Disable proxy protocol

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

manifests/_apps/auth-proxy.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-proxy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: auth-proxy
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/auth-proxy
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/base64.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: base64
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: base64
+    name: civo
+  source:
+    path: manifests/base64
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/blackhole.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: blackhole
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/blackhole
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/blog.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: blog
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: blog
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/blog
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/certmanager_chart.yaml

@@ -0,0 +1,74 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/certmanager_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: civo
+  source:
+    path: manifests/certmanager-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: cluster-fun (scaleway)
+  source:
+    repoURL: 'https://charts.jetstack.io'
+    targetRevision: 1.6.1
+    chart: cert-manager
+    helm:
+      version: v3
+      values: |-
+        installCRDs: "true"
+        resources:
+          requests:
+            memory: 32Mi
+          limits:
+            memory: 64Mi
+  syncPolicy:
+    automated: {}

manifests/_apps/cors-proxy.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cors-proxy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cors-proxy
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/cors-proxy
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/cv.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cv
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cv
+    name: civo
+  source:
+    path: manifests/cv
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/dashboard.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dashboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: dashboard
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/dashboard
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/feed-fetcher.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: feed-fetcher
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: feed-fetcher
+    name: civo
+  source:
+    path: manifests/feed-fetcher
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/focalboard.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: focalboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: focalboard
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/focalboard
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/git-sync.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: git-sync
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: git-sync
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/git-sync
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/gitea.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: gitea
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/gitea
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/goplayground.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: goplayground
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: goplayground
+    name: civo
+  source:
+    path: manifests/goplayground
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/link.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: link
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: link
+    name: civo
+  source:
+    path: manifests/link
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true

manifests/_apps/marcusnoble.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: marcusnoble
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: marcusnoble
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/marcusnoble
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/mastodon-digest.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mastodon-digest
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mastodon-digest
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/mastodon-digest
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/mastodon-to-airtable.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mastodon-to-airtable
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mastodon-to-airtable
+    name: civo
+  source:
+    path: manifests/mastodon-to-airtable
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/matrix_chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: matrix
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: chat
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/matrix_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+
+---

manifests/_apps/mealie.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mealie
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mealie
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/mealie
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/monitoring-civo.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: monitoring
+    name: civo
+  source:
+    path: manifests/monitoring-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/monitoring.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: monitoring
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/monitoring
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/nextcloud_chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: nextcloud
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nextcloud_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/nginx-lb.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx-lb
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nginx-lb
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/nodered.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nodered
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: node-red
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nodered
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/opengraph-image-gen.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opengraph
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: opengraph
+    name: civo
+  source:
+    path: manifests/opengraph
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/outline.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: outline
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: outline
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/outline
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/paradoxfox.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: paradoxfox
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: paradoxfox
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/paradoxfox
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+    - /stringData
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/proxy-civo.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proxy-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: proxy-civo
+    name: civo
+  source:
+    path: manifests/proxy-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/qr.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: qr
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: qr
+    name: civo
+  source:
+    path: manifests/qr
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/redis.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redis
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: redis
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/redis
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/reloader.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: reloader
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    repoURL: 'https://stakater.github.io/stakater-charts'
+    targetRevision: v0.0.89
+    chart: reloader
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/rss.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rss
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: rss
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/rss
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/skooner.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: skooner
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: skooner
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/skooner
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/starling.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: starling
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: starling
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/starling
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/svg-to-dxf.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: svg-to-dxf
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: svg-to-dxf
+    name: civo
+  source:
+    path: manifests/svg-to-dxf
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/talks.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: talks
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: talks
+    name: civo
+  source:
+    path: manifests/talks
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/tank.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tank
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: tank
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/tank
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/text-to-dxf.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: text-to-dxf
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: text-to-dxf
+    name: civo
+  source:
+    path: manifests/text-to-dxf
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/til.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: til
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: til
+    name: civo
+  source:
+    path: manifests/til
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/traefik.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: civo
+  source:
+    path: manifests/traefik
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/tweetsvg.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tweetsvg
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: tweetsvg
+    name: civo
+  source:
+    path: manifests/tweetsvg
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/twitter-profile-pic.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: twitter-profile-pic
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: twitter-profile-pic
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/twitter-profile-pic
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/twitter-to-airtable.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: twitter-to-airtable
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: twitter-to-airtable
+    name: civo
+  source:
+    path: manifests/twitter-to-airtable
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image

manifests/_apps/wallabag.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wallabag
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: wallabag
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/wallabag
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/weave-net.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: weave-net
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/weave-net
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}

manifests/auth-proxy/auth-proxy.yaml

@@ -0,0 +1,200 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth-proxy
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth
+  namespace: auth-proxy
+  annotations:
+    kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-auth-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-auth-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      serviceAccountName: tailscale-auth-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      initContainers:
+      - name: sysctler
+        image: busybox
+        securityContext:
+          privileged: true
+        command: ["/bin/sh"]
+        args:
+          - -c
+          - |
+            sysctl -w net.ipv4.ip_forward=1
+            sysctl -w net.ipv6.conf.all.forwarding=1
+            sysctl -w net.ipv6.conf.all.disable_ipv6=0
+        resources:
+          requests:
+            cpu: 1m
+            memory: 1Mi
+      containers:
+      - name: oauth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+        args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
+        - --http-address=0.0.0.0:8080
+        - --email-domain=*
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        - --cookie-expire=336h0m0s
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: auth-proxy
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: auth-proxy
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.29
+        imagePullPolicy: Always
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-auth-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=auth-proxy-oauth2"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: auth-proxy
+  type: ClusterIP

manifests/auth-proxy/ingress.yaml

@@ -0,0 +1,179 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - downloads.cluster.fun
+    - argo.cluster.fun
+    - code.cluster.fun
+    - jackett.cluster.fun
+    - printer.cluster.fun
+    - ender3pro.printer.cluster.fun
+    - flsunq5.printer.cluster.fun
+    - elegoomars2.printer.cluster.fun
+    - radarr.cluster.fun
+    - readarr.cluster.fun
+    - sonarr.cluster.fun
+    - lidarr.cluster.fun
+    - prowlarr.cluster.fun
+    - transmission.cluster.fun
+    - tekton.cluster.fun
+    secretName: auth-proxy-ingress
+  rules:
+  - host: downloads.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: argo.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: code.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: jackett.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: ender3pro.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: flsunq5.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: elegoomars2.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: radarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: readarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: sonarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: lidarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: prowlarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: transmission.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: tekton.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http

manifests/auth-proxy/internal-proxy.yaml

@@ -0,0 +1,231 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: host-mappings
+  namespace: auth-proxy
+  labels:
+    app: proxy
+data:
+  mapping.json: |
+    {
+      "tekton-el.auth-proxy.svc": "tekton-el.cluster.local",
+      "home.auth-proxy.svc": "home.cluster.local",
+      "home.cluster.fun": "home.cluster.local",
+      "vmcluster.auth-proxy.svc": "vmcluster.cluster.local",
+      "loki.auth-proxy.svc": "loki-write.cluster.local",
+      "loki.auth-proxy.svc:80": "loki-write.cluster.local",
+      "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
+      "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-internal-proxy
+  namespace: auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-internal-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-internal-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-internal-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+  annotations:
+    configmap.reloader.stakater.com/reload: "host-mappings"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      serviceAccountName: tailscale-internal-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      containers:
+      - name: proxy
+        image: rg.fr-par.scw.cloud/averagemarcus/proxy:latest
+        imagePullPolicy: Always
+        env:
+        - name: PROXY_DESTINATION
+          value: talos.averagemarcus.github.beta.tailscale.net
+        - name: PORT
+          value: "8080"
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - name: host-mappings
+          mountPath: /config/
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.29
+        imagePullPolicy: Always
+        tty: true
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-internal-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=auth-proxy-internal-proxy"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+      volumes:
+      - name: host-mappings
+        configMap:
+          name: host-mappings
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tekton-el
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki-distributed
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vmcluster
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---

manifests/auth-proxy/non-auth-proxy.yaml

@@ -0,0 +1,211 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-non-auth-proxy
+  namespace: auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-non-auth-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-non-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-non-auth-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: non-auth-proxy
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: non-auth-proxy
+  template:
+    metadata:
+      labels:
+        app: non-auth-proxy
+    spec:
+      serviceAccountName: tailscale-non-auth-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      containers:
+      - name: oauth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+        args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
+        - --http-address=0.0.0.0:8080
+        - --email-domain=*
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        - --cookie-expire=336h0m0s
+        - --trusted-ip=0.0.0.0/0
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: auth-proxy
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: auth-proxy
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.29
+        imagePullPolicy: Always
+        tty: true
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-non-auth-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=non-auth-proxy"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: non-auth-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: non-auth-proxy
+  type: ClusterIP
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - home.cluster.fun
+    - tasks.cluster.fun
+    - api.tasks.cluster.fun
+    secretName: non-auth-proxy-ingress
+  rules:
+  - host: home.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http
+  - host: tasks.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http
+  - host: api.tasks.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http

manifests/base64/base64.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: base64
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: base64
+  template:
+    metadata:
+      labels:
+        app: base64
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/base64:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 5Mi
+          requests:
+            memory: 5Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: base64
+  namespace: base64
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - base64.cluster.fun
+    secretName: base64-ingress
+  rules:
+  - host: base64.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: base64
+            port:
+              number: 80

manifests/blackhole/blackhole.yaml

@@ -37,12 +37,11 @@ spec:
         resources:
           limits:
             memory: 10Mi
-
           requests:
             memory: 10Mi
 
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: black-hole
@@ -52,6 +51,9 @@ spec:
   - http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: black-hole
-          servicePort: 80
+          service:
+            name: black-hole
+            port:
+              number: 80

manifests/blog/blog.yaml

@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: blog
----
-apiVersion: v1
 kind: Service
 metadata:
   name: blog
@@ -34,7 +29,7 @@ spec:
     spec:
       containers:
       - name: web
-        image: docker.cluster.fun/averagemarcus/blog:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/blog:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 8000
@@ -44,18 +39,27 @@ spec:
             memory: 200Mi
           requests:
             memory: 200Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: web
+          initialDelaySeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: web
+          initialDelaySeconds: 10
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: blog
   namespace: blog
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - marcusnoble.co.uk
@@ -65,22 +69,24 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80
 
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: blog-www
   namespace: blog
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - www.marcusnoble.co.uk
@@ -90,22 +96,24 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80
 
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: blog-blog
   namespace: blog
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - blog.marcusnoble.co.uk
@@ -115,7 +123,10 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80
 

manifests/buzzers.yaml

@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: buzzers
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: buzzers
-  namespace: buzzers
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: buzzers
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: buzzers
-  namespace: buzzers
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: buzzers
-  template:
-    metadata:
-      labels:
-        app: buzzers
-    spec:
-      containers:
-      - name: web
-        image: docker.cluster.fun/averagemarcus/buzzers:latest
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 80
-          name: web
-        resources:
-          limits:
-            memory: 283Mi
-          requests:
-            memory: 283Mi
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: buzzers
-  namespace: buzzers
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - buzzers.cluster.fun
-    secretName: buzzers-ingress
-  rules:
-  - host: buzzers.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: buzzers
-          servicePort: 80

manifests/cctv.yaml

@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cctv
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: cctv-auth
-  template:
-    metadata:
-      labels:
-        app: cctv-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://inlets.inlets.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://cctv.cluster.fun/oauth2/callback
-        - --email-domain=*
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: cctv-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: cctv-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-        resources:
-          limits:
-            memory: 50Mi
-          requests:
-            memory: 50Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: cctv-auth
-  type: ClusterIP
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - cctv.cluster.fun
-    secretName: cctv-ingress
-  rules:
-  - host: cctv.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: cctv-auth
-          servicePort: 80

manifests/certmanager-civo/certmanager_chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    certmanager.k8s.io/disable-validation: "true"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@marcusnoble.co.uk
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: traefik

manifests/certmanager_chart.yaml

@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-  labels:
-    certmanager.k8s.io/disable-validation: "true"
-
----
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  chart:
-    repository: https://charts.jetstack.io
-    name: cert-manager
-    version: v0.15.0
-  maxHistory: 5
-  values:
-    installCRDs: "true"
-    resources:
-      requests:
-
-        memory: 32Mi
-      limits:
-
-        memory: 64Mi
-
----
-
-apiVersion: cert-manager.io/v1alpha2
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: letsencrypt@marcusnoble.co.uk
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-    - selector: {}
-      http01:
-        ingress:
-          class: traefik

manifests/certmanager_chart/certmanager_chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    certmanager.k8s.io/disable-validation: "true"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@marcusnoble.co.uk
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

manifests/cors-proxy/cors-proxy.yaml

@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: cors-proxy
----
-apiVersion: v1
 kind: Service
 metadata:
   name: cors-proxy
@@ -34,57 +29,45 @@ spec:
     spec:
       containers:
       - name: web
-        image: docker.cluster.fun/averagemarcus/cors-proxy:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/cors-proxy:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 8000
           name: web
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: cors-proxy
   namespace: cors-proxy
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - cors-proxy.cluster.fun
+    - cors-proxy.marcusnoble.co.uk
     secretName: cors-proxy-ingress
   rules:
   - host: cors-proxy.cluster.fun
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: cors-proxy
-          servicePort: 80
-
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cors-proxy-mn
-  namespace: cors-proxy
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - cors-proxy.marcusnoble.co.uk
-    secretName: cors-proxy-mn-ingress
-  rules:
+          service:
+            name: cors-proxy
+            port:
+              number: 80
   - host: cors-proxy.marcusnoble.co.uk
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: cors-proxy
-          servicePort: 80
+          service:
+            name: cors-proxy
+            port:
+              number: 80

manifests/cv/cv.yaml

@@ -1,13 +1,8 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: dashboard
----
-apiVersion: v1
 kind: Secret
 metadata:
   name: docker-config
-  namespace: dashboard
+  namespace: cv
   annotations:
     kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
     kube-1password/vault: Kubernetes
@@ -19,8 +14,8 @@ data:
 apiVersion: v1
 kind: Service
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
 spec:
   type: ClusterIP
   ports:
@@ -28,58 +23,62 @@ spec:
     targetPort: web
     name: web
   selector:
-    app: dashboard
+    app: cv
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: dashboard
+      app: cv
   template:
     metadata:
       labels:
-        app: dashboard
+        app: cv
     spec:
       imagePullSecrets:
         - name: docker-config
       containers:
       - name: web
-        image: docker.cluster.fun/private/dashboard:latest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/cv:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 80
           name: web
         resources:
           limits:
-            memory: 50Mi
+            memory: 10Mi
           requests:
-            memory: 50Mi
+            memory: 10Mi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
   tls:
   - hosts:
-    - dash.cluster.fun
-    secretName: dashboard-ingress
+    - cv.marcusnoble.co.uk
+    secretName: cv-ingress
   rules:
-  - host: dash.cluster.fun
+  - host: cv.marcusnoble.co.uk
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: dashboard
-          servicePort: 80
+          service:
+            name: cv
+            port:
+              number: 80

manifests/dashboard/dashboard.yaml

@@ -0,0 +1,131 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: dashboard
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dashboard-auth
+  namespace: dashboard
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dashboard
+  namespace: dashboard
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: dashboard
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dashboard
+  namespace: dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dashboard
+  template:
+    metadata:
+      labels:
+        app: dashboard
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:80
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://dash.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: dashboard-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: dashboard-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus-private/dashboard:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dashboard
+  namespace: dashboard
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dash.cluster.fun
+    secretName: dashboard-ingress
+  rules:
+  - host: dash.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: dashboard
+            port:
+              number: 80

manifests/downloads.yaml

@@ -1,115 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: downloads
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: downloads-auth
-  template:
-    metadata:
-      labels:
-        app: downloads-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://inlets.inlets.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://downloads.cluster.fun/oauth2/callback
-        - --email-domain=*
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: downloads-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: downloads-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-        resources:
-          limits:
-            memory: 250Mi
-          requests:
-            memory: 250Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: downloads-auth
-  type: ClusterIP
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - downloads.cluster.fun
-    secretName: downloads-ingress
-  rules:
-  - host: downloads.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: downloads-auth
-          servicePort: 80
-

manifests/feed-fetcher/feed-fetcher.yaml

@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: feed-fetcher
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: feed-fetcher
+  template:
+    metadata:
+      labels:
+        app: feed-fetcher
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/feed-fetcher:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - feed-fetcher.cluster.fun
+    secretName: feed-fetcher-ingress
+  rules:
+  - host: feed-fetcher.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: feed-fetcher
+            port:
+              number: 80
+

manifests/focalboard/focalboard.yaml

@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    kube-1password: dpszqviipd5tkls5bajzeb56ui
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.json
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app.kubernetes.io/name: focalboard
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    secret.reloader.stakater.com/reload: "focalboard"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: focalboard
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: focalboard
+    spec:
+      containers:
+      - name: focalboard
+        image: mattermost/focalboard:7.4.4
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8000
+          name: web
+        env:
+        - name: FOCALBOARD_PORT
+          value: "8000"
+        - name: VIRTUAL_HOST
+          value: "localhost"
+        - name: VIRTUAL_PORT
+          value: "8000"
+        - name: VIRTUAL_PROTO
+          value: "http"
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        - name: config
+          mountPath: /opt/focalboard/config.json
+          subPath: config.json
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: focalboard
+      - name: config
+        secret:
+          secretName: focalboard
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  tls:
+    - hosts:
+      - focalboard.cluster.fun
+      secretName: focalboard-ingress
+  rules:
+  - host: focalboard.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: focalboard
+            port:
+              number: 80

manifests/git-sync/git-sync.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-github
+  namespace: git-sync
+  annotations:
+    kube-1password: cfo2ufhgem57clbscxetxgevue
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitea
+  namespace: git-sync
+  annotations:
+    kube-1password: b7kpdlcvt7y63bozu3i4j4lojm
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitlab
+  namespace: git-sync
+  annotations:
+    kube-1password: t47v3xdgadiifgoi4wmqibrlty
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-bitbucket
+  namespace: git-sync
+  annotations:
+    kube-1password: adrki45krr2tq34sug7dhdk5iy
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-codeberg
+  namespace: git-sync
+  annotations:
+    kube-1password: 5ynzgk6qcgshztkjbddwalixfq
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: git-sync
+  namespace: git-sync
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    metadata:
+      labels:
+        cronjob: git-sync
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: rg.fr-par.scw.cloud/averagemarcus/git-sync:latest
+            imagePullPolicy: Always
+            env:
+            - name: GITHUB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-github
+                  key: token
+            - name: GITEA_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitea
+                  key: token
+            - name: GITLAB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitlab
+                  key: token
+            - name: BITBUCKET_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-bitbucket
+                  key: token
+            - name: CODEBERG_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-codeberg
+                  key: token
+          restartPolicy: Never

manifests/gitea/gitea.yaml

@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
----
-apiVersion: v1
 kind: Secret
 metadata:
   name: gitea-secret-key
@@ -47,7 +42,7 @@ spec:
     spec:
       containers:
       - name: git
-        image: gitea/gitea:1.11
+        image: gitea/gitea:1.17.3
         env:
         - name: APP_NAME
           value: "Git"
@@ -69,6 +64,8 @@ spec:
           value: "20"
         - name: DEFAULT_THEME
           value: arc-green
+        - name: ALLOWED_HOST_LIST
+          value: "*"
         - name: SECRET_KEY
           valueFrom:
             secretKeyRef:
@@ -94,17 +91,17 @@ spec:
         requests:
           storage: 20Gi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: git
   namespace: gitea
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - git.cluster.fun
@@ -114,6 +111,9 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: git
-          servicePort: 80
+          service:
+            name: git
+            port:
+              number: 80

manifests/goplayground/goplayground.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: goplayground
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: goplayground
+  template:
+    metadata:
+      labels:
+        app: goplayground
+    spec:
+      containers:
+      - name: web
+        image: x1unix/go-playground:1.12.0
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8000
+          name: web
+        resources:
+          limits:
+            memory: 20Mi
+          requests:
+            memory: 20Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: goplayground
+  namespace: goplayground
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - go.cluster.fun
+    secretName: goplayground-ingress
+  rules:
+  - host: go.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: goplayground
+            port:
+              number: 80
+

manifests/harbor_chart.yaml

@@ -1,57 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: harbor
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: harbor-values
-  namespace: harbor
-  annotations:
-    kube-1password: igey7vjjiqmj25v64eck7cyj34
-    kube-1password/vault: Kubernetes
-    kube-1password/secret-text-key: values.yaml
-type: Opaque
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: harbor
-  namespace: harbor
-spec:
-  chart:
-    repository: https://helm.goharbor.io
-    name: harbor
-    version: 1.3.2
-  maxHistory: 4
-  skipCRDs: false
-  valuesFrom:
-  - secretKeyRef:
-      name: harbor-values
-      namespace: harbor
-      key: values.yaml
-      optional: false
-  values:
-    portal:
-      resources:
-        requests:
-          memory: 64Mi
-    core:
-      resources:
-        requests:
-          memory: 64Mi
-    jobservice:
-      resources:
-        requests:
-          memory: 64Mi
-    registry:
-      registry:
-        resources:
-          requests:
-            memory: 64Mi
-      controller:
-        resources:
-          requests:
-            memory: 64Mi
-

manifests/inlets.yaml

@@ -1,103 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: inlets
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: inlets
-  namespace: inlets
-  annotations:
-    kube-1password: podju6t2s2osc3vbkimyce25ti
-    kube-1password/vault: Kubernetes
-    kube-1password/password-key: token
-type: Opaque
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: inlets
-  namespace: inlets
-  labels:
-    app: inlets
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-      protocol: TCP
-      targetPort: 8000
-  selector:
-    app: inlets
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: inlets
-  namespace: inlets
-  labels:
-    app: inlets
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: inlets
-  template:
-    metadata:
-      labels:
-        app: inlets
-    spec:
-      containers:
-      - name: inlets
-        image: inlets/inlets:2.7.0
-        imagePullPolicy: Always
-        command: ["inlets"]
-        args:
-        - "server"
-        - "--token-from=/var/inlets/token"
-        volumeMounts:
-          - name: inlets-token-volume
-            mountPath: /var/inlets/
-      volumes:
-        - name: inlets-token-volume
-          secret:
-            secretName: inlets
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: inlets
-  namespace: inlets
-spec:
-  rules:
-  - host: inlets.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: inlets
-          servicePort: 80
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: pyload
-  namespace: inlets
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - pyload.cluster.fun
-    secretName: pyload-ingress
-  rules:
-  - host: pyload.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: inlets
-          servicePort: 80

manifests/kube-janitor.yaml

@@ -1,107 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kube-janitor
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-janitor
-  namespace: kube-janitor
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kube-janitor
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-- apiGroups:
-  - "*"
-  resources:
-  - "*"
-  verbs:
-  - get
-  - watch
-  - list
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kube-janitor
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kube-janitor
-subjects:
-- kind: ServiceAccount
-  name: kube-janitor
-  namespace: kube-janitor
----
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kube-janitor
-  namespace: kube-janitor
-data:
-  rules.yaml: |-
-    rules:
-      - id: tekton-tasks
-        resources:
-          - pods
-          - pipelineruns
-        jmespath: "(metadata.labels.\"tekton.dev/pipeline\")"
-        ttl: 3h
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: kube-janitor
-    version: v20.4.1
-  name: kube-janitor
-  namespace: kube-janitor
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      application: kube-janitor
-  template:
-    metadata:
-      labels:
-        application: kube-janitor
-        version: v20.4.1
-    spec:
-      serviceAccountName: kube-janitor
-      containers:
-      - name: janitor
-        image: hjacobs/kube-janitor:20.4.1
-        args:
-          - --interval=15
-          - --rules-file=/config/rules.yaml
-          - --include-namespaces=tekton-pipelines
-          - --include-resources=pods
-        resources:
-          limits:
-            memory: 100Mi
-          requests:
-            memory: 100Mi
-        securityContext:
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 1000
-        volumeMounts:
-          - name: config-volume
-            mountPath: /config
-      volumes:
-      - name: config-volume
-        configMap:
-          name: kube-janitor

manifests/link/link.yaml

@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: urls-map
+  namespace: link
+  labels:
+    app: link
+data:
+  urls.yaml: |
+    mn: https://marcusnoble.co.uk
+    whites: https://twitter.com/whites11/status/1484053621448785920
+    devopsnotts22: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
+    kubernetes-cool: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
+    klustered: https://gist.githubusercontent.com/AverageMarcus/e58301ecf3455caa1638c3ffe70ed138/raw/klustered.sh
+    wonders-and-woes: https://noti.st/averagemarcus/sWywEJ/the-wonders-and-woes-of-webhooks
+    kubehuddle: https://noti.st/averagemarcus/TqCEd4/the-wonders-and-woes-of-webhooks
+    kcduk: https://noti.st/averagemarcus/fxN4gl/managing-kubernetes-without-losing-your-cool
+    wonders-and-woes-webinar: https://noti.st/averagemarcus/Hw2IXG/the-wonders-and-woes-of-webhooks
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: link
+  namespace: link
+  labels:
+    app: link
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: link
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: link
+  namespace: link
+  labels:
+    app: link
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: link
+  template:
+    metadata:
+      labels:
+        app: link
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/link:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 5050
+          name: web
+        volumeMounts:
+          - name: config
+            mountPath: /config
+      volumes:
+        - name: config
+          configMap:
+            name: urls-map
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: link
+  namespace: link
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - go-get.link
+    secretName: link-ingress
+  rules:
+  - host: go-get.link
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: link
+            port:
+              number: 80

manifests/linx-server.yaml

@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: linx-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: linx-server
-  namespace: linx-server
-data:
-  linx-server.conf: |-
-    sitename = share
-    maxsize = 524288000
-    maxexpiry = 0
-    selifpath = f
-    nologs = false
-    force-random-filename = false
-    s3-endpoint = https://s3.fr-par.scw.cloud
-    s3-region = fr-par
-    s3-bucket = cluster.fun-linx
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: linx-server-s3
-  namespace: linx-server
-  annotations:
-    kube-1password: d5dgclm3qrxd4fntivv26ec3ee
-    kube-1password/vault: Kubernetes
-type: Opaque
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: linx-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: linx-server
-  template:
-    metadata:
-      labels:
-        app: linx-server
-    spec:
-      containers:
-      - name: web
-        image: andreimarcu/linx-server:version-2.3.5
-        imagePullPolicy: Always
-        args:
-          - -config
-          - /config/linx-server.conf
-        ports:
-        - containerPort: 8080
-          name: web
-        env:
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: username
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: password
-        volumeMounts:
-          - name: config
-            mountPath: /config
-      volumes:
-        - name: config
-          configMap:
-            name: linx-server
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: linx-server
-  namespace: linx-server
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - share.cluster.fun
-    secretName: linx-server-ingress
-  rules:
-  - host: share.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: linx-server
-          servicePort: 80

manifests/loki_chart.yaml

@@ -1,175 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: logging
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-credentials
-  namespace: logging
-  annotations:
-    kube-1password: wpynfxkdipeeacyfxkvtdsuj54
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: loki
-  namespace: logging
-spec:
-  chart:
-    repository: https://grafana.github.io/loki/charts
-    name: loki-stack
-    version: 0.36.2
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    fluent-bit:
-      enabled: "true"
-    promtail:
-      enabled: "true"
-    loki:
-      persistence:
-        enabled: "true"
-        size: 10Gi
-
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: grafana
-  namespace: logging
-spec:
-  chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
-    name: grafana
-    version: 5.0.22
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    image:
-      tag: 7.0.0
-    admin:
-      existingSecret: "grafana-credentials"
-      userKey: username
-      passwordKey: password
-    persistence:
-      enabled: "false"
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        datasources:
-        - name: Loki
-          type: loki
-          url: http://logging-loki.logging:3100
-          access: proxy
-          jsonData:
-            maxLines: 1000
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-auth
-  namespace: logging
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: grafana-auth
-  template:
-    metadata:
-      labels:
-        app: grafana-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://logging-grafana.logging.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://grafana.cluster.fun/oauth2/callback
-        - --email-domain=marcusnoble.co.uk
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: grafana-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: grafana-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: grafana-auth
-  type: ClusterIP
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - grafana.cluster.fun
-    secretName: grafana-ingress
-  rules:
-  - host: grafana.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: grafana-auth
-          servicePort: 80

manifests/marcusnoble/marcusnoble.yaml

@@ -0,0 +1,90 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: web
+  selector:
+    app: marcusnoble
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: marcusnoble
+  template:
+    metadata:
+      labels:
+        app: marcusnoble
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/marcusnoble:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+        # livenessProbe:
+        #   httpGet:
+        #     path: /healthz
+        #     port: web
+        #   initialDelaySeconds: 10
+        # readinessProbe:
+        #   httpGet:
+        #     path: /healthz
+        #     port: web
+        #   initialDelaySeconds: 10
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - marcusnoble.com
+    - www.marcusnoble.com
+    secretName: marcusnoble-ingress
+  rules:
+  - host: marcusnoble.com
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: marcusnoble
+            port:
+              number: 80
+  - host: www.marcusnoble.com
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: marcusnoble
+            port:
+              number: 80
+
+---

manifests/mastodon-digest/mastodon_digest.yaml

@@ -0,0 +1,229 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-digest-auth
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: bfklz3yi3dn4e7xtsbttcvhata
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  namespace: mastodon-digest
+  labels:
+    app: mastodon-digest
+data:
+  config.json: |
+    [
+      {
+        "timeline": "home",
+        "hours": 12,
+        "scorer": "ExtendedSimpleWeighted",
+        "threshold": "lax",
+        "output": "/usr/share/nginx/html/home/"
+      },
+      {
+        "timeline": "federated",
+        "hours": 12,
+        "scorer": "ExtendedSimpleWeighted",
+        "threshold": "lax",
+        "output": "/usr/share/nginx/html/federated/"
+      }
+    ]
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: index
+  namespace: mastodon-digest
+  labels:
+    app: mastodon-digest
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta chartset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <title>Mastodon Digest</title>
+        <style>
+        body { background-color: #292c36; font-family: "Arial", sans-serif; }
+        div#container { margin: auto; max-width: 640px; padding: 10px; text-align: center; margin: 0 auto; }
+        .links { align: center; }
+        h1 { color: white; }
+        a.button { background: #595aff; color: #fff; line-height: 1.2; min-height: 38px; min-width: 88px; padding: 0 30px; border: 0; border-radius: 6px;; display: inline-flex; justify-content: center; align-items: center; }
+    </style>
+    </head>
+    <body>
+        <div id="container">
+            <h1>Mastodon Digest</h1>
+            <section class="links">
+                <a href="home/" class="button">Home</a>
+                <a href="federated/" class="button">Federated</a>
+            </section>
+        </div>
+    </body>
+    </html>
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: mastodon-digest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mastodon-digest
+  template:
+    metadata:
+      labels:
+        app: mastodon-digest
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:80
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://mastodon-digest.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mastodon-digest-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mastodon-digest-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+
+      - name: web
+        image: nginx:stable
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - name: html
+          mountPath: /usr/share/nginx/html
+        - name: index
+          mountPath: /usr/share/nginx/html/index.html
+          subPath: index.html
+
+      - name: digest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-digest:latest
+        imagePullPolicy: Always
+        env:
+        - name: CONFIG_FILE
+          value: /config.json
+        envFrom:
+        - secretRef:
+            name: mastodon-digest
+        volumeMounts:
+        - name: config
+          mountPath: /config.json
+          subPath: config.json
+        - name: html
+          mountPath: /usr/share/nginx/html
+      volumes:
+      - name: html
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: config
+      - name: index
+        configMap:
+          name: index
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mastodon-digest.cluster.fun
+    secretName: mastodon-digest-ingress
+  rules:
+  - host: mastodon-digest.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mastodon-digest
+            port:
+              number: 80

manifests/mastodon-to-airtable/twitter-to-airtable.yaml

@@ -0,0 +1,151 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-to-airtable-auth
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: kizmkmbndgu3ryrox3csev4mim
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: mastodon-to-airtable
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mastodon-to-airtable
+  template:
+    metadata:
+      labels:
+        app: mastodon-to-airtable
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:8080
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://mastodon-to-airtable.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mastodon-to-airtable-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mastodon-to-airtable-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-to-airtable:latest
+        imagePullPolicy: Always
+        env:
+        - name: PORT
+          value: "8080"
+        envFrom:
+        - secretRef:
+            name: "mastodon-to-airtable"
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - mastodon-to-airtable.cluster.fun
+    secretName: mastodon-to-airtable-ingress
+  rules:
+  - host: mastodon-to-airtable.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mastodon-to-airtable
+            port:
+              number: 80

manifests/matrix_chart.yaml

@@ -1,255 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: chat
-
----
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: matrix
-  namespace: chat
-spec:
-  chart:
-    repository: https://dacruz21.github.io/helm-charts
-    name: matrix
-    version: 1.1.2
-  maxHistory: 4
-  values:
-    matrix:
-      serverName: "matrix.cluster.fun"
-      telemetry: false
-      hostname: "matrix.cluster.fun"
-      presence: true
-      blockNonAdminInvites: false
-      search: true
-      adminEmail: "matrix@marcusnoble.co.uk"
-      uploads:
-        maxSize: 100M
-        maxPixels: 32M
-      federation:
-        enabled: false
-        allowPublicRooms: false
-        blacklist:
-          - '127.0.0.0/8'
-          - '10.0.0.0/8'
-          - '172.16.0.0/12'
-          - '192.168.0.0/16'
-          - '100.64.0.0/10'
-          - '169.254.0.0/16'
-          - '::1/128'
-          - 'fe80::/64'
-          - 'fc00::/7'
-      registration:
-        enabled: false
-        allowGuests: false
-      urlPreviews:
-        enabled: true
-        rules:
-          maxSize: 4M
-          ip:
-            blacklist:
-              - '127.0.0.0/8'
-              - '10.0.0.0/8'
-              - '172.16.0.0/12'
-              - '192.168.0.0/16'
-              - '100.64.0.0/10'
-              - '169.254.0.0/16'
-              - '::1/128'
-              - 'fe80::/64'
-              - 'fc00::/7'
-
-    volumes:
-      media:
-        capacity: 4Gi
-      signingKey:
-        capacity: 1Gi
-
-    postgresql:
-      enabled: true
-      persistence:
-        size: 4Gi
-
-    synapse:
-      image:
-        repository: "matrixdotorg/synapse"
-        tag: v1.12.4
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 80
-      replicaCount: 1
-      resources: {}
-
-    riot:
-      enabled: true
-      integrations:
-        enabled: true
-        ui: "https://scalar.vector.im/"
-        api: "https://scalar.vector.im/api"
-        widgets:
-          - "https://scalar.vector.im/_matrix/integrations/v1"
-          - "https://scalar.vector.im/api"
-          - "https://scalar-staging.vector.im/_matrix/integrations/v1"
-          - "https://scalar-staging.vector.im/api"
-          - "https://scalar-staging.riot.im/scalar/api"
-      # Experimental features in riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md
-      labs:
-        - feature_pinning
-        - feature_custom_status
-        - feature_state_counters
-        - feature_many_integration_managers
-        - feature_mjolnir
-        - feature_dm_verification
-        - feature_bridge_state
-        - feature_presence_in_room_list
-        - feature_custom_themes
-      # Servers to show in the Explore menu (the current server is always shown)
-      roomDirectoryServers: []
-      # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance.
-      permalinkPrefix: "https://chat.cluster.fun"
-      image:
-        repository: "vectorim/riot-web"
-        tag: v1.6.0
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 80
-      replicaCount: 1
-      resources: {}
-
-    # Settings for Coturn TURN relay, used for routing voice calls
-    coturn:
-      enabled: false
-
-    mail:
-      enabled: false
-      relay:
-        enabled: false
-
-    bridges:
-      irc:
-        enabled: false
-      whatsapp:
-        enabled: false
-      discord:
-        enabled: false
-
-    networkPolicies:
-      enabled: false
-
-    ingress:
-      enabled: false
----
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: matrix
-  namespace: chat
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - matrix.cluster.fun
-    secretName: matrix-ingress
-  rules:
-  - host: matrix.cluster.fun
-    http:
-      paths:
-      - path: /.well-known/matrix
-        backend:
-          serviceName: well-known
-          servicePort: 80
-      - path: /
-        backend:
-          serviceName: chat-matrix-synapse
-          servicePort: 80
-
----
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: riot
-  namespace: chat
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - chat.cluster.fun
-    secretName: riot-ingress
-  rules:
-  - host: chat.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: chat-matrix-riot
-          servicePort: 80
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: well-known
-  namespace: chat
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: well-known
-  template:
-    metadata:
-      labels:
-        app: well-known
-    spec:
-      containers:
-      - name: web
-        image: nginx
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-          name: web
-        volumeMounts:
-        - name: well-known
-          mountPath: /usr/share/nginx/html/.well-known/matrix
-      volumes:
-      - name: well-known
-        configMap:
-          name: well-known
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: well-known
-  namespace: chat
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: 80
-    name: web
-  selector:
-    app: well-known
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: well-known
-  namespace: chat
-data:
-  server: |-
-    {
-      "m.server": "matrix.cluster.fun:443"
-    }

manifests/matrix_chart/matrix_chart.yaml

@@ -0,0 +1,577 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - matrix.cluster.fun
+    secretName: matrix-ingress
+  rules:
+  - host: matrix.cluster.fun
+    http:
+      paths:
+      - path: /.well-known/matrix
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: well-known
+            port:
+              number: 80
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-synapse
+            port:
+              number: 80
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: riot
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - chat.cluster.fun
+    secretName: riot-ingress
+  rules:
+  - host: chat.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-riot
+            port:
+              number: 80
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: well-known
+  namespace: chat
+  annotations:
+    configmap.reloader.stakater.com/reload: "well-known"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: well-known
+  template:
+    metadata:
+      labels:
+        app: well-known
+    spec:
+      containers:
+      - name: web
+        image: nginx
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - name: well-known
+          mountPath: /usr/share/nginx/html/.well-known/matrix
+        resources:
+          limits:
+            memory: 15Mi
+          requests:
+            memory: 15Mi
+      volumes:
+      - name: well-known
+        configMap:
+          name: well-known
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: well-known
+  namespace: chat
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 80
+    name: web
+  selector:
+    app: well-known
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: well-known
+  namespace: chat
+data:
+  server: |-
+    {
+      "m.server": "matrix.cluster.fun:443"
+    }
+
+
+---
+
+
+# Source: matrix/templates/riot/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-riot-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://matrix.cluster.fun"
+        }
+      },
+      "brand": "Element",
+      "branding": {},
+      "integrations_ui_url": "https://scalar.vector.im/",
+      "integrations_rest_url": "https://scalar.vector.im/api",
+      "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+      ],
+      "showLabsSettings": true,
+      "features": {
+        "feature_pinning": true,
+        "feature_custom_status": "labs",
+        "feature_state_counters": "labs",
+        "feature_many_integration_managers": "labs",
+        "feature_mjolnir": "labs",
+        "feature_dm_verification": "labs",
+        "feature_bridge_state": "labs",
+        "feature_presence_in_room_list": true,
+        "feature_custom_themes": "labs",
+        "feature_new_spinner": "labs",
+        "feature_jump_to_date": "labs",
+        "feature_location_share_pin_drop": "labs",
+        "feature_location_share_live": "labs",
+        "feature_thread": true,
+        "feature_video_rooms": true,
+        "feature_favourite_messages": "labs"
+      },
+      "roomDirectory": {
+        "servers": []
+      },
+      "permalinkPrefix": "https://chat.cluster.fun",
+      "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+      },
+      "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=2IerXP2a5g1e7hxxBbzs"
+    }
+  nginx.conf: |
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log warn;
+    pid        /var/run/pid/nginx.pid;
+
+    events {
+      worker_connections  1024;
+    }
+
+    http {
+      include       /etc/nginx/mime.types;
+      default_type  application/octet-stream;
+
+      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+      '$status $body_bytes_sent "$http_referer" '
+      '"$http_user_agent" "$http_x_forwarded_for"';
+
+      access_log  /var/log/nginx/access.log  main;
+
+      sendfile        on;
+
+      keepalive_timeout  65;
+
+      include /etc/nginx/conf.d/*.conf;
+    }
+  default.conf: |
+    server {
+      listen       8080;
+      server_name  localhost;
+
+      location / {
+          root   /usr/share/nginx/html;
+          index  index.html index.htm;
+      }
+
+      # redirect server error pages to the static page /50x.html
+      #
+      error_page   500 502 503 504  /50x.html;
+      location = /50x.html {
+          root   /usr/share/nginx/html;
+      }
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  annotations:
+    kube-1password: wbj4oozwyx6m2zz5m42pgcmymy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: homeserver.yaml
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  matrix.cluster.fun.log.config: |
+    version: 1
+
+    formatters:
+      precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+    filters:
+      context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+        filters: [context]
+
+    loggers:
+      synapse:
+        level: WARNING
+      synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: WARNING
+
+    root:
+      level: WARNING
+      handlers: [console]
+---
+# Source: matrix/templates/synapse/media-pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-media-store
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi
+---
+# Source: matrix/templates/synapse/signing-key-pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-signing-key
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+# Source: matrix/templates/riot/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: matrix-riot
+---
+# Source: matrix/templates/synapse/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/_synapse/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 9000
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: matrix-synapse
+---
+# Source: matrix/templates/riot/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-riot
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-riot
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: "riot"
+          image: "vectorim/element-web:v1.11.14"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /app/config.json
+              name: riot-config
+              subPath: config.json
+              readOnly: true
+            - mountPath: /etc/nginx/nginx.conf
+              name: riot-config
+              subPath: nginx.conf
+              readOnly: true
+            - mountPath: /etc/nginx/conf.d/default.conf
+              name: riot-config
+              subPath: default.conf
+              readOnly: true
+            - mountPath: /var/cache/nginx
+              name: ephemeral
+              subPath: cache
+            - mountPath: /var/run/pid
+              name: ephemeral
+              subPath: pid
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          startupProbe:
+            httpGet:
+              path: /
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: riot-config
+          configMap:
+            name: matrix-riot-config
+        - name: ephemeral
+          emptyDir: {}
+---
+# Source: matrix/templates/synapse/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-synapse
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-synapse
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: generate-signing-key
+          image: "matrixdotorg/synapse:v1.71.0"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SYNAPSE_SERVER_NAME
+              value: matrix.cluster.fun
+            - name: SYNAPSE_REPORT_STATS
+              value: "no"
+          command: ["python"]
+          args:
+            - "-m"
+            - "synapse.app.homeserver"
+            - "--config-path"
+            - "/data/homeserver.yaml"
+            - "--keys-directory"
+            - "/data/keys"
+            - "--generate-keys"
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+      containers:
+        - name: "synapse"
+          image: "matrixdotorg/synapse:v1.71.0"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8008
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: mautrix-whatsapp-registration
+              mountPath: /data/mautrix-whatsapp-registration.yaml
+              subPath: registration.yaml
+            - name: mautrix-signal-registration
+              mountPath: /data/mautrix-signal-registration.yaml
+              subPath: registration.yaml
+            - name: mautrix-telegram-registration
+              mountPath: /data/mautrix-telegram-registration.yaml
+              subPath: registration.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+            - name: media-store
+              mountPath: /data/media_store
+            - name: uploads
+              mountPath: /data/uploads
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          startupProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            failureThreshold: 6
+            periodSeconds: 5
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: synapse-config-logging
+          configMap:
+            name: matrix-synapse-config
+        - name: synapse-config-homeserver
+          secret:
+            secretName: matrix-synapse-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+        - name: mautrix-signal-registration
+          secret:
+            secretName: mautrix-signal-registration
+        - name: mautrix-telegram-registration
+          secret:
+            secretName: mautrix-telegram-registration
+        - name: signing-key
+          persistentVolumeClaim:
+            claimName: chat-matrix-signing-key
+        - name: media-store
+          persistentVolumeClaim:
+            claimName: chat-matrix-media-store
+        - name: uploads
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+---

manifests/matrix_chart/signal_bridge.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-signal-registration
+  namespace: chat
+  annotations:
+    kube-1password: z6tylu2br724gttcpfyi5egaui
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: registration.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-signal"
+    component: registration
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-signal-config
+  namespace: chat
+  annotations:
+    kube-1password: 5vfaorcudozlq4clkzgmzzszqe
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-signal"
+    component: config
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-signal
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: mautrix-signal
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 29328
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: mautrix-signal
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-signal
+  labels:
+    app.kubernetes.io/name: mautrix-signal
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-signal
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-signal
+    spec:
+      serviceAccountName: default
+      automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      enableServiceLinks: true
+      initContainers:
+      - name: config-copy
+        image: bash:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - -c
+          - |
+            cp /secrets/* /data/
+        volumeMounts:
+          - name: mautrix-signal-config
+            mountPath: /secrets/config.yaml
+            subPath: config.yaml
+          - name: mautrix-signal-registration
+            mountPath: /secrets/registration.yaml
+            subPath: registration.yaml
+          - name: data
+            mountPath: /data
+      containers:
+        - name: signald
+          image: docker.io/signald/signald:stable
+          imagePullPolicy: Always
+          volumeMounts:
+          - name: signald
+            mountPath: /signald
+        - name: mautrix-signal
+          image: "dock.mau.dev/mautrix/signal:v0.4.1"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "TZ"
+              value: "UTC"
+          ports:
+            - name: http
+              containerPort: 29328
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+          - name: signald
+            mountPath: /signald
+          - name: data
+            mountPath: /data
+          livenessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: signald
+          emptyDir: {}
+        - name: mautrix-signal-config
+          secret:
+            secretName: mautrix-signal-config
+        - name: mautrix-signal-registration
+          secret:
+            secretName: mautrix-signal-registration
+---

manifests/matrix_chart/telegram_bridge.yaml

@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-telegram-registration
+  namespace: chat
+  annotations:
+    kube-1password: dancy7ogc4gjlxhfntqejgudwi
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: registration.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-telegram"
+    component: registration
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-telegram-config
+  namespace: chat
+  annotations:
+    kube-1password: nilzdpfum35hhwijnwvasbzmcq
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-telegram"
+    component: config
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-telegram
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: mautrix-telegram
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 29318
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: mautrix-telegram
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-telegram
+  labels:
+    app.kubernetes.io/name: mautrix-telegram
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-telegram
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-telegram
+    spec:
+      serviceAccountName: default
+      automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      enableServiceLinks: true
+      initContainers:
+      - name: config-copy
+        image: bash:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - -c
+          - |
+            cp /secrets/* /data/
+        volumeMounts:
+          - name: mautrix-telegram-config
+            mountPath: /secrets/config.yaml
+            subPath: config.yaml
+          - name: mautrix-telegram-registration
+            mountPath: /secrets/registration.yaml
+            subPath: registration.yaml
+          - name: data
+            mountPath: /data
+      containers:
+        - name: mautrix-telegram
+          image: "dock.mau.dev/mautrix/telegram:v0.12.1"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "TZ"
+              value: "UTC"
+          ports:
+            - name: http
+              containerPort: 29318
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+          - name: data
+            mountPath: /data
+          livenessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: mautrix-telegram-config
+          secret:
+            secretName: mautrix-telegram-config
+        - name: mautrix-telegram-registration
+          secret:
+            secretName: mautrix-telegram-registration
+---

manifests/matrix_chart/whatsapp_bridge.yaml

@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-registration
+  namespace: chat
+  annotations:
+    kube-1password: x6lzkpyov4dem5jtk2kimyrnvy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: registration.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: registration
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-config
+  namespace: chat
+  annotations:
+    kube-1password: ji3e2el66bu56bml3kq3ghyojq
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: config
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-whatsapp
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 29318
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: mautrix-whatsapp
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-whatsapp
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-whatsapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-whatsapp
+    spec:
+      serviceAccountName: default
+      automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      enableServiceLinks: true
+      initContainers:
+      - name: config-copy
+        image: bash:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - -c
+          - |
+            cp /secrets/* /data/
+        volumeMounts:
+          - name: mautrix-whatsapp-config
+            mountPath: /secrets/config.yaml
+            subPath: config.yaml
+          - name: mautrix-whatsapp-registration
+            mountPath: /secrets/registration.yaml
+            subPath: registration.yaml
+          - name: data
+            mountPath: /data
+      containers:
+        - name: mautrix-whatsapp
+          image: "dock.mau.dev/mautrix/whatsapp:v0.7.1"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "TZ"
+              value: "UTC"
+          ports:
+            - name: http
+              containerPort: 29318
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+          - name: data
+            mountPath: /data
+          livenessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: mautrix-whatsapp-config
+          secret:
+            secretName: mautrix-whatsapp-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+---

manifests/mealie/mealie.yaml

@@ -0,0 +1,180 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mealie
+  namespace: mealie
+  annotations:
+    kube-1password: 7ibib7oafxbxkvofnd4oxcr3qy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+
+---
+
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie
+  template:
+    metadata:
+      labels:
+        app: mealie
+    spec:
+      containers:
+      - name: frontend
+        image: hkotel/mealie:frontend-nightly
+        imagePullPolicy: Always
+        envFrom:
+        - secretRef:
+            name: mealie
+        env:
+        - name: API_URL
+          value: "http://localhost:9000"
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TOKEN_TIME
+          value: "168"
+        - name: DB_ENGINE
+          value: postgres
+        - name: POSTGRES_DB
+          value: mealie
+        - name: RECIPE_PUBLIC
+          value: "false"
+        - name: RECIPE_SHOW_NUTRITION
+          value: "true"
+        - name: RECIPE_SHOW_ASSETS
+          value: "true"
+        - name: RECIPE_LANDSCAPE_VIEW
+          value: "true"
+        - name: RECIPE_DISABLE_COMMENTS
+          value: "false"
+        - name: RECIPE_DISABLE_AMOUNT
+          value: "false"
+        ports:
+        - containerPort: 3000
+          name: web
+        volumeMounts:
+          - mountPath: /app/data
+            name: data
+      - name: api
+        image: hkotel/mealie:api-nightly
+        imagePullPolicy: Always
+        envFrom:
+        - secretRef:
+            name: mealie
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: DB_ENGINE
+          value: postgres
+        - name: POSTGRES_DB
+          value: mealie
+        - name: DEFAULT_EMAIL
+          value: "mealie@marcusnoble.co.uk"
+        - name: TOKEN_TIME
+          value: "168"
+        - name: BASE_URL
+          value: "https://mealie.cluster.fun"
+        ports:
+        - containerPort: 9000
+          name: api
+        volumeMounts:
+          - mountPath: /app/data
+            name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: mealie
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-api
+  namespace: mealie
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: api
+    name: api
+  selector:
+    app: mealie
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie
+  namespace: mealie
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie.cluster.fun
+    secretName: mealie-ingress
+  rules:
+  - host: mealie.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mealie
+            port:
+              name: web
+  - host: mealie.cluster.fun
+    http:
+      paths:
+      - path: /api
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mealie-api
+            port:
+              name: api

manifests/monitoring-civo/kube-state-metrics.yaml

@@ -0,0 +1,255 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+    - certificatesigningrequests
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - configmaps
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - cronjobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - daemonsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - deployments
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - endpoints
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["autoscaling"]
+    resources:
+    - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - jobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - limitranges
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - mutatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - namespaces
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - networkpolicies
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - nodes
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumeclaims
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumes
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["policy"]
+    resources:
+      - poddisruptionbudgets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - pods
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - replicasets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - replicationcontrollers
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - resourcequotas
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - secrets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - services
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources:
+    - statefulsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - storageclasses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - volumeattachments
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  annotations:
+    prometheus.io/scrape: 'true'
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-state-metrics
+    spec:
+      serviceAccountName: kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+      containers:
+      - name: kube-state-metrics
+        args:
+        #- --resources=certificatesigningrequests
+        - --resources=configmaps
+        - --resources=cronjobs
+        - --resources=daemonsets
+        - --resources=deployments
+        #- --resources=endpoints
+        #- --resources=horizontalpodautoscalers
+        - --resources=ingresses
+        - --resources=jobs
+        #- --resources=limitranges
+        - --resources=mutatingwebhookconfigurations
+        - --resources=namespaces
+        #- --resources=networkpolicies
+        - --resources=nodes
+        - --resources=persistentvolumeclaims
+        - --resources=persistentvolumes
+        - --resources=poddisruptionbudgets
+        - --resources=pods
+        - --resources=replicasets
+        #- --resources=replicationcontrollers
+        #- --resources=resourcequotas
+        - --resources=secrets
+        - --resources=services
+        - --resources=statefulsets
+        - --resources=storageclasses
+        - --resources=validatingwebhookconfigurations
+        #- --resources=volumeattachments
+        imagePullPolicy: IfNotPresent
+        image: "k8s.gcr.io/kube-state-metrics/kube-state-metrics:v2.4.2"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+---

manifests/monitoring-civo/prometheus-server.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-server
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+      - ingresses
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-server
+    namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+---

manifests/monitoring-civo/promtail.yaml

@@ -0,0 +1,292 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+data:
+  promtail.yaml: |
+    client:
+      backoff_config:
+        max_period: 5m
+        max_retries: 10
+        min_period: 500ms
+      batchsize: 1048576
+      batchwait: 1s
+      external_labels: {}
+      timeout: 10s
+    positions:
+      filename: /run/promtail/positions.yaml
+    server:
+      http_listen_port: 3101
+    clients:
+    - url: http://loki-distributed.proxy-civo.svc:80/loki/api/v1/push
+      external_labels:
+        kubernetes_cluster: civo
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: kubernetes-pods
+      pipeline_stages:
+        - docker: {}
+        - cri: {}
+        - match:
+            selector: '{app="weave-net"}'
+            action: drop
+        - match:
+            selector: '{filename=~".*konnectivity.*"}'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/healthz.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/api/health.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
+            action: drop
+        - match:
+            selector: '{app="internal-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="non-auth-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="vpa"}'
+            action: drop
+        - match:
+            selector: '{app="promtail"}'
+            action: drop
+        - match:
+            selector: '{app="csi-node"}'
+            action: drop
+        - match:
+            selector: '{app="victoria-metrics"}'
+            action: drop
+        - match:
+            selector: '{app="git-sync"}'
+            action: drop
+        - match:
+            selector: '{app="ingress-nginx"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: host
+                  request_path: path
+                  request_method: method
+                  response_status: status
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+        - match:
+            selector: '{app="traefik"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: RequestHost
+                  request_path: RequestPath
+                  request_method: RequestMethod
+                  response_status: OriginStatus
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - drop:
+                source: "request_path"
+                value:  "/ping"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - source_labels:
+            - __meta_kubernetes_pod_controller_name
+          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+          action: replace
+          target_label: __tmp_controller_name
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            - __meta_kubernetes_pod_label_app
+            - __tmp_controller_name
+            - __meta_kubernetes_pod_name
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: app
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_component
+            - __meta_kubernetes_pod_label_component
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: component
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_node_name
+          target_label: node_name
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_namespace
+          target_label: namespace
+        - action: replace
+          replacement: $1
+          separator: /
+          source_labels:
+            - namespace
+            - app
+          target_label: job
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_name
+          target_label: pod
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_container_name
+          target_label: container
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_uid
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          regex: true/(.*)
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrole
+  labels:
+    app.kubernetes.io/name: promtail
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: promtail-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+  annotations:
+    configmap.reloader.stakater.com/reload: "promtail"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+      annotations:
+        prometheus.io/port: http-metrics
+        prometheus.io/scrape: "true"
+    spec:
+      serviceAccountName: promtail
+      containers:
+        - name: promtail
+          image: "grafana/promtail:2.6.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            - mountPath: /var/lib/docker/containers
+              name: docker
+              readOnly: true
+            - mountPath: /var/log/pods
+              name: pods
+              readOnly: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 3101
+              name: http-metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          readinessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: promtail
+        - name: run
+          hostPath:
+            path: /run/promtail
+        - hostPath:
+            path: /var/lib/docker/containers
+          name: docker
+        - hostPath:
+            path: /var/log/pods
+          name: pods
+---

manifests/monitoring-civo/vmagent.yaml

@@ -0,0 +1,163 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+data:
+  prometheus.yml: |
+    global:
+      scrape_interval: 1m
+      external_labels:
+        source: civo
+        agent: vmagent
+    scrape_configs:
+    - job_name: 'vmagent'
+      static_configs:
+        - targets: ['localhost:8429']
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: kubernetes-nodes
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - action: labelmap
+        regex: __meta_kubernetes_node_label_(.+)
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+    - job_name: kubernetes-service-endpoints
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (https?)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scheme
+        target_label: __scheme__
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_service_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_service_name
+        target_label: kubernetes_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_endpoint_port_name
+        target_label: kubernetes_endpoint_port_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_node_name
+        target_label: kubernetes_node
+    - job_name: kubernetes-pods
+      kubernetes_sd_configs:
+      - role: pod
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_pod_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_name
+        target_label: kubernetes_pod_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_container_port_name
+        target_label: kubernetes_port_name
+      - action: drop
+        regex: Pending|Succeeded|Failed
+        source_labels:
+        - __meta_kubernetes_pod_phase
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+  annotations:
+    configmap.reloader.stakater.com/reload: "vmagent"
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-metrics
+      app.kubernetes.io/component: agent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-metrics
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: prometheus-server
+      containers:
+        - name: vmagent
+          image: "victoriametrics/vmagent:v1.77.2"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - -remoteWrite.url=http://vmcluster.proxy-civo.svc/insert/0/prometheus/
+            - -remoteWrite.showURL
+            - -promscrape.config=/config/prometheus.yml
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: vmagent
+---

manifests/monitoring/ingess.yaml

@@ -0,0 +1,69 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: auth-proxy
+  labels:
+    app: grafana
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grafana.cluster.fun
+    secretName: grafana-ingress
+  rules:
+  - host: grafana.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prometheus-credentials
+  namespace: monitoring
+  annotations:
+    kube-1password: m7c2n5gqybiyxj6ylydju2nljm
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: auth
+type: Opaque
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prometheus-cloud
+  namespace: monitoring
+  labels:
+    app: prometheus-cloud
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: prometheus-credentials
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - prometheus-cloud.cluster.fun
+    secretName: prometheus-cloud-ingress
+  rules:
+  - host: prometheus-cloud.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: prometheus-server
+            port:
+              number: 80

manifests/monitoring/kube-state-metrics.yaml

@@ -0,0 +1,255 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+    - certificatesigningrequests
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - configmaps
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - cronjobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - daemonsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - deployments
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - endpoints
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["autoscaling"]
+    resources:
+    - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - jobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - limitranges
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - mutatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - namespaces
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - networkpolicies
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - nodes
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumeclaims
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumes
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["policy"]
+    resources:
+      - poddisruptionbudgets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - pods
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - replicasets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - replicationcontrollers
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - resourcequotas
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - secrets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - services
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources:
+    - statefulsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - storageclasses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - volumeattachments
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  annotations:
+    prometheus.io/scrape: 'true'
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-state-metrics
+    spec:
+      serviceAccountName: kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+      containers:
+      - name: kube-state-metrics
+        args:
+        #- --resources=certificatesigningrequests
+        - --resources=configmaps
+        - --resources=cronjobs
+        - --resources=daemonsets
+        - --resources=deployments
+        #- --resources=endpoints
+        #- --resources=horizontalpodautoscalers
+        - --resources=ingresses
+        - --resources=jobs
+        #- --resources=limitranges
+        - --resources=mutatingwebhookconfigurations
+        - --resources=namespaces
+        #- --resources=networkpolicies
+        - --resources=nodes
+        - --resources=persistentvolumeclaims
+        - --resources=persistentvolumes
+        - --resources=poddisruptionbudgets
+        - --resources=pods
+        - --resources=replicasets
+        #- --resources=replicationcontrollers
+        #- --resources=resourcequotas
+        - --resources=secrets
+        - --resources=services
+        - --resources=statefulsets
+        - --resources=storageclasses
+        - --resources=validatingwebhookconfigurations
+        #- --resources=volumeattachments
+        imagePullPolicy: IfNotPresent
+        image: "k8s.gcr.io/kube-state-metrics/kube-state-metrics:v2.4.2"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+---

manifests/monitoring/node-exporter.yaml

@@ -0,0 +1,97 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-node-exporter
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "true"
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9100
+      protocol: TCP
+      targetPort: 9100
+  selector:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  type: "ClusterIP"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+      app.kubernetes.io/component: node-exporter
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: prometheus
+        app.kubernetes.io/component: node-exporter
+    spec:
+      serviceAccountName: prometheus-node-exporter
+      containers:
+        - name: prometheus-node-exporter
+          image: "prom/node-exporter:v1.3.1"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - --path.procfs=/host/proc
+            - --path.sysfs=/host/sys
+            - --no-collector.wifi
+            - --no-collector.hwmon
+            - --no-collector.netclass
+            - --no-collector.arp
+            - --no-collector.bcache
+            - --no-collector.bonding
+            - --no-collector.btrfs
+            - --no-collector.dmi
+            - --no-collector.edac
+            - --no-collector.entropy
+            - --no-collector.fibrechannel
+            - --no-collector.infiniband
+            - --no-collector.tapestats
+            - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
+            - --web.listen-address=:9100
+          ports:
+            - name: metrics
+              containerPort: 9100
+              hostPort: 9100
+          volumeMounts:
+            - name: proc
+              mountPath: /host/proc
+              readOnly:  true
+            - name: sys
+              mountPath: /host/sys
+              readOnly: true
+      hostNetwork: true
+      hostPID: true
+      volumes:
+        - name: proc
+          hostPath:
+            path: /proc
+        - name: sys
+          hostPath:
+            path: /sys
+---

manifests/monitoring/prometheus-server.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-server
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+      - ingresses
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-server
+    namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+---

manifests/monitoring/promtail.yaml

@@ -0,0 +1,271 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+data:
+  promtail.yaml: |
+    client:
+      backoff_config:
+        max_period: 5m
+        max_retries: 10
+        min_period: 500ms
+      batchsize: 1048576
+      batchwait: 1s
+      external_labels: {}
+      timeout: 10s
+    positions:
+      filename: /run/promtail/positions.yaml
+    server:
+      http_listen_port: 3101
+    clients:
+    - url: http://loki-distributed.auth-proxy.svc:80/loki/api/v1/push
+      external_labels:
+        kubernetes_cluster: scaleway
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: kubernetes-pods
+      pipeline_stages:
+        - docker: {}
+        - cri: {}
+        - match:
+            selector: '{app="weave-net"}'
+            action: drop
+        - match:
+            selector: '{filename=~".*konnectivity.*"}'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/healthz.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/api/health.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
+            action: drop
+        - match:
+            selector: '{app="internal-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="non-auth-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="vpa"}'
+            action: drop
+        - match:
+            selector: '{app="promtail"}'
+            action: drop
+        - match:
+            selector: '{app="csi-node"}'
+            action: drop
+        - match:
+            selector: '{app="victoria-metrics"}'
+            action: drop
+        - match:
+            selector: '{app="git-sync"}'
+            action: drop
+        - match:
+            selector: '{app="ingress-nginx"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: host
+                  request_path: path
+                  request_method: method
+                  response_status: status
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - source_labels:
+            - __meta_kubernetes_pod_controller_name
+          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+          action: replace
+          target_label: __tmp_controller_name
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            - __meta_kubernetes_pod_label_app
+            - __tmp_controller_name
+            - __meta_kubernetes_pod_name
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: app
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_component
+            - __meta_kubernetes_pod_label_component
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: component
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_node_name
+          target_label: node_name
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_namespace
+          target_label: namespace
+        - action: replace
+          replacement: $1
+          separator: /
+          source_labels:
+            - namespace
+            - app
+          target_label: job
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_name
+          target_label: pod
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_container_name
+          target_label: container
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_uid
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          regex: true/(.*)
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrole
+  labels:
+    app.kubernetes.io/name: promtail
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: promtail-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+  annotations:
+    configmap.reloader.stakater.com/reload: "promtail"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+      annotations:
+        prometheus.io/port: http-metrics
+        prometheus.io/scrape: "true"
+    spec:
+      serviceAccountName: promtail
+      containers:
+        - name: promtail
+          image: "grafana/promtail:2.6.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            - mountPath: /var/lib/docker/containers
+              name: docker
+              readOnly: true
+            - mountPath: /var/log/pods
+              name: pods
+              readOnly: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 3101
+              name: http-metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          readinessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: promtail
+        - name: run
+          hostPath:
+            path: /run/promtail
+        - hostPath:
+            path: /var/lib/docker/containers
+          name: docker
+        - hostPath:
+            path: /var/log/pods
+          name: pods
+---

manifests/monitoring/vmagent.yaml

@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+data:
+  prometheus.yml: |
+    global:
+      scrape_interval: 1m
+      external_labels:
+        source: scaleway
+        agent: vmagent
+    scrape_configs:
+    - job_name: 'vmagent'
+      static_configs:
+        - targets: ['localhost:8429']
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: kubernetes-nodes
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - action: labelmap
+        regex: __meta_kubernetes_node_label_(.+)
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+
+    - job_name: kubernetes-service-endpoints
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: drop
+        source_labels: [__meta_kubernetes_pod_container_init]
+        regex: true
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (https?)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scheme
+        target_label: __scheme__
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_service_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_service_name
+        target_label: kubernetes_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_node_name
+        target_label: kubernetes_node
+
+    - job_name: kubernetes-pods
+      kubernetes_sd_configs:
+      - role: pod
+      relabel_configs:
+      - action: drop
+        source_labels: [__meta_kubernetes_pod_container_init]
+        regex: true
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_pod_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_name
+        target_label: kubernetes_pod_name
+      - action: drop
+        regex: Pending|Succeeded|Failed
+        source_labels:
+        - __meta_kubernetes_pod_phase
+
+    - job_name: 'node-exporter'
+      kubernetes_sd_configs:
+        - role: endpoints
+      relabel_configs:
+      - source_labels: [__meta_kubernetes_endpoints_name]
+        regex: 'prometheus-node-exporter'
+        action: keep
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+  annotations:
+    configmap.reloader.stakater.com/reload: "vmagent"
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-metrics
+      app.kubernetes.io/component: agent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-metrics
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: prometheus-server
+      containers:
+        - name: vmagent
+          image: "victoriametrics/vmagent:v1.77.2"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - -remoteWrite.url=http://vmcluster.auth-proxy.svc/insert/0/prometheus/
+            - -remoteWrite.showURL
+            - -promscrape.config=/config/prometheus.yml
+            - -promscrape.suppressDuplicateScrapeTargetErrors
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: vmagent
+---

manifests/nextcloud_chart.yaml

@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: nextcloud
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nextcloud-values
-  namespace: nextcloud
-  annotations:
-    kube-1password: v32a4zpuvhmxxrwmtmmv6526ry
-    kube-1password/vault: Kubernetes
-    kube-1password/secret-text-key: values.yaml
-type: Opaque
----
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: nextcloud
-  namespace: nextcloud
-spec:
-  chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
-    name: nextcloud
-    version: 1.10.0
-  maxHistory: 5
-  valuesFrom:
-  - secretKeyRef:
-      name: nextcloud-values
-      namespace: nextcloud
-      key: values.yaml
-      optional: false
-  values:
-    image:
-      tag: 18-apache
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt
-        traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-        traefik.ingress.kubernetes.io/redirect-entry-point: https
-        traefik.ingress.kubernetes.io/redirect-permanent: "true"
-      tls:
-      - hosts:
-        - nextcloud.cluster.fun
-        secretName: nextcloud-ingress
-    nextcloud:
-      host: nextcloud.cluster.fun
-    persistence:
-      enabled: true
-      storageClass: scw-bssd-retain
-      size: 5Gi
-    cronjob:
-      enabled: true
-    resources:
-      requests:
-        memory: 500Mi
-

manifests/nextcloud_chart/manifest.yaml

@@ -0,0 +1,443 @@
+---
+# Source: nextcloud/charts/redis/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nextcloud-nextcloud-redis
+  namespace: nextcloud
+  labels:
+    app: redis
+    chart: redis-11.0.5
+    release: "nextcloud-nextcloud"
+    heritage: "Helm"
+  annotations:
+    kube-1password: u54jxidod7tlnpwva37f5hcu5y
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+
+---
+# Source: nextcloud/templates/secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nextcloud-nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    kube-1password: iaz4xmtr2czpsjl6xirhryzfia
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nextcloud-s3
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    kube-1password: 7zanxzbyzfctc5d2yqfq6e5zcy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: s3.config.php
+type: Opaque
+
+---
+# Source: nextcloud/templates/config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-nextcloud-config
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+data:
+  general.config.php: |-
+    <?php
+    $CONFIG = array (
+        'overwriteprotocol' => 'https'
+    );
+  .htaccess: |-
+    # line below if for Apache 2.4
+    <ifModule mod_authz_core.c>
+    Require all denied
+    </ifModule>
+    # line below if for Apache 2.2
+    <ifModule !mod_authz_core.c>
+    deny from all
+    </ifModule>
+    # section for Apache 2.2 and 2.4
+    <ifModule mod_autoindex.c>
+    IndexIgnore *
+    </ifModule>
+  redis.config.php: |-
+    <?php
+    if (getenv('REDIS_HOST')) {
+        $CONFIG = array (
+          'memcache.distributed' => '\\OC\\Memcache\\Redis',
+        'memcache.locking' => '\\OC\\Memcache\\Redis',
+        'redis' => array(
+          'host' => getenv('REDIS_HOST'),
+          'port' => getenv('REDIS_HOST_PORT') ?: 6379,
+          'password' => getenv('REDIS_HOST_PASSWORD'),
+          'dbindex'  => getenv('REDIS_DB_INDEX') ?: 0,
+        ),
+      );
+    }
+  apache-pretty-urls.config.php: |-
+    <?php
+    $CONFIG = array (
+        'htaccess.RewriteBase' => '/',
+    );
+  apcu.config.php: |-
+    <?php
+    $CONFIG = array (
+        'memcache.local' => '\\OC\\Memcache\\APCu',
+    );
+  apps.config.php: |-
+    <?php
+    $CONFIG = array (
+        "apps_paths" => array (
+            0 => array (
+                    "path"     => OC::$SERVERROOT."/apps",
+                  "url"      => "/apps",
+                  "writable" => false,
+          ),
+          1 => array (
+                    "path"     => OC::$SERVERROOT."/custom_apps",
+                  "url"      => "/custom_apps",
+                  "writable" => true,
+          ),
+      ),
+    );
+  autoconfig.php: |-
+    <?php
+    $autoconfig_enabled = false;
+    if (getenv('SQLITE_DATABASE')) {
+          $AUTOCONFIG["dbtype"] = "sqlite";
+        $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
+        $autoconfig_enabled = true;
+    } elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
+          $AUTOCONFIG["dbtype"] = "mysql";
+        $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
+        $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
+        $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
+        $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
+        $autoconfig_enabled = true;
+    } elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
+          $AUTOCONFIG["dbtype"] = "pgsql";
+        $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
+        $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
+        $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
+        $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
+        $autoconfig_enabled = true;
+    }
+    if ($autoconfig_enabled) {
+          $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
+    }
+  smtp.config.php: |-
+    <?php
+    if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+        $CONFIG = array (
+          'mail_smtpmode' => 'smtp',
+        'mail_smtphost' => getenv('SMTP_HOST'),
+        'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+        'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+        'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+        'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+        'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+        'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+        'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+        'mail_domain' => getenv('MAIL_DOMAIN'),
+      );
+    }
+---
+# Source: nextcloud/templates/nextcloud-pvc.yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: nextcloud-nextcloud-nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: app
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "5Gi"
+  storageClassName: "scw-bssd-retain"
+---
+
+
+# Source: nextcloud/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: app
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8080
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: nextcloud
+    app.kubernetes.io/component: app
+---
+# Source: nextcloud/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: app
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nextcloud
+      app.kubernetes.io/instance: nextcloud-nextcloud
+      app.kubernetes.io/component: app
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nextcloud
+        app.kubernetes.io/instance: nextcloud-nextcloud
+        app.kubernetes.io/component: app
+        nextcloud-nextcloud-redis-client: "true"
+    spec:
+      containers:
+      - name: nextcloud
+        image: "nextcloud:24.0.7-apache"
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: SQLITE_DATABASE
+          value: "nextcloud"
+        - name: NEXTCLOUD_ADMIN_USER
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud
+              key: nextcloud-username
+        - name: NEXTCLOUD_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud
+              key: nextcloud-password
+        - name: NEXTCLOUD_TRUSTED_DOMAINS
+          value: nextcloud.cluster.fun
+        - name: NEXTCLOUD_DATA_DIR
+          value: "/var/www/html/data"
+        - name: REDIS_HOST
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud-redis
+              key: redis-host
+        - name: REDIS_PORT
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud-redis
+              key: redis-port
+        - name: REDIS_HOST_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud-redis
+              key: redis-password
+        - name: REDIS_DB_INDEX
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-nextcloud-redis
+              key: redis-db-index
+        ports:
+        - name: http
+          containerPort: 80
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /status.php
+            port: http
+            httpHeaders:
+            - name: Host
+              value: "nextcloud.cluster.fun"
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /status.php
+            port: http
+            httpHeaders:
+            - name: Host
+              value: "nextcloud.cluster.fun"
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 3
+        resources:
+          requests:
+            memory: 450Mi
+        volumeMounts:
+        - name: nextcloud-data
+          mountPath: /var/www/
+          subPath: root
+        - name: nextcloud-data
+          mountPath: /var/www/html
+          subPath: html
+        - name: nextcloud-data
+          mountPath: /var/www/html/data
+          subPath: data
+        - name: nextcloud-data
+          mountPath: /var/www/html/config
+          subPath: config
+        - name: nextcloud-data
+          mountPath: /var/www/html/custom_apps
+          subPath: custom_apps
+        - name: nextcloud-data
+          mountPath: /var/www/tmp
+          subPath: tmp
+        - name: nextcloud-data
+          mountPath: /var/www/html/themes
+          subPath: themes
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/general.config.php
+          subPath: general.config.php
+        - name: nextcloud-s3
+          mountPath: /var/www/html/config/s3.config.php
+          subPath: s3.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/.htaccess
+          subPath: .htaccess
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/apache-pretty-urls.config.php
+          subPath: apache-pretty-urls.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/apcu.config.php
+          subPath: apcu.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/apps.config.php
+          subPath: apps.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/autoconfig.php
+          subPath: autoconfig.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/redis.config.php
+          subPath: redis.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/smtp.config.php
+          subPath: smtp.config.php
+      volumes:
+      - name: nextcloud-data
+        persistentVolumeClaim:
+          claimName: nextcloud-nextcloud-nextcloud
+      - name: nextcloud-config
+        configMap:
+          name: nextcloud-nextcloud-config
+      - name: nextcloud-s3
+        secret:
+          secretName: nextcloud-s3
+      # Will mount configuration files as www-data (id: 33) for nextcloud
+      securityContext:
+        fsGroup: 33
+---
+# Source: nextcloud/templates/cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: nextcloud-nextcloud-cron
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+spec:
+  schedule: "*/5 * * * *"
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 5
+  successfulJobsHistoryLimit: 2
+  jobTemplate:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nextcloud
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: nextcloud
+            app.kubernetes.io/managed-by: Helm
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: nextcloud
+              image: "nextcloud:24.0.7-apache"
+              imagePullPolicy: IfNotPresent
+              command: [ "curl" ]
+              args:
+                - "--fail"
+                - "-L"
+                - "https://nextcloud.cluster.fun/cron.php"
+              resources:
+                requests:
+                  memory: 200Mi
+---
+# Source: nextcloud/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud-nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+    helm.sh/chart: nextcloud-2.6.3
+    app.kubernetes.io/instance: nextcloud-nextcloud
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: app
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  rules:
+  - host: nextcloud.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nextcloud-nextcloud
+            port:
+              number: 8080
+  tls:
+    - hosts:
+      - nextcloud.cluster.fun
+      secretName: nextcloud-ingress

manifests/nginx-lb/nginx-lb.yaml

@@ -0,0 +1,700 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-nginx-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - ingress-nginx-leader
+  resources:
+  - leases
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  # use-proxy-protocol: "true"
+  log-format-upstream: '{"time": "$time_iso8601", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "host": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "redirect_location": "$redirect_location" }'
+  plugins: "redirect_location"
+  location-snippet: |
+    set $redirect_location '';
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    meta.helm.sh/release-name: kapsule-ingress
+    meta.helm.sh/release-namespace: kube-system
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    k8s.scw.cloud/ingress: nginx
+    k8s.scw.cloud/object: ConfigMap
+    k8s.scw.cloud/system: ingress
+  name: ingress-nginx-plugin-redirect-location
+  namespace: kube-system
+data:
+  main.lua: |
+    local ngx = ngx
+    local _M = {}
+    function _M.header_filter()
+      ngx.var.redirect_location = ngx.resp.get_headers()["Location"]
+    end
+    return _M
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-nginx-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --annotations-prefix=nginx.ingress.kubernetes.io
+        - --watch-ingress-without-class
+        - --enable-metrics
+        - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-nginx-tcp-services
+        - --udp-services-configmap=$(POD_NAMESPACE)/ingress-nginx-udp-services
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+        - name: plugins
+          mountPath: /etc/nginx/lua/plugins/redirect_location
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+      - name: plugins
+        configMap:
+          name: ingress-nginx-plugin-redirect-location
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.5.1
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.5.1
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None

manifests/nodered/nodered.yaml

@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: node-red
----
-apiVersion: v1
 kind: Secret
 metadata:
   name: node-red
@@ -73,7 +68,7 @@ spec:
             mountPath: /data
       containers:
       - name: web
-        image: nodered/node-red:latest-12
+        image: nodered/node-red:2.2.3-12
         imagePullPolicy: Always
         ports:
         - containerPort: 1880
@@ -89,16 +84,14 @@ spec:
           persistentVolumeClaim:
             claimName: node-red
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: node-red
   namespace: node-red
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   tls:
   - hosts:
@@ -109,6 +102,9 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: node-red
-          servicePort: 80
+          service:
+            name: node-red
+            port:
+              number: 80

manifests/opengraph/opengraph.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: opengraph
+  namespace: opengraph
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: opengraph
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: opengraph
+  namespace: opengraph
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: opengraph
+  template:
+    metadata:
+      labels:
+        app: opengraph
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/opengraph-image-gen:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 3000
+          name: web
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            memory: 200Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: opengraph
+  namespace: opengraph
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - opengraph.cluster.fun
+    secretName: opengraph-ingress
+  rules:
+  - host: opengraph.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: opengraph
+            port:
+              number: 80
+

manifests/outline/outline.yaml

@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: outline
+  namespace: outline
+  annotations:
+    kube-1password: maouivotrbgydslnsukbjrwgja
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .env
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: outline
+  namespace: outline
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app.kubernetes.io/name: outline
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outline
+  namespace: outline
+  labels:
+    app.kubernetes.io/name: outline
+  annotations:
+    secret.reloader.stakater.com/reload: "outline"
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: outline
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: outline
+    spec:
+      containers:
+      - name: outline
+        image: outlinewiki/outline:0.68.0
+        imagePullPolicy: IfNotPresent
+        command:
+          - sh
+          - -c
+          - |
+            sleep 10
+            yarn db:migrate --env=production-ssl-disabled
+            yarn start
+        env:
+        - name: ALLOWED_DOMAINS
+          value: marcusnoble.co.uk,namelessplanet.com,paradoxfox.shop
+        - name: OIDC_SCOPES
+          value: "openid profile email"
+        ports:
+        - containerPort: 3000
+          name: web
+        livenessProbe:
+          httpGet:
+            path: /_health
+            port: web
+          initialDelaySeconds: 10
+        startupProbe:
+          httpGet:
+            path: /_health
+            port: web
+          failureThreshold: 30
+          timeoutSeconds: 1
+          periodSeconds: 5
+        volumeMounts:
+          - mountPath: /opt/outline/.env
+            subPath: .env
+            name: outline-env
+            readOnly: true
+      volumes:
+        - name: outline-env
+          secret:
+            secretName: outline
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: outline
+  namespace: outline
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - outline.cluster.fun
+    secretName: outline-ingress
+  rules:
+  - host: outline.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: outline
+            port:
+              number: 80

manifests/paradoxfox/admin.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paradoxfox-admin
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: admin
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: paradoxfox
+      app.kubernetes.io/component: admin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: paradoxfox
+        app.kubernetes.io/component: admin
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: paradoxfox-admin
+        image: rg.fr-par.scw.cloud/averagemarcus-private/paradoxfox-admin:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9000
+          name: web
+        env:
+        - name: NODE_ENV
+          value: "production"
+        - name: PORT
+          value: "9000"
+        - name: GATSBY_MEDUSA_BACKEND_URL
+          value: "https://api.paradoxfox.shop"
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: paradoxfox-admin
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: admin
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: admin
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: paradoxfox-admin
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: admin
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - admin.paradoxfox.shop
+    secretName: paradoxfox-admin-ingress
+  rules:
+  - host: admin.paradoxfox.shop
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: paradoxfox-admin
+            port:
+              number: 80
+
+---

manifests/paradoxfox/api.yaml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: paradoxfox-api
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: api
+  annotations:
+    kube-1password: hypviaps3z54ujuj37d6vyaile
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paradoxfox-api
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: api
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: paradoxfox
+      app.kubernetes.io/component: api
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: paradoxfox
+        app.kubernetes.io/component: api
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: paradoxfox-api
+        image: rg.fr-par.scw.cloud/averagemarcus-private/paradoxfox-api:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9000
+          name: web
+        env:
+        - name: PORT
+          value: "9000"
+        - name: NODE_ENV
+          value: "production"
+        - name: ADMIN_CORS
+          # value: "https://admin.paradoxfox.shop,http://localhost:7000,http://localhost:7001"
+          value: "https://admin.paradoxfox.shop"
+        - name: STORE_CORS
+          # value: "https://paradoxfox.shop,http://localhost:8000"
+          value: "https://paradoxfox.shop"
+        envFrom:
+        - secretRef:
+            name: paradoxfox-api
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: paradoxfox-api
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: api
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: api
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: paradoxfox-api
+  namespace: paradoxfox
+  labels:
+    app.kubernetes.io/name: paradoxfox
+    app.kubernetes.io/component: api
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - api.paradoxfox.shop
+    secretName: paradoxfox-api-ingress
+  rules:
+  - host: api.paradoxfox.shop
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: paradoxfox-api
+            port:
+              number: 80
+
+---

manifests/paradoxfox/paradoxfox.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: paradoxfox
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+
+---