Update k8s/core/postgresql/external-secrets.yaml

Reviewed-on: ab/homelab#1

.gitea/workflows/lint.yaml

@@ -1,9 +1,7 @@
 name: Check with kubeconform
-
 on:
   push:
     branches: [ main ]
-
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -16,22 +14,53 @@ jobs:
       - name: Kubeconform validation
         id: kubeconform
         run: |
+          # Create exclusion list - add files that should be skipped from validation
+          EXCLUSIONS=(
+            "./k8s/core/system-upgrade/crd.yaml"
+            # Add more files here as needed
+            # "./path/to/another/file.yaml"
+          )
+          
           # Create a temporary file for storing validation output
           VALIDATION_OUTPUT=$(mktemp)
           
-          # Run kubeconform and capture output
+          # Function to check if file is in exclusions
-          find . -name '*.yaml' \
+          is_excluded() {
+            local file="$1"
+            for exclusion in "${EXCLUSIONS[@]}"; do
+              if [[ "$file" == "$exclusion" ]]; then
+                return 0
+              fi
+            done
+            return 1
+          }
+          
+          # Find all yaml files and filter out exclusions
+          YAML_FILES=()
+          while IFS= read -r -d '' file; do
+            if ! is_excluded "$file"; then
+              YAML_FILES+=("$file")
+            else
+              echo "⚠️  Skipping excluded file: $file"
+            fi
+          done < <(find . -name '*.yaml' \
             ! -name '*values.yaml' \
             ! -path './.gitea/*' \
-            -print0 \
+            -print0)
-          | xargs -0 kubeconform \
+          
-            -summary \
+          # Run kubeconform only if there are files to validate
-            -verbose \
+          if [ ${#YAML_FILES[@]} -gt 0 ]; then
-            -output pretty \
+            printf '%s\0' "${YAML_FILES[@]}" | xargs -0 kubeconform \
-            -ignore-missing-schemas \
+              -summary \
-            -schema-location default \
+              -verbose \
-            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
+              -output pretty \
-            -schema-location 'https://raw.githubusercontent.com/SchemaStore/schemastore/refs/heads/master/src/schemas/json/kustomization.json' > $VALIDATION_OUTPUT 2>&1 || true
+              -ignore-missing-schemas \
+              -schema-location default \
+              -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
+              -schema-location 'https://raw.githubusercontent.com/SchemaStore/schemastore/refs/heads/master/src/schemas/json/kustomization.json' > $VALIDATION_OUTPUT 2>&1 || true
+          else
+            echo "No files to validate after applying exclusions" > $VALIDATION_OUTPUT
+          fi
           
           # Display output in logs
           cat $VALIDATION_OUTPUT
@@ -44,7 +73,7 @@ jobs:
             cat invalid_files.txt
             exit 1
           else
-            echo "All manifests are valid!"
+            echo "✅ All manifests are valid!"
           fi
         continue-on-error: true
       

.gitignore

@@ -58,3 +58,4 @@ tags
 # Persistent undo
 [._]*.un~
 
+.DS_Store

k8s/apps/gitea/deployment.yaml

@@ -30,6 +30,27 @@ spec:
       containers:
         - name: gitea
           image: 'gitea/gitea:latest'
+          resources:
+            requests:
+              memory: "512Mi"
+              cpu: "200m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          env:
+            - name: GITEA__service__REGISTER_MANUAL_CONFIRM
+              value: "true"
+            - name: GITEA__service__ENABLE_CAPTCHA
+              value: "false"
+            - name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
+              value: "true"
+            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
+              value: "true"
+            - name: GITEA__service__CAPTCHA_TYPE
+              value: "hcaptcha"
+          envFrom:
+          - secretRef:
+              name: gitea-recapcha-creds
           ports:
             - name: http
               containerPort: 3000
@@ -56,20 +77,30 @@ spec:
         app: gitea-runner
     spec:
       nodeSelector:
-        #kubernetes.io/hostname: master.tail2fe2d.ts.net
+        kubernetes.io/hostname: home.homenet
-        kubernetes.io/hostname: nas.homenet
       volumes:
         - name: docker-sock
           hostPath:
-            #path: /var/run/k3s/containerd/containerd.sock
             path: /var/run/docker.sock
             type: Socket
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: gitea-runner-pvc
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "4Gi"
+              cpu: "2000m"
           volumeMounts:
             - name: docker-sock
               mountPath: /var/run/docker.sock
+            - name: runner-data
+              mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
               value: "https://gt.hexor.cy"
@@ -83,3 +114,16 @@ spec:
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
 
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-runner-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: local-path
+

k8s/apps/gitea/external-secrets.yaml

@@ -23,3 +23,37 @@ spec:
         key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
         property: login.password
 
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-recapcha-creds
+spec:
+  refreshInterval: 1m
+  target:
+    name: gitea-recapcha-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        GITEA__service__HCAPTCHA_SITEKEY: |-
+          {{ .HCAPTCHA_SITEKEY }}
+        GITEA__service__HCAPTCHA_SECRET: |-
+          {{ .HCAPTCHA_SECRET }}
+  data:
+    - secretKey: HCAPTCHA_SITEKEY
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
+        property: login.username
+    - secretKey: HCAPTCHA_SECRET
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
+        property: login.password

k8s/apps/hexound/deployment.yaml

@@ -24,6 +24,13 @@ spec:
       initContainers:
         - name: git-cloner
           image: alpine/git
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "200m"
           command:
             - git
             - clone
@@ -36,6 +43,13 @@ spec:
       containers:
         - name: hexound
           image: trafex/php-nginx:3.8.0
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
           volumeMounts:
             - name: hexound-repo
               mountPath: /var/www/html

k8s/apps/immich/deployments.yaml

@@ -17,6 +17,13 @@ spec:
       - name: immich-server
         image: ghcr.io/immich-app/immich-server:release
         imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "4Gi"
+            cpu: "2000m"
         ports:
         - containerPort: 2283
         env:
@@ -140,6 +147,13 @@ spec:
       - name: immich-ml
         image: ghcr.io/immich-app/immich-machine-learning:release
         imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+          limits:
+            memory: "8Gi"
+            cpu: "4000m"
         env:
         - name: TZ
           value: Asia/Nicosia
@@ -174,6 +188,13 @@ spec:
       containers:
         - name: redis
           image: redis:6.2-alpine
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
           readinessProbe:
             exec:
               command: ["redis-cli", "ping"]

k8s/apps/jellyfin/values.yaml

@@ -1,5 +1,12 @@
 image:
   tag: 10.10.7
+resources:
+  requests:
+    memory: "2Gi"
+    cpu: "1000m"
+  limits:
+    memory: "8Gi"
+    cpu: "4000m"
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 persistence:

k8s/apps/khm/deployment.yaml

@@ -23,6 +23,13 @@ spec:
         - name: khm
           image: 'ultradesu/khm:latest'
           imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "500m"
           command:
             - /bin/sh
             - -c

k8s/apps/paperless/gotenberg-values.yaml

@@ -8,12 +8,12 @@ nodeSelector:
   kubernetes.io/hostname: nas.homenet
 
 resources:
-  limits:
-    cpu: 1000m
-    memory: 1Gi
   requests:
-    cpu: 200m
+    memory: "512Mi"
-    memory: 256Mi
+    cpu: "200m"
+  limits:
+    memory: "2Gi"
+    cpu: "1000m"
 
 service:
   type: ClusterIP

k8s/apps/paperless/paperless-values.yaml

@@ -1,8 +1,22 @@
 image:
   tag: 2.15.3
+resources:
+  requests:
+    memory: "1Gi"
+    cpu: "500m"
+  limits:
+    memory: "4Gi"
+    cpu: "2000m"
 initContainers:
   install-tesseract-langs:
     image: ghcr.io/paperless-ngx/paperless-ngx:2.15.1
+    resources:
+      requests:
+        memory: "256Mi"
+        cpu: "100m"
+      limits:
+        memory: "1Gi"
+        cpu: "500m"
     command: ["/bin/sh", "-c"]
     args:
       - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-jpn tesseract-ocr-chi-sim tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/

k8s/apps/paperless/tika-values.yaml

@@ -8,12 +8,12 @@ nodeSelector:
   kubernetes.io/hostname: nas.homenet
 
 resources:
-  limits:
-    cpu: 500m
-    memory: 512Mi
   requests:
-    cpu: 100m
+    memory: "256Mi"
-    memory: 128Mi
+    cpu: "100m"
+  limits:
+    memory: "1Gi"
+    cpu: "500m"
 
 service:
   type: ClusterIP

k8s/apps/rustdesk/deployment.yaml

@@ -0,0 +1,134 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rustdesk-hbbs
+  labels:
+    app: rustdesk-hbbs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rustdesk-hbbs
+  template:
+    metadata:
+      labels:
+        app: rustdesk-hbbs
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+      - name: hbbs
+        image: rustdesk/rustdesk-server:latest
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        command: ["hbbs"]
+        args:
+          - "--relay-servers"
+          - "rd.hexor.cy:21117"
+          - "--port"
+          - "21116"
+        ports:
+        - name: registry
+          containerPort: 21116
+          protocol: TCP
+        - name: nat
+          containerPort: 21115
+          protocol: TCP
+        volumeMounts:
+        - name: keys
+          mountPath: /data
+          readOnly: true
+        - name: data
+          mountPath: /data-persistent
+        env:
+        - name: RUST_LOG
+          value: "info"
+        - name: DB_URL
+          value: "/data-persistent/db_v2.sqlite3"
+        workingDir: /data
+      volumes:
+      - name: keys
+        secret:
+          secretName: rustdesk-keys
+          items:
+          - key: id_ed25519
+            path: id_ed25519
+            mode: 0600
+          - key: id_ed25519.pub
+            path: id_ed25519.pub
+            mode: 0644
+      - name: data
+        hostPath:
+          path: /k8s/rustdesk/hbbs
+          type: DirectoryOrCreate
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rustdesk-hbbr
+  labels:
+    app: rustdesk-hbbr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rustdesk-hbbr
+  template:
+    metadata:
+      labels:
+        app: rustdesk-hbbr
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+      - name: hbbr
+        image: rustdesk/rustdesk-server:latest
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        command: ["hbbr"]
+        args:
+          - "--port"
+          - "21117"
+        ports:
+        - name: relay
+          containerPort: 21117
+          protocol: TCP
+        volumeMounts:
+        - name: keys
+          mountPath: /data
+          readOnly: true
+        - name: data
+          mountPath: /data-persistent
+        env:
+        - name: RUST_LOG
+          value: "info"
+        workingDir: /data
+      volumes:
+      - name: keys
+        secret:
+          secretName: rustdesk-keys
+          items:
+          - key: id_ed25519
+            path: id_ed25519
+            mode: 0600
+          - key: id_ed25519.pub
+            path: id_ed25519.pub
+            mode: 0644
+      - name: data
+        hostPath:
+          path: /k8s/rustdesk/hbbr
+          type: DirectoryOrCreate

k8s/apps/rustdesk/external-secrets.yaml

@@ -2,65 +2,33 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: postgres-creds
+  name: rustdesk-keys
 spec:
   target:
-    name: postgres-creds
+    name: rustdesk-keys
     deletionPolicy: Delete
     template:
       type: Opaque
       data:
-        psql_user: paperless
+        id_ed25519: |-
-        psql_pass: |-
+          {{ .private_key }}
-          {{ .psql_pass }}
+        id_ed25519.pub: |-
-        oauth_config: |-
+          {{ .public_key }}
-          {
-            "openid_connect": {
-              "APPS": [
-                {
-                  "provider_id": "authentik",
-                  "name": "Authentik",
-                  "client_id": "{{ .oauth_id }}",
-                  "secret": "{{ .oauth_secret }}",
-                  "settings": {
-                    "server_url": "{{ .server_url }}"
-                  }
-                }
-              ],
-              "OAUTH_PKCE_ENABLED": "True"
-            }
-          }
   data:
-    - secretKey: psql_pass
+    - secretKey: private_key
       sourceRef:
         storeRef:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        key: f5591dfd-a0ab-4101-a2d7-e06380d3dcc9
-        property: fields[5].value
-    - secretKey: oauth_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
         property: fields[0].value
-    - secretKey: oauth_secret
+    - secretKey: public_key
       sourceRef:
         storeRef:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        key: f5591dfd-a0ab-4101-a2d7-e06380d3dcc9
         property: fields[1].value
-    - secretKey: server_url
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
-        property: fields[2].value
 

k8s/apps/rustdesk/external-secrets.yaml.backup

@@ -0,0 +1,66 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgres-creds
+spec:
+  target:
+    name: postgres-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        psql_user: paperless
+        psql_pass: |-
+          {{ .psql_pass }}
+        oauth_config: |-
+          {
+            "openid_connect": {
+              "APPS": [
+                {
+                  "provider_id": "authentik",
+                  "name": "Authentik",
+                  "client_id": "{{ .oauth_id }}",
+                  "secret": "{{ .oauth_secret }}",
+                  "settings": {
+                    "server_url": "{{ .server_url }}"
+                  }
+                }
+              ],
+              "OAUTH_PKCE_ENABLED": "True"
+            }
+          }
+  data:
+    - secretKey: psql_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[5].value
+    - secretKey: oauth_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[0].value
+    - secretKey: oauth_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[1].value
+    - secretKey: server_url
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+        property: fields[2].value
+

k8s/apps/rustdesk/kustomization.yaml

@@ -3,14 +3,8 @@ kind: Kustomization
 
 resources:
   - app.yaml
-  #- external-secrets.yaml
+  - deployment.yaml
-
+  - service.yaml
-helmCharts:
+  - external-secrets.yaml
-  - name: rustdesk-server-oss
+  - network-policy.yaml
-    repo: https://schich.tel/helm-charts
-    version: 0.2.2
-    releaseName: rustdesk
-    namespace: rustdesk
-    valuesFile: values.yaml
-    includeCRDs: true
 

k8s/apps/rustdesk/network-policy.yaml

@@ -0,0 +1,73 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: rustdesk-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: rustdesk-hbbs
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Allow all incoming connections to RustDesk ports
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 21115
+    - protocol: TCP
+      port: 21116
+    - protocol: UDP
+      port: 21116
+  egress:
+  # Allow DNS
+  - to: []
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+  # Allow communication between HBBS and HBBR
+  - to:
+    - podSelector:
+        matchLabels:
+          app: rustdesk-hbbr
+    ports:
+    - protocol: TCP
+      port: 21117
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: rustdesk-hbbr-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: rustdesk-hbbr
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Allow all incoming connections to relay port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 21117
+  # Allow connections from HBBS
+  - from:
+    - podSelector:
+        matchLabels:
+          app: rustdesk-hbbs
+    ports:
+    - protocol: TCP
+      port: 21117
+  egress:
+  # Allow DNS
+  - to: []
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53

k8s/apps/rustdesk/service.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustdesk-hbbs
+  labels:
+    app: rustdesk-hbbs
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: rustdesk-hbbs
+  ports:
+  - name: registry-tcp
+    port: 21116
+    targetPort: 21116
+    protocol: TCP
+  - name: nat
+    port: 21115
+    targetPort: 21115
+    protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustdesk-hbbs-udp
+  labels:
+    app: rustdesk-hbbs
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: rustdesk-hbbs
+  ports:
+  - name: registry-udp
+    port: 21116
+    targetPort: 21116
+    protocol: UDP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustdesk-hbbr
+  labels:
+    app: rustdesk-hbbr
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: rustdesk-hbbr
+  ports:
+  - name: relay
+    port: 21117
+    targetPort: 21117
+    protocol: TCP

k8s/apps/rustdesk/values.yaml

@@ -1,87 +0,0 @@
-replicaCount: 1
-
-image:
-  repository: docker.io/rustdesk/rustdesk-server
-  pullPolicy: IfNotPresent
-  tag: 1
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-ingress:
-  enabled: true
-  className: "traefik"
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-  hosts:
-  - rd.hexor.cy
-  tls:
-    - secretName: rustdesk-tls
-      hosts:
-        - rd.hexor.cy
-
-service:
-  type: LoadBalancer
-  externalTrafficPolicy: Cluster
-  loadBalancerIP: null
-  enableWebClientSupport: false
-  hbbr:
-    replayPort:
-      port: 21117
-      targetPort: 21117
-    clientPort:
-      port: 21119
-      targetPort: 21119
-  hbbs:
-    natPort:
-      port: 21115
-      targetPort: 21115
-    registryPort:
-      port: 21116
-      targetPort: 21116
-    heartbeatPort:
-      port: 21116
-      targetPort: 21116
-    webPort:
-      port: 21118
-      targetPort: 21118
-
-resources:
-  hbbrResource: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-  hbbsResource: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-  # Additional volumes on the output Deployment definition.
-volume: {}
-
-# - name: foo
-#   secret:
-#     secretName: mysecret
-#     optional: false
-
-# - name: foo
-#   mountPath: "/etc/foo"
-#   readOnly: true
-

k8s/apps/sonarr-stack/bazarr-values.yaml

@@ -1,3 +1,10 @@
+resources:
+  requests:
+    memory: "256Mi"
+    cpu: "100m"
+  limits:
+    memory: "1Gi"
+    cpu: "500m"
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 

k8s/apps/sonarr-stack/prowlarr-values.yaml

@@ -1,5 +1,12 @@
 env:
   TZ: Asia/Nicosia
+resources:
+  requests:
+    memory: "256Mi"
+    cpu: "100m"
+  limits:
+    memory: "1Gi"
+    cpu: "500m"
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 

k8s/apps/sonarr-stack/sonarr-values.yaml

@@ -1,5 +1,12 @@
 env:
   TZ: Asia/Nicosia
+resources:
+  requests:
+    memory: "512Mi"
+    cpu: "200m"
+  limits:
+    memory: "2Gi"
+    cpu: "1000m"
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 

k8s/apps/stirling-pdf/values.yaml

@@ -28,12 +28,12 @@ ingress:
       tlsSecret: pdf-hexor-cy-tls
 
 resources:
-  limits:
-    cpu: 500m
-    memory: 512Mi
   requests:
-    cpu: 250m
+    memory: "512Mi"
-    memory: 256Mi
+    cpu: "200m"
+  limits:
+    memory: "2Gi"
+    cpu: "1000m"
 
 probes:
   liveness:

k8s/apps/vaultwarden/deployment.yaml

@@ -31,6 +31,13 @@ spec:
         - name: vaultwarden
           image: 'vaultwarden/server:latest'
           imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "500m"
           env:
             - name: DOMAIN
               value: https://vw.hexor.cy

k8s/apps/vpn/outfleet.yaml

@@ -30,8 +30,11 @@ spec:
           args:
             - "-c"
             - |
-              python ./manage.py makemigrations vpn
+              set -x
+              #python ./manage.py makemigrations
+              #python ./manage.py makemigrations vpn
               python ./manage.py migrate
+              python ./manage.py migrate vpn
               python ./manage.py create_admin
               python ./manage.py runserver 0.0.0.0:8000
           envFrom:

k8s/core/argocd/app.yaml

@@ -13,9 +13,6 @@ spec:
     targetRevision: HEAD
     path: k8s/core/argocd
   syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
     syncOptions:
       - CreateNamespace=true
 

k8s/core/argocd/external-secrets.yaml

@@ -14,8 +14,8 @@ spec:
         labels:
           app.kubernetes.io/part-of: argocd
       data:
-        id: "{{ .client_id | quote }}"
+        id: "{{ .client_id }}"
-        secret: "{{ .client_secret | quote }}"
+        secret: "{{ .client_secret }}"
   data:
     - secretKey: client_id
       sourceRef:

k8s/core/argocd/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: argo-cd
     repo: https://argoproj.github.io/argo-helm
-    version: 7.8.26
+    version: 8.1.3
     releaseName: argocd
     namespace: argocd
     valuesFile: values.yaml

k8s/core/argocd/values.yaml

@@ -17,9 +17,10 @@ configs:
     server.insecure: "true"
   cm:
     create: true
+    exec.enabled: true
     kustomize.buildOptions: --enable-helm
     application.instanceLabelKey: argocd.argoproj.io/instance
-    admin.enabled: true
+    admin.enabled: false
     timeout.reconciliation: 60s
     oidc.config: |
       name: Authentik
@@ -32,7 +33,20 @@ configs:
     create: true
     policy.default: ""
     policy.csv: |
-      g, k8s_dashboard, role:admin
+      # Bound OIDC Group and internal role
+      g, Game Servers Managers, GameServersManagersRole
+      # Role permissions
+      p, GameServersManagersRole, applications, get, games/*, allow
+      p, GameServersManagersRole, applications, update, games/*, allow
+      p, GameServersManagersRole, applications, sync, games/*, allow
+      p, GameServersManagersRole, applications, override, games/*, allow
+      p, GameServersManagersRole, applications, action/*, games/*, allow
+      p, GameServersManagersRole, exec, create, games/*, allow
+      p, GameServersManagersRole, logs, get, games/*, allow
+      p, GameServersManagersRole, applications, delete, games/*, deny
+
+      # Admin policy
+      g, ArgoCD Admins, role:admin
 
   secret:
     createSecret: true

k8s/core/authentik/values.yaml

@@ -1,6 +1,6 @@
 global:
   image:
-    tag: "2025.4.1"
+    tag: "2025.6.4"
   nodeSelector:
     kubernetes.io/hostname: master.tail2fe2d.ts.net
 

k8s/core/external-secrets/bitwarden-store.yaml

@@ -39,6 +39,13 @@ spec:
         - name: bitwarden-cli
           image: ultradesu/bitwarden-client:2025.5.0
           imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
           env:
             - name: BW_HOST
               valueFrom:

k8s/core/kubernetes-dashboard/deployments.yaml

@@ -20,6 +20,13 @@ spec:
         - name: kubernetes-dashboard
           image: kubernetesui/dashboard:v2.7.0
           imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
           ports:
             - containerPort: 8443
               protocol: TCP
@@ -87,6 +94,13 @@ spec:
       containers:
         - name: dashboard-metrics-scraper
           image: kubernetesui/metrics-scraper:v1.0.6
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
           ports:
             - containerPort: 8000
               protocol: TCP

k8s/core/postgresql/app.yaml

@@ -13,9 +13,7 @@ spec:
     targetRevision: HEAD
     path: k8s/core/postgresql
   syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
     syncOptions:
       - CreateNamespace=true
+      - ServerSideApply=true
 

k8s/core/postgresql/external-secrets.yaml

@@ -40,6 +40,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 832042b9-7edb-4f4c-9254-3c8884ba9733
         property: login.username
     - secretKey: password
@@ -48,6 +51,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 832042b9-7edb-4f4c-9254-3c8884ba9733
         property: login.password
     - secretKey: client_id
@@ -56,6 +62,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 832042b9-7edb-4f4c-9254-3c8884ba9733
         property: fields[0].value
     - secretKey: client_secret
@@ -64,6 +73,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 832042b9-7edb-4f4c-9254-3c8884ba9733
         property: fields[1].value
     - secretKey: pgadmin_url
@@ -72,6 +84,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 832042b9-7edb-4f4c-9254-3c8884ba9733
         property: fields[2].value
 ---
@@ -98,6 +113,8 @@ spec:
           {{ .grafana }}
         USER_khm: |-
           {{ .khm }}
+        USER_kanjai: |-
+          {{ .kanjai }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -105,6 +122,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[0].value
     - secretKey: outfleet
@@ -113,6 +133,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[1].value
     - secretKey: grafana
@@ -121,6 +144,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[2].value
     - secretKey: khm
@@ -129,6 +155,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[3].value
     - secretKey: nextcloud
@@ -137,6 +166,9 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[4].value
     - secretKey: paperless
@@ -145,5 +177,19 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[5].value
+    - secretKey: kanjai
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[7].value

k8s/core/prometheus/prom-values.yaml

@@ -14,16 +14,10 @@ prometheus:
             labels: {instance: jp}
           - targets: ['100.117.24.104:9098']
             labels: {instance: bg}
-          - targets: ['100.117.24.104:9099']
+      - job_name: cs_16_server
-            labels: {instance: fi}
-
-      - job_name: term_humid_sensors
         static_configs:
-        - targets: ['100.117.24.104:7536']
+          - targets: ['prom-a2s-exporter.counter-strike.svc:9841']
-      - job_name: win_exporter
+            labels: {instance: master}
-        static_configs:
-        - targets: ['10.0.5.100:9182']
-          labels: {instance: win.homenet}
 
     retention: "99999d"
     retentionSize: "0"

k8s/core/system-upgrade/crd.yaml

@@ -10,7 +10,7 @@ spec:
     kind: Plan
     plural: plans
     singular: plan
-  preserveUnknownFields: false
+  #preserveUnknownFields: false
   scope: Namespaced
   versions:
   - additionalPrinterColumns:

k8s/core/system-upgrade/plan.yaml

@@ -16,7 +16,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.33.1+k3s1
+  version: v1.33.2+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,5 +39,5 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.33.1+k3s1
+  version: v1.33.2+k3s1
 

k8s/games/beam-ng/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: beam-ng
+  namespace: argocd
+spec:
+  project: games
+  destination:
+    namespace: beam-ng
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/games/beam-ng
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/games/beam-ng/deployments.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: beam-ng
+  labels:
+    app: beam-ng
+spec:
+  selector:
+    matchLabels:
+      app: beam-ng
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: beam-ng
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: beam-ng
+          image: 'rouhim/beammp-server'
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "500m"
+            limits:
+              memory: "4Gi"
+              cpu: "2000m"
+          env:
+            - name: BEAMMP_NAME
+              value: 'Anal Hexor'
+            - name: BEAMMP_AUTH_KEY
+              value: '1488_228'
+          ports:
+            - name: udp
+              containerPort: 30814
+              protocol: UDP
+            - containerPort: 30814
+              name: tcp
+              protocol: TCP

k8s/games/beam-ng/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - deployments.yaml
+  - services.yaml
+

k8s/games/beam-ng/services.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: beam-ng
+spec:
+  externalIPs:
+    - 138.201.61.182
+  selector:
+    app: beam-ng
+  ports:
+    - protocol: TCP
+      name: tcp
+      port: 30814
+      targetPort: 30814
+    - protocol: UDP
+      name: udp
+      port: 30814
+      targetPort: 30814
+

k8s/games/counter-strike-16/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: counter-strike-16
+  namespace: argocd
+spec:
+  project: games
+  destination:
+    namespace: counter-strike
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/games/counter-strike-16
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/games/counter-strike-16/deployments.yaml

@@ -0,0 +1,81 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cs16-server-config
+data:
+  MAXPLAYERS: "10"
+  START_MAP: "fy_pool_day"
+  SERVER_NAME: "GEYMERSKIY SOYUZ"
+  START_MONEY: "1000"
+  BUY_TIME: "0.25"
+  FRIENDLY_FIRE: "1"
+  SERVER_PASSWORD: ""
+  RCON_PASSWORD: ""
+  ADMIN_STEAM: "0:0:27591350"
+  RESTART_ON_FAIL: "true"
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: counter-strike-16
+  labels:
+    app: counter-strike-16
+spec:
+  selector:
+    matchLabels:
+      app: counter-strike-16
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: counter-strike-16
+    spec:
+      nodeSelector:
+        #kubernetes.io/hostname: home.homenet
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      terminationGracePeriodSeconds: 10
+      containers:
+        - name: prom-a2s-exporter
+          image: armsnyder/a2s-exporter:latest
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "200m"
+          ports:
+            - containerPort: 9841
+              protocol: TCP
+          args:
+            - --address
+            - cs.hexor.cy:30015
+        - name: counter-strike-16
+          image: 'kingk0der/counter-strike-1.6:latest'
+          resources:
+            requests:
+              memory: "512Mi"
+              cpu: "200m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          args:
+            - +log
+            - -port
+            - "30015"
+          envFrom:
+          - configMapRef:
+              name: cs16-server-config
+          ports:
+          - containerPort: 26900
+            protocol: UDP
+          - containerPort: 27020
+            protocol: UDP
+          - containerPort: 30015
+            protocol: UDP
+          - containerPort: 30015
+            protocol: TCP

k8s/games/counter-strike-16/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - deployments.yaml
+  - services.yaml
+

k8s/games/counter-strike-16/services.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: counter-strike-16-lb
+spec:
+  type: LoadBalancer
+  selector:
+    app: counter-strike-16
+  ports:
+  - name: game-udp
+    port: 30015
+    targetPort: 30015
+    protocol: UDP
+    nodePort: 30015
+  - name: game-tcp
+    port: 30015
+    targetPort: 30015
+    protocol: TCP
+    nodePort: 30015
+  - name: rcon
+    port: 27020
+    targetPort: 27020
+    protocol: UDP
+    nodePort: 30020
+  - name: hltv
+    port: 26900
+    targetPort: 26900
+    protocol: UDP
+    nodePort: 30900
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prom-a2s-exporter
+  labels:
+    app: counter-strike-16
+spec:
+  selector:
+    app: counter-strike-16
+  ports:
+    - name: metrics
+      port: 9841
+      targetPort: 9841
+      protocol: TCP
+  type: ClusterIP

k8s/games/minecraft/deployments.yaml

@@ -6,35 +6,64 @@ metadata:
   namespace: minecraft
 data:
   nginx.conf: |
-    user  nginx;
+    user nginx;
-    worker_processes  1;
+    worker_processes 1;
+    error_log /var/log/nginx/error.log warn;
+    pid /var/run/nginx.pid;
+
     events {
-      worker_connections  1024;
+        worker_connections 1024;
     }
+
     http {
-      server {
+        include /etc/nginx/mime.types;
-        listen 80;
+        default_type application/octet-stream;
         
-        location / {
+        server {
-          proxy_pass http://localhost:8123;
+            listen 80;
-          sub_filter 'Minecraft Dynamic Map' "Hexor's MC server";
+            
-          sub_filter "</body>" '<p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">Get <a href="https://github.com/PrismLauncher/PrismLauncher/releases/tag/8.4" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server. Server address <b>minecraft.hexor.cy:30565</b></p></body>';
+            # Custom 502 error page with auto-refresh
-          sub_filter_once off;
+            error_page 502 /502.html;
+            location = /502.html {
+                internal;
+                return 200 '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Server Loading</title><style>body{font-family:Arial,sans-serif;text-align:center;margin-top:100px;background:#f0f0f0}h1{color:#333}p{color:#666;font-size:18px}</style></head><body><h1>Server is loading probably...</h1><p>Please wait a moment and try refreshing the page.</p><script>setTimeout(function(){window.location.reload();}, 10000);</script></body></html>';
+                add_header Content-Type text/html;
+            }
+            
+            # Main location - proxy to Minecraft Dynmap
+            location / {
+                # Proxy configuration for Dynmap server
+                proxy_pass http://localhost:8123;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                
+                # Inject user authentication meta tag into HTML head
+                sub_filter '<head>' '<head><meta name="remote-user" content="$http_x_authentik_username">';
+                
+                # Replace default Dynmap title with custom server name
+                sub_filter 'Minecraft Dynamic Map' "Hexor's MC server";
+                
+                # Inject all custom content before closing body tag (single replacement)
+                sub_filter "</body>" '<script>function getUsername(){var headers=document.querySelectorAll("meta");for(var i=0;i<headers.length;i++){if(headers[i].getAttribute("name")==="remote-user"){return headers[i].getAttribute("content");}}var jwt=document.cookie.split("; ").find(row=>row.startsWith("authentik_session="));if(jwt){try{var token=jwt.split("=")[1];var payload=JSON.parse(atob(token.split(".")[1]));return payload.sub||payload.username||"web-user";}catch(e){}}return "web-user";}var username=getUsername();console.log("Username found:", username);if(username && username!=="web-user" && window.location.search.indexOf("playername=")===-1){var currentUrl=new URL(window.location.href);currentUrl.searchParams.set("playername",username);console.log("Redirecting to:", currentUrl.href);window.location.href=currentUrl.href;}document.addEventListener("DOMContentLoaded",function(){var userBlock=document.createElement("div");userBlock.style.cssText="background-color: #CEC6CB; color: black; padding: 8px; text-align: center; font-size: medium; border-radius: 4px; position: absolute; top: 10px; right: 150px; max-width: 200px;";userBlock.innerHTML="Logged in as: <b>"+username+"</b>";document.body.appendChild(userBlock);});</script><p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">GEYMERSKIY SOYUZ Server <br>Get <a href="https://github.com/PrismLauncher/PrismLauncher/releases/tag/8.4" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server. Server address <b>minecraft.hexor.cy:30565</b><br><br><a href="#" onclick="showInstallModal(); return false;" style="color: black; text-decoration: underline;">Windows Install Script</a></p><div id="installModal" style="display: none; position: fixed; z-index: 1000; left: 0; top: 0; width: 100%; height: 100%; background-color: rgba(0,0,0,0.5);"><div style="background-color: #CEC6CB; margin: 15% auto; padding: 10px; border-radius: 4px; width: 70%; max-width: 500px; text-align: center; color: black; font-size: large;"><h3 style="margin-top: 0; color: black;">Windows Installation</h3><p style="color: black;">Copy and paste this command into PowerShell:</p><textarea id="scriptCommand" readonly style="width: 90%; height: 60px; font-family: monospace; padding: 8px; border: 1px solid #888; border-radius: 4px; resize: none; background-color: white; color: black;">iwr -useb https://minecraft.hexor.cy/clients/win-install.ps1 | iex</textarea><br><br><button id="copyButton" onclick="copyToClipboard()" style="background-color: #CEC6CB; color: black; padding: 10px 15px; border: 1px solid #888; border-radius: 4px; cursor: pointer; margin-right: 10px; font-size: large; text-decoration: none;">Copy</button><button onclick="closeInstallModal()" style="background-color: #CEC6CB; color: black; padding: 10px 15px; border: 1px solid #888; border-radius: 4px; cursor: pointer; font-size: large; text-decoration: none;">Close</button></div></div><script>function showInstallModal() { document.getElementById("installModal").style.display = "block"; } function closeInstallModal() { document.getElementById("installModal").style.display = "none"; } function copyToClipboard() { var textarea = document.getElementById("scriptCommand"); textarea.select(); textarea.setSelectionRange(0, 99999); if (document.execCommand("copy")) { var button = document.getElementById("copyButton"); button.style.borderColor = "#4CAF50"; setTimeout(function() { button.style.borderColor = "#888"; }, 2000); } } window.onclick = function(event) { var modal = document.getElementById("installModal"); if (event.target == modal) { closeInstallModal(); } }</script></body>';
+                
+                # Apply sub_filter replacements globally (not just once)
+                sub_filter_once off;
+            }
+            
+            # Static file serving for client downloads
+            location /clients/ {
+                alias /mc/clients/;
+                sendfile on;                          # Enable efficient file serving
+                add_header Content-Disposition "attachment";  # Force download
+                autoindex on;                         # Enable directory listing
+                gzip off;                            # Disable compression for downloads
+                chunked_transfer_encoding off;       # Disable chunked encoding
+            }
         }
-        location /clients/ {
-            types { }
-            sendfile           on;
-            tcp_nopush on;
-            tcp_nodelay       on;
-            keepalive_timeout 65;
-            sendfile_max_chunk 1m;
-            default_type application/zip;
-            add_header Content-Disposition "attachment";
-            alias /mc/clients/;
-            autoindex on;
-        }
-      }
     }
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -68,22 +97,12 @@ spec:
 
       terminationGracePeriodSeconds: 10
       containers:
-        - name: nginx
-          image: nginx:latest
-          ports:
-            - containerPort: 80
-          volumeMounts:
-            - name: nginx-config
-              mountPath: /etc/nginx/nginx.conf
-              subPath: nginx.conf
-            - name: storage
-              mountPath: /mc
         - name: minecraft
           image: 'openjdk:8-jdk-alpine'
           command: ["java"]
           args:
-            - -Xms12G
+            - -Xms4G
-            - -Xmx12G
+            - -Xmx4G
             - -XX:+UseG1GC
             - -XX:+ParallelRefProcEnabled
             - -XX:MaxGCPauseMillis=200
@@ -107,12 +126,12 @@ spec:
             - nogui
           workingDir: /mc/
           resources:
-              limits:
+            requests:
-                memory: 15Gi
+              memory: "8Gi"
-                #cpu: 1
+              cpu: "2000m"
-              requests:
+            limits:
-                memory: 10Gi
+              memory: "12Gi"
-                #cpu: 100m
+              cpu: "4000m"
           ports:
             - name: game
               containerPort: 25565
@@ -120,9 +139,29 @@ spec:
             - name: dynmap
               containerPort: 8123
               protocol: TCP
+            - name: webstatus-mod
+              containerPort: 8080
+              protocol: TCP
           volumeMounts:
             - name: storage
               mountPath: /mc
+        - name: nginx
+          image: nginx:latest
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: nginx-config
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+            - name: storage
+              mountPath: /mc
 
 ---
 apiVersion: v1

k8s/games/minecraft/ingress.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dynmap-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: minecraft.hexor.cy
+      http:
+        paths:
+          - path: /clients/
+            pathType: Prefix
+            backend:
+              service:
+                name: minecraft
+                port:
+                  number: 80
+  tls:
+    - secretName: dynmap-tls
+      hosts:
+        - minecraft.hexor.cy
+

k8s/games/minecraft/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
   - app.yaml
   - deployments.yaml
   - services.yaml
-
+  #- ingress.yaml

k8s/games/minecraft/services.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: minecraft-dynmap
-  namespace: minecraft
 spec:
   selector:
     app: minecraft
@@ -12,12 +11,24 @@ spec:
       port: 80
       targetPort: 80
 
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: minecraft-webstatus-mod
+spec:
+  selector:
+    app: minecraft
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: minecraft-game
-  namespace: minecraft
 spec:
   type: LoadBalancer
   ports: