOAIB1a2Whr9Nl9DfyqFSW0Oxe+wihOWisEkuWVdiQ8d0O7a20kjcqrng+WueAv/L9gkDoE1TcfkcukugDCZF0U9IzD8+NuBYZ9e2DQ7tXgqzezlytcUNNIr14jA6ZAuCtLnTm5c0bFr702rC9V4oskRZMrLnKb46UwQTZW4ADFaYZrinNp/q9eyQCKS3aaK5zCDAiNPU0TNFZLYR/bHQIy4tzowkyzNm+zyOh1MDfQHqwc
+    AUTHELIA_STORAGE_POSTGRES_PASSWORD: AgAH4aJY2onCeT6wN6hDc2QVi5mTtMxYo/Y4b6+X/c40BFWc3Fb2hQa1BM1AGVrk5RrhFVaixXNghb6BpwIbugKIzi6eAMEn4ZSp/EQi5g9AuDrQfHwW2mi53ivkeflkxbgFQC8Ggno10W9kHdXqIhHVKtUeKf9dIAonRHVIz4D5JjwcVGL6CRun7R+LmMVj11+9J/lZUDqLzLODbi2lht85gxi1E/7qM/UkvUjWpkH2rJuqEBx/2weu9F0hxBnD1QhSiC0tNYOBAycmO6G/7DMHJUhQTAJIJUH9bT6M652SrNmq1bzj64bXkNSo04lQmSSB4zQzELtonzIgeo1WsHTksrXJz4sMMCosBhNntLRP+RX0aicrolbXZ/ay+dx0lkZrTNcBdIUZw6Px0VMOC9r4RcYd/2/XNayL5sHSdt4hvE6NTJz31YRGRK884shtIhvCLK8goUoqb+Rf7gdxS7AB4qdpwDIPbDZ9YnmDggpaq0ammSf5SalGOPiBKvpyK2XYUrTgDhK5iKgjOlQ/UDtqZKu2JkHzymg5Bz58XH+h1EasDIID0x3xr3S+bR+b+qQt6/T8KLpe3/S+q9sEYqCKiAv80i3JtPzdKejh//NnLUWUR8Nx0V/xoiMXGG3T/h2L+QHW4d/Cj5ISCf33sn4Wnnk1t5vRis08yCRo77UOk/NIOPSBT4d7ZXQ5Ojv/Hx7nJfUXlcnHpvgmMRg08HBUso947+Ad++Zi/O/WZV8wip4gqqIYlESISEsjBbDpzD2apz3HDRT+fYTN0Og9JJRZ
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: authelia
+      namespace: idp
+    type: Opaque
+

archive/2022.07.bxl-k3s-pi/utils/idp/init.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: idp

archive/2022.07.bxl-k3s-pi/utils/idp/ldapusermanager/app.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ldapusermanager
+  namespace: idp
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ldapusermanager
+  template:
+    metadata:
+      labels:
+        app: ldapusermanager
+    spec:
+      containers:
+      - name: ldapusermanager
+        image: wheelybird/ldap-user-manager:latest
+        envFrom:
+        - configMapRef:
+            name: ldapusermanager
+        - secretRef:
+            name: ldapusermanager
+        ports:
+          - name: http
+            containerPort: 80
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name:  ldapusermanager
+  namespace: idp
+spec:
+  selector:
+    app:  ldapusermanager
+  type:  ClusterIP
+  ports:
+  - name: http
+    port: 80
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ldapusermanager
+  namespace: idp
+  annotations:
+    cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
+    cert-manager.io/common-name: "accounts.bhasher.com"
+    nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Groups
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+    nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
+    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - accounts.bhasher.com
+    secretName: ldapusermanager-tls
+  rules:
+  - host: accounts.bhasher.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ldapusermanager
+            port:
+              number: 80

archive/2022.07.bxl-k3s-pi/utils/idp/ldapusermanager/config.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ldapusermanager
+  namespace: idp
+data:
+  LDAP_URI: "ldap://openldap.idp.svc.cluster.local"
+  LDAP_BASE_DN: "dc=bhasher,dc=com"
+  LDAP_ADMIN_BIND_DN: "cn=admin,dc=bhasher,dc=com"
+  LDAP_ADMINS_GROUP: "admin"
+  SERVER_HOSTNAME: "accounts.bhasher.com"
+  SERVER_PORT: "80"
+  NO_HTTPS: "true"
+  ORGANISATION_NAME: "Bhasher's Accounts"
+  SITE_NAME: "Account Manager"
+  SHOW_POSIX_ATTRIBUTE: "true"
+  LDAP_USER_OU: "users"
+  LDAP_GROUP_OU: "groups"
+  LDAP_REQUIRE_STARTTLS: "false"
+  LDAP_IGNORE_CERT_ERRORS: "true"
+  LDAP_ACCOUNT_ATTRIBUTE: "uid"
+  LDAP_GROUP_ATTRIBUTE: "cn"
+  DEFAULT_USER_GROUP: "default"
+  ENFORCE_SAFE_SYSTEM_NAMES: "false"
+  USERNAME_FORMAT: "{first_name}.{last_name}"
+  PASSWORD_HASH: "SHA512CRYPT"
+  ACCEPT_WEAK_PASSWORDS: "false"
+  # LDAP_GROUP_MEMBERSHIP_USES_UID: "true"
+  LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES: "jpegPhoto^:Profile picture,sshpubkey^+:SSH public key"
+  REMOTE_HTTP_HEADERS_LOGIN: "true"
+  # FORCE_RFC2307BIS: "true"

archive/2022.07.bxl-k3s-pi/utils/idp/ldapusermanager/sealedsecret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: ldapusermanager
+  namespace: idp
+spec:
+  encryptedData:
+    LDAP_ADMIN_BIND_PWD: AgCwWqGEeY/x+xmJGvOCROOpKCyXyA8cMUfPxEiKUpq3smRJ68L2vOQfXbcdmPXI8a/XkLNmdzUKG1rsYWKH07WGa0SlH6BXHnmhJkeo4/k1uqk14Sw1S8JdptZCMyDXeWHOPJbK8bJiRz8n2WPcGO1srlkh9F5IT7lvxmee93xTS/g8l4adXzz7eK030n2QaC8m5NrVYxRUMVq+5XQQSymCrpxW7BMF96QAXc47Vf+JdPieqdi2CFv75zwIA0ikIC4MBFU1FVimfZT2l2pCwWImtKPHf73EHKEjmFwfWezasnWE0MWK7c+x3hkU6hxTH24YGjuGMDWG7NrcUJ45ntAO9wHAyQZ0lyFzDxLXaOJ9j6vOGFA+Perm5TP8UHU5Y906knLo7rA0Yg+ESp6BdIaD6AttiDpA97Pn+pvIfAi6FqqawSTROAF2/nP92q/B3yLOVOL7nrg1CMwGzZihlhYKAt3I2GUF7bsV0T8vssbiRsrOSAOyE/umKiwgiPo05G+EHAUehzbsOiEIN9YIQN/9fgyFcIUkqrpMzAefo0SsxMzW8ESdQswDChtZQfurvq891AutZWZKjWfosL1LE0cwe/42kbA9tw06Ii+OX3IHeT7cbUHGvlqloBDvur7DUtJd+g/Wuvk/NIPuRYrEDJOGZ0QeoabgKINuUv2zbkU8o9WXq+Y1BZyg0Vfi6O0+kcI5hTHFNq/RD5Pt+8di/Xp6i2irQV6UWTb49zMotI4h81qsv/3Q0sVH1tJKRTN6KHxfmJLeBz0jq2GUdle0Ut0B
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: ldapusermanager
+      namespace: idp
+    type: Opaque
+