Compare commits
1 Commits
auto-updat
...
auto-updat
| Author | SHA1 | Date | |
|---|---|---|---|
|
ad49d0ab0b |
@@ -39,7 +39,6 @@ ArgoCD homelab project
|
||||
| Application | Status |
|
||||
| :--- | :---: |
|
||||
| **comfyui** | [](https://ag.hexor.cy/applications/argocd/comfyui) |
|
||||
| **furumi-dev** | [](https://ag.hexor.cy/applications/argocd/furumi-dev) |
|
||||
| **furumi-server** | [](https://ag.hexor.cy/applications/argocd/furumi-server) |
|
||||
| **gitea** | [](https://ag.hexor.cy/applications/argocd/gitea) |
|
||||
| **greece-notifier** | [](https://ag.hexor.cy/applications/argocd/greece-notifier) |
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: furumi-dev
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: apps
|
||||
destination:
|
||||
namespace: furumi-dev
|
||||
server: https://kubernetes.default.svc
|
||||
source:
|
||||
repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
|
||||
targetRevision: HEAD
|
||||
path: k8s/apps/furumi-dev
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
@@ -1,55 +0,0 @@
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: furumi-ng-creds
|
||||
spec:
|
||||
target:
|
||||
name: furumi-ng-creds
|
||||
deletionPolicy: Delete
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
OIDC_CLIENT_ID: |-
|
||||
{{ .client_id }}
|
||||
OIDC_CLIENT_SECRET: |-
|
||||
{{ .client_secret }}
|
||||
OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
|
||||
OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
|
||||
OIDC_SESSION_SECRET: |-
|
||||
{{ .session_secret }}
|
||||
PG_STRING: |-
|
||||
postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
|
||||
data:
|
||||
- secretKey: client_id
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
|
||||
property: fields[0].value
|
||||
- secretKey: client_secret
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
|
||||
property: fields[1].value
|
||||
- secretKey: session_secret
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
|
||||
property: fields[2].value
|
||||
- secretKey: pg_pass
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 2a9deb39-ef22-433e-a1be-df1555625e22
|
||||
property: fields[17].value
|
||||
@@ -1,59 +0,0 @@
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: admin-strip
|
||||
spec:
|
||||
stripPrefix:
|
||||
prefixes:
|
||||
- /admin
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: furumi-tls-ingress
|
||||
annotations:
|
||||
ingressClassName: traefik
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
|
||||
acme.cert-manager.io/http01-edit-in-place: "true"
|
||||
spec:
|
||||
rules:
|
||||
- host: music-dev.hexor.cy
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: furumi-dev-web-player
|
||||
port:
|
||||
number: 8080
|
||||
tls:
|
||||
- secretName: furumi-tls
|
||||
hosts:
|
||||
- '*.hexor.cy'
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: furumi-dev-admin-ingress
|
||||
annotations:
|
||||
ingressClassName: traefik
|
||||
traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- host: music-dev.hexor.cy
|
||||
http:
|
||||
paths:
|
||||
- path: /admin
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: furumi-dev-metadata-agent
|
||||
port:
|
||||
number: 8090
|
||||
tls:
|
||||
- secretName: furumi-tls
|
||||
hosts:
|
||||
- '*.hexor.cy'
|
||||
@@ -1,10 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- app.yaml
|
||||
- service.yaml
|
||||
- external-secrets.yaml
|
||||
- ingress.yaml
|
||||
- web-player.yaml
|
||||
- metadata-agent.yaml
|
||||
@@ -1,59 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: furumi-dev-metadata-agent
|
||||
labels:
|
||||
app: furumi-dev-metadata-agent
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: furumi-dev-metadata-agent
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: furumi-dev-metadata-agent
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: master.tail2fe2d.ts.net
|
||||
containers:
|
||||
- name: furumi-dev-metadata-agent
|
||||
image: ultradesu/furumi-metadata-agent:dev
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: FURUMI_AGENT_DATABASE_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: PG_STRING
|
||||
- name: FURUMI_AGENT_INBOX_DIR
|
||||
value: "/inbox"
|
||||
- name: FURUMI_AGENT_STORAGE_DIR
|
||||
value: "/media"
|
||||
- name: FURUMI_AGENT_OLLAMA_URL
|
||||
value: "http://ollama.ollama.svc:11434"
|
||||
- name: FURUMI_AGENT_OLLAMA_MODEL
|
||||
value: "qwen3:14b"
|
||||
- name: FURUMI_AGENT_POLL_INTERVAL_SECS
|
||||
value: "10"
|
||||
- name: RUST_LOG
|
||||
value: "info"
|
||||
ports:
|
||||
- name: admin-ui
|
||||
containerPort: 8090
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- name: library
|
||||
mountPath: /media
|
||||
- name: inbox
|
||||
mountPath: /inbox
|
||||
volumes:
|
||||
- name: library
|
||||
hostPath:
|
||||
path: /k8s/furumi-dev/library
|
||||
type: DirectoryOrCreate
|
||||
- name: inbox
|
||||
hostPath:
|
||||
path: /k8s/furumi-dev/inbox
|
||||
type: DirectoryOrCreate
|
||||
|
||||
@@ -1,32 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: furumi-dev-metadata-agent
|
||||
labels:
|
||||
app: furumi-dev-metadata-agent
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: furumi-dev-metadata-agent
|
||||
ports:
|
||||
- name: admin-ui
|
||||
protocol: TCP
|
||||
port: 8090
|
||||
targetPort: 8090
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: furumi-dev-web-player
|
||||
labels:
|
||||
app: furumi-dev-web-player
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: furumi-dev-web-player
|
||||
ports:
|
||||
- name: web-ui
|
||||
protocol: TCP
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
@@ -1,70 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: furumi-dev-web-player
|
||||
labels:
|
||||
app: furumi-dev-web-player
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: furumi-dev-web-player
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: furumi-dev-web-player
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: master.tail2fe2d.ts.net
|
||||
containers:
|
||||
- name: furumi-dev-web-player
|
||||
image: ultradesu/furumi-web-player:dev
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: FURUMI_PLAYER_OIDC_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: OIDC_CLIENT_ID
|
||||
- name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: OIDC_CLIENT_SECRET
|
||||
- name: FURUMI_PLAYER_OIDC_ISSUER_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: OIDC_ISSUER_URL
|
||||
- name: FURUMI_PLAYER_OIDC_REDIRECT_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: OIDC_REDIRECT_URL
|
||||
- name: FURUMI_PLAYER_OIDC_SESSION_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: OIDC_SESSION_SECRET
|
||||
- name: FURUMI_PLAYER_DATABASE_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: furumi-ng-creds
|
||||
key: PG_STRING
|
||||
- name: FURUMI_PLAYER_STORAGE_DIR
|
||||
value: "/media"
|
||||
- name: RUST_LOG
|
||||
value: "info"
|
||||
ports:
|
||||
- name: web-ui
|
||||
containerPort: 8080
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- name: music
|
||||
mountPath: /media
|
||||
volumes:
|
||||
- name: music
|
||||
hostPath:
|
||||
path: /k8s/furumi-dev/library
|
||||
type: DirectoryOrCreate
|
||||
|
||||
@@ -33,7 +33,7 @@ spec:
|
||||
- name: FURUMI_AGENT_OLLAMA_URL
|
||||
value: "http://ollama.ollama.svc:11434"
|
||||
- name: FURUMI_AGENT_OLLAMA_MODEL
|
||||
value: "qwen3.5:9b"
|
||||
value: "qwen3:14b"
|
||||
- name: FURUMI_AGENT_POLL_INTERVAL_SECS
|
||||
value: "10"
|
||||
- name: RUST_LOG
|
||||
|
||||
@@ -5,7 +5,6 @@ resources:
|
||||
- app.yaml
|
||||
- external-secrets.yaml
|
||||
- https-middleware.yaml
|
||||
- outpost-selector-fix.yaml
|
||||
# - worker-restart.yaml
|
||||
|
||||
helmCharts:
|
||||
|
||||
@@ -1,81 +0,0 @@
|
||||
## Workaround for authentik bug: embedded outpost controller creates
|
||||
## a Service with selectors that don't match the pod labels it sets.
|
||||
## Remove this after upgrading to a version with the fix.
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
verbs: ["get", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints"]
|
||||
verbs: ["get"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: outpost-selector-fix
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
spec:
|
||||
schedule: "*/5 * * * *"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 3
|
||||
concurrencyPolicy: Replace
|
||||
jobTemplate:
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 300
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: outpost-selector-fix
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: fix
|
||||
image: bitnami/kubectl:latest
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
SVC="ak-outpost-authentik-embedded-outpost"
|
||||
# check if endpoints are populated
|
||||
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
|
||||
if [ -n "$ADDRS" ]; then
|
||||
echo "Endpoints OK ($ADDRS), nothing to fix"
|
||||
exit 0
|
||||
fi
|
||||
echo "No endpoints for $SVC, patching selector..."
|
||||
kubectl patch svc "$SVC" -n authentik --type=json -p '[
|
||||
{"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
|
||||
{"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
|
||||
]'
|
||||
echo "Patched. Verifying..."
|
||||
sleep 2
|
||||
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
|
||||
if [ -n "$ADDRS" ]; then
|
||||
echo "Fix confirmed, endpoints: $ADDRS"
|
||||
else
|
||||
echo "WARNING: still no endpoints after patch"
|
||||
exit 1
|
||||
fi
|
||||
@@ -54,6 +54,7 @@ server:
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
|
||||
hosts:
|
||||
- idm.hexor.cy
|
||||
- ollama.hexor.cy
|
||||
tls:
|
||||
- secretName: idm-tls
|
||||
hosts:
|
||||
|
||||
@@ -133,8 +133,6 @@ spec:
|
||||
{{ .mas }}
|
||||
USER_furumi: |-
|
||||
{{ .furumi }}
|
||||
USER_furumi_dev: |-
|
||||
{{ .furumi_dev }}
|
||||
data:
|
||||
- secretKey: authentik
|
||||
sourceRef:
|
||||
@@ -312,15 +310,4 @@ spec:
|
||||
metadataPolicy: None
|
||||
key: 2a9deb39-ef22-433e-a1be-df1555625e22
|
||||
property: fields[16].value
|
||||
- secretKey: furumi_dev
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
conversionStrategy: Default
|
||||
decodingStrategy: None
|
||||
metadataPolicy: None
|
||||
key: 2a9deb39-ef22-433e-a1be-df1555625e22
|
||||
property: fields[17].value
|
||||
|
||||
|
||||
@@ -292,60 +292,7 @@ resource "authentik_outpost" "outposts" {
|
||||
authentik_host_browser = ""
|
||||
object_naming_template = "ak-outpost-%(name)s"
|
||||
authentik_host_insecure = false
|
||||
kubernetes_json_patches = {
|
||||
deployment = [
|
||||
{
|
||||
op = "add"
|
||||
path = "/spec/template/spec/containers/0/env/-"
|
||||
value = {
|
||||
name = "AUTHENTIK_POSTGRESQL__HOST"
|
||||
value = "psql.psql.svc"
|
||||
}
|
||||
},
|
||||
{
|
||||
op = "add"
|
||||
path = "/spec/template/spec/containers/0/env/-"
|
||||
value = {
|
||||
name = "AUTHENTIK_POSTGRESQL__PORT"
|
||||
value = "5432"
|
||||
}
|
||||
},
|
||||
{
|
||||
op = "add"
|
||||
path = "/spec/template/spec/containers/0/env/-"
|
||||
value = {
|
||||
name = "AUTHENTIK_POSTGRESQL__NAME"
|
||||
value = "authentik"
|
||||
}
|
||||
},
|
||||
{
|
||||
op = "add"
|
||||
path = "/spec/template/spec/containers/0/env/-"
|
||||
value = {
|
||||
name = "AUTHENTIK_POSTGRESQL__USER"
|
||||
valueFrom = {
|
||||
secretKeyRef = {
|
||||
name = "authentik-creds"
|
||||
key = "AUTHENTIK_POSTGRESQL__USER"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
op = "add"
|
||||
path = "/spec/template/spec/containers/0/env/-"
|
||||
value = {
|
||||
name = "AUTHENTIK_POSTGRESQL__PASSWORD"
|
||||
valueFrom = {
|
||||
secretKeyRef = {
|
||||
name = "authentik-creds"
|
||||
key = "AUTHENTIK_POSTGRESQL__PASSWORD"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
kubernetes_json_patches = null
|
||||
kubernetes_service_type = "ClusterIP"
|
||||
kubernetes_image_pull_secrets = []
|
||||
kubernetes_ingress_class_name = null
|
||||
|
||||
@@ -202,7 +202,7 @@ EOT
|
||||
meta_icon = "https://img.icons8.com/external-icongeek26-outline-icongeek26/64/external-llama-animal-head-icongeek26-outline-icongeek26.png"
|
||||
mode = "proxy"
|
||||
outpost = "kubernetes-outpost"
|
||||
intercept_header_auth = true
|
||||
access_groups = ["admins"]
|
||||
create_group = true
|
||||
access_groups = ["admins"]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user