diff --git a/.mise.toml b/.mise.toml index 8d4925d..962e966 100644 --- a/.mise.toml +++ b/.mise.toml @@ -13,25 +13,25 @@ TALOS_DIR = "{{config_root}}/talos" python = "3.13" "pipx:makejinja" = "2.8.0" "pipx:flux-local" = "7.5.6" -talhelper = "3.0.29" +talhelper = "3.0.30" uv = "latest" k9s = "latest" helm-diff = "latest" -"aqua:cilium/cilium-cli" = "0.18.4" -"aqua:cli/cli" = "2.74.2" -"aqua:cloudflare/cloudflared" = "2025.6.1" -"aqua:cue-lang/cue" = "0.13.1" +"aqua:cilium/cilium-cli" = "0.18.5" +"aqua:cli/cli" = "2.75.0" +"aqua:cloudflare/cloudflared" = "2025.7.0" +"aqua:cue-lang/cue" = "0.13.2" "aqua:FiloSottile/age" = "1.2.1" -"aqua:fluxcd/flux2" = "2.6.2" +"aqua:fluxcd/flux2" = "2.6.4" "aqua:getsops/sops" = "3.10.2" "aqua:go-task/task" = "3.44.0" -"aqua:helm/helm" = "3.18.3" -"aqua:helmfile/helmfile" = "1.1.2" +"aqua:helm/helm" = "3.18.4" +"aqua:helmfile/helmfile" = "1.1.3" "aqua:jqlang/jq" = "1.7.1" "aqua:kubernetes-sigs/kustomize" = "5.6.0" "aqua:kubernetes/kubectl" = "1.32.2" -"aqua:mikefarah/yq" = "4.45.4" -"aqua:siderolabs/talos" = "1.10.4" +"aqua:mikefarah/yq" = "4.46.1" +"aqua:siderolabs/talos" = "1.10.5" "aqua:yannh/kubeconform" = "0.7.0" "go:github.com/VictoriaMetrics-Community/mcp-victoriametrics/cmd/mcp-victoriametrics" = { version = "latest" } "go:github.com/backube/volsync/kubectl-volsync" = { version = "latest" } diff --git a/bootstrap/helmfile.yaml b/bootstrap/helmfile.yaml index 58f6b8f..57bb79d 100644 --- a/bootstrap/helmfile.yaml +++ b/bootstrap/helmfile.yaml @@ -31,7 +31,7 @@ releases: namespace: kube-system atomic: true chart: cilium/cilium - version: 1.17.5 + version: 1.17.6 values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/cilium/app/helm/values.yaml'] - name: coredns 
@@ -54,7 +54,7 @@ releases: namespace: cert-manager atomic: true chart: jetstack/cert-manager - version: v1.18.1 + version: v1.18.2 values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml'] needs: ['kube-system/spegel'] @@ -62,7 +62,7 @@ releases: namespace: flux-system atomic: true chart: controlplaneio/flux-operator - version: 0.23.0 + version: 0.24.1 values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml'] needs: ['cert-manager/cert-manager'] @@ -70,6 +70,6 @@ releases: namespace: flux-system atomic: true chart: controlplaneio/flux-instance - version: 0.23.0 + version: 0.24.1 values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml'] needs: ['flux-system/flux-operator'] diff --git a/kubernetes/apps/auth/authelia/app/helmrelease.yaml b/kubernetes/apps/auth/authelia/app/helmrelease.yaml index 30bfa32..50b38c8 100644 --- a/kubernetes/apps/auth/authelia/app/helmrelease.yaml +++ b/kubernetes/apps/auth/authelia/app/helmrelease.yaml @@ -37,7 +37,7 @@ spec: app: image: repository: ghcr.io/authelia/authelia - tag: 4.39.4@sha256:64b356c30fd817817a4baafb4dbc0f9f8702e46b49e1edb92ff42e19e487b517 + tag: 4.39.5@sha256:023e02e5203dfa0ebaee7a48b5bae34f393d1f9cada4a9df7fbf87eb1759c671 env: AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true" X_AUTHELIA_CONFIG_FILTERS: template diff --git a/kubernetes/apps/default/homepage/app/config/services.yaml b/kubernetes/apps/default/homepage/app/config/services.yaml index 6f5f35b..ab2e494 100644 --- a/kubernetes/apps/default/homepage/app/config/services.yaml +++ b/kubernetes/apps/default/homepage/app/config/services.yaml @@ -1,7 +1,7 @@ - Home: - BlueIris: icon: blue-iris.png - href: http://bi.${SECRET_DOMAIN_INT} + href: http://blueiris.${SECRET_DOMAIN_INT} description: Cameras - Games: - Minecraft Maps: 
diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml index 61fda92..ff2b827 100644 --- a/kubernetes/apps/default/homepage/app/helmrelease.yaml +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml @@ -44,7 +44,7 @@ spec: app: image: repository: ghcr.io/gethomepage/homepage - tag: v1.3.2@sha256:4f923bf0e9391b3a8bc5527e539b022e92dcc8a3a13e6ab66122ea9ed030e196 + tag: v1.4.0@sha256:63434aafeb3d49be1f21ebd3c5d777fe5b7794c31342daad4e96f09b72a57188 env: TZ: ${CLUSTER_TZ} HOMEPAGE_ALLOWED_HOSTS: *host diff --git a/kubernetes/apps/default/miniflux/app/helmrelease.yaml b/kubernetes/apps/default/miniflux/app/helmrelease.yaml index 8328f65..7c950cc 100644 --- a/kubernetes/apps/default/miniflux/app/helmrelease.yaml +++ b/kubernetes/apps/default/miniflux/app/helmrelease.yaml @@ -28,7 +28,7 @@ spec: app: image: repository: ghcr.io/miniflux/miniflux - tag: 2.2.9 + tag: 2.2.10 envFrom: - secretRef: name: miniflux-secret @@ -77,6 +77,10 @@ spec: ingress: app: annotations: + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-url: "http://authelia.auth.svc.cluster.local:9091/api/authz/auth-request" + nginx.ingress.kubernetes.io/auth-signin: "https://auth-k8s.${SECRET_DOMAIN_INT}?rm=$request_method" + nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email" gethomepage.dev/enabled: "true" gethomepage.dev/group: Media gethomepage.dev/description: RSS Reader diff --git a/kubernetes/apps/default/miniflux/app/values.yaml b/kubernetes/apps/default/miniflux/app/values.yaml index 209a2ba..90fcfc7 100644 --- a/kubernetes/apps/default/miniflux/app/values.yaml +++ b/kubernetes/apps/default/miniflux/app/values.yaml @@ -9,3 +9,7 @@ controllers: value: 1 - name: BASE_URL value: https://rss.${SECRET_DOMAIN_INT} + - name: AUTH_PROXY_HEADER + value: Remote-User + - name: AUTH_PROXY_USER_CREATION + value: 1 
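Review bot: With `AUTH_PROXY_HEADER: Remote-User` and `AUTH_PROXY_USER_CREATION` set in the values.yaml hunk, Miniflux accepts the identity in that header from whatever connects to it, while the Authelia check added in the helmrelease.yaml annotations hunk only covers requests that arrive through this ingress. Anything that can reach the miniflux Service directly (another pod, a second ingress) can send its own `Remote-User` and be logged in, or have an account created, under that name. Restrict who may send the header: if the deployed Miniflux version supports `TRUSTED_REVERSE_PROXY_NETWORKS`, set it to the ingress controller's pod range (`value: "<INGRESS_POD_CIDR>"`, placeholder), and add a NetworkPolicy that admits only the ingress controller to the pod. Separately, `value: 1` is an integer in YAML; `value: "1"` keeps the env value a string.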
diff --git a/kubernetes/apps/default/navidrome/app/helmrelease.yaml b/kubernetes/apps/default/navidrome/app/helmrelease.yaml index 7c48946..2b548d3 100644 --- a/kubernetes/apps/default/navidrome/app/helmrelease.yaml +++ b/kubernetes/apps/default/navidrome/app/helmrelease.yaml @@ -28,12 +28,12 @@ spec: replicas: 1 strategy: Recreate annotations: - # reloader.stakater.com/auto: "true" + reloader.stakater.com/auto: "true" containers: app: image: repository: deluan/navidrome - tag: "0.56.1" + tag: "0.57.0" env: TZ: ${CLUSTER_TZ} ND_LOGLEVEL: info @@ -44,6 +44,9 @@ spec: ND_MUSICFOLDER: /public/Media/Music ND_IMAGECACHESIZE: "500MB" ND_SCANNER_SCHEDULE: "@every 4h" + envFrom: + - secretRef: + name: navidrome-secret probes: liveness: &probes enabled: true diff --git a/kubernetes/apps/default/navidrome/app/kustomization.yaml b/kubernetes/apps/default/navidrome/app/kustomization.yaml index 372f754..692343c 100644 --- a/kubernetes/apps/default/navidrome/app/kustomization.yaml +++ b/kubernetes/apps/default/navidrome/app/kustomization.yaml @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml + - ./secret.sops.yaml diff --git a/kubernetes/apps/default/navidrome/app/secret.sops.yaml b/kubernetes/apps/default/navidrome/app/secret.sops.yaml new file mode 100644 index 0000000..499f0bf --- /dev/null +++ b/kubernetes/apps/default/navidrome/app/secret.sops.yaml 
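Review bot: `tag: "0.57.0"` for `deluan/navidrome` is a mutable tag with no digest, while authelia, homepage, prowlarr and radarr in this same commit are pinned as `tag@sha256:…`. This container now also receives the Last.fm credentials from `navidrome-secret` through `envFrom`, so a re-pushed tag pulled on a later restart would run unreviewed content with those values in its environment. Pin it the same way, `tag: 0.57.0@sha256:<DIGEST_OF_0.57.0>` (placeholder). The same applies to `tag: 2.2.10` in the miniflux helmrelease and `tag: 1.33.0` in the mc-router helmrelease.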
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: navidrome-secret +stringData: + ND_LASTFM_APIKEY: ENC[AES256_GCM,data:F/H1UKq1SAF3v133nxuD0+foIiBRac6M6T33jIhNLJI=,iv:pO5D7lZZXF2r8sZN9AtZnpZNZeV0Vjbpxe3W8Orpmyw=,tag:HUPz5gTzPvJnGiXaEScYpA==,type:str] + ND_LASTFM_SECRET: ENC[AES256_GCM,data:B+Wq9BJLqaQnu+sd/qYXOiyyW36+4If+ppd+fX8n4JE=,iv:YFAY2XjYFr2NHN6WYLgGmaJexVuPGmYw7hcCcVYDfvU=,tag:20lPy/PFjgMECP5IR0ul/g==,type:str] +sops: + age: + - recipient: age1a68j5zasa55y39u5ecus7g4dzl3rqp0u6h6jwpuw3743cdf9dd4sykfhr4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOEtvWkp0RklibUpsS0d0 + V0Z1QWV6SXN0eklxYWhnMTdlZXRQRzBnRVNnCnFIcTEzc3g2QkxmYTYyNkt5VkM1 + UzZlZDMycHVoNEQxMHRQV2VwbmF5Z0UKLS0tIHpjeVJEQUNjKytlR1JRb2J1YXA0 + UWtSUmVQRUYya3I1bzVwMThnM3R3NEUKK42Yi71h3S04afyynSjHR1+tXeyd++c4 + YJlkogj/ftT9bmvZLP9U6wOteZ2hyAIxGKTXLQJsWF5EX45wa3CL6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-07T01:17:34Z" + mac: ENC[AES256_GCM,data:72qHR516HZWVpm1GMCwl4Fag+OMmxd5QjZt1OhHaG6256pb+YYxOhxBqB4xfqzGG0YnEbt4CpfogjMaDjdf+HJH30n132xsxXAeYqBxHtaGAK44Y9uNhlB7Mt++6srTtdd9ypUWdiuV/7hYbceqm02eO368ybsnOXECgnPeDaus=,iv:DY4Fep4FgRhdG1WfAdJGEWQpBlF2wpl7g2ioTidGmpU=,tag:6atDpbmWMJTquar37K9UiQ==,type:str] + encrypted_regex: ^(data|stringData)$ + mac_only_encrypted: true + version: 3.10.2 diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml index f8370db..9acbcf9 100644 --- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml @@ -39,7 +39,7 @@ spec: app: image: repository: ghcr.io/home-operations/prowlarr - tag: 2.0.0.5094@sha256:5b890c19bf39a1ca3d889d2b8a6f6a9f1bfa2f63ad51d700f64fd2bd11eec089 + tag: 2.0.1.5101@sha256:e9e0cf64a1ab90ca61688de85bb732d7c3e5142d40a2d9af6172551252cb31c3 env: TZ: ${CLUSTER_TZ} PROWLARR__SERVER__PORT: &containerPort 80 
diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml index f4e6d66..e1fc062 100644 --- a/kubernetes/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml @@ -64,7 +64,7 @@ spec: app: image: repository: ghcr.io/home-operations/radarr - tag: 5.27.0.10101@sha256:f1a47717f5792d82becbe278c9502d756b898d63b2c637da131172c4adf1ffc7 + tag: 5.27.1.10122@sha256:e6e4fb8383b9f232a5f7d6d7c1eadd03501685468c382131643ba8aed03098ba env: TZ: ${CLUSTER_TZ} RADARR__SERVER__PORT: &containerPort 80 diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml index cf6c74b..c1ac07a 100644 --- a/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml @@ -2,7 +2,7 @@ instance: distribution: # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution - version: 2.6.2 + version: 2.6.4 cluster: networkPolicy: false components: diff --git a/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml index 4164c64..cd9f989 100644 --- a/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 0.23.0 + tag: 0.24.1 url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance verify: provider: cosign diff --git a/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml b/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml index 6d11f30..d4067c9 100644 --- a/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml 
@@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 0.23.0 + tag: 0.24.1 url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator verify: provider: cosign diff --git a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml b/kubernetes/apps/kube-system/cilium/app/helm/values.yaml index c0ddc00..bb3ed29 100644 --- a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helm/values.yaml @@ -2,29 +2,33 @@ autoDirectNodeRoutes: true bpf: masquerade: true - # Ref: https://github.com/siderolabs/talos/issues/10002 - hostLegacyRouting: true -cni: - # Required for pairing with Multus CNI - exclusive: false + preAllocateMaps: true +#Enable BPF clock source probing for more efficient tick retrieval. +bpfClockProbe: true +bgpControlPlane: + enabled: true cgroup: automount: enabled: false hostRoot: /sys/fs/cgroup -# NOTE: devices might need to be set if you have more than one active NIC on your hosts -# devices: eno+ eth+ +cni: + # Required for pairing with Multus CNI + exclusive: false endpointRoutes: enabled: true envoy: enabled: false dashboards: enabled: true +# this requires node/pod bounce +# https://docs.cilium.io/en/latest/operations/performance/tuning/#ipv4-big-tcp +# enableIPv4BIGTCP: true hubble: - enabled: true - relay: - enabled: true - ui: - enabled: true + enabled: false + # relay: + # enabled: true + # ui: + # enabled: true ipam: mode: kubernetes ipv4NativeRoutingCIDR: "100.64.0.0/16" @@ -36,7 +40,8 @@ l2announcements: enabled: true loadBalancer: algorithm: maglev - mode: "snat" + # try switching to dsr again from snat + mode: "dsr" localRedirectPolicy: true operator: dashboards: @@ -45,7 +50,7 @@ operator: enabled: true serviceMonitor: enabled: true - replicas: 1 + replicas: 2 rollOutPods: true prometheus: enabled: true 
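Review bot: `hubble.enabled: false` in the first cilium values.yaml hunk turns off flow visibility for the whole cluster in the same change that enables `bgpControlPlane` and switches `loadBalancer.mode` to `"dsr"`, which is when flow data is most useful for troubleshooting and for reconstructing what talked to what. If the aim is only to drop the relay and UI, keep `enabled: true` under `hubble` and leave `relay`/`ui` off; otherwise replace the commented-out block with a one-line reason such as `# Hubble disabled: <reason>; no flow logs available`. The added comment `#Enable BPF clock source probing…` is also missing the space after `#`.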
@@ -74,5 +79,6 @@ securityContext: - NET_ADMIN - SYS_ADMIN - SYS_RESOURCE -socketLB: - hostNamespaceOnly: true +# no longer needed? +# socketLB: +# hostNamespaceOnly: true diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index 00f277e..e663469 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml @@ -19,7 +19,7 @@ spec: chart: spec: chart: cilium - version: 1.17.5 + version: 1.17.6 sourceRef: kind: HelmRepository name: cilium diff --git a/kubernetes/apps/kube-system/cilium/app/networks.yaml b/kubernetes/apps/kube-system/cilium/app/networks.yaml index c03315e..e420195 100644 --- a/kubernetes/apps/kube-system/cilium/app/networks.yaml +++ b/kubernetes/apps/kube-system/cilium/app/networks.yaml 
@@ -23,3 +23,51 @@ spec: nodeSelector: matchLabels: kubernetes.io/os: linux +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgpadvertisement_v2alpha1.json +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPAdvertisement +metadata: + name: l3-bgp-advertisement + labels: + advertise: bgp +spec: + advertisements: + - advertisementType: Service + service: + addresses: ["LoadBalancerIP"] + selector: + matchExpressions: + - { key: somekey, operator: NotIn, values: ["never-used-value"] } +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgppeerconfig_v2alpha1.json +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeerConfig +metadata: + name: l3-bgp-peer-config +spec: + families: + - afi: ipv4 + safi: unicast + advertisements: + matchLabels: + advertise: bgp +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgpclusterconfig_v2alpha1.json +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPClusterConfig +metadata: + name: l3-bgp-cluster-config +spec: + nodeSelector: + matchLabels: + kubernetes.io/os: linux + bgpInstances: + - name: cilium + localASN: 64514 + peers: + - name: unifi + peerASN: 64512 + peerAddress: 192.168.1.1 + peerConfigRef: + name: l3-bgp-peer-config diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml index ae05033..04cd4ff 100644 --- a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 2.1.4 + tag: 2.1.5 url: oci://ghcr.io/stakater/charts/reloader --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 
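Review bot: The new `CiliumBGPPeerConfig` has no `authSecretRef`, so the session to `192.168.1.1` is unauthenticated and could be spoofed or reset by another host on that segment; if the router supports TCP MD5, add `authSecretRef: <BGP_AUTH_SECRET>` (placeholder) under `spec`. The `CiliumBGPAdvertisement` selector `somekey NotIn ["never-used-value"]` matches every Service, so each LoadBalancer IP created in any namespace is announced to the router. Prefer an opt-in label, e.g. `matchLabels: {<ADVERTISE_LABEL>: "true"}` (placeholder), or add a comment above the selector stating that match-all is intended.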
diff --git a/kubernetes/apps/minecraft/kustomization.yaml b/kubernetes/apps/minecraft/kustomization.yaml
new file mode 100644
index 0000000..db5c8fc
--- /dev/null
+++ b/kubernetes/apps/minecraft/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: minecraft
+components:
+ - ../../components/common
+ - ../../components/repos/app-template
+resources:
+ - ./mc-common/ks.yaml
+ - ./mc-deadly/ks.yaml
+ - ./mc-friendly/ks.yaml
+ - ./mc-router/ks.yaml
diff --git a/kubernetes/apps/minecraft/mc-common/configs/common-config.configmap.yaml b/kubernetes/apps/minecraft/mc-common/configs/common-config.configmap.yaml
new file mode 100644
index 0000000..3a3e57f
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-common/configs/common-config.configmap.yaml
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap.json
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mc-common-config-cm
+data:
+ # /data/plugins/BlueMap/core.conf
+ bluemap_core.conf: |
+ accept-download: true
+ renderThreadCount: -4
+ metrics: true
+ data: "bluemap"
+ scan-for-mod-resources: true
diff --git a/kubernetes/apps/minecraft/mc-common/configs/configmap.yaml b/kubernetes/apps/minecraft/mc-common/configs/configmap.yaml
new file mode 100644
index 0000000..5561d34
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-common/configs/configmap.yaml
@@ -0,0 +1,26 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap.json
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mc-common-cm
+data:
+ # don't update this mindlessly, check plugin compatiblity first
+ VERSION: "1.21.5"
+ # older versions are in the experimental channel
+ PAPER_CHANNEL: experimental
+ # protocol lib using dev build for 1.21 support
+ PLUGINS: |
+ https://ci.dmulloy2.net/job/ProtocolLib/lastSuccessfulBuild/artifact/build/libs/ProtocolLib.jar
+ https://github.com/oddlama/vane/releases/download/v1.18.0/vane-core-1.18.0.jar
+ https://github.com/oddlama/vane/releases/download/v1.18.0/vane-trifles-1.18.0.jar
+ https://github.com/oddlama/vane/releases/download/v1.18.0/vane-admin-1.18.0.jar
+ https://github.com/oddlama/vane/releases/download/v1.18.0/vane-enchantments-1.18.0.jar
+ https://github.com/oddlama/vane/releases/download/v1.18.0/vane-portals-1.18.0.jar
+ https://hangarcdn.papermc.io/plugins/ViaVersion/ViaVersion/versions/5.4.1/PAPER/ViaVersion-5.4.1.jar
+ https://hangarcdn.papermc.io/plugins/ViaVersion/ViaBackwards/versions/5.4.1/PAPER/ViaBackwards-5.4.1.jar
+ https://download.luckperms.net/1594/bukkit/loader/LuckPerms-Bukkit-5.5.9.jar
+ https://hangarcdn.papermc.io/plugins/jmp/TabTPS/versions/1.3.28/PAPER/tabtps-spigot-1.3.28.jar
+ https://github.com/EssentialsX/Essentials/releases/download/2.21.1/EssentialsX-2.21.1.jar
+ https://github.com/MC-Machinations/PaperTweaks/releases/download/v0.5.0/PaperTweaks.jar
+ https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v5.9/bluemap-5.9-spigot.jar
+ https://www.spigotmc.org/resources/bluemap-essentials.84365/download?version=509269
diff --git a/kubernetes/apps/minecraft/mc-common/configs/kustomization.yaml b/kubernetes/apps/minecraft/mc-common/configs/kustomization.yaml
new file mode 100644
index 0000000..55fc3cf
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-common/configs/kustomization.yaml
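Review bot: Two entries in `PLUGINS` point at mutable artifacts: the ProtocolLib `lastSuccessfulBuild` URL returns whatever the CI job built last, and the spigotmc.org `download?version=` link is not a versioned release asset. These jars run inside the server process, which in the mc-deadly and mc-friendly releases also receives `RCON_PASSWORD` from the secret, so an upstream change reaches the cluster without any commit here. Pin ProtocolLib to a tagged release, e.g. `https://github.com/dmulloy2/ProtocolLib/releases/download/<PINNED_VERSION>/ProtocolLib.jar` (placeholder), and consider mirroring the plugin jars to storage you control with recorded checksums. The comment `# protocol lib using dev build for 1.21 support` would be more useful if it said when the entry can return to a release build.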
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./configmap.yaml
+ - ./common-config.configmap.yaml
diff --git a/kubernetes/apps/minecraft/mc-common/ks.yaml b/kubernetes/apps/minecraft/mc-common/ks.yaml
new file mode 100644
index 0000000..3c618af
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-common/ks.yaml
@@ -0,0 +1,26 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app mc-common
+ namespace: &namespace minecraft
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ interval: 1m
+ path: ./kubernetes/apps/minecraft/mc-common/configs
+ postBuild:
+ substituteFrom:
+ - name: cluster-settings
+ kind: ConfigMap
+ - name: cluster-secrets
+ kind: Secret
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: *namespace
+ timeout: 5m
diff --git a/kubernetes/apps/minecraft/mc-deadly/app/helmrelease.yaml b/kubernetes/apps/minecraft/mc-deadly/app/helmrelease.yaml
new file mode 100644
index 0000000..d3beb40
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-deadly/app/helmrelease.yaml
@@ -0,0 +1,116 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app mc-deadly +spec: + interval: 1m + chartRef: + kind: OCIRepository + name: app-template + install: + remediation: + retries: -1 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controllers: + mc-deadly: + # yaml-language-server: $schema=https://raw.githubusercontent.com/itzg/minecraft-server-charts/refs/heads/master/charts/minecraft/values.schema.json + type: statefulset + replicas: 1 + strategy: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: ghcr.io/itzg/minecraft-server + tag: 2025.6.2@sha256:262e2309f7cc6b2ff0ac1458ac52c91e9bc778989543feec6588501f6dad31ef + env: + TZ: ${CLUSTER_TZ} + APP_SERVICE_PORT: &containerPort 25565 + EULA: "true" + TYPE: "PAPER" + LEVEL: "deadly" + DIFFICULTY: "easy" + MAX_PLAYERS: 10 + MODE: "survival" + MEMORY: 2048M + STOP_SERVER_ANNOUNCE_DELAY: 30 + STOP_DURATION: 60 + envFrom: + - secretRef: + name: mc-deadly-secret + - configMapRef: + name: mc-common-cm + probes: + liveness: + custom: true + spec: + command: + - mc-health + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + timeoutSeconds: 1 + readiness: + custom: true + spec: + command: + - mc-health + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 2 + timeoutSeconds: 1 + startup: + custom: true + spec: + command: + - mc-health + enabled: true + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 120 + resources: + requests: + memory: 2Gi + cpu: 1 + limits: + memory: 3Gi + service: + app: + controller: *app + type: ClusterIP + annotations: + 
"mc-router.itzg.me/externalServerName": "mc-deadly.${SECRET_DOMAIN_INT}" + ports: + minecraft: + port: *containerPort + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + persistence: + data: + enabled: true + existingClaim: mc-deadly-pvc + type: persistentVolumeClaim + config: + type: configMap + name: mc-common-config-cm + globalMounts: + - path: /data/plugins/BlueMap/core.conf + subPath: bluemap_core.conf diff --git a/kubernetes/apps/minecraft/mc-deadly/app/kustomization.yaml b/kubernetes/apps/minecraft/mc-deadly/app/kustomization.yaml new file mode 100644 index 0000000..692343c --- /dev/null +++ b/kubernetes/apps/minecraft/mc-deadly/app/kustomization.yaml @@ -0,0 +1,6 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml + - ./secret.sops.yaml diff --git a/kubernetes/apps/minecraft/mc-deadly/app/secret.sops.yaml b/kubernetes/apps/minecraft/mc-deadly/app/secret.sops.yaml new file mode 100644 index 0000000..5b9c030 --- /dev/null +++ b/kubernetes/apps/minecraft/mc-deadly/app/secret.sops.yaml 
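Review bot: The pod-level `securityContext` sets `runAsNonRoot` and UID/GID 1000, but the `app` container has no container-level settings, so privilege escalation and the runtime's default capability set remain available to a process that loads third-party plugin jars. Add under `containers.app`: `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`. The mc-friendly helmrelease.yaml later in this commit has the same gap. Separately, `install.remediation.retries: -1` retries a failing install without limit; a bounded count surfaces a broken release sooner.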
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mc-deadly-secret +stringData: + OPS: ENC[AES256_GCM,data:2QG+rZ3zLTME6A==,iv:JxQ84hQhRJcokBhVr1lYevEMgsJMOrY5IMmvPQLqlfQ=,tag:UK4nkNS79JH/taV1yEz9FQ==,type:str] + RCON_PASSWORD: ENC[AES256_GCM,data:9B2Vj3LYKKQGR58arppY,iv:dvum7ZO+6umKd/pXdQMXpKgslgUn1IMMLni81qj1BOo=,tag:KuIEofqk3+Q+oshmpSv4yg==,type:str] + MOTD: ENC[AES256_GCM,data:sVughg3g1VrirgOvDZea7krB5v6AqeTuaeuFUztiqJjjatM79SW4bQX3,iv:0g6THtBmYs/6Q8zXTeuXlXKhtEkXYGkyLn0bN1+mUNs=,tag:ca4Y/BVoO3eSX4XgH0M/MA==,type:str] +sops: + age: + - recipient: age1a68j5zasa55y39u5ecus7g4dzl3rqp0u6h6jwpuw3743cdf9dd4sykfhr4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTa05FRElQMlVTMXNFSXNt + NXp1Q0MwdnBlOFhYeUpYSzhsRFQ4cG5rd3hBCmdhRGtRMXRLTVhVcWpyVDBFVXBv + b1hwUFNJK2EzdlFhY2Vaa3kvZE1nNlkKLS0tIDJwaGxrT24wTGsvVENqTmpYcWFY + UTNGNnlSWkVScGlJUHlyQ3o0YU8xREEK11Sv8GQrH1M9bFCnD4p5ccH0nSje1DQB + NsfHEuZUHXSPmEcjwkPgiirMHXWTkwkVinbCEYPaDFMkusTiSAYKOw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-18T02:08:36Z" + mac: ENC[AES256_GCM,data:XQzI2dWZs+Ktd0UC5ucNUmH13dA67Q57UudNYzzGG+QmjgMQL7x/7OVKQ+lyfPopEGW5xrTKhhXtpde0wC5+WgC6oUi0iRN3s2c1z3whqWEM41ytRYTmKpwpppcX43u5dtCgO/qyS1AXsncdtOm2E0TmK8gMfFrzsDbpiUE2+ok=,iv:1ObcAwrHkArdTXrF8hGDKnVorLtBBsiqF9CNpDc3gEs=,tag:UQ5eJt/nfhvjN3tijE5MGg==,type:str] + encrypted_regex: ^(data|stringData)$ + mac_only_encrypted: true + version: 3.10.2 diff --git a/kubernetes/apps/minecraft/mc-deadly/ks.yaml b/kubernetes/apps/minecraft/mc-deadly/ks.yaml new file mode 100644 index 0000000..8bc41d5 --- /dev/null +++ b/kubernetes/apps/minecraft/mc-deadly/ks.yaml 
@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app mc-deadly
+ namespace: &namespace minecraft
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: mc-common
+ namespace: *namespace
+ interval: 1m
+ path: ./kubernetes/apps/minecraft/mc-deadly/app
+ postBuild:
+ substituteFrom:
+ - name: cluster-settings
+ kind: ConfigMap
+ - name: cluster-secrets
+ kind: Secret
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: *namespace
+ timeout: 5m
diff --git a/kubernetes/apps/minecraft/mc-friendly/app/helmrelease.yaml b/kubernetes/apps/minecraft/mc-friendly/app/helmrelease.yaml
new file mode 100644
index 0000000..9ae68a6
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-friendly/app/helmrelease.yaml
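Review bot: This Kustomization's `path` contains `secret.sops.yaml`, but `spec` has no `decryption` block, so unless one is patched in by a parent Kustomization outside this diff, kustomize-controller will not decrypt `mc-deadly-secret`. If it is not injected elsewhere, add `decryption: {provider: sops, secretRef: {name: <SOPS_AGE_SECRET>}}` (placeholder name) under `spec`. The mc-friendly ks.yaml later in this commit has the same shape.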
@@ -0,0 +1,138 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app mc-friendly +spec: + interval: 1m + chartRef: + kind: OCIRepository + name: app-template + install: + remediation: + retries: -1 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controllers: + mc-friendly: + # yaml-language-server: $schema=https://raw.githubusercontent.com/itzg/minecraft-server-charts/refs/heads/master/charts/minecraft/values.schema.json + type: statefulset + replicas: 1 + strategy: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: ghcr.io/itzg/minecraft-server + tag: 2025.6.2@sha256:262e2309f7cc6b2ff0ac1458ac52c91e9bc778989543feec6588501f6dad31ef + env: + TZ: ${CLUSTER_TZ} + APP_SERVICE_PORT: &containerPort 25565 + EULA: "true" + TYPE: "PAPER" + LEVEL: "friendly" + DIFFICULTY: "easy" + MAX_PLAYERS: 10 + MODE: "creative" + MEMORY: 2048M + ALLOW_FLIGHT: "true" + STOP_SERVER_ANNOUNCE_DELAY: 30 + STOP_DURATION: 60 + envFrom: + - secretRef: + name: mc-friendly-secret + - configMapRef: + name: mc-common-cm + probes: + liveness: + custom: true + spec: + command: + - mc-health + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + timeoutSeconds: 1 + readiness: + custom: true + spec: + command: + - mc-health + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 2 + timeoutSeconds: 1 + startup: + custom: true + spec: + command: + - mc-health + enabled: true + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 120 + resources: + requests: + memory: 2Gi + cpu: 1 + limits: + memory: 3Gi + ingress: + app: + enabled: true + className: internal + 
hosts: + - host: &host "mc-friendly-map.${SECRET_DOMAIN_INT}" + paths: + - path: / + service: + identifier: map + port: http + service: + app: + controller: *app + forceRename: *app + type: ClusterIP + annotations: + "mc-router.itzg.me/externalServerName": "mc-friendly.${SECRET_DOMAIN_INT}" + ports: + minecraft: + port: *containerPort + map: + controller: *app + type: ClusterIP + ports: + http: + port: 8100 + targetPort: 8100 + protocol: TCP + + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + persistence: + data: + enabled: true + existingClaim: mc-friendly-pvc + type: persistentVolumeClaim + config: + type: configMap + name: mc-common-config-cm + globalMounts: + - path: /data/plugins/BlueMap/core.conf + subPath: bluemap_core.conf diff --git a/kubernetes/apps/minecraft/mc-friendly/app/kustomization.yaml b/kubernetes/apps/minecraft/mc-friendly/app/kustomization.yaml new file mode 100644 index 0000000..692343c --- /dev/null +++ b/kubernetes/apps/minecraft/mc-friendly/app/kustomization.yaml @@ -0,0 +1,6 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml + - ./secret.sops.yaml diff --git a/kubernetes/apps/minecraft/mc-friendly/app/secret.sops.yaml b/kubernetes/apps/minecraft/mc-friendly/app/secret.sops.yaml new file mode 100644 index 0000000..819d6f1 --- /dev/null +++ b/kubernetes/apps/minecraft/mc-friendly/app/secret.sops.yaml 
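Review bot: The `map` ingress declares `host: &host "mc-friendly-map.${SECRET_DOMAIN_INT}"`, but the anchor is never referenced and there is no `tls` block, so TLS for the BlueMap web UI depends entirely on the ingress controller's defaults. If a certificate is expected for this host, add `tls: [{hosts: [*host]}]` under `ingress.app`. Unlike the miniflux ingress changed in this commit, it also carries no Authelia `auth-url` annotations; if the map should not be readable by everyone who can reach the `internal` class, add them, otherwise a short comment stating that it is intentionally open would help.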
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mc-friendly-secret +stringData: + OPS: ENC[AES256_GCM,data:QIlrR0oQz4ENpw==,iv:m30T05/KLSjn9lOGqUlU9y1LR+nCNl2tFOd1nbxsMDk=,tag:mZowK9DhbBHhYwTXcBYFkw==,type:str] + RCON_PASSWORD: ENC[AES256_GCM,data:eO+RmsgopZWMVaKOaoir,iv:r6u1HgkhbvkHqUSACs48X9oyG0oa/tYa0MgIB35gJRs=,tag:btvstIJKA3MQf0Yt7NXe+w==,type:str] + MOTD: ENC[AES256_GCM,data:tjKuEKoXDUXIfvTy/LZEcbLcfeiQbCb9aHpg8oMpFIFuaw2TnzTeQSV5Vv6vhAen4DgvCTBzFLApGyqoAqy3fYXLUZjqFwDfHtgZNmd11F6BhQ==,iv:e4LmFIOoKY6hMjatpS31wJgI8G/CZFeTK9EZMjtYKaU=,tag:lFT6W6iUkG9E5j6pMJR+Ng==,type:str] +sops: + age: + - recipient: age1a68j5zasa55y39u5ecus7g4dzl3rqp0u6h6jwpuw3743cdf9dd4sykfhr4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSlZJMlVVVy9GZG9SalF2 + bHRBbm5IUEd0SUlJY0c0aHZvcmI5ZmNnWm5nCnNvallDMXpnRC9DNHlSWkIzUjli + eGhOeGRRc1NnUnA2VlpIVWNZblpCRTAKLS0tIGpNWDdOOUxBKzYvRmR5MzhrRHBD + YnVFT3dEK2pURWxyQUY0ZEZOZk4rbWsKFQZNVZQ7rjJAwre0mVk4QSI/CUkQ5WrH + sWVW6Beh59JWPZcDk2/X3izBk8kr5o3T8PTUOOaZEWcB1t8OHqN17A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-19T03:24:23Z" + mac: ENC[AES256_GCM,data:ULL9qPeB7ODxgTiEOTl0KRGzfZrQL+kav4xFeeOYo+Ag/RTDC4+9y45Kn5HK5z/Eitf/JUZPMjpBZZiSgK0Kn9SabDvJJOJco5U1ctUyhME54j/VhoDxfpEm4qPW0Ftel2ZlVHJUQm3AINP1hX8JJ3/f2xGKzc1FjRJJZXeZn4g=,iv:M6FGHkrrJ7LTVt1RySf2CjnE482n5kZtM9xcPkWciP0=,tag:GO6eQmLmwmC23vR1BgCS5Q==,type:str] + encrypted_regex: ^(data|stringData)$ + mac_only_encrypted: true + version: 3.10.2 diff --git a/kubernetes/apps/minecraft/mc-friendly/ks.yaml b/kubernetes/apps/minecraft/mc-friendly/ks.yaml new file mode 100644 index 0000000..5685c3c --- /dev/null +++ b/kubernetes/apps/minecraft/mc-friendly/ks.yaml 
@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app mc-friendly
+ namespace: &namespace minecraft
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: mc-common
+ namespace: *namespace
+ interval: 1m
+ path: ./kubernetes/apps/minecraft/mc-friendly/app
+ postBuild:
+ substituteFrom:
+ - name: cluster-settings
+ kind: ConfigMap
+ - name: cluster-secrets
+ kind: Secret
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: *namespace
+ timeout: 5m
diff --git a/kubernetes/apps/minecraft/mc-router/app/helmrelease.yaml b/kubernetes/apps/minecraft/mc-router/app/helmrelease.yaml
new file mode 100644
index 0000000..ddae86a
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-router/app/helmrelease.yaml
@@ -0,0 +1,97 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app mc-router
+ namespace: &namespace minecraft
+spec:
+ interval: 1m
+ chartRef:
+ kind: OCIRepository
+ name: app-template
+ install:
+ timeout: 2m
+ remediation:
+ retries: -1
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ serviceAccount:
+ mc-router:
+ enabled: true
+ controllers:
+ mc-router:
+ replicas: 1
+ strategy: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ maxSurge: 1
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: ghcr.io/itzg/mc-router
+ tag: 1.33.0
+ env:
+ TZ: ${CLUSTER_TZ}
+ APP_SERVICE_PORT: &containerPort 25565
+ IN_KUBE_CLUSTER: "true"
+ AUTO_SCALE_UP: "true"
+ AUTO_SCALE_DOWN: "true"
+ AUTO_SCALE_DOWN_AFTER: 15m
+ KUBE_NAMESPACE: *namespace
+ resources:
+ requests:
+ memory: 64M
+ cpu: 250m
+ limits:
+ memory: 256M
+ serviceAccount:
+ identifier: mc-router
+ service:
+ minecraft:
+ controller: *app
+ type: LoadBalancer
+ annotations:
+ lbipam.cilium.io/ips: "192.168.1.85"
+ external-dns.alpha.kubernetes.io/hostname: "mc-router.${SECRET_DOMAIN_INT},mc-deadly.${SECRET_DOMAIN_INT},mc-friendly.${SECRET_DOMAIN_INT}"
+ ports:
+ minecraft:
+ port: *containerPort
+ targetPort: *containerPort
+ protocol: TCP
+ api:
+ controller: *app
+ type: ClusterIP
+ ports:
+ api:
+ port: &apiPort 8080
+ protocol: TCP
+ targetPort: 8080
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ probes:
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ initialDelaySeconds: 30
+ failureThreshold: 5
+ healthyThreshold: 1
+ periodSeconds: 10
+ httpGet: &probe
+ path: /routes
+ port: *apiPort
+ scheme: HTTP
+ httpHeaders:
+ - name: Accept
+ value: application/json
diff --git a/kubernetes/apps/minecraft/mc-router/app/kustomization.yaml b/kubernetes/apps/minecraft/mc-router/app/kustomization.yaml
new file mode 100644
index 0000000..3a7f22e
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-router/app/kustomization.yaml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./role.yaml
diff --git a/kubernetes/apps/minecraft/mc-router/app/role.yaml b/kubernetes/apps/minecraft/mc-router/app/role.yaml
new file mode 100644
index 0000000..eb3dad4
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-router/app/role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mc-router
+rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["watch", "list"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets", "statefulsets/scale"]
+ verbs: ["watch", "list", "get", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mc-router
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mc-router
+subjects:
+ - kind: ServiceAccount
+ name: mc-router
+ namespace: minecraft
diff --git a/kubernetes/apps/minecraft/mc-router/app/role.yaml.old b/kubernetes/apps/minecraft/mc-router/app/role.yaml.old
new file mode 100644
index 0000000..9cdd088
--- /dev/null
+++ b/kubernetes/apps/minecraft/mc-router/app/role.yaml.old
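Review bot: The `app` container in the mc-router HelmRelease has no container-level `securityContext`; only the pod-level `runAsNonRoot`/`runAsUser`/`fsGroup` settings under `defaultPodOptions` are set, although this pod is published through a `LoadBalancer` Service and runs with a service account that can modify StatefulSets. I would add a container `securityContext` that disables privilege escalation, drops all capabilities and makes the root filesystem read-only (the last one is worth verifying against the image), as sketched below. The image is referenced as `tag: 1.33.0` only; appending the digest, `tag: 1.33.0@sha256:<digest>`, would make the deployed artifact immutable. Separately, `healthyThreshold` under the readiness `spec` is not a Kubernetes probe field, and `successThreshold: 1` is presumably what was meant.

```yaml
        containers:
          app:
            # … unchanged: image, env, resources …
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop: ["ALL"]
```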
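Review bot: The second rule of the Role in role.yaml grants `update` on `statefulsets` itself and not only on `statefulsets/scale`, so the mc-router service account may rewrite the whole spec of every StatefulSet in the namespace, which is far more than the scale up/down the router is configured for. If the router only scales through the scale subresource (worth confirming against its client calls), split the rule so that `statefulsets` keeps read verbs and `update` is granted on `statefulsets/scale` alone, as below. role.yaml.old, added in the same commit, carries the identical rule plus a ServiceAccount subject without `namespace`; it is not listed in kustomization.yaml, so dropping that file would avoid a stale RBAC definition being picked up later.

```yaml
rules:
  # … unchanged: services rule …
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["apps"]
    resources: ["statefulsets/scale"]
    verbs: ["get", "update"]
```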
@@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mc-router +rules: + - apiGroups: [""] + resources: ["services"] + verbs: ["watch", "list"] + - apiGroups: ["apps"] + resources: ["statefulsets", "statefulsets/scale"] + verbs: ["watch", "list", "get", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mc-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mc-router +subjects: + - kind: ServiceAccount + name: mc-router diff --git a/kubernetes/apps/minecraft/mc-router/ks.yaml b/kubernetes/apps/minecraft/mc-router/ks.yaml new file mode 100644 index 0000000..e116f6a --- /dev/null +++ b/kubernetes/apps/minecraft/mc-router/ks.yaml @@ -0,0 +1,26 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app mc-router + namespace: &namespace minecraft +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 1m + path: ./kubernetes/apps/minecraft/mc-router/app + postBuild: + substituteFrom: + - name: cluster-settings + kind: ConfigMap + - name: cluster-secrets + kind: Secret + prune: true + retryInterval: 2m + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: *namespace + timeout: 5m diff --git a/kubernetes/apps/network/external/cloudflared/helmrelease.yaml b/kubernetes/apps/network/external/cloudflared/helmrelease.yaml index d8e9410..6143db5 100644 --- a/kubernetes/apps/network/external/cloudflared/helmrelease.yaml +++ b/kubernetes/apps/network/external/cloudflared/helmrelease.yaml @@ -26,7 +26,7 @@ spec: app: image: repository: docker.io/cloudflare/cloudflared - tag: 2025.6.1 + tag: 2025.7.0 env: NO_AUTOUPDATE: true TUNNEL_METRICS: 0.0.0.0:8080 
diff --git a/kubernetes/apps/network/external/external-dns/helmrelease.yaml b/kubernetes/apps/network/external/external-dns/helmrelease.yaml index 29a8b32..8dc037a 100644 --- a/kubernetes/apps/network/external/external-dns/helmrelease.yaml +++ b/kubernetes/apps/network/external/external-dns/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: external-dns - version: 1.16.1 + version: 1.17.0 sourceRef: kind: HelmRepository name: external-dns @@ -25,6 +25,8 @@ spec: strategy: rollback retries: 3 values: + image: + tag: v0.18.0 fullnameOverride: *app provider: name: cloudflare diff --git a/kubernetes/apps/network/external/ingress-nginx/helmrelease.yaml b/kubernetes/apps/network/external/ingress-nginx/helmrelease.yaml index f4e860c..2bb766e 100644 --- a/kubernetes/apps/network/external/ingress-nginx/helmrelease.yaml +++ b/kubernetes/apps/network/external/ingress-nginx/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.12.3 + version: 4.13.0 sourceRef: kind: HelmRepository name: ingress-nginx diff --git a/kubernetes/apps/network/internal/ingress-nginx/helmrelease.yaml b/kubernetes/apps/network/internal/ingress-nginx/helmrelease.yaml index 1ed09a4..43da4b1 100644 --- a/kubernetes/apps/network/internal/ingress-nginx/helmrelease.yaml +++ b/kubernetes/apps/network/internal/ingress-nginx/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.12.3 + version: 4.13.0 sourceRef: kind: HelmRepository name: ingress-nginx diff --git a/kubernetes/apps/network/internal/internal-dns/helmrelease.yaml b/kubernetes/apps/network/internal/internal-dns/helmrelease.yaml index 424b927..76a55c1 100644 --- a/kubernetes/apps/network/internal/internal-dns/helmrelease.yaml +++ b/kubernetes/apps/network/internal/internal-dns/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: external-dns - version: 1.15.2 + version: 1.17.0 sourceRef: kind: HelmRepository name: external-dns 
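Review bot: The added `image.tag: v0.18.0` override in the external-dns `values` detaches the running image from whatever the 1.17.0 chart ships by default, and it stays in force on later chart bumps, so the controller can silently fall behind upstream fixes. If the override is deliberate, record why next to it, e.g. `# pinned ahead of chart default; remove once the chart ships this version`. Since this controller runs with DNS provider credentials (`provider.name: cloudflare`), pinning the digest as well, `tag: v0.18.0@sha256:<digest>`, would keep the tag from being re-pointed. The same override is added in the second internal-dns hunk further down.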
@@ -28,6 +28,8 @@ spec: - kind: ConfigMap name: internal-dns-values values: + image: + tag: v0.18.0 fullnameOverride: *app env: - name: EXTERNAL_DNS_RFC2136_KERBEROS_USERNAME diff --git a/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml index 62f92a1..a84ed7c 100644 --- a/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 0.15.3 + tag: 0.15.4 url: oci://ghcr.io/prometheus-community/charts/prometheus-smartctl-exporter --- # yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json diff --git a/kubernetes/apps/observability/snmp-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/snmp-exporter/app/helmrelease.yaml index 5e3668e..c85719a 100644 --- a/kubernetes/apps/observability/snmp-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/observability/snmp-exporter/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 9.4.0 + tag: 9.5.0 url: oci://ghcr.io/prometheus-community/charts/prometheus-snmp-exporter --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json diff --git a/kubernetes/apps/observability/victoria-metrics/app/smartctl.vmstaticscrape.yaml b/kubernetes/apps/observability/victoria-metrics/app/smartctl.vmstaticscrape.yaml index 6e08ccf..964cb5d 100644 --- a/kubernetes/apps/observability/victoria-metrics/app/smartctl.vmstaticscrape.yaml +++ b/kubernetes/apps/observability/victoria-metrics/app/smartctl.vmstaticscrape.yaml 
@@ -7,6 +7,8 @@ spec: targetEndpoints: - targets: - "proxmox.${SECRET_DOMAIN_INT}:9633/metrics" + - "proxmox2.${SECRET_DOMAIN_INT}:9633/metrics" + - "rpi2.${SECRET_DOMAIN_INT}:9633/metrics" scrape_interval: 2m relabelConfigs: - source_labels: [__address__] @@ -14,6 +16,12 @@ spec: target_label: instance regex: "([A-Za-z0-9.-]*).*" replacement: $1 + - source_labels: [device] + action: replace + target_label: device + regex: "bus_(\\d+)_sat.*_(\\d+)" + replacement: "bus_${1}_sas_${2}" + metadata: name: *jobName namespace: observability diff --git a/kubernetes/components/repos/app-template/ocirepository.yaml b/kubernetes/components/repos/app-template/ocirepository.yaml index e921b52..03a4127 100644 --- a/kubernetes/components/repos/app-template/ocirepository.yaml +++ b/kubernetes/components/repos/app-template/ocirepository.yaml @@ -10,7 +10,7 @@ spec: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 4.1.1 + tag: 4.1.2 url: oci://ghcr.io/bjw-s-labs/helm/app-template verify: provider: cosign
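Review bot: The new `replacement: "bus_${1}_sas_${2}"` in the second smartctl.vmstaticscrape.yaml hunk uses the `${...}` form that Flux post-build substitution also consumes. This file already relies on that substitution for `${SECRET_DOMAIN_INT}`, so, assuming it is rendered through a Kustomization with `postBuild`, `${1}` and `${2}` are likely to be expanded to empty strings or rejected before the manifest reaches the cluster, and the relabel rule would not produce the intended `device` label. Escaping them as `replacement: "bus_$${1}_sas_$${2}"` keeps the literal capture-group references. The existing `replacement: $1` above it is unaffected because it has no braces.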