Update k8s/apps/gitea/deployment.yaml

Reviewed-on: #1

k8s/apps/gitea/deployment.yaml

@@ -30,6 +30,20 @@ spec:
       containers:
         - name: gitea
           image: 'gitea/gitea:latest'
+          env:
+            - name: GITEA__service__REGISTER_MANUAL_CONFIRM
+              value: "true"
+            - name: GITEA__service__ENABLE_CAPTCHA
+              value: "false"
+            - name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
+              value: "true"
+            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
+              value: "true"
+            - name: GITEA__service__CAPTCHA_TYPE
+              value: "hcaptcha"
+          envFrom:
+          - secretRef:
+              name: gitea-recapcha-creds
           ports:
             - name: http
               containerPort: 3000
@@ -56,19 +70,23 @@ spec:
         app: gitea-runner
     spec:
       nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
+        kubernetes.io/hostname: home.homenet
       volumes:
         - name: docker-sock
           hostPath:
-            #path: /var/run/k3s/containerd/containerd.sock
             path: /var/run/docker.sock
             type: Socket
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: gitea-runner-pvc
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
           volumeMounts:
             - name: docker-sock
               mountPath: /var/run/docker.sock
+            - name: runner-data
+              mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
               value: "https://gt.hexor.cy"
@@ -82,3 +100,16 @@ spec:
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
 
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-runner-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: local-path
+

k8s/apps/gitea/external-secrets.yaml

@@ -23,3 +23,37 @@ spec:
         key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
         property: login.password
 
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-recapcha-creds
+spec:
+  refreshInterval: 1m
+  target:
+    name: gitea-recapcha-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        GITEA__service__HCAPTCHA_SITEKEY: |-
+          {{ .HCAPTCHA_SITEKEY }}
+        GITEA__service__HCAPTCHA_SECRET: |-
+          {{ .HCAPTCHA_SECRET }}
+  data:
+    - secretKey: HCAPTCHA_SITEKEY
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
+        property: login.username
+    - secretKey: HCAPTCHA_SECRET
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
+        property: login.password

k8s/apps/immich/deployments.yaml

@@ -14,53 +14,78 @@ spec:
         app: immich-server
     spec:
       containers:
-        - name: immich-server
-          image: ghcr.io/immich-app/immich-server:release
-          ports:
-            - containerPort: 2283
-          env:
-            - name: UPLOAD_LOCATION
-              value: /usr/src/app/upload
-            - name: DB_PASSWORD
-              value: postgres
-            - name: DB_USERNAME
-              value: postgres
-            - name: DB_DATABASE_NAME
-              value: immich
-            - name: REDIS_HOST
-              value: redis
-            - name: REDIS_PORT
-              value: "6379"
-            - name: TZ
-              value: Asia/Nicosia
-          volumeMounts:
-            - mountPath: /usr/src/app/upload
-              name: upload-storage
-            - mountPath: /GPHOTO
-              name: gphoto-storage
-            - mountPath: /etc/localtime
-              name: localtime
-              readOnly: true
-      nodeSelector:
-        kubernetes.io/hostname: nas.homenet
+      - name: immich-server
+        image: ghcr.io/immich-app/immich-server:release
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 2283
+        env:
+        - name: UPLOAD_LOCATION
+          value: /usr/src/app/upload
+        - name: DB_URL
+          value: postgresql://postgres:postgres@immich-rw.immich:5432/immich
+        - name: REDIS_HOST
+          value: redis
+        - name: REDIS_PORT
+          value: "6379"
+        - name: TZ
+          value: Asia/Nicosia
+        volumeMounts:
+        - mountPath: /usr/src/app/upload
+          name: upload-storage
+        - mountPath: /GPHOTO
+          name: gphoto-storage
+        - mountPath: /Camera
+          name: camera
+        - mountPath: /etc/localtime
+          name: localtime
+          readOnly: true
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+                - nas.homenet
       volumes:
-        - name: upload-storage
-          persistentVolumeClaim:
-            claimName: immich-upload-pvc
-        - name: gphoto-storage
-          persistentVolumeClaim:
-            claimName: immich-gphoto-pvc
-        - name: localtime
-          hostPath:
-            path: /etc/localtime
-            type: File
+      - name: upload-storage
+        nfs:
+          server: nas.homenet
+          path: /mnt/storage/Storage/k8s/immich/library/
+          readOnly: false
+      - name: gphoto-storage
+        nfs:
+          server: nas.homenet
+          path: /mnt/storage/Storage/k8s/immich/GPHOTO/
+          readOnly: false
+      - name: camera
+        nfs:
+          server: nas.homenet
+          path: /mnt/storage/Storage/Photos/Phone/
+          readOnly: true
+      - name: localtime
+        hostPath:
+          path: /etc/localtime
+          type: File
+
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: immich-machine-learning
 spec:
-  replicas: 1
+  replicas: 4
   selector:
     matchLabels:
       app: immich-ml
@@ -69,20 +94,68 @@ spec:
       labels:
         app: immich-ml
     spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                  - home.homenet
+                  - master.tail2fe2d.ts.net
+                  - nas.homenet
+
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 4
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+          - weight: 6
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - master.tail2fe2d.ts.net
+          - weight: 1
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+
+      topologySpreadConstraints:
+      - maxSkew: 2
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app: immich-ml
       containers:
-        - name: immich-ml
-          image: ghcr.io/immich-app/immich-machine-learning:release
-          env:
-            - name: TZ
-              value: Asia/Nicosia
-          volumeMounts:
-            - mountPath: /cache
-              name: model-cache
-      nodeSelector:
-        kubernetes.io/hostname: nas.homenet
+      - name: immich-ml
+        image: ghcr.io/immich-app/immich-machine-learning:release
+        imagePullPolicy: Always
+        env:
+        - name: TZ
+          value: Asia/Nicosia
+        - name: IMMICH_MACHINE_LEARNING_MODEL_FACE
+          value: buffalo_l
+        - name: IMMICH_MACHINE_LEARNING_MODEL_CLIP
+          value: ViT-L/14
+        - name: IMMICH_MACHINE_LEARNING_USE_GPU
+          value: "true"
+        volumeMounts:
+        - mountPath: /cache
+          name: model-cache
       volumes:
-        - name: model-cache
-          emptyDir: {}
+      - name: model-cache
+        emptyDir: {}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -106,60 +179,3 @@ spec:
               command: ["redis-cli", "ping"]
       nodeSelector:
         kubernetes.io/hostname: nas.homenet
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: database
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: database
-  template:
-    metadata:
-      labels:
-        app: database
-    spec:
-      securityContext:
-        fsGroup: 999
-      containers:
-        - name: immich-postgres
-          image: tensorchord/pgvecto-rs:pg14-v0.2.0
-          securityContext:
-            runAsUser: 999
-            runAsGroup: 999
-          env:
-            - name: POSTGRES_PASSWORD
-              value: postgres
-            - name: POSTGRES_USER
-              value: postgres
-            - name: POSTGRES_DB
-              value: immich
-            - name: POSTGRES_INITDB_ARGS
-              value: '--data-checksums'
-            - name: TZ
-              value: Asia/Nicosia
-          command: ["postgres"]
-          args:
-            - "-c"
-            - "shared_preload_libraries=vectors.so"
-            - "-c"
-            - "search_path='\"$user\", public, vectors'"
-            - "-c"
-            - "logging_collector=on"
-            - "-c"
-            - "max_wal_size=2GB"
-            - "-c"
-            - "shared_buffers=512MB"
-            - "-c"
-            - "wal_compression=on"
-          volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: db-storage
-      nodeSelector:
-        kubernetes.io/hostname: nas.homenet
-      volumes:
-        - name: db-storage
-          persistentVolumeClaim:
-            claimName: immich-db-pvc

k8s/apps/immich/service.yaml

@@ -97,6 +97,24 @@ spec:
                 name: immich-server
                 port:
                   number: 2283
+  tls:
+    - secretName: immich-tls
+      hosts:
+        - photos.hexor.cy
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: immich-homenet-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: hexor-lab
+    traefik.ingress.kubernetes.io/router.middlewares: |
+      kube-system-https-redirect@kubernetescrd, immich-upload-buffering@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
     - host: photos.homenet
       http:
         paths:
@@ -108,7 +126,6 @@ spec:
                 port:
                   number: 2283
   tls:
-    - secretName: immich-tls
+    - secretName: immich-homenet-tls
       hosts:
-        - photos.hexor.cy
         - photos.homenet

k8s/apps/jellyfin/qbittorent.yaml

@@ -54,7 +54,7 @@ spec:
             type: DirectoryOrCreate
         - name: media
           hostPath:
-            path: /k8s/jellyfin/media
+            path: /k8s/media/downloads
             type: DirectoryOrCreate
       containers:
         - name: qbittorrent

k8s/apps/jellyfin/values.yaml

@@ -15,7 +15,7 @@ persistence:
     isPvc: false
     customVolume:
       hostPath:
-        path: /k8s/jellyfin/media
+        path: /k8s/media/downloads
         type: DirectoryOrCreate
 
 ingress:

k8s/apps/khm/deployment.yaml

@@ -22,11 +22,12 @@ spec:
       containers:
         - name: khm
           image: 'ultradesu/khm:latest'
+          imagePullPolicy: Always
           command:
             - /bin/sh
             - -c
             - |
-              /usr/local/bin/khm --server --db-user=${PG_USER} --db-password=${PG_PASS} --flows=default --db-host=psql.psql.svc --ip=0.0.0.0
+              /usr/local/bin/khm --server --db-user=${PG_USER} --db-password=${PG_PASS} --flows=private,work --db-host=psql.psql.svc --ip=0.0.0.0
           env:
             - name: PG_USER
               valueFrom:

k8s/apps/paperless/gotenberg-values.yaml

@@ -0,0 +1,20 @@
+replicaCount: 1
+
+image:
+  repository: gotenberg/gotenberg
+  tag: "8"
+
+nodeSelector:
+  kubernetes.io/hostname: nas.homenet
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+
+service:
+  type: ClusterIP
+  port: 3000

k8s/apps/paperless/kustomization.yaml

@@ -11,6 +11,20 @@ helmCharts:
     version: 0.24.1
     releaseName: paperless-ngx
     namespace: paperless
-    valuesFile: values.yaml
+    valuesFile: paperless-values.yaml
+    includeCRDs: true
+  - name: tika
+    repo: https://apache.jfrog.io/artifactory/tika
+    version: 2.9.0
+    releaseName: apache-tika
+    namespace: paperless
+    valuesFile: tika-values.yaml
+    includeCRDs: true
+  - name: gotenberg
+    repo: https://maikumori.github.io/helm-charts
+    version: 1.12.0
+    releaseName: gotenberg
+    namespace: paperless
+    valuesFile: gotenberg-values.yaml
     includeCRDs: true
 

k8s/apps/paperless/paperless-values.yaml

@@ -1,11 +1,11 @@
 image:
-  tag: 2.15.1
+  tag: 2.15.3
 initContainers:
   install-tesseract-langs:
     image: ghcr.io/paperless-ngx/paperless-ngx:2.15.1
     command: ["/bin/sh", "-c"]
     args:
-      - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/
+      - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-jpn tesseract-ocr-chi-sim tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/
     volumeMounts:
       - name: tessdata
         mountPath: /custom-tessdata
@@ -15,9 +15,13 @@ env:
   TZ: Asia/Nicosia
   PAPERLESS_URL: https://docs.hexor.cy
   PAPERLESS_ALLOWED_HOSTS: docs.hexor.cy
+  PAPERLESS_REDIS: redis://:NOTSECUREBUTMAYBELOCAL@paperless-ngx-redis-master
   PAPERLESS_CSRF_TRUSTED_ORIGINS: https://idm.hexor.cy
-  PAPERLESS_OCR_LANGUAGE: "eng+rus+ell"
+  PAPERLESS_OCR_LANGUAGE: "eng+rus+ell+jpn+chi_sim"
   TESSDATA_PREFIX: /custom-tessdata
+  PAPERLESS_TIKA_ENABLED: "1"
+  PAPERLESS_TIKA_GOTENBERG_ENDPOINT: "http://gotenberg.paperless.svc:3000"
+  PAPERLESS_TIKA_ENDPOINT: "http://apache-tika.paperless.svc:9998"
   PAPERLESS_DBENGINE: postgresql
   PAPERLESS_DBHOST: psql-nas.psql.svc
   PAPERLESS_DBPORT: "5432"
@@ -87,6 +91,17 @@ persistence:
     hostPath: /mnt/storage/Storage/k8s/paperless/consume
     globalMounts:
       - path: /usr/src/paperless/consume
+redis:
+  enabled: true
+  master:
+    nodeSelector:
+      kubernetes.io/hostname: nas.homenet
+  replica:
+    nodeSelector:
+      kubernetes.io/hostname: nas.homenet
+  global:
+    redis:
+      password: "NOTSECUREBUTMAYBELOCAL"
 postgresql:
   enabled: false
 mariadb:

k8s/apps/paperless/tika-values.yaml

@@ -0,0 +1,20 @@
+replicaCount: 1
+
+image:
+  repository: apache/tika
+  tag: "latest"
+
+nodeSelector:
+  kubernetes.io/hostname: nas.homenet
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+service:
+  type: ClusterIP
+  port: 9998

k8s/apps/qbittorent-nas/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: qbittorent-nas
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: qbittorent-nas
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/qbittorent-nas
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/apps/qbittorent-nas/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - qbittorent.yaml

k8s/apps/qbittorent-nas/qbittorent.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorent-nas
+  labels:
+    app: qbittorent-nas
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  selector:
+    matchLabels:
+      app: qbittorent-nas
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: qbittorent-nas
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: nas.homenet
+      volumes:
+        - name: config
+          hostPath:
+            path: /mnt/storage/Storage/configs/qbittorrent
+            type: DirectoryOrCreate
+        - name: media
+          hostPath:
+            path: /mnt/storage/Storage/Donwloads
+            type: DirectoryOrCreate
+      containers:
+        - name: qbittorrent
+          image: 'linuxserver/qbittorrent:latest'
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: media
+              mountPath: /downloads
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorent-nas
+spec:
+  type: NodePort
+  selector:
+    app: qbittorent-nas
+  ports:
+    - port: 8080
+      targetPort: 8080
+      nodePort: 31337
+      protocol: TCP

k8s/apps/rustdesk/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rustdesk
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: rustdesk
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/rustdesk
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/apps/rustdesk/external-secrets.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgres-creds
+spec:
+  target:
+    name: postgres-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        psql_user: paperless
+        psql_pass: |-
+          {{ .psql_pass }}
+        oauth_config: |-
+          {
+            "openid_connect": {
+              "APPS": [
+                {
+                  "provider_id": "authentik",
+                  "name": "Authentik",
+                  "client_id": "{{ .oauth_id }}",
+                  "secret": "{{ .oauth_secret }}",
+                  "settings": {
+                    "server_url": "{{ .server_url }}"
+                  }
+                }
+              ],
+              "OAUTH_PKCE_ENABLED": "True"
+            }
+          }
+  data:
+    - secretKey: psql_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[5].value
+    - secretKey: oauth_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[0].value
+    - secretKey: oauth_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[1].value
+    - secretKey: server_url
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[2].value
+

k8s/apps/rustdesk/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  #- external-secrets.yaml
+
+helmCharts:
+  - name: rustdesk-server-oss
+    repo: https://schich.tel/helm-charts
+    version: 0.2.2
+    releaseName: rustdesk
+    namespace: rustdesk
+    valuesFile: values.yaml
+    includeCRDs: true
+

k8s/apps/rustdesk/values.yaml

@@ -0,0 +1,87 @@
+replicaCount: 1
+
+image:
+  repository: docker.io/rustdesk/rustdesk-server
+  pullPolicy: IfNotPresent
+  tag: 1
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+ingress:
+  enabled: true
+  className: "traefik"
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+  hosts:
+  - rd.hexor.cy
+  tls:
+    - secretName: rustdesk-tls
+      hosts:
+        - rd.hexor.cy
+
+service:
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  loadBalancerIP: null
+  enableWebClientSupport: false
+  hbbr:
+    replayPort:
+      port: 21117
+      targetPort: 21117
+    clientPort:
+      port: 21119
+      targetPort: 21119
+  hbbs:
+    natPort:
+      port: 21115
+      targetPort: 21115
+    registryPort:
+      port: 21116
+      targetPort: 21116
+    heartbeatPort:
+      port: 21116
+      targetPort: 21116
+    webPort:
+      port: 21118
+      targetPort: 21118
+
+resources:
+  hbbrResource: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  hbbsResource: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+  # Additional volumes on the output Deployment definition.
+volume: {}
+
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+

k8s/apps/sonarr-stack/bazarr-values.yaml

@@ -0,0 +1,13 @@
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+volumes:
+  - name: downloads
+    hostPath:
+      path: /k8s/media/downloads
+      type: DirectoryOrCreate
+
+volumeMounts:
+  - name: downloads
+    mountPath: /downloads
+    readOnly: false

k8s/apps/sonarr-stack/kustomization.yaml

@@ -13,8 +13,6 @@ helmCharts:
     namespace: sonarr-stack
     valuesFile: sonarr-values.yaml
     includeCRDs: true
-
-helmCharts:
   - name: prowlarr
     repo: https://charts.pree.dev
     version: 1.42.0
@@ -22,4 +20,11 @@ helmCharts:
     namespace: sonarr-stack
     valuesFile: sonarr-values.yaml
     includeCRDs: true
+  - name: bazarr
+    repo: oci://ghcr.io/m0nsterrr/helm-charts
+    version: 2.0.3
+    releaseName: bazarr
+    namespace: sonarr-stack
+    valuesFile: bazarr-values.yaml
+    includeCRDs: true
 

k8s/apps/sonarr-stack/prowlarr-values.yaml

@@ -7,5 +7,3 @@ persistence:
   config:
     enabled: true
     mountPath: /config
-    accessMode: ReadWriteOnce
-    size: 1Gi

k8s/apps/sonarr-stack/sonarr-values.yaml

@@ -6,13 +6,10 @@ nodeSelector:
 persistence:
   config:
     enabled: true
-    mountPath: /config
-    accessMode: ReadWriteOnce
-    size: 1Gi
 
   downloads:
     enabled: true
     type: hostPath
-    hostPath: /k8s/jellyfin/media
+    hostPath: /k8s/media/downloads
     mountPath: /downloads
     accessMode: ReadWriteOnce

k8s/apps/stirling-pdf/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: stirling-pdf
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: stirling-pdf
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/stirling-pdf
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/apps/stirling-pdf/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+
+helmCharts:
+  - name: stirling-pdf-chart
+    repo: https://stirling-tools.github.io/Stirling-PDF-chart
+    version: 1.10.0
+    releaseName: stirling-pdf
+    namespace: stirling-pdf
+    valuesFile: values.yaml
+    includeCRDs: true
+

k8s/apps/stirling-pdf/values.yaml

@@ -0,0 +1,56 @@
+replicaCount: 1
+
+image:
+  registry: docker.stirlingpdf.com
+  repository: stirlingtools/stirling-pdf
+  tag: "latest"
+  pullPolicy: Always
+
+securityContext:
+  enabled: true
+  fsGroup: 1000
+
+ingress:
+  enabled: true
+  ingressClassName: "traefik"
+  pathType: "Prefix"
+  
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  labels:
+    app: stirling-pdf
+  
+  hosts:
+    - name: pdf.hexor.cy
+      path: /
+      tls: true
+      tlsSecret: pdf-hexor-cy-tls
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 250m
+    memory: 256Mi
+
+probes:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+  readiness:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    timeoutSeconds: 3
+    failureThreshold: 3
+
+envs:
+  - name: UI_APP_NAME
+    value: "Stirling PDF"
+  - name: UI_HOME_DESCRIPTION
+    value: "Your locally hosted one-stop-shop for all your PDF needs."

k8s/apps/syncthing/kustomization.yaml

@@ -9,8 +9,15 @@ helmCharts:
   - name: syncthing
     repo: https://k8s-home-lab.github.io/helm-charts
     version: 4.0.0
-    releaseName: syncthing
+    releaseName: syncthing-master
     namespace: syncthing
-    valuesFile: syncthing-values.yaml
+    valuesFile: syncthing-master.yaml
     includeCRDs: true
 
+  - name: syncthing
+    repo: https://k8s-home-lab.github.io/helm-charts
+    version: 4.0.0
+    releaseName: syncthing-khv
+    namespace: syncthing
+    valuesFile: syncthing-khv.yaml
+    includeCRDs: true

k8s/apps/syncthing/syncthing-khv.yaml

@@ -0,0 +1,42 @@
+image:
+  tag: latest
+persistence:
+  config:
+    enabled: true
+    type: hostPath
+    hostPath: "/k8s/syncthing"
+    mountPath: "/var/syncthing"
+  storage:
+    enabled: true
+    type: hostPath
+    hostPath: "/home/share"
+    mountPath: "/storage"
+nodeSelector:
+  kubernetes.io/hostname: iris.khv
+service:
+  main:
+    ports:
+      http:
+        port: 8384
+  listen:
+    enabled: true
+    type: LoadBalancer
+    ports:
+      listen:
+        enabled: true
+        port: 30023
+        protocol: TCP
+        targetPort: 22000
+    selector:
+      app.kubernetes.io/name: syncthing
+  discovery:
+    enabled: true
+    type: NodePort
+    externalTrafficPolicy: Cluster
+    ports:
+      discovery:
+        enabled: true
+        port: 21027
+        protocol: UDP
+        targetPort: 21027
+

k8s/apps/syncthing/syncthing-master.yaml

@@ -1,3 +1,6 @@
+image:
+  tag: latest
+  
 persistence:
   config:
     enabled: true

k8s/core/argocd/appprojects.yaml

@@ -30,3 +30,20 @@ spec:
     server: https://kubernetes.default.svc
   sourceRepos:
   - ssh://git@gt.hexor.cy:30022/ab/homelab.git
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: games
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  description: Hexor Home Lab Games
+  destinations:
+  - namespace: '*'
+    server: https://kubernetes.default.svc
+  sourceRepos:
+  - ssh://git@gt.hexor.cy:30022/ab/homelab.git

k8s/core/authentik/values.yaml

@@ -1,6 +1,9 @@
 global:
+  image:
+    tag: "2025.4.1"
   nodeSelector:
     kubernetes.io/hostname: master.tail2fe2d.ts.net
+
 authentik:
     error_reporting:
         enabled: true
@@ -16,8 +19,6 @@ server:
   envFrom:
     - secretRef:
         name: authentik-creds
-  image:
-    tag: "2025.2.4"
   ingress:
       enabled: true
       ingressClassName: traefik
@@ -26,17 +27,18 @@ server:
         traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
       hosts:
         - idm.hexor.cy
-        - nas.hexor.cy      # TrueNAS Limassol
-        - nc.hexor.cy       # NaxtCloud
-        - of.hexor.cy       # Outfleet-v2
-        - master.hexor.cy   # k8s dashboard
-        - qbt.hexor.cy      # qBittorent for Jellyfin
-        - prom.hexor.cy     # Prometheus
-        - ss.hexor.cy       # Syncthing UI
-        - khm.hexor.cy      # Known Hosts keys Manager
-        - backup.hexor.cy   # Kopia Backup UI
-        - fm.hexor.cy       # Filemanager
-        - hexound.hexor.cy  # Hexound
+        - nas.hexor.cy       # TrueNAS Limassol
+        - nc.hexor.cy        # NaxtCloud
+        - of.hexor.cy        # Outfleet-v2
+        - master.hexor.cy    # k8s dashboard
+        - qbt.hexor.cy       # qBittorent for Jellyfin
+        - prom.hexor.cy      # Prometheus
+        - ss.hexor.cy        # Syncthing UI
+        - khm.hexor.cy       # Known Hosts keys Manager
+        - backup.hexor.cy    # Kopia Backup UI
+        - fm.hexor.cy        # Filemanager
+        - hexound.hexor.cy   # Hexound
+        - minecraft.hexor.cy # Minecraft UI and server
       tls:
         - secretName: idm-tls
           hosts:

k8s/core/cert-manager/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - app.yaml
   - external-secrets.yaml
   - issuer.yaml
+  - self-signed.yaml
 
 helmCharts:
   - name: cert-manager

k8s/core/cert-manager/self-signed.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hexor-ca-root
+spec:
+  isCA: true
+  duration: 87600h # 10y
+  commonName: hexor-ca
+  secretName: hexor-ca-root-secret
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: hexor-lab
+spec:
+  ca:
+    secretName: hexor-ca-root-secret

k8s/core/external-secrets/Dockerfile-bitwarden-cli

@@ -1,6 +1,6 @@
 FROM debian:sid
 
-ENV BW_CLI_VERSION=2024.7.2
+ENV BW_CLI_VERSION=2025.5.0
 
 RUN apt update && \
     apt install -y wget unzip && \
@@ -12,15 +12,15 @@ RUN apt update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-// Entrypoint content
-    #!/bin/sh
-    set -e
-    bw config server ${BW_HOST}
-    export BW_SESSION=$(bw login ${BW_USER} --passwordenv BW_PASSWORD --raw)
-    bw unlock --check
-    echo 'Running `bw server` on port 8087'
-    bw serve --hostname 0.0.0.0 #--disable-origin-protection
-// End Entrypoint content
+# Build entrypoint script
+RUN echo '#!/bin/sh\n\
+set -e\n\
+bw config server ${BW_HOST}\n\
+export BW_SESSION=$(bw login ${BW_USER} --passwordenv BW_PASSWORD --raw)\n\
+bw unlock --check\n\
+echo "Running \`bw server\` on port 8087"\n\
+bw serve --hostname 0.0.0.0\n' > /entrypoint.sh && \
+    chmod +x /entrypoint.sh
+
+CMD ["/entrypoint.sh"]
 
-    COPY entrypoint.sh /
-    CMD ["/entrypoint.sh"]

k8s/core/external-secrets/bitwarden-store.yaml

@@ -37,7 +37,7 @@ spec:
         kubernetes.io/hostname: master.tail2fe2d.ts.net
       containers:
         - name: bitwarden-cli
-          image: ultradesu/bitwarden-client:2024.7.2
+          image: ultradesu/bitwarden-client:2025.5.0
           imagePullPolicy: Always
           env:
             - name: BW_HOST

k8s/core/external-secrets/kustomization.yaml

@@ -8,7 +8,7 @@ resources:
 helmCharts:
   - name: external-secrets
     repo: https://charts.external-secrets.io
-    version: 0.15.1
+    version: 0.16.2
     releaseName: external-secrets
     namespace: external-secrets
     valuesFile: values.yaml

k8s/core/postgresql/kustomization.yaml

@@ -6,6 +6,7 @@ resources:
   - app.yaml
   - external-secrets.yaml
   - main-db.yaml
+  - nas.yaml
   - nas-db.yaml
 
 
@@ -15,6 +16,12 @@ helmCharts:
     version: 1.37.0
     releaseName: pgmanager
     namespace: psql
-    valuesFile: values.yaml
+    valuesFile: pgadmin4-values.yaml
     includeCRDs: true
 
+  - name: cloudnative-pg
+    repo: https://cloudnative-pg.github.io/charts
+    version: 0.23.2
+    releaseName: cnpg
+    namespace: psql
+    includeCRDs: true

k8s/core/postgresql/nas.yaml

@@ -0,0 +1,141 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-pv
+  namespace: immich
+spec:
+  capacity:
+    storage: 50Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-storage
+  nfs:
+    server: nas.homenet
+    path: /mnt/storage/Storage/k8s/immich/db-vector
+    readOnly: false
+  volumeMode: Filesystem
+
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs-storage
+provisioner: kubernetes.io/no-provisioner
+reclaimPolicy: Retain
+volumeBindingMode: Immediate
+
+---
+apiVersion: v1
+data:
+  password: cG9zdGdyZXM=
+  username: cG9zdGdyZXM=
+kind: Secret
+metadata:
+  name: immich-db-pass
+  namespace: immich
+type: kubernetes.io/basic-auth
+
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  description: "PostgreSQL cluster for Immich with vector support"
+  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:14-v0.3.0
+  enableSuperuserAccess: true
+  instances: 1
+  startDelay: 300
+  primaryUpdateStrategy: unsupervised
+  
+  postgresql:
+    parameters:
+      shared_buffers: "512MB"
+      max_wal_size: "2GB"
+      wal_compression: "on"
+    shared_preload_libraries:
+      - "vectors.so"
+    pg_hba:
+      - host all all 0.0.0.0/0 md5
+  
+  bootstrap:
+    initdb:
+      database: immich
+      owner: postgres
+      dataChecksums: true
+      secret:
+        name: immich-db-pass
+      postInitApplicationSQL:
+        - ALTER SYSTEM SET search_path TO "$user", public, vectors;
+        - SET search_path TO "$user", public, vectors;
+        - CREATE EXTENSION IF NOT EXISTS "vectors";
+        - ALTER SCHEMA vectors OWNER TO "postgres";
+        - GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA vectors TO "postgres";
+        - GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "postgres";
+        - CREATE EXTENSION IF NOT EXISTS cube;
+        - CREATE EXTENSION IF NOT EXISTS earthdistance;
+  
+  storage:
+    size: 50Gi
+    storageClass: nfs-storage
+    pvcTemplate:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 50Gi
+      storageClassName: nfs-storage
+      volumeMode: Filesystem
+  
+  resources:
+    requests:
+      memory: "1Gi"
+      cpu: "500m"
+    limits:
+      memory: "2Gi"
+      cpu: "1"
+  
+  affinity:
+    enablePodAntiAffinity: true
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          preference:
+            matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                  - nas.homenet
+      
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                  - home.homenet
+                  - nas.homenet
+    
+    tolerations:
+      - key: cnpg.io/cluster
+        effect: NoSchedule
+        value: immich-db
+        operator: Equal
+    
+    additionalPodAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+                - key: app.component
+                  operator: In
+                  values:
+                    - "pg-cluster"
+            topologyKey: topology.kubernetes.io/zone
+  
+  monitoring:
+    enablePodMonitor: true

k8s/core/postgresql/pgadmin4-values.yaml

@@ -1,5 +1,5 @@
 image:
-  tag: "9.2"
+  tag: "9.3"
   pullPolicy: Always
 env:
   email: "postgres@hexor.cy"

k8s/core/system-upgrade/app.yaml

@@ -13,9 +13,6 @@ spec:
     targetRevision: HEAD
     path: k8s/core/system-upgrade
   syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
     syncOptions:
       - CreateNamespace=true
 

k8s/core/system-upgrade/plan.yaml

@@ -16,7 +16,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.32.3+k3s1
+  version: v1.33.1+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,5 +39,5 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.32.3+k3s1
+  version: v1.33.1+k3s1
 

k8s/games/minecraft/deployments.yaml

@@ -18,7 +18,7 @@ data:
         location / {
           proxy_pass http://localhost:8123;
           sub_filter 'Minecraft Dynamic Map' "Hexor's MC server";
-          sub_filter "</body>" '<p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">Get <a href="https://prismlauncher.org/" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server</p></body>';
+          sub_filter "</body>" '<p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">Get <a href="https://github.com/PrismLauncher/PrismLauncher/releases/tag/8.4" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server. Server address <b>minecraft.hexor.cy:30565</b></p></body>';
           sub_filter_once off;
         }
         location /clients/ {
@@ -61,7 +61,7 @@ spec:
       - name: storage
         hostPath:
           path: /k8s/mc-server/
-          type: Directory
+          type: DirectoryOrCreate
       - name: nginx-config
         configMap:
           name: nginx-config
@@ -82,8 +82,8 @@ spec:
           image: 'openjdk:8-jdk-alpine'
           command: ["java"]
           args:
-            - -Xms12G
-            - -Xmx12G
+            - -Xms4G
+            - -Xmx4G
             - -XX:+UseG1GC
             - -XX:+ParallelRefProcEnabled
             - -XX:MaxGCPauseMillis=200
@@ -108,10 +108,10 @@ spec:
           workingDir: /mc/
           resources:
               limits:
-                memory: 15Gi
+                memory: 8Gi
                 #cpu: 1
               requests:
-                memory: 10Gi
+                memory: 5Gi
                 #cpu: 100m
           ports:
             - name: game