Merge pull request 'Update matrixdotorg/synapse Docker tag to v1.93.0' (#101 ) from renovate/matrixdotorg-synapse-1.x into master

Reviewed-on: #101
Merge pull request 'Update mattermost/focalboard Docker tag to v7.11.4' (#102 ) from renovate/mattermost-focalboard-7.x into master
2023-09-27 11:46:30 +00:00 · 2023-09-27 11:46:07 +00:00 · 2023-09-27 00:01:35 +00:00 · 2023-09-26 18:01:32 +00:00 · 2023-09-26 15:05:50 +00:00 · 2023-09-26 15:00:59 +00:00
164 changed files with 10530 additions and 5762 deletions
--- a/manifests/_apps/auth-proxy.yaml
+++ b/manifests/_apps/auth-proxy.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: auth-proxy
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: auth-proxy
    name: cluster-fun (scaleway)
  source:
    path: manifests/auth-proxy
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/base64.yaml
+++ b/manifests/_apps/base64.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: base64
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: base64
    name: civo
  source:
    path: manifests/base64
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/blackhole.yaml
+++ b/manifests/_apps/blackhole.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: blackhole
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: kube-system
    name: cluster-fun (scaleway)
  source:
    path: manifests/blackhole
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/blog.yaml
+++ b/manifests/_apps/blog.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: blog
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: blog
    name: cluster-fun (scaleway)
  source:
    path: manifests/blog
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cel-tester.yaml
+++ b/manifests/_apps/cel-tester.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cel-tester
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cel-tester
    name: civo
  source:
    path: manifests/cel-tester
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/certmanager_chart.yaml
+++ b/manifests/_apps/certmanager_chart.yaml
@@ -0,0 +1,74 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cert-manager
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cert-manager
    name: cluster-fun (scaleway)
  source:
    path: manifests/certmanager_chart
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cert-manager-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cert-manager
    name: civo
  source:
    path: manifests/certmanager-civo
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cert-manager-cert-manager
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cert-manager
    name: cluster-fun (scaleway)
  source:
    repoURL: 'https://charts.jetstack.io'
    targetRevision: 1.11.0
    chart: cert-manager
    helm:
      version: v3
      values: |-
        installCRDs: "true"
        resources:
          requests:
            memory: 32Mi
          limits:
            memory: 64Mi
  syncPolicy:
    automated: {}
--- a/manifests/_apps/cors-proxy.yaml
+++ b/manifests/_apps/cors-proxy.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cors-proxy
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cors-proxy
    name: cluster-fun (scaleway)
  source:
    path: manifests/cors-proxy
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cv.yaml
+++ b/manifests/_apps/cv.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cv
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: cv
    name: civo
  source:
    path: manifests/cv
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/dashboard.yaml
+++ b/manifests/_apps/dashboard.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: dashboard
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: dashboard
    name: cluster-fun (scaleway)
  source:
    path: manifests/dashboard
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/feed-fetcher.yaml
+++ b/manifests/_apps/feed-fetcher.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: feed-fetcher
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: feed-fetcher
    name: civo
  source:
    path: manifests/feed-fetcher
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/focalboard.yaml
+++ b/manifests/_apps/focalboard.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: focalboard
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: focalboard
    name: cluster-fun (scaleway)
  source:
    path: manifests/focalboard
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/git-sync.yaml
+++ b/manifests/_apps/git-sync.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: git-sync
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: git-sync
    name: cluster-fun (scaleway)
  source:
    path: manifests/git-sync
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/gitea.yaml
+++ b/manifests/_apps/gitea.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: gitea
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: gitea
    name: cluster-fun (scaleway)
  source:
    path: manifests/gitea
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/goplayground.yaml
+++ b/manifests/_apps/goplayground.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: goplayground
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: goplayground
    name: civo
  source:
    path: manifests/goplayground
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/link.yaml
+++ b/manifests/_apps/link.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: link
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: link
    name: civo
  source:
    path: manifests/link
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
--- a/manifests/_apps/marcusnoble.yaml
+++ b/manifests/_apps/marcusnoble.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: marcusnoble
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: marcusnoble
    name: cluster-fun (scaleway)
  source:
    path: manifests/marcusnoble
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/mastodon-digest.yaml
+++ b/manifests/_apps/mastodon-digest.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mastodon-digest
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: mastodon-digest
    name: cluster-fun (scaleway)
  source:
    path: manifests/mastodon-digest
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/mastodon-to-airtable.yaml
+++ b/manifests/_apps/mastodon-to-airtable.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mastodon-to-airtable
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: mastodon-to-airtable
    name: civo
  source:
    path: manifests/mastodon-to-airtable
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/matrix_chart.yaml
+++ b/manifests/_apps/matrix_chart.yaml
@@ -0,0 +1,26 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: matrix
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: chat
    name: cluster-fun (scaleway)
  source:
    path: manifests/matrix_chart
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
 ---
--- a/manifests/_apps/mealie.yaml
+++ b/manifests/_apps/mealie.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mealie
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: mealie
    name: cluster-fun (scaleway)
  source:
    path: manifests/mealie
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/monitoring-civo.yaml
+++ b/manifests/_apps/monitoring-civo.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: monitoring-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: monitoring
    name: civo
  source:
    path: manifests/monitoring-civo
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/monitoring.yaml
+++ b/manifests/_apps/monitoring.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: monitoring
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: monitoring
    name: cluster-fun (scaleway)
  source:
    path: manifests/monitoring
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/nextcloud_chart.yaml
+++ b/manifests/_apps/nextcloud_chart.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: nextcloud
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: nextcloud
    name: cluster-fun (scaleway)
  source:
    path: manifests/nextcloud_chart
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/nginx-lb.yaml
+++ b/manifests/_apps/nginx-lb.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: nginx-lb
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: kube-system
    name: cluster-fun (scaleway)
  source:
    path: manifests/nginx-lb
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/nodered.yaml
+++ b/manifests/_apps/nodered.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: nodered
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: node-red
    name: cluster-fun (scaleway)
  source:
    path: manifests/nodered
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/opengraph-image-gen.yaml
+++ b/manifests/_apps/opengraph-image-gen.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: opengraph
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: opengraph
    name: civo
  source:
    path: manifests/opengraph
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/outline.yaml
+++ b/manifests/_apps/outline.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: outline
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: outline
    name: cluster-fun (scaleway)
  source:
    path: manifests/outline
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/paradoxfox.yaml
+++ b/manifests/_apps/paradoxfox.yaml
@@ -0,0 +1,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: paradoxfox
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: paradoxfox
    name: cluster-fun (scaleway)
  source:
    path: manifests/paradoxfox
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
    - /stringData
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/proxy-civo.yaml
+++ b/manifests/_apps/proxy-civo.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: proxy-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: proxy-civo
    name: civo
  source:
    path: manifests/proxy-civo
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/qr.yaml
+++ b/manifests/_apps/qr.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: qr
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: qr
    name: civo
  source:
    path: manifests/qr
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/redis.yaml
+++ b/manifests/_apps/redis.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: redis
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: redis
    name: cluster-fun (scaleway)
  source:
    path: manifests/redis
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/reloader.yaml
+++ b/manifests/_apps/reloader.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: reloader
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: kube-system
    name: cluster-fun (scaleway)
  source:
    repoURL: 'https://stakater.github.io/stakater-charts'
    targetRevision: v0.0.89
    chart: reloader
  syncPolicy:
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/rss.yaml
+++ b/manifests/_apps/rss.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: rss
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: rss
    name: cluster-fun (scaleway)
  source:
    path: manifests/rss
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/skooner.yaml
+++ b/manifests/_apps/skooner.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: skooner
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: skooner
    name: cluster-fun (scaleway)
  source:
    path: manifests/skooner
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/starling.yaml
+++ b/manifests/_apps/starling.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: starling
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: starling
    name: cluster-fun (scaleway)
  source:
    path: manifests/starling
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/svg-to-dxf.yaml
+++ b/manifests/_apps/svg-to-dxf.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: svg-to-dxf
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: svg-to-dxf
    name: civo
  source:
    path: manifests/svg-to-dxf
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/talks.yaml
+++ b/manifests/_apps/talks.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: talks
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: talks
    name: civo
  source:
    path: manifests/talks
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/tank.yaml
+++ b/manifests/_apps/tank.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: tank
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: tank
    name: cluster-fun (scaleway)
  source:
    path: manifests/tank
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/text-to-dxf.yaml
+++ b/manifests/_apps/text-to-dxf.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: text-to-dxf
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: text-to-dxf
    name: civo
  source:
    path: manifests/text-to-dxf
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/til.yaml
+++ b/manifests/_apps/til.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: til
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: til
    name: civo
  source:
    path: manifests/til
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/traefik.yaml
+++ b/manifests/_apps/traefik.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: kube-system
    name: civo
  source:
    path: manifests/traefik
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/tweetsvg.yaml
+++ b/manifests/_apps/tweetsvg.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: tweetsvg
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: tweetsvg
    name: civo
  source:
    path: manifests/tweetsvg
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/twitter-profile-pic.yaml
+++ b/manifests/_apps/twitter-profile-pic.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: twitter-profile-pic
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: twitter-profile-pic
    name: cluster-fun (scaleway)
  source:
    path: manifests/twitter-profile-pic
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/twitter-to-airtable.yaml
+++ b/manifests/_apps/twitter-to-airtable.yaml
@@ -0,0 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: twitter-to-airtable
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: twitter-to-airtable
    name: civo
  source:
    path: manifests/twitter-to-airtable
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/wallabag.yaml
+++ b/manifests/_apps/wallabag.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: wallabag
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: wallabag
    name: cluster-fun (scaleway)
  source:
    path: manifests/wallabag
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
--- a/manifests/_apps/weave-net.yaml
+++ b/manifests/_apps/weave-net.yaml
@@ -0,0 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: weave-net
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
    namespace: kube-system
    name: cluster-fun (scaleway)
  source:
    path: manifests/weave-net
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
    automated: {}
--- a/manifests/auth-proxy/auth-proxy.yaml
+++ b/manifests/auth-proxy/auth-proxy.yaml
@@ -0,0 +1,202 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: auth-proxy
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: auth-proxy
  namespace: auth-proxy
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: tailscale-auth
  namespace: auth-proxy
  annotations:
    kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: tailscale-auth-proxy
 type: Opaque
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tailscale-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: tailscale-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 subjects:
 - kind: ServiceAccount
  name: "tailscale-auth-proxy"
 roleRef:
  kind: Role
  name: tailscale-auth-proxy
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: tailscale-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
 - apiGroups: [""]
  resourceNames: ["tailscale-auth-proxy"]
  resources: ["secrets"]
  verbs: ["get", "update"]
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: auth-proxy
  namespace: auth-proxy
  labels:
    app: auth-proxy
  annotations:
    secret.reloader.stakater.com/reload: "tailscale-auth"
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: auth-proxy
  template:
    metadata:
      labels:
        app: auth-proxy
    spec:
      serviceAccountName: tailscale-auth-proxy
      dnsPolicy: ClusterFirst
      dnsConfig:
        nameservers:
          - 100.100.100.100
      initContainers:
      - name: sysctler
        image: busybox
        securityContext:
          privileged: true
        command: ["/bin/sh"]
        args:
          - -c
          - |
            sysctl -w net.ipv4.ip_forward=1
            sysctl -w net.ipv6.conf.all.forwarding=1
            sysctl -w net.ipv6.conf.all.disable_ipv6=0
        resources:
          requests:
            cpu: 1m
            memory: 1Mi
      containers:
      - name: oauth-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
        args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
        - --http-address=0.0.0.0:8080
        - --email-domain=*
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        - --cookie-expire=336h0m0s
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: auth-proxy
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: auth-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: tailscale
        image: ghcr.io/tailscale/tailscale:v1.50
        imagePullPolicy: Always
        env:
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: password
        - name: TS_KUBE_SECRET
          value: tailscale-auth-proxy
        - name: TS_ACCEPT_DNS
          value: "true"
        - name: TS_EXTRA_ARGS
          value: "--hostname=auth-proxy-oauth2"
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        command:
        - sh
        - -c
        - |
          export PATH=$PATH:/tailscale/bin
          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
          echo "Starting tailscaled"
          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
          PID=$!
          echo "Running tailscale up"
          tailscale --socket=/tmp/tailscaled.sock up \
            --accept-dns=${TS_ACCEPT_DNS} \
            --authkey=${TS_AUTH_KEY} \
            ${TS_EXTRA_ARGS}
          echo "Re-enabling incoming traffic from the cluster"
          wait ${PID}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: auth-proxy
  namespace: auth-proxy
  labels:
    app: auth-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: auth-proxy
  type: ClusterIP
--- a/manifests/auth-proxy/ingress.yaml
+++ b/manifests/auth-proxy/ingress.yaml
@@ -0,0 +1,179 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: auth-proxy
  namespace: auth-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - downloads.cluster.fun
    - argo.cluster.fun
    - code.cluster.fun
    - jackett.cluster.fun
    - printer.cluster.fun
    - ender3pro.printer.cluster.fun
    - flsunq5.printer.cluster.fun
    - elegoomars2.printer.cluster.fun
    - radarr.cluster.fun
    - readarr.cluster.fun
    - sonarr.cluster.fun
    - lidarr.cluster.fun
    - prowlarr.cluster.fun
    - transmission.cluster.fun
    - tekton.cluster.fun
    secretName: auth-proxy-ingress
  rules:
  - host: downloads.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: argo.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: code.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: jackett.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: printer.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: ender3pro.printer.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: flsunq5.printer.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: elegoomars2.printer.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: radarr.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: readarr.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: sonarr.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: lidarr.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: prowlarr.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: transmission.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
  - host: tekton.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              name: http
--- a/manifests/auth-proxy/internal-proxy.yaml
+++ b/manifests/auth-proxy/internal-proxy.yaml
@@ -0,0 +1,232 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: host-mappings
  namespace: auth-proxy
  labels:
    app: proxy
 data:
  mapping.json: |
    {
      "tekton-el.auth-proxy.svc": "tekton-el.cluster.local",
      "home.auth-proxy.svc": "home.cluster.local",
      "home.cluster.fun": "home.cluster.local",
      "vmcluster.auth-proxy.svc": "vmcluster.cluster.local",
      "loki.auth-proxy.svc": "loki-write.cluster.local",
      "loki.auth-proxy.svc:80": "loki-write.cluster.local",
      "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
      "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
    }
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: tailscale-internal-proxy
  namespace: auth-proxy
 type: Opaque
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tailscale-internal-proxy
  labels:
    app.kubernetes.io/name: tailscale
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: tailscale-internal-proxy
  labels:
    app.kubernetes.io/name: tailscale
 subjects:
 - kind: ServiceAccount
  name: "tailscale-internal-proxy"
 roleRef:
  kind: Role
  name: tailscale-internal-proxy
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: tailscale-internal-proxy
  labels:
    app.kubernetes.io/name: tailscale
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
 - apiGroups: [""]
  resourceNames: ["tailscale-internal-proxy"]
  resources: ["secrets"]
  verbs: ["get", "update"]
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: internal-proxy
  namespace: auth-proxy
  labels:
    app: internal-proxy
  annotations:
    configmap.reloader.stakater.com/reload: "host-mappings"
    secret.reloader.stakater.com/reload: "tailscale-internal-proxy"
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: internal-proxy
  template:
    metadata:
      labels:
        app: internal-proxy
    spec:
      serviceAccountName: tailscale-internal-proxy
      dnsPolicy: ClusterFirst
      dnsConfig:
        nameservers:
          - 100.100.100.100
      containers:
      - name: proxy
        image: rg.fr-par.scw.cloud/averagemarcus/proxy:latest
        imagePullPolicy: Always
        env:
        - name: PROXY_DESTINATION
          value: talos.averagemarcus.github.beta.tailscale.net
        - name: PORT
          value: "8080"
        ports:
        - containerPort: 8080
          protocol: TCP
        volumeMounts:
        - name: host-mappings
          mountPath: /config/
      - name: tailscale
        image: ghcr.io/tailscale/tailscale:v1.50
        imagePullPolicy: Always
        tty: true
        env:
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: password
        - name: TS_KUBE_SECRET
          value: tailscale-internal-proxy
        - name: TS_ACCEPT_DNS
          value: "true"
        - name: TS_EXTRA_ARGS
          value: "--hostname=auth-proxy-internal-proxy"
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        command:
        - sh
        - -c
        - |
          export PATH=$PATH:/tailscale/bin
          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
          echo "Starting tailscaled"
          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
          PID=$!
          echo "Running tailscale up"
          tailscale --socket=/tmp/tailscaled.sock up \
            --accept-dns=${TS_ACCEPT_DNS} \
            --authkey=${TS_AUTH_KEY} \
            ${TS_EXTRA_ARGS}
          echo "Re-enabling incoming traffic from the cluster"
          wait ${PID}
      volumes:
      - name: host-mappings
        configMap:
          name: host-mappings
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: tekton-el
  namespace: auth-proxy
  labels:
    app: internal-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: internal-proxy
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: loki
  namespace: auth-proxy
  labels:
    app: internal-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: internal-proxy
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: loki-distributed
  namespace: auth-proxy
  labels:
    app: internal-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: internal-proxy
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: prometheus
  namespace: auth-proxy
  labels:
    app: internal-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: internal-proxy
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: vmcluster
  namespace: auth-proxy
  labels:
    app: internal-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: internal-proxy
  type: ClusterIP
 ---
--- a/manifests/auth-proxy/non-auth-proxy.yaml
+++ b/manifests/auth-proxy/non-auth-proxy.yaml
@@ -0,0 +1,213 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: tailscale-non-auth-proxy
  namespace: auth-proxy
 type: Opaque
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tailscale-non-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: tailscale-non-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 subjects:
 - kind: ServiceAccount
  name: "tailscale-non-auth-proxy"
 roleRef:
  kind: Role
  name: tailscale-non-auth-proxy
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: tailscale-non-auth-proxy
  labels:
    app.kubernetes.io/name: tailscale
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
 - apiGroups: [""]
  resourceNames: ["tailscale-non-auth-proxy"]
  resources: ["secrets"]
  verbs: ["get", "update"]
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: non-auth-proxy
  namespace: auth-proxy
  labels:
    app: non-auth-proxy
  annotations:
    secret.reloader.stakater.com/reload: "tailscale-non-auth-proxy"
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: non-auth-proxy
  template:
    metadata:
      labels:
        app: non-auth-proxy
    spec:
      serviceAccountName: tailscale-non-auth-proxy
      dnsPolicy: ClusterFirst
      dnsConfig:
        nameservers:
          - 100.100.100.100
      containers:
      - name: oauth-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
        args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
        - --http-address=0.0.0.0:8080
        - --email-domain=*
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        - --cookie-expire=336h0m0s
        - --trusted-ip=0.0.0.0/0
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: auth-proxy
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: auth-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: tailscale
        image: ghcr.io/tailscale/tailscale:v1.50
        imagePullPolicy: Always
        tty: true
        env:
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: password
        - name: TS_KUBE_SECRET
          value: tailscale-non-auth-proxy
        - name: TS_ACCEPT_DNS
          value: "true"
        - name: TS_EXTRA_ARGS
          value: "--hostname=non-auth-proxy"
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        command:
        - sh
        - -c
        - |
          export PATH=$PATH:/tailscale/bin
          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
          echo "Starting tailscaled"
          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
          PID=$!
          echo "Running tailscale up"
          tailscale --socket=/tmp/tailscaled.sock up \
            --accept-dns=${TS_ACCEPT_DNS} \
            --authkey=${TS_AUTH_KEY} \
            ${TS_EXTRA_ARGS}
          echo "Re-enabling incoming traffic from the cluster"
          wait ${PID}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: non-auth-proxy
  namespace: auth-proxy
  labels:
    app: non-auth-proxy
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: non-auth-proxy
  type: ClusterIP
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: non-auth-proxy
  namespace: auth-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - home.cluster.fun
    - tasks.cluster.fun
    - api.tasks.cluster.fun
    secretName: non-auth-proxy-ingress
  rules:
  - host: home.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: non-auth-proxy
            port:
              name: http
  - host: tasks.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: non-auth-proxy
            port:
              name: http
  - host: api.tasks.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: non-auth-proxy
            port:
              name: http
--- a/manifests/base64/base64.yaml
+++ b/manifests/base64/base64.yaml
@@ -0,0 +1,71 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: base64
  namespace: base64
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: base64
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: base64
  namespace: base64
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: base64
  template:
    metadata:
      labels:
        app: base64
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/base64:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
            memory: 5Mi
          requests:
            memory: 5Mi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: base64
  namespace: base64
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - base64.cluster.fun
    secretName: base64-ingress
  rules:
  - host: base64.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: base64
            port:
              number: 80
--- a/manifests/blackhole/blackhole.yaml
+++ b/manifests/blackhole/blackhole.yaml
@@ -37,12 +37,11 @@ spec:
        resources:
          limits:
            memory: 10Mi
          requests:
            memory: 10Mi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: black-hole
@@ -52,6 +51,9 @@ spec:
  - http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: black-hole
+          service:
-          servicePort: 80
+            name: black-hole
            port:
              number: 80
--- a/manifests/blog/blog.yaml
+++ b/manifests/blog/blog.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: blog
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: blog
@@ -34,7 +29,7 @@ spec:
    spec:
      containers:
      - name: web
-        image: docker.cluster.fun/averagemarcus/blog:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/blog:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
@@ -44,18 +39,27 @@ spec:
            memory: 200Mi
          requests:
            memory: 200Mi
        livenessProbe:
          httpGet:
            path: /healthz
            port: web
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /healthz
            port: web
          initialDelaySeconds: 10
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - marcusnoble.co.uk
@@ -65,22 +69,24 @@ spec:
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
+          service:
-          servicePort: 80
+            name: blog
            port:
              number: 80
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog-www
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - www.marcusnoble.co.uk
@@ -90,22 +96,24 @@ spec:
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
+          service:
-          servicePort: 80
+            name: blog
            port:
              number: 80
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog-blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - blog.marcusnoble.co.uk
@@ -115,7 +123,10 @@ spec:
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
+          service:
-          servicePort: 80
+            name: blog
            port:
              number: 80
--- a/manifests/buzzers.yaml
+++ b/manifests/buzzers.yaml
@@ -1,70 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: buzzers
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: buzzers
  namespace: buzzers
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: buzzers
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: buzzers
  namespace: buzzers
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: buzzers
  template:
    metadata:
      labels:
        app: buzzers
    spec:
      containers:
      - name: web
        image: docker.cluster.fun/averagemarcus/buzzers:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
            memory: 283Mi
          requests:
            memory: 283Mi
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: buzzers
  namespace: buzzers
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - buzzers.cluster.fun
    secretName: buzzers-ingress
  rules:
  - host: buzzers.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: buzzers
          servicePort: 80
--- a/manifests/cctv.yaml
+++ b/manifests/cctv.yaml
@@ -1,114 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cctv
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: cctv-auth
  namespace: cctv
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cctv-auth
  namespace: cctv
  labels:
    app: cctv-auth
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cctv-auth
  template:
    metadata:
      labels:
        app: cctv-auth
    spec:
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://inlets.inlets.svc.cluster.local
        - --http-address=$(HOST_IP):8080
        - --redirect-url=https://cctv.cluster.fun/oauth2/callback
        - --email-domain=*
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: cctv-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: cctv-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
        name: oauth-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: cctv-auth
  namespace: cctv
  labels:
    app: cctv-auth
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: cctv-auth
  type: ClusterIP
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: cctv-auth
  namespace: cctv
  labels:
    app: cctv-auth
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - cctv.cluster.fun
    secretName: cctv-ingress
  rules:
  - host: cctv.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: cctv-auth
          servicePort: 80
--- a/manifests/cel-tester/cel-tester.yaml
+++ b/manifests/cel-tester/cel-tester.yaml
@@ -0,0 +1,70 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: cel-tester
  namespace: cel-tester
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: cel-tester
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cel-tester
  namespace: cel-tester
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cel-tester
  template:
    metadata:
      labels:
        app: cel-tester
    spec:
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/cel-tester:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
            memory: 20Mi
          requests:
            memory: 20Mi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: cel-tester
  namespace: cel-tester
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - cel-tester.cluster.fun
    secretName: cel-tester-ingress
  rules:
  - host: cel-tester.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: cel-tester
            port:
              number: 80
--- a/manifests/certmanager-civo/certmanager_chart.yaml
+++ b/manifests/certmanager-civo/certmanager_chart.yaml
@@ -0,0 +1,23 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
  labels:
    certmanager.k8s.io/disable-validation: "true"
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: letsencrypt@marcusnoble.co.uk
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: traefik
--- a/manifests/certmanager_chart.yaml
+++ b/manifests/certmanager_chart.yaml
@@ -1,47 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
  labels:
    certmanager.k8s.io/disable-validation: "true"
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: cert-manager
  namespace: cert-manager
 spec:
  chart:
    repository: https://charts.jetstack.io
    name: cert-manager
    version: v0.15.0
  maxHistory: 5
  values:
    installCRDs: "true"
    resources:
      requests:
        memory: 32Mi
      limits:
        memory: 64Mi
 ---
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
  name: letsencrypt
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: letsencrypt@marcusnoble.co.uk
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - selector: {}
      http01:
        ingress:
          class: traefik
--- a/manifests/certmanager_chart/certmanager_chart.yaml
+++ b/manifests/certmanager_chart/certmanager_chart.yaml
@@ -0,0 +1,23 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
  labels:
    certmanager.k8s.io/disable-validation: "true"
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: letsencrypt@marcusnoble.co.uk
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
--- a/manifests/cors-proxy/cors-proxy.yaml
+++ b/manifests/cors-proxy/cors-proxy.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cors-proxy
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: cors-proxy
@@ -34,57 +29,45 @@ spec:
    spec:
      containers:
      - name: web
-        image: docker.cluster.fun/averagemarcus/cors-proxy:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/cors-proxy:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
          name: web
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: cors-proxy
  namespace: cors-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cors-proxy.cluster.fun
    - cors-proxy.marcusnoble.co.uk
    secretName: cors-proxy-ingress
  rules:
  - host: cors-proxy.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: cors-proxy
+          service:
-          servicePort: 80
+            name: cors-proxy
-
+            port:
---
+              number: 80
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: cors-proxy-mn
  namespace: cors-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - cors-proxy.marcusnoble.co.uk
    secretName: cors-proxy-mn-ingress
  rules:
  - host: cors-proxy.marcusnoble.co.uk
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: cors-proxy
+          service:
-          servicePort: 80
+            name: cors-proxy
            port:
              number: 80
--- a/manifests/dashboard.yaml
+++ b/manifests/dashboard.yaml
@@ -1,13 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dashboard
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
-  namespace: dashboard
+  namespace: cv
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
@@ -19,8 +14,8 @@ data:
 apiVersion: v1
 kind: Service
 metadata:
-  name: dashboard
+  name: cv
-  namespace: dashboard
+  namespace: cv
 spec:
  type: ClusterIP
  ports:
@@ -28,58 +23,62 @@ spec:
    targetPort: web
    name: web
  selector:
-    app: dashboard
+    app: cv
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: dashboard
+  name: cv
-  namespace: dashboard
+  namespace: cv
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: dashboard
+      app: cv
  template:
    metadata:
      labels:
-        app: dashboard
+        app: cv
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - name: web
-        image: docker.cluster.fun/private/dashboard:latest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/cv:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
-            memory: 50Mi
+            memory: 10Mi
          requests:
-            memory: 50Mi
+            memory: 10Mi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: dashboard
+  name: cv
-  namespace: dashboard
+  namespace: cv
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
-    - dash.cluster.fun
+    - cv.marcusnoble.co.uk
-    secretName: dashboard-ingress
+    secretName: cv-ingress
  rules:
-  - host: dash.cluster.fun
+  - host: cv.marcusnoble.co.uk
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: dashboard
+          service:
-          servicePort: 80
+            name: cv
            port:
              number: 80
--- a/manifests/dashboard/dashboard.yaml
+++ b/manifests/dashboard/dashboard.yaml
@@ -0,0 +1,131 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
  namespace: dashboard
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: .dockerconfigjson
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: e30=
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: dashboard-auth
  namespace: dashboard
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: dashboard
  namespace: dashboard
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: auth
    name: web
  selector:
    app: dashboard
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dashboard
  namespace: dashboard
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: dashboard
  template:
    metadata:
      labels:
        app: dashboard
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://localhost:80
        - --http-address=$(HOST_IP):8000
        - --redirect-url=https://dash.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: dashboard-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: dashboard-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
          protocol: TCP
          name: auth
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus-private/dashboard:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: dashboard
  namespace: dashboard
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dash.cluster.fun
    secretName: dashboard-ingress
  rules:
  - host: dash.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: dashboard
            port:
              number: 80
--- a/manifests/downloads.yaml
+++ b/manifests/downloads.yaml
@@ -1,115 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: downloads
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: downloads-auth
  namespace: downloads
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: downloads-auth
  namespace: downloads
  labels:
    app: downloads-auth
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: downloads-auth
  template:
    metadata:
      labels:
        app: downloads-auth
    spec:
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://inlets.inlets.svc.cluster.local
        - --http-address=$(HOST_IP):8080
        - --redirect-url=https://downloads.cluster.fun/oauth2/callback
        - --email-domain=*
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: downloads-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: downloads-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
        name: oauth-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            memory: 250Mi
          requests:
            memory: 250Mi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: downloads-auth
  namespace: downloads
  labels:
    app: downloads-auth
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: downloads-auth
  type: ClusterIP
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: downloads-auth
  namespace: downloads
  labels:
    app: downloads-auth
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - downloads.cluster.fun
    secretName: downloads-ingress
  rules:
  - host: downloads.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: downloads-auth
          servicePort: 80
--- a/manifests/feed-fetcher/feed-fetcher.yaml
+++ b/manifests/feed-fetcher/feed-fetcher.yaml
@@ -0,0 +1,65 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: feed-fetcher
  namespace: feed-fetcher
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: feed-fetcher
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: feed-fetcher
  namespace: feed-fetcher
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: feed-fetcher
  template:
    metadata:
      labels:
        app: feed-fetcher
    spec:
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/feed-fetcher:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: web
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: feed-fetcher
  namespace: feed-fetcher
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - feed-fetcher.cluster.fun
    secretName: feed-fetcher-ingress
  rules:
  - host: feed-fetcher.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: feed-fetcher
            port:
              number: 80
--- a/manifests/focalboard/focalboard.yaml
+++ b/manifests/focalboard/focalboard.yaml
@@ -0,0 +1,116 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: focalboard
  namespace: focalboard
  labels:
    app.kubernetes.io/name: focalboard
  annotations:
    kube-1password: dpszqviipd5tkls5bajzeb56ui
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: config.json
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: focalboard
  namespace: focalboard
  labels:
    app.kubernetes.io/name: focalboard
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: "/metrics"
    prometheus.io/port: "9000"
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app.kubernetes.io/name: focalboard
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: focalboard
  namespace: focalboard
  labels:
    app.kubernetes.io/name: focalboard
  annotations:
    secret.reloader.stakater.com/reload: "focalboard"
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: focalboard
  template:
    metadata:
      labels:
        app.kubernetes.io/name: focalboard
    spec:
      containers:
      - name: focalboard
        image: mattermost/focalboard:7.11.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000
          name: web
        env:
        - name: FOCALBOARD_PORT
          value: "8000"
        - name: VIRTUAL_HOST
          value: "localhost"
        - name: VIRTUAL_PORT
          value: "8000"
        - name: VIRTUAL_PROTO
          value: "http"
        volumeMounts:
        - name: data
          mountPath: /data
        - name: config
          mountPath: /opt/focalboard/config.json
          subPath: config.json
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: focalboard
      - name: config
        secret:
          secretName: focalboard
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: focalboard
  namespace: focalboard
  labels:
    app.kubernetes.io/name: focalboard
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
  tls:
    - hosts:
      - focalboard.cluster.fun
      secretName: focalboard-ingress
  rules:
  - host: focalboard.cluster.fun
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: focalboard
            port:
              number: 80
--- a/manifests/focalboard/pvs.yaml
+++ b/manifests/focalboard/pvs.yaml
@@ -0,0 +1,41 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-df17f08f-a966-40a0-bc72-26cf2adb89a1
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 2Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      encrypted: "false"
      storage.kubernetes.io/csiProvisionerIdentity: 1658355449315-8081-csi.scaleway.com
    volumeHandle: fr-par-1/d823f97e-7ef0-4fb0-97ac-5a838356c355
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd
  volumeMode: Filesystem
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: focalboard
  namespace: focalboard
  labels:
    app.kubernetes.io/name: focalboard
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  volumeName: pvc-df17f08f-a966-40a0-bc72-26cf2adb89a1
 ---
--- a/manifests/git-sync/git-sync.yaml
+++ b/manifests/git-sync/git-sync.yaml
@@ -0,0 +1,109 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: git-sync-github
  namespace: git-sync
  annotations:
    kube-1password: cfo2ufhgem57clbscxetxgevue
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 data:
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: git-sync-gitea
  namespace: git-sync
  annotations:
    kube-1password: b7kpdlcvt7y63bozu3i4j4lojm
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 data:
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: git-sync-gitlab
  namespace: git-sync
  annotations:
    kube-1password: t47v3xdgadiifgoi4wmqibrlty
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 data:
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: git-sync-bitbucket
  namespace: git-sync
  annotations:
    kube-1password: adrki45krr2tq34sug7dhdk5iy
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 data:
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: git-sync-codeberg
  namespace: git-sync
  annotations:
    kube-1password: 5ynzgk6qcgshztkjbddwalixfq
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 data:
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: git-sync
  namespace: git-sync
 spec:
  schedule: "0 */1 * * *"
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      labels:
        cronjob: git-sync
    spec:
      backoffLimit: 1
      template:
        spec:
          containers:
          - name: sync
            image: rg.fr-par.scw.cloud/averagemarcus/git-sync:latest
            imagePullPolicy: Always
            env:
            - name: GITHUB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-sync-github
                  key: token
            - name: GITEA_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-sync-gitea
                  key: token
            - name: GITLAB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-sync-gitlab
                  key: token
            - name: BITBUCKET_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-sync-bitbucket
                  key: token
            - name: CODEBERG_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-sync-codeberg
                  key: token
          restartPolicy: Never
--- a/manifests/gitea/gitea.yaml
+++ b/manifests/gitea/gitea.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: gitea
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: gitea-secret-key
@@ -47,7 +42,7 @@ spec:
    spec:
      containers:
      - name: git
-        image: gitea/gitea:1.11
+        image: gitea/gitea:1.20.4
        env:
        - name: APP_NAME
          value: "Git"
@@ -69,6 +64,8 @@ spec:
          value: "20"
        - name: DEFAULT_THEME
          value: arc-green
        - name: ALLOWED_HOST_LIST
          value: "*"
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
@@ -80,7 +77,6 @@ spec:
        resources:
          requests:
            memory: 400Mi
        volumeMounts:
        - mountPath: /data
          name: git-data
@@ -94,17 +90,17 @@ spec:
        requests:
          storage: 20Gi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: git
  namespace: gitea
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - git.cluster.fun
@@ -114,6 +110,9 @@ spec:
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
-          serviceName: git
+          service:
-          servicePort: 80
+            name: git
            port:
              number: 80
--- a/manifests/gitea/pvs.yaml
+++ b/manifests/gitea/pvs.yaml
@@ -0,0 +1,47 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  creationTimestamp: "2020-05-02T15:38:54Z"
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-02bd903f-e5ac-4c9f-a976-9fe995a352b2
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 20Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      storage.kubernetes.io/csiProvisionerIdentity: 1588413765965-1847-csi.scaleway.com
    volumeHandle: fr-par-1/2ef4f017-2d41-4662-bfa4-df0dcf2085a1
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd-retain
  volumeMode: Filesystem
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  annotations:
    pv.kubernetes.io/bind-completed: "yes"
    pv.kubernetes.io/bound-by-controller: "yes"
    volume.beta.kubernetes.io/storage-provisioner: csi.scaleway.com
  finalizers:
  - kubernetes.io/pvc-protection
  labels:
    app: git
  name: git-data-git-0
  namespace: gitea
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: scw-bssd-retain
  volumeMode: Filesystem
  volumeName: pvc-02bd903f-e5ac-4c9f-a976-9fe995a352b2
--- a/manifests/goplayground/goplayground.yaml
+++ b/manifests/goplayground/goplayground.yaml
@@ -0,0 +1,70 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: goplayground
  namespace: goplayground
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: goplayground
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: goplayground
  namespace: goplayground
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: goplayground
  template:
    metadata:
      labels:
        app: goplayground
    spec:
      containers:
      - name: web
        image: x1unix/go-playground:1.13.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000
          name: web
        resources:
          limits:
            memory: 20Mi
          requests:
            memory: 20Mi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: goplayground
  namespace: goplayground
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - go.cluster.fun
    secretName: goplayground-ingress
  rules:
  - host: go.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: goplayground
            port:
              number: 80
--- a/manifests/harbor_chart.yaml
+++ b/manifests/harbor_chart.yaml
@@ -1,57 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: harbor
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: harbor-values
  namespace: harbor
  annotations:
    kube-1password: igey7vjjiqmj25v64eck7cyj34
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: values.yaml
 type: Opaque
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: harbor
  namespace: harbor
 spec:
  chart:
    repository: https://helm.goharbor.io
    name: harbor
    version: 1.3.2
  maxHistory: 4
  skipCRDs: false
  valuesFrom:
  - secretKeyRef:
      name: harbor-values
      namespace: harbor
      key: values.yaml
      optional: false
  values:
    portal:
      resources:
        requests:
          memory: 64Mi
    core:
      resources:
        requests:
          memory: 64Mi
    jobservice:
      resources:
        requests:
          memory: 64Mi
    registry:
      registry:
        resources:
          requests:
            memory: 64Mi
      controller:
        resources:
          requests:
            memory: 64Mi
--- a/manifests/inlets.yaml
+++ b/manifests/inlets.yaml
@@ -1,103 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: inlets
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: inlets
  namespace: inlets
  annotations:
    kube-1password: podju6t2s2osc3vbkimyce25ti
    kube-1password/vault: Kubernetes
    kube-1password/password-key: token
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: inlets
  namespace: inlets
  labels:
    app: inlets
 spec:
  type: ClusterIP
  ports:
    - port: 80
      protocol: TCP
      targetPort: 8000
  selector:
    app: inlets
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: inlets
  namespace: inlets
  labels:
    app: inlets
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: inlets
  template:
    metadata:
      labels:
        app: inlets
    spec:
      containers:
      - name: inlets
        image: inlets/inlets:2.7.0
        imagePullPolicy: Always
        command: ["inlets"]
        args:
        - "server"
        - "--token-from=/var/inlets/token"
        volumeMounts:
          - name: inlets-token-volume
            mountPath: /var/inlets/
      volumes:
        - name: inlets-token-volume
          secret:
            secretName: inlets
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: inlets
  namespace: inlets
 spec:
  rules:
  - host: inlets.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: inlets
          servicePort: 80
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: pyload
  namespace: inlets
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - pyload.cluster.fun
    secretName: pyload-ingress
  rules:
  - host: pyload.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: inlets
          servicePort: 80
--- a/manifests/kube-janitor.yaml
+++ b/manifests/kube-janitor.yaml
@@ -1,107 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: kube-janitor
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kube-janitor
  namespace: kube-janitor
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kube-janitor
 rules:
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
 - apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - watch
  - list
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kube-janitor
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-janitor
 subjects:
 - kind: ServiceAccount
  name: kube-janitor
  namespace: kube-janitor
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kube-janitor
  namespace: kube-janitor
 data:
  rules.yaml: |-
    rules:
      - id: tekton-tasks
        resources:
          - pods
          - pipelineruns
        jmespath: "(metadata.labels.\"tekton.dev/pipeline\")"
        ttl: 3h
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    application: kube-janitor
    version: v20.4.1
  name: kube-janitor
  namespace: kube-janitor
 spec:
  replicas: 1
  selector:
    matchLabels:
      application: kube-janitor
  template:
    metadata:
      labels:
        application: kube-janitor
        version: v20.4.1
    spec:
      serviceAccountName: kube-janitor
      containers:
      - name: janitor
        image: hjacobs/kube-janitor:20.4.1
        args:
          - --interval=15
          - --rules-file=/config/rules.yaml
          - --include-namespaces=tekton-pipelines
          - --include-resources=pods
        resources:
          limits:
            memory: 100Mi
          requests:
            memory: 100Mi
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
          - name: config-volume
            mountPath: /config
      volumes:
      - name: config-volume
        configMap:
          name: kube-janitor
--- a/manifests/link/link.yaml
+++ b/manifests/link/link.yaml
@@ -0,0 +1,99 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: urls-map
  namespace: link
  labels:
    app: link
 data:
  urls.yaml: |
    mn: https://marcusnoble.co.uk
    whites: https://twitter.com/whites11/status/1484053621448785920
    devopsnotts22: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
    kubernetes-cool: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
    klustered: https://gist.githubusercontent.com/AverageMarcus/e58301ecf3455caa1638c3ffe70ed138/raw/klustered.sh
    wonders-and-woes: https://noti.st/averagemarcus/sWywEJ/the-wonders-and-woes-of-webhooks
    kubehuddle: https://noti.st/averagemarcus/TqCEd4/the-wonders-and-woes-of-webhooks
    kcduk: https://noti.st/averagemarcus/fxN4gl/managing-kubernetes-without-losing-your-cool
    wonders-and-woes-webinar: https://noti.st/averagemarcus/Hw2IXG/the-wonders-and-woes-of-webhooks
    kcdukraine: https://noti.st/averagemarcus/quuysq/managing-kubernetes-without-losing-your-cool
    devopsox23: https://noti.st/averagemarcus/quuysq/managing-kubernetes-without-losing-your-cool
    dddem23: https://noti.st/averagemarcus/Rt4hFh/managing-kubernetes-without-losing-your-cool
    kube-london: https://noti.st/averagemarcus/SFD1bY/the-wonders-and-woes-of-webhooks
    kcduk23: https://noti.st/averagemarcus/4YvpTx/webhooks-whats-the-worst-that-could-happen
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: link
  namespace: link
  labels:
    app: link
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: link
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: link
  namespace: link
  labels:
    app: link
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: link
  template:
    metadata:
      labels:
        app: link
    spec:
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/link:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 5050
          name: web
        volumeMounts:
          - name: config
            mountPath: /config
      volumes:
        - name: config
          configMap:
            name: urls-map
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: link
  namespace: link
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - go-get.link
    secretName: link-ingress
  rules:
  - host: go-get.link
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: link
            port:
              number: 80
--- a/manifests/linx-server.yaml
+++ b/manifests/linx-server.yaml
@@ -1,114 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: linx-server
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: linx-server
  namespace: linx-server
 data:
  linx-server.conf: |-
    sitename = share
    maxsize = 524288000
    maxexpiry = 0
    selifpath = f
    nologs = false
    force-random-filename = false
    s3-endpoint = https://s3.fr-par.scw.cloud
    s3-region = fr-par
    s3-bucket = cluster.fun-linx
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: linx-server-s3
  namespace: linx-server
  annotations:
    kube-1password: d5dgclm3qrxd4fntivv26ec3ee
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: linx-server
  namespace: linx-server
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: linx-server
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: linx-server
  namespace: linx-server
 spec:
  replicas: 2
  selector:
    matchLabels:
      app: linx-server
  template:
    metadata:
      labels:
        app: linx-server
    spec:
      containers:
      - name: web
        image: andreimarcu/linx-server:version-2.3.5
        imagePullPolicy: Always
        args:
          - -config
          - /config/linx-server.conf
        ports:
        - containerPort: 8080
          name: web
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: linx-server-s3
                key: username
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: linx-server-s3
                key: password
        volumeMounts:
          - name: config
            mountPath: /config
      volumes:
        - name: config
          configMap:
            name: linx-server
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: linx-server
  namespace: linx-server
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - share.cluster.fun
    secretName: linx-server-ingress
  rules:
  - host: share.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: linx-server
          servicePort: 80
--- a/manifests/loki_chart.yaml
+++ b/manifests/loki_chart.yaml
@@ -1,175 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: logging
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: grafana-credentials
  namespace: logging
  annotations:
    kube-1password: wpynfxkdipeeacyfxkvtdsuj54
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: loki
  namespace: logging
 spec:
  chart:
    repository: https://grafana.github.io/loki/charts
    name: loki-stack
    version: 0.36.2
  maxHistory: 4
  skipCRDs: false
  values:
    fluent-bit:
      enabled: "true"
    promtail:
      enabled: "true"
    loki:
      persistence:
        enabled: "true"
        size: 10Gi
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: grafana
  namespace: logging
 spec:
  chart:
    repository: https://kubernetes-charts.storage.googleapis.com
    name: grafana
    version: 5.0.22
  maxHistory: 4
  skipCRDs: false
  values:
    image:
      tag: 7.0.0
    admin:
      existingSecret: "grafana-credentials"
      userKey: username
      passwordKey: password
    persistence:
      enabled: "false"
    datasources:
      datasources.yaml:
        apiVersion: 1
        datasources:
        - name: Loki
          type: loki
          url: http://logging-loki.logging:3100
          access: proxy
          jsonData:
            maxLines: 1000
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: grafana-auth
  namespace: logging
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: grafana-auth
  namespace: logging
  labels:
    app: grafana-auth
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana-auth
  template:
    metadata:
      labels:
        app: grafana-auth
    spec:
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://logging-grafana.logging.svc.cluster.local
        - --http-address=$(HOST_IP):8080
        - --redirect-url=https://grafana.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: grafana-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: grafana-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
        name: oauth-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: grafana-auth
  namespace: logging
  labels:
    app: grafana-auth
 spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: grafana-auth
  type: ClusterIP
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: grafana-auth
  namespace: logging
  labels:
    app: grafana-auth
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - grafana.cluster.fun
    secretName: grafana-ingress
  rules:
  - host: grafana.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: grafana-auth
          servicePort: 80
--- a/manifests/marcusnoble/marcusnoble.yaml
+++ b/manifests/marcusnoble/marcusnoble.yaml
@@ -0,0 +1,90 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: marcusnoble
  namespace: marcusnoble
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
    name: web
  selector:
    app: marcusnoble
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: marcusnoble
  namespace: marcusnoble
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: marcusnoble
  template:
    metadata:
      labels:
        app: marcusnoble
    spec:
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/marcusnoble:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: web
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
        # livenessProbe:
        #   httpGet:
        #     path: /healthz
        #     port: web
        #   initialDelaySeconds: 10
        # readinessProbe:
        #   httpGet:
        #     path: /healthz
        #     port: web
        #   initialDelaySeconds: 10
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: marcusnoble
  namespace: marcusnoble
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - marcusnoble.com
    - www.marcusnoble.com
    secretName: marcusnoble-ingress
  rules:
  - host: marcusnoble.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: marcusnoble
            port:
              number: 80
  - host: www.marcusnoble.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: marcusnoble
            port:
              number: 80
 ---
--- a/manifests/mastodon-digest/mastodon_digest.yaml
+++ b/manifests/mastodon-digest/mastodon_digest.yaml
@@ -0,0 +1,229 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
  namespace: mastodon-digest
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: .dockerconfigjson
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: e30=
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mastodon-digest-auth
  namespace: mastodon-digest
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mastodon-digest
  namespace: mastodon-digest
  annotations:
    kube-1password: bfklz3yi3dn4e7xtsbttcvhata
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-parse: "true"
 type: Opaque
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: config
  namespace: mastodon-digest
  labels:
    app: mastodon-digest
 data:
  config.json: |
    [
      {
        "timeline": "home",
        "hours": 12,
        "scorer": "ExtendedSimpleWeighted",
        "threshold": "lax",
        "output": "/usr/share/nginx/html/home/"
      },
      {
        "timeline": "federated",
        "hours": 12,
        "scorer": "ExtendedSimpleWeighted",
        "threshold": "lax",
        "output": "/usr/share/nginx/html/federated/"
      }
    ]
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: index
  namespace: mastodon-digest
  labels:
    app: mastodon-digest
 data:
  index.html: |
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta chartset="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <title>Mastodon Digest</title>
        <style>
        body { background-color: #292c36; font-family: "Arial", sans-serif; }
        div#container { margin: auto; max-width: 640px; padding: 10px; text-align: center; margin: 0 auto; }
        .links { align: center; }
        h1 { color: white; }
        a.button { background: #595aff; color: #fff; line-height: 1.2; min-height: 38px; min-width: 88px; padding: 0 30px; border: 0; border-radius: 6px;; display: inline-flex; justify-content: center; align-items: center; }
    </style>
    </head>
    <body>
        <div id="container">
            <h1>Mastodon Digest</h1>
            <section class="links">
                <a href="home/" class="button">Home</a>
                <a href="federated/" class="button">Federated</a>
            </section>
        </div>
    </body>
    </html>
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mastodon-digest
  namespace: mastodon-digest
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: auth
    name: web
  selector:
    app: mastodon-digest
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: mastodon-digest
  namespace: mastodon-digest
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: mastodon-digest
  template:
    metadata:
      labels:
        app: mastodon-digest
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://localhost:80
        - --http-address=$(HOST_IP):8000
        - --redirect-url=https://mastodon-digest.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: mastodon-digest-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: mastodon-digest-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
          protocol: TCP
          name: auth
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: web
        image: nginx:stable
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
        - name: index
          mountPath: /usr/share/nginx/html/index.html
          subPath: index.html
      - name: digest
        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-digest:latest
        imagePullPolicy: Always
        env:
        - name: CONFIG_FILE
          value: /config.json
        envFrom:
        - secretRef:
            name: mastodon-digest
        volumeMounts:
        - name: config
          mountPath: /config.json
          subPath: config.json
        - name: html
          mountPath: /usr/share/nginx/html
      volumes:
      - name: html
        emptyDir: {}
      - name: config
        configMap:
          name: config
      - name: index
        configMap:
          name: index
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: mastodon-digest
  namespace: mastodon-digest
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - mastodon-digest.cluster.fun
    secretName: mastodon-digest-ingress
  rules:
  - host: mastodon-digest.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: mastodon-digest
            port:
              number: 80
--- a/manifests/mastodon-to-airtable/twitter-to-airtable.yaml
+++ b/manifests/mastodon-to-airtable/twitter-to-airtable.yaml
@@ -0,0 +1,151 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
  namespace: mastodon-to-airtable
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: .dockerconfigjson
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: e30=
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mastodon-to-airtable-auth
  namespace: mastodon-to-airtable
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mastodon-to-airtable
  namespace: mastodon-to-airtable
  annotations:
    kube-1password: kizmkmbndgu3ryrox3csev4mim
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-parse: "true"
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mastodon-to-airtable
  namespace: mastodon-to-airtable
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: auth
    name: web
  selector:
    app: mastodon-to-airtable
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: mastodon-to-airtable
  namespace: mastodon-to-airtable
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: mastodon-to-airtable
  template:
    metadata:
      labels:
        app: mastodon-to-airtable
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://localhost:8080
        - --http-address=$(HOST_IP):8000
        - --redirect-url=https://mastodon-to-airtable.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: mastodon-to-airtable-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: mastodon-to-airtable-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
          protocol: TCP
          name: auth
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-to-airtable:latest
        imagePullPolicy: Always
        env:
        - name: PORT
          value: "8080"
        envFrom:
        - secretRef:
            name: "mastodon-to-airtable"
        ports:
        - containerPort: 8080
          name: web
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: mastodon-to-airtable
  namespace: mastodon-to-airtable
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
    - mastodon-to-airtable.cluster.fun
    secretName: mastodon-to-airtable-ingress
  rules:
  - host: mastodon-to-airtable.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: mastodon-to-airtable
            port:
              number: 80
--- a/manifests/matrix_chart.yaml
+++ b/manifests/matrix_chart.yaml
@@ -1,255 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: chat
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: matrix
  namespace: chat
 spec:
  chart:
    repository: https://dacruz21.github.io/helm-charts
    name: matrix
    version: 1.1.2
  maxHistory: 4
  values:
    matrix:
      serverName: "matrix.cluster.fun"
      telemetry: false
      hostname: "matrix.cluster.fun"
      presence: true
      blockNonAdminInvites: false
      search: true
      adminEmail: "matrix@marcusnoble.co.uk"
      uploads:
        maxSize: 100M
        maxPixels: 32M
      federation:
        enabled: false
        allowPublicRooms: false
        blacklist:
          - '127.0.0.0/8'
          - '10.0.0.0/8'
          - '172.16.0.0/12'
          - '192.168.0.0/16'
          - '100.64.0.0/10'
          - '169.254.0.0/16'
          - '::1/128'
          - 'fe80::/64'
          - 'fc00::/7'
      registration:
        enabled: false
        allowGuests: false
      urlPreviews:
        enabled: true
        rules:
          maxSize: 4M
          ip:
            blacklist:
              - '127.0.0.0/8'
              - '10.0.0.0/8'
              - '172.16.0.0/12'
              - '192.168.0.0/16'
              - '100.64.0.0/10'
              - '169.254.0.0/16'
              - '::1/128'
              - 'fe80::/64'
              - 'fc00::/7'
    volumes:
      media:
        capacity: 4Gi
      signingKey:
        capacity: 1Gi
    postgresql:
      enabled: true
      persistence:
        size: 4Gi
    synapse:
      image:
        repository: "matrixdotorg/synapse"
        tag: v1.12.4
        pullPolicy: IfNotPresent
      service:
        type: ClusterIP
        port: 80
      replicaCount: 1
      resources: {}
    riot:
      enabled: true
      integrations:
        enabled: true
        ui: "https://scalar.vector.im/"
        api: "https://scalar.vector.im/api"
        widgets:
          - "https://scalar.vector.im/_matrix/integrations/v1"
          - "https://scalar.vector.im/api"
          - "https://scalar-staging.vector.im/_matrix/integrations/v1"
          - "https://scalar-staging.vector.im/api"
          - "https://scalar-staging.riot.im/scalar/api"
      # Experimental features in riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md
      labs:
        - feature_pinning
        - feature_custom_status
        - feature_state_counters
        - feature_many_integration_managers
        - feature_mjolnir
        - feature_dm_verification
        - feature_bridge_state
        - feature_presence_in_room_list
        - feature_custom_themes
      # Servers to show in the Explore menu (the current server is always shown)
      roomDirectoryServers: []
      # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance.
      permalinkPrefix: "https://chat.cluster.fun"
      image:
        repository: "vectorim/riot-web"
        tag: v1.6.0
        pullPolicy: IfNotPresent
      service:
        type: ClusterIP
        port: 80
      replicaCount: 1
      resources: {}
    # Settings for Coturn TURN relay, used for routing voice calls
    coturn:
      enabled: false
    mail:
      enabled: false
      relay:
        enabled: false
    bridges:
      irc:
        enabled: false
      whatsapp:
        enabled: false
      discord:
        enabled: false
    networkPolicies:
      enabled: false
    ingress:
      enabled: false
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: matrix
  namespace: chat
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - matrix.cluster.fun
    secretName: matrix-ingress
  rules:
  - host: matrix.cluster.fun
    http:
      paths:
      - path: /.well-known/matrix
        backend:
          serviceName: well-known
          servicePort: 80
      - path: /
        backend:
          serviceName: chat-matrix-synapse
          servicePort: 80
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: riot
  namespace: chat
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
  tls:
  - hosts:
    - chat.cluster.fun
    secretName: riot-ingress
  rules:
  - host: chat.cluster.fun
    http:
      paths:
      - path: /
        backend:
          serviceName: chat-matrix-riot
          servicePort: 80
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: well-known
  namespace: chat
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: well-known
  template:
    metadata:
      labels:
        app: well-known
    spec:
      containers:
      - name: web
        image: nginx
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: well-known
          mountPath: /usr/share/nginx/html/.well-known/matrix
      volumes:
      - name: well-known
        configMap:
          name: well-known
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: well-known
  namespace: chat
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80
    name: web
  selector:
    app: well-known
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: well-known
  namespace: chat
 data:
  server: |-
    {
      "m.server": "matrix.cluster.fun:443"
    }
--- a/manifests/matrix_chart/matrix_chart.yaml
+++ b/manifests/matrix_chart/matrix_chart.yaml
@@ -0,0 +1,545 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: matrix
  namespace: chat
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - matrix.cluster.fun
    secretName: matrix-ingress
  rules:
  - host: matrix.cluster.fun
    http:
      paths:
      - path: /.well-known/matrix
        pathType: ImplementationSpecific
        backend:
          service:
            name: well-known
            port:
              number: 80
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: matrix-synapse
            port:
              number: 80
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: riot
  namespace: chat
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - chat.cluster.fun
    secretName: riot-ingress
  rules:
  - host: chat.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: matrix-riot
            port:
              number: 80
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: well-known
  namespace: chat
  annotations:
    configmap.reloader.stakater.com/reload: "well-known"
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: well-known
  template:
    metadata:
      labels:
        app: well-known
    spec:
      containers:
      - name: web
        image: nginx
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: well-known
          mountPath: /usr/share/nginx/html/.well-known/matrix
        resources:
          limits:
            memory: 15Mi
          requests:
            memory: 15Mi
      volumes:
      - name: well-known
        configMap:
          name: well-known
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: well-known
  namespace: chat
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80
    name: web
  selector:
    app: well-known
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: well-known
  namespace: chat
 data:
  server: |-
    {
      "m.server": "matrix.cluster.fun:443"
    }
 ---
 # Source: matrix/templates/riot/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: matrix-riot-config
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: element
 data:
  config.json: |
    {
      "default_server_config": {
        "m.homeserver": {
          "base_url": "https://matrix.cluster.fun"
        }
      },
      "brand": "Element",
      "branding": {},
      "integrations_ui_url": "https://scalar.vector.im/",
      "integrations_rest_url": "https://scalar.vector.im/api",
      "integrations_widgets_urls": [
        "https://scalar.vector.im/_matrix/integrations/v1",
        "https://scalar.vector.im/api",
        "https://scalar-staging.vector.im/_matrix/integrations/v1",
        "https://scalar-staging.vector.im/api",
        "https://scalar-staging.riot.im/scalar/api"
      ],
      "showLabsSettings": true,
      "features": {
        "feature_pinning": true,
        "feature_custom_status": "labs",
        "feature_state_counters": "labs",
        "feature_many_integration_managers": "labs",
        "feature_mjolnir": "labs",
        "feature_dm_verification": "labs",
        "feature_bridge_state": "labs",
        "feature_presence_in_room_list": true,
        "feature_custom_themes": "labs",
        "feature_new_spinner": "labs",
        "feature_jump_to_date": "labs",
        "feature_location_share_pin_drop": "labs",
        "feature_location_share_live": "labs",
        "feature_thread": true,
        "feature_video_rooms": true,
        "feature_favourite_messages": "labs"
      },
      "roomDirectory": {
        "servers": []
      },
      "permalinkPrefix": "https://chat.cluster.fun",
      "enable_presence_by_hs_url": {
        "https://matrix.org": false,
        "https://matrix-client.matrix.org": false
      },
      "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=2IerXP2a5g1e7hxxBbzs"
    }
  nginx.conf: |
    worker_processes  auto;
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/pid/nginx.pid;
    events {
      worker_connections  1024;
    }
    http {
      include       /etc/nginx/mime.types;
      default_type  application/octet-stream;
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
      '$status $body_bytes_sent "$http_referer" '
      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log  /var/log/nginx/access.log  main;
      sendfile        on;
      keepalive_timeout  65;
      include /etc/nginx/conf.d/*.conf;
    }
  default.conf: |
    server {
      listen       8080;
      server_name  localhost;
      location / {
          root   /usr/share/nginx/html;
          index  index.html index.htm;
      }
      # redirect server error pages to the static page /50x.html
      #
      error_page   500 502 503 504  /50x.html;
      location = /50x.html {
          root   /usr/share/nginx/html;
      }
    }
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: matrix-synapse-config
  namespace: chat
  annotations:
    kube-1password: wbj4oozwyx6m2zz5m42pgcmymy
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: homeserver.yaml
  labels:
    app.kubernetes.io/name: "matrix"
    component: synapse
 type: Opaque
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: matrix-synapse-config
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: element
 data:
  matrix.cluster.fun.log.config: |
    version: 1
    formatters:
      precise:
        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
    filters:
      context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
    handlers:
      console:
        class: logging.StreamHandler
        formatter: precise
        filters: [context]
    loggers:
      synapse:
        level: WARNING
      synapse.storage.SQL:
        # beware: increasing this to DEBUG will make synapse log sensitive
        # information such as access tokens.
        level: WARNING
    root:
      level: WARNING
      handlers: [console]
 ---
 # Source: matrix/templates/riot/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: matrix-riot
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: element
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: matrix-riot
 ---
 # Source: matrix/templates/synapse/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: matrix-synapse
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: synapse
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: "/_synapse/metrics"
    prometheus.io/port: "9000"
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
    - port: 9000
      targetPort: metrics
      protocol: TCP
      name: metrics
  selector:
    app.kubernetes.io/name: matrix-synapse
 ---
 # Source: matrix/templates/riot/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: matrix-riot
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: element
 spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: matrix-riot
  template:
    metadata:
      labels:
        app.kubernetes.io/name: matrix-riot
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: "riot"
          image: "vectorim/element-web:v1.11.44"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - mountPath: /app/config.json
              name: riot-config
              subPath: config.json
              readOnly: true
            - mountPath: /etc/nginx/nginx.conf
              name: riot-config
              subPath: nginx.conf
              readOnly: true
            - mountPath: /etc/nginx/conf.d/default.conf
              name: riot-config
              subPath: default.conf
              readOnly: true
            - mountPath: /var/cache/nginx
              name: ephemeral
              subPath: cache
            - mountPath: /var/run/pid
              name: ephemeral
              subPath: pid
          readinessProbe:
            httpGet:
              path: /
              port: http
          startupProbe:
            httpGet:
              path: /
              port: http
          livenessProbe:
            httpGet:
              path: /
              port: http
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      volumes:
        - name: riot-config
          configMap:
            name: matrix-riot-config
        - name: ephemeral
          emptyDir: {}
 ---
 # Source: matrix/templates/synapse/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: matrix-synapse
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: synapse
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: matrix-synapse
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: matrix-synapse
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
        - name: generate-signing-key
          image: "matrixdotorg/synapse:v1.93.0"
          imagePullPolicy: IfNotPresent
          env:
            - name: SYNAPSE_SERVER_NAME
              value: matrix.cluster.fun
            - name: SYNAPSE_REPORT_STATS
              value: "no"
          command: ["python"]
          args:
            - "-m"
            - "synapse.app.homeserver"
            - "--config-path"
            - "/data/homeserver.yaml"
            - "--keys-directory"
            - "/data/keys"
            - "--generate-keys"
          volumeMounts:
            - name: synapse-config-homeserver
              mountPath: /data/homeserver.yaml
              subPath: homeserver.yaml
            - name: synapse-config-logging
              mountPath: /data/matrix.cluster.fun.log.config
              subPath: matrix.cluster.fun.log.config
            - name: signing-key
              mountPath: /data/keys
      containers:
        - name: "synapse"
          image: "matrixdotorg/synapse:v1.93.0"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8008
              protocol: TCP
            - name: metrics
              containerPort: 9000
              protocol: TCP
          volumeMounts:
            - name: synapse-config-homeserver
              mountPath: /data/homeserver.yaml
              subPath: homeserver.yaml
            - name: mautrix-whatsapp-registration
              mountPath: /data/mautrix-whatsapp-registration.yaml
              subPath: registration.yaml
            # - name: mautrix-signal-registration
            #   mountPath: /data/mautrix-signal-registration.yaml
            #   subPath: registration.yaml
            # - name: mautrix-telegram-registration
            #   mountPath: /data/mautrix-telegram-registration.yaml
            #   subPath: registration.yaml
            - name: synapse-config-logging
              mountPath: /data/matrix.cluster.fun.log.config
              subPath: matrix.cluster.fun.log.config
            - name: signing-key
              mountPath: /data/keys
            - name: user-media
              mountPath: /data/media_store
            - name: uploads
              mountPath: /data/uploads
            - name: tmp
              mountPath: /tmp
          readinessProbe:
            httpGet:
              path: /_matrix/static/
              port: http
            periodSeconds: 10
            timeoutSeconds: 5
          startupProbe:
            httpGet:
              path: /_matrix/static/
              port: http
            failureThreshold: 6
            periodSeconds: 5
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              path: /_matrix/static/
              port: http
            periodSeconds: 10
            timeoutSeconds: 5
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      volumes:
        - name: synapse-config-logging
          configMap:
            name: matrix-synapse-config
        - name: synapse-config-homeserver
          secret:
            secretName: matrix-synapse-config
        - name: mautrix-whatsapp-registration
          secret:
            secretName: mautrix-whatsapp-registration
        # - name: mautrix-signal-registration
        #   secret:
        #     secretName: mautrix-signal-registration
        # - name: mautrix-telegram-registration
        #   secret:
        #     secretName: mautrix-telegram-registration
        - name: signing-key
          persistentVolumeClaim:
            claimName: chat-matrix-signing-key
        - name: user-media
          persistentVolumeClaim:
            claimName: chat-matrix-user-media
        - name: uploads
          emptyDir: {}
        - name: tmp
          emptyDir: {}
 ---
--- a/manifests/matrix_chart/pvs.yaml
+++ b/manifests/matrix_chart/pvs.yaml
@@ -0,0 +1,80 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-470f5860-49e0-414c-bb36-329970afc44b
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 12Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      storage.kubernetes.io/csiProvisionerIdentity: 1676472026170-8081-csi.scaleway.com
    volumeHandle: fr-par-1/5e73e304-11e8-42cb-90fe-361889089d2d
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd
  volumeMode: Filesystem
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: chat-matrix-user-media
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: synapse
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 12Gi
  volumeName: pvc-470f5860-49e0-414c-bb36-329970afc44b
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-00a8cf81-9453-4014-aa09-9fdbcc42abf2
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 1Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      storage.kubernetes.io/csiProvisionerIdentity: 1588413765965-1847-csi.scaleway.com
    volumeHandle: fr-par-1/e7437eda-59e8-43f5-af49-540618f1bd95
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd
  volumeMode: Filesystem
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: chat-matrix-signing-key
  namespace: chat
  labels:
    app.kubernetes.io/name: "matrix"
    component: synapse
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  volumeName: pvc-00a8cf81-9453-4014-aa09-9fdbcc42abf2
 ---
--- a/manifests/matrix_chart/signal_bridge.yaml
+++ b/manifests/matrix_chart/signal_bridge.yaml
@@ -0,0 +1,153 @@
 # apiVersion: v1
 # kind: Secret
 # metadata:
 #   name: mautrix-signal-registration
 #   namespace: chat
 #   annotations:
 #     kube-1password: z6tylu2br724gttcpfyi5egaui
 #     kube-1password/vault: Kubernetes
 #     kube-1password/secret-text-key: registration.yaml
 #   labels:
 #     app.kubernetes.io/name: "mautrix-signal"
 #     component: registration
 # type: Opaque
 # ---
 # apiVersion: v1
 # kind: Secret
 # metadata:
 #   name: mautrix-signal-config
 #   namespace: chat
 #   annotations:
 #     kube-1password: 5vfaorcudozlq4clkzgmzzszqe
 #     kube-1password/vault: Kubernetes
 #     kube-1password/secret-text-key: config.yaml
 #   labels:
 #     app.kubernetes.io/name: "mautrix-signal"
 #     component: config
 # type: Opaque
 # ---
 # apiVersion: v1
 # kind: Service
 # metadata:
 #   name: mautrix-signal
 #   namespace: chat
 #   labels:
 #     app.kubernetes.io/name: mautrix-signal
 #   annotations:
 #     prometheus.io/scrape: "true"
 #     prometheus.io/path: "/metrics"
 #     prometheus.io/port: "9000"
 # spec:
 #   type: ClusterIP
 #   ports:
 #   - port: 29328
 #     targetPort: http
 #     protocol: TCP
 #     name: http
 #   selector:
 #     app.kubernetes.io/name: mautrix-signal
 # ---
 # apiVersion: apps/v1
 # kind: Deployment
 # metadata:
 #   name: mautrix-signal
 #   labels:
 #     app.kubernetes.io/name: mautrix-signal
 # spec:
 #   revisionHistoryLimit: 3
 #   replicas: 1
 #   strategy:
 #     type: Recreate
 #   selector:
 #     matchLabels:
 #       app.kubernetes.io/name: mautrix-signal
 #   template:
 #     metadata:
 #       labels:
 #         app.kubernetes.io/name: mautrix-signal
 #     spec:
 #       serviceAccountName: default
 #       automountServiceAccountToken: true
 #       dnsPolicy: ClusterFirst
 #       enableServiceLinks: true
 #       initContainers:
 #       - name: config-copy
 #         image: bash:latest
 #         imagePullPolicy: IfNotPresent
 #         args:
 #           - -c
 #           - |
 #             cp /secrets/* /data/
 #         volumeMounts:
 #           - name: mautrix-signal-config
 #             mountPath: /secrets/config.yaml
 #             subPath: config.yaml
 #           - name: mautrix-signal-registration
 #             mountPath: /secrets/registration.yaml
 #             subPath: registration.yaml
 #           - name: data
 #             mountPath: /data
 #       containers:
 #         - name: signald
 #           image: docker.io/signald/signald:stable
 #           imagePullPolicy: Always
 #           volumeMounts:
 #           - name: signald
 #             mountPath: /signald
 #         - name: mautrix-signal
 #           image: "dock.mau.dev/mautrix/signal:v0.4.1"
 #           imagePullPolicy: IfNotPresent
 #           env:
 #             - name: "TZ"
 #               value: "UTC"
 #           ports:
 #             - name: http
 #               containerPort: 29328
 #               protocol: TCP
 #             - name: metrics
 #               containerPort: 9000
 #               protocol: TCP
 #           volumeMounts:
 #           - name: signald
 #             mountPath: /signald
 #           - name: data
 #             mountPath: /data
 #           livenessProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 3
 #             timeoutSeconds: 1
 #             periodSeconds: 10
 #           readinessProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 3
 #             timeoutSeconds: 1
 #             periodSeconds: 10
 #           startupProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 30
 #             timeoutSeconds: 1
 #             periodSeconds: 5
 #       volumes:
 #         - name: data
 #           emptyDir: {}
 #         - name: signald
 #           emptyDir: {}
 #         - name: mautrix-signal-config
 #           secret:
 #             secretName: mautrix-signal-config
 #         - name: mautrix-signal-registration
 #           secret:
 #             secretName: mautrix-signal-registration
 # ---
--- a/manifests/matrix_chart/telegram_bridge.yaml
+++ b/manifests/matrix_chart/telegram_bridge.yaml
@@ -0,0 +1,143 @@
 # apiVersion: v1
 # kind: Secret
 # metadata:
 #   name: mautrix-telegram-registration
 #   namespace: chat
 #   annotations:
 #     kube-1password: dancy7ogc4gjlxhfntqejgudwi
 #     kube-1password/vault: Kubernetes
 #     kube-1password/secret-text-key: registration.yaml
 #   labels:
 #     app.kubernetes.io/name: "mautrix-telegram"
 #     component: registration
 # type: Opaque
 # ---
 # apiVersion: v1
 # kind: Secret
 # metadata:
 #   name: mautrix-telegram-config
 #   namespace: chat
 #   annotations:
 #     kube-1password: nilzdpfum35hhwijnwvasbzmcq
 #     kube-1password/vault: Kubernetes
 #     kube-1password/secret-text-key: config.yaml
 #   labels:
 #     app.kubernetes.io/name: "mautrix-telegram"
 #     component: config
 # type: Opaque
 # ---
 # apiVersion: v1
 # kind: Service
 # metadata:
 #   name: mautrix-telegram
 #   namespace: chat
 #   labels:
 #     app.kubernetes.io/name: mautrix-telegram
 #   annotations:
 #     prometheus.io/scrape: "true"
 #     prometheus.io/path: "/metrics"
 #     prometheus.io/port: "9000"
 # spec:
 #   type: ClusterIP
 #   ports:
 #   - port: 29318
 #     targetPort: http
 #     protocol: TCP
 #     name: http
 #   selector:
 #     app.kubernetes.io/name: mautrix-telegram
 # ---
 # apiVersion: apps/v1
 # kind: Deployment
 # metadata:
 #   name: mautrix-telegram
 #   labels:
 #     app.kubernetes.io/name: mautrix-telegram
 # spec:
 #   revisionHistoryLimit: 3
 #   replicas: 1
 #   strategy:
 #     type: Recreate
 #   selector:
 #     matchLabels:
 #       app.kubernetes.io/name: mautrix-telegram
 #   template:
 #     metadata:
 #       labels:
 #         app.kubernetes.io/name: mautrix-telegram
 #     spec:
 #       serviceAccountName: default
 #       automountServiceAccountToken: true
 #       dnsPolicy: ClusterFirst
 #       enableServiceLinks: true
 #       initContainers:
 #       - name: config-copy
 #         image: bash:latest
 #         imagePullPolicy: IfNotPresent
 #         args:
 #           - -c
 #           - |
 #             cp /secrets/* /data/
 #         volumeMounts:
 #           - name: mautrix-telegram-config
 #             mountPath: /secrets/config.yaml
 #             subPath: config.yaml
 #           - name: mautrix-telegram-registration
 #             mountPath: /secrets/registration.yaml
 #             subPath: registration.yaml
 #           - name: data
 #             mountPath: /data
 #       containers:
 #         - name: mautrix-telegram
 #           image: "dock.mau.dev/mautrix/telegram:v0.12.1"
 #           imagePullPolicy: IfNotPresent
 #           env:
 #             - name: "TZ"
 #               value: "UTC"
 #           ports:
 #             - name: http
 #               containerPort: 29318
 #               protocol: TCP
 #             - name: metrics
 #               containerPort: 9000
 #               protocol: TCP
 #           volumeMounts:
 #           - name: data
 #             mountPath: /data
 #           livenessProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 3
 #             timeoutSeconds: 1
 #             periodSeconds: 10
 #           readinessProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 3
 #             timeoutSeconds: 1
 #             periodSeconds: 10
 #           startupProbe:
 #             tcpSocket:
 #               port: 29318
 #             initialDelaySeconds: 0
 #             failureThreshold: 30
 #             timeoutSeconds: 1
 #             periodSeconds: 5
 #       volumes:
 #         - name: data
 #           emptyDir: {}
 #         - name: mautrix-telegram-config
 #           secret:
 #             secretName: mautrix-telegram-config
 #         - name: mautrix-telegram-registration
 #           secret:
 #             secretName: mautrix-telegram-registration
 # ---
--- a/manifests/matrix_chart/whatsapp_bridge.yaml
+++ b/manifests/matrix_chart/whatsapp_bridge.yaml
@@ -0,0 +1,143 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: mautrix-whatsapp-registration
  namespace: chat
  annotations:
    kube-1password: x6lzkpyov4dem5jtk2kimyrnvy
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: registration.yaml
  labels:
    app.kubernetes.io/name: "mautrix-whatsapp"
    component: registration
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mautrix-whatsapp-config
  namespace: chat
  annotations:
    kube-1password: ji3e2el66bu56bml3kq3ghyojq
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: config.yaml
  labels:
    app.kubernetes.io/name: "mautrix-whatsapp"
    component: config
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mautrix-whatsapp
  namespace: chat
  labels:
    app.kubernetes.io/name: mautrix-whatsapp
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: "/metrics"
    prometheus.io/port: "9000"
 spec:
  type: ClusterIP
  ports:
  - port: 29318
    targetPort: http
    protocol: TCP
    name: http
  selector:
    app.kubernetes.io/name: mautrix-whatsapp
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: mautrix-whatsapp
  labels:
    app.kubernetes.io/name: mautrix-whatsapp
 spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: mautrix-whatsapp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: mautrix-whatsapp
    spec:
      serviceAccountName: default
      automountServiceAccountToken: true
      dnsPolicy: ClusterFirst
      enableServiceLinks: true
      initContainers:
      - name: config-copy
        image: bash:latest
        imagePullPolicy: IfNotPresent
        args:
          - -c
          - |
            cp /secrets/* /data/
        volumeMounts:
          - name: mautrix-whatsapp-config
            mountPath: /secrets/config.yaml
            subPath: config.yaml
          - name: mautrix-whatsapp-registration
            mountPath: /secrets/registration.yaml
            subPath: registration.yaml
          - name: data
            mountPath: /data
      containers:
        - name: mautrix-whatsapp
          image: "dock.mau.dev/mautrix/whatsapp:v0.10.2"
          imagePullPolicy: IfNotPresent
          env:
            - name: "TZ"
              value: "UTC"
          ports:
            - name: http
              containerPort: 29318
              protocol: TCP
            - name: metrics
              containerPort: 9000
              protocol: TCP
          volumeMounts:
          - name: data
            mountPath: /data
          livenessProbe:
            tcpSocket:
              port: 29318
            initialDelaySeconds: 0
            failureThreshold: 3
            timeoutSeconds: 1
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 29318
            initialDelaySeconds: 0
            failureThreshold: 3
            timeoutSeconds: 1
            periodSeconds: 10
          startupProbe:
            tcpSocket:
              port: 29318
            initialDelaySeconds: 0
            failureThreshold: 30
            timeoutSeconds: 1
            periodSeconds: 5
      volumes:
        - name: data
          emptyDir: {}
        - name: mautrix-whatsapp-config
          secret:
            secretName: mautrix-whatsapp-config
        - name: mautrix-whatsapp-registration
          secret:
            secretName: mautrix-whatsapp-registration
 ---
--- a/manifests/mealie/mealie.yaml
+++ b/manifests/mealie/mealie.yaml
@@ -0,0 +1,167 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: mealie
  namespace: mealie
  annotations:
    kube-1password: 7ibib7oafxbxkvofnd4oxcr3qy
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-parse: "true"
 type: Opaque
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: mealie
  namespace: mealie
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: mealie
  template:
    metadata:
      labels:
        app: mealie
    spec:
      containers:
      - name: frontend
        image: hkotel/mealie:frontend-nightly
        imagePullPolicy: Always
        envFrom:
        - secretRef:
            name: mealie
        env:
        - name: API_URL
          value: "http://localhost:9000"
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        - name: TOKEN_TIME
          value: "168"
        - name: DB_ENGINE
          value: postgres
        - name: POSTGRES_DB
          value: mealie
        - name: RECIPE_PUBLIC
          value: "false"
        - name: RECIPE_SHOW_NUTRITION
          value: "true"
        - name: RECIPE_SHOW_ASSETS
          value: "true"
        - name: RECIPE_LANDSCAPE_VIEW
          value: "true"
        - name: RECIPE_DISABLE_COMMENTS
          value: "false"
        - name: RECIPE_DISABLE_AMOUNT
          value: "false"
        ports:
        - containerPort: 3000
          name: web
        volumeMounts:
          - mountPath: /app/data
            name: data
      - name: api
        image: hkotel/mealie:api-nightly
        imagePullPolicy: Always
        envFrom:
        - secretRef:
            name: mealie
        env:
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        - name: DB_ENGINE
          value: postgres
        - name: POSTGRES_DB
          value: mealie
        - name: DEFAULT_EMAIL
          value: "mealie@marcusnoble.co.uk"
        - name: TOKEN_TIME
          value: "168"
        - name: BASE_URL
          value: "https://mealie.cluster.fun"
        ports:
        - containerPort: 9000
          name: api
        volumeMounts:
          - mountPath: /app/data
            name: data
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: mealie
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mealie
  namespace: mealie
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: mealie
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mealie-api
  namespace: mealie
 spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: api
    name: api
  selector:
    app: mealie
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: mealie
  namespace: mealie
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - mealie.cluster.fun
    secretName: mealie-ingress
  rules:
  - host: mealie.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: mealie
            port:
              name: web
  - host: mealie.cluster.fun
    http:
      paths:
      - path: /api
        pathType: ImplementationSpecific
        backend:
          service:
            name: mealie-api
            port:
              name: api
--- a/manifests/mealie/pvs.yaml
+++ b/manifests/mealie/pvs.yaml
@@ -0,0 +1,39 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-afe7fbb6-1f5a-4169-bad1-c9d43752ee7a
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 2Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      encrypted: "false"
      storage.kubernetes.io/csiProvisionerIdentity: 1646426415842-8081-csi.scaleway.com
    volumeHandle: fr-par-1/efbe7dc1-4660-4db8-a3b4-42114075a318
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd
  volumeMode: Filesystem
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: mealie
  namespace: mealie
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  volumeName: pvc-afe7fbb6-1f5a-4169-bad1-c9d43752ee7a
 ---
--- a/manifests/monitoring-civo/kube-state-metrics.yaml
+++ b/manifests/monitoring-civo/kube-state-metrics.yaml
@@ -0,0 +1,255 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: kube-state-metrics
  name: kube-state-metrics
 rules:
  - apiGroups: ["certificates.k8s.io"]
    resources:
    - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - configmaps
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
    - cronjobs
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - daemonsets
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - deployments
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
    - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources:
    - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
    - jobs
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - limitranges
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources:
      - mutatingwebhookconfigurations
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - namespaces
    verbs: ["list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
    - networkpolicies
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - nodes
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - persistentvolumeclaims
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - persistentvolumes
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - pods
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - replicasets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - replicationcontrollers
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - resourcequotas
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - secrets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - services
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
    - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources:
      - validatingwebhookconfigurations
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - volumeattachments
    verbs: ["list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: kube-state-metrics
  name: kube-state-metrics
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-state-metrics
 subjects:
 - kind: ServiceAccount
  name: kube-state-metrics
  namespace: monitoring
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
  annotations:
    prometheus.io/scrape: 'true'
 spec:
  type: "ClusterIP"
  ports:
  - name: "http"
    protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app.kubernetes.io/name: kube-state-metrics
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-state-metrics
    spec:
      serviceAccountName: kube-state-metrics
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsUser: 65534
      containers:
      - name: kube-state-metrics
        args:
        #- --resources=certificatesigningrequests
        - --resources=configmaps
        - --resources=cronjobs
        - --resources=daemonsets
        - --resources=deployments
        #- --resources=endpoints
        #- --resources=horizontalpodautoscalers
        - --resources=ingresses
        - --resources=jobs
        #- --resources=limitranges
        - --resources=mutatingwebhookconfigurations
        - --resources=namespaces
        #- --resources=networkpolicies
        - --resources=nodes
        - --resources=persistentvolumeclaims
        - --resources=persistentvolumes
        - --resources=poddisruptionbudgets
        - --resources=pods
        - --resources=replicasets
        #- --resources=replicationcontrollers
        #- --resources=resourcequotas
        - --resources=secrets
        - --resources=services
        - --resources=statefulsets
        - --resources=storageclasses
        - --resources=validatingwebhookconfigurations
        #- --resources=volumeattachments
        imagePullPolicy: IfNotPresent
        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.0"
        ports:
        - containerPort: 8080
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 5
 ---
--- a/manifests/monitoring-civo/prometheus-server.yaml
+++ b/manifests/monitoring-civo/prometheus-server.yaml
@@ -0,0 +1,64 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: prometheus-server
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
  name: prometheus-server
 rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - nodes/metrics
      - services
      - endpoints
      - pods
      - ingresses
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
      - ingresses
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
  name: prometheus-server
 subjects:
  - kind: ServiceAccount
    name: prometheus-server
    namespace: monitoring
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-server
 ---
--- a/manifests/monitoring-civo/promtail.yaml
+++ b/manifests/monitoring-civo/promtail.yaml
@@ -0,0 +1,292 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
 data:
  promtail.yaml: |
    client:
      backoff_config:
        max_period: 5m
        max_retries: 10
        min_period: 500ms
      batchsize: 1048576
      batchwait: 1s
      external_labels: {}
      timeout: 10s
    positions:
      filename: /run/promtail/positions.yaml
    server:
      http_listen_port: 3101
    clients:
    - url: http://loki-distributed.proxy-civo.svc:80/loki/api/v1/push
      external_labels:
        kubernetes_cluster: civo
    target_config:
      sync_period: 10s
    scrape_configs:
    - job_name: kubernetes-pods
      pipeline_stages:
        - docker: {}
        - cri: {}
        - match:
            selector: '{app="weave-net"}'
            action: drop
        - match:
            selector: '{filename=~".*konnectivity.*"}'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*/healthz.*"'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*/api/health.*"'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
            action: drop
        - match:
            selector: '{app="internal-proxy"}'
            action: drop
        - match:
            selector: '{app="non-auth-proxy"}'
            action: drop
        - match:
            selector: '{app="vpa"}'
            action: drop
        - match:
            selector: '{app="promtail"}'
            action: drop
        - match:
            selector: '{app="csi-node"}'
            action: drop
        - match:
            selector: '{app="victoria-metrics"}'
            action: drop
        - match:
            selector: '{app="git-sync"}'
            action: drop
        - match:
            selector: '{app="ingress-nginx"}'
            stages:
            - json:
                expressions:
                  request_host: host
                  request_path: path
                  request_method: method
                  response_status: status
            - drop:
                source: "request_path"
                value:  "/healthz"
            - drop:
                source: "request_path"
                value:  "/health"
            - labels:
                request_host:
                request_method:
                response_status:
        - match:
            selector: '{app="traefik"}'
            stages:
            - json:
                expressions:
                  request_host: RequestHost
                  request_path: RequestPath
                  request_method: RequestMethod
                  response_status: OriginStatus
            - drop:
                source: "request_path"
                value:  "/healthz"
            - drop:
                source: "request_path"
                value:  "/health"
            - drop:
                source: "request_path"
                value:  "/ping"
            - labels:
                request_host:
                request_method:
                response_status:
      kubernetes_sd_configs:
        - role: pod
      relabel_configs:
        - source_labels:
            - __meta_kubernetes_pod_controller_name
          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
          action: replace
          target_label: __tmp_controller_name
        - source_labels:
            - __meta_kubernetes_pod_label_app_kubernetes_io_name
            - __meta_kubernetes_pod_label_app
            - __tmp_controller_name
            - __meta_kubernetes_pod_name
          regex: ^;*([^;]+)(;.*)?$
          action: replace
          target_label: app
        - source_labels:
            - __meta_kubernetes_pod_label_app_kubernetes_io_component
            - __meta_kubernetes_pod_label_component
          regex: ^;*([^;]+)(;.*)?$
          action: replace
          target_label: component
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_node_name
          target_label: node_name
        - action: replace
          source_labels:
            - __meta_kubernetes_namespace
          target_label: namespace
        - action: replace
          replacement: $1
          separator: /
          source_labels:
            - namespace
            - app
          target_label: job
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_name
          target_label: pod
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_container_name
          target_label: container
        - action: replace
          replacement: /var/log/pods/*$1/*.log
          separator: /
          source_labels:
            - __meta_kubernetes_pod_uid
            - __meta_kubernetes_pod_container_name
          target_label: __path__
        - action: replace
          replacement: /var/log/pods/*$1/*.log
          regex: true/(.*)
          separator: /
          source_labels:
            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
            - __meta_kubernetes_pod_container_name
          target_label: __path__
        - action: labelmap
          regex: __meta_kubernetes_pod_label_(.+)
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: promtail-clusterrole
  labels:
    app.kubernetes.io/name: promtail
 rules:
 - apiGroups: [""] # "" indicates the core API group
  resources:
  - nodes
  - nodes/proxy
  - services
  - endpoints
  - pods
  verbs: ["get", "watch", "list"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: promtail-clusterrolebinding
  labels:
    app.kubernetes.io/name: promtail
 subjects:
  - kind: ServiceAccount
    name: promtail
    namespace: monitoring
 roleRef:
  kind: ClusterRole
  name: promtail-clusterrole
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
  annotations:
    configmap.reloader.stakater.com/reload: "promtail"
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: promtail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: promtail
      annotations:
        prometheus.io/port: http-metrics
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: promtail
      containers:
        - name: promtail
          image: "grafana/promtail:2.9.1"
          imagePullPolicy: IfNotPresent
          args:
            - "-config.file=/etc/promtail/promtail.yaml"
          volumeMounts:
            - name: config
              mountPath: /etc/promtail
            - name: run
              mountPath: /run/promtail
            - mountPath: /var/lib/docker/containers
              name: docker
              readOnly: true
            - mountPath: /var/log/pods
              name: pods
              readOnly: true
          env:
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - containerPort: 3101
              name: http-metrics
          securityContext:
            readOnlyRootFilesystem: true
            runAsGroup: 0
            runAsUser: 0
          readinessProbe:
            failureThreshold: 5
            httpGet:
              path: /ready
              port: http-metrics
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      volumes:
        - name: config
          configMap:
            name: promtail
        - name: run
          hostPath:
            path: /run/promtail
        - hostPath:
            path: /var/lib/docker/containers
          name: docker
        - hostPath:
            path: /var/log/pods
          name: pods
 ---
--- a/manifests/monitoring-civo/vmagent.yaml
+++ b/manifests/monitoring-civo/vmagent.yaml
@@ -0,0 +1,163 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vmagent
  namespace: monitoring
  labels:
    app.kubernetes.io/name: victoria-metrics
    app.kubernetes.io/component: agent
 data:
  prometheus.yml: |
    global:
      scrape_interval: 1m
      external_labels:
        source: civo
        agent: vmagent
    scrape_configs:
    - job_name: 'vmagent'
      static_configs:
        - targets: ['localhost:8429']
    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      job_name: kubernetes-nodes
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - replacement: kubernetes.default.svc:443
        target_label: __address__
      - regex: (.+)
        replacement: /api/v1/nodes/$1/proxy/metrics
        source_labels:
        - __meta_kubernetes_node_name
        target_label: __metrics_path__
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true
    - job_name: kubernetes-service-endpoints
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scrape
      - action: replace
        regex: (https?)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scheme
        target_label: __scheme__
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_service_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_service_name
        target_label: kubernetes_name
      - action: replace
        source_labels:
        - __meta_kubernetes_endpoint_port_name
        target_label: kubernetes_endpoint_port_name
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_node_name
        target_label: kubernetes_node
    - job_name: kubernetes-pods
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_pod_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_name
        target_label: kubernetes_pod_name
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_container_port_name
        target_label: kubernetes_port_name
      - action: drop
        regex: Pending|Succeeded|Failed
        source_labels:
        - __meta_kubernetes_pod_phase
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: vmagent
  namespace: monitoring
  labels:
    app.kubernetes.io/name: victoria-metrics
    app.kubernetes.io/component: agent
  annotations:
    configmap.reloader.stakater.com/reload: "vmagent"
 spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: victoria-metrics
      app.kubernetes.io/component: agent
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: victoria-metrics
        app.kubernetes.io/component: agent
    spec:
      serviceAccountName: prometheus-server
      containers:
        - name: vmagent
          image: "victoriametrics/vmagent:v1.93.5"
          imagePullPolicy: "IfNotPresent"
          args:
            - -remoteWrite.url=http://vmcluster.proxy-civo.svc/insert/0/prometheus/
            - -remoteWrite.showURL
            - -promscrape.config=/config/prometheus.yml
          volumeMounts:
            - name: config-volume
              mountPath: /config
      volumes:
        - name: config-volume
          configMap:
            name: vmagent
 ---
--- a/manifests/monitoring/ingess.yaml
+++ b/manifests/monitoring/ingess.yaml
@@ -0,0 +1,69 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: grafana
  namespace: auth-proxy
  labels:
    app: grafana
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - grafana.cluster.fun
    secretName: grafana-ingress
  rules:
  - host: grafana.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: auth-proxy
            port:
              number: 80
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: prometheus-credentials
  namespace: monitoring
  annotations:
    kube-1password: m7c2n5gqybiyxj6ylydju2nljm
    kube-1password/vault: Kubernetes
    kube-1password/password-key: auth
 type: Opaque
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: prometheus-cloud
  namespace: monitoring
  labels:
    app: prometheus-cloud
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: prometheus-credentials
    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - prometheus-cloud.cluster.fun
    secretName: prometheus-cloud-ingress
  rules:
  - host: prometheus-cloud.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: prometheus-server
            port:
              number: 80
--- a/manifests/monitoring/kube-state-metrics.yaml
+++ b/manifests/monitoring/kube-state-metrics.yaml
@@ -0,0 +1,255 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: kube-state-metrics
  name: kube-state-metrics
 rules:
  - apiGroups: ["certificates.k8s.io"]
    resources:
    - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - configmaps
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
    - cronjobs
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - daemonsets
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - deployments
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
    - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources:
    - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
    - jobs
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - limitranges
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources:
      - mutatingwebhookconfigurations
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - namespaces
    verbs: ["list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
    - networkpolicies
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - nodes
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - persistentvolumeclaims
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - persistentvolumes
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - pods
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources:
    - replicasets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - replicationcontrollers
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - resourcequotas
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - secrets
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources:
    - services
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
    - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources:
      - validatingwebhookconfigurations
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - volumeattachments
    verbs: ["list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: kube-state-metrics
  name: kube-state-metrics
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-state-metrics
 subjects:
 - kind: ServiceAccount
  name: kube-state-metrics
  namespace: monitoring
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
  annotations:
    prometheus.io/scrape: 'true'
 spec:
  type: "ClusterIP"
  ports:
  - name: "http"
    protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app.kubernetes.io/name: kube-state-metrics
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kube-state-metrics
  namespace: monitoring
  labels:
    app.kubernetes.io/name: kube-state-metrics
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-state-metrics
    spec:
      serviceAccountName: kube-state-metrics
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsUser: 65534
      containers:
      - name: kube-state-metrics
        args:
        #- --resources=certificatesigningrequests
        - --resources=configmaps
        - --resources=cronjobs
        - --resources=daemonsets
        - --resources=deployments
        #- --resources=endpoints
        #- --resources=horizontalpodautoscalers
        - --resources=ingresses
        - --resources=jobs
        #- --resources=limitranges
        - --resources=mutatingwebhookconfigurations
        - --resources=namespaces
        #- --resources=networkpolicies
        - --resources=nodes
        - --resources=persistentvolumeclaims
        - --resources=persistentvolumes
        - --resources=poddisruptionbudgets
        - --resources=pods
        - --resources=replicasets
        #- --resources=replicationcontrollers
        #- --resources=resourcequotas
        - --resources=secrets
        - --resources=services
        - --resources=statefulsets
        - --resources=storageclasses
        - --resources=validatingwebhookconfigurations
        #- --resources=volumeattachments
        imagePullPolicy: IfNotPresent
        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.0"
        ports:
        - containerPort: 8080
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 5
 ---
--- a/manifests/monitoring/node-exporter.yaml
+++ b/manifests/monitoring/node-exporter.yaml
@@ -0,0 +1,97 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: prometheus-node-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: node-exporter
 ---
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
    prometheus.io/scrape: "true"
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: node-exporter
  name: prometheus-node-exporter
  namespace: monitoring
 spec:
  clusterIP: None
  ports:
    - name: metrics
      port: 9100
      protocol: TCP
      targetPort: 9100
  selector:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: node-exporter
  type: "ClusterIP"
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: node-exporter
  name: prometheus-node-exporter
  namespace: monitoring
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus
      app.kubernetes.io/component: node-exporter
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: prometheus
        app.kubernetes.io/component: node-exporter
    spec:
      serviceAccountName: prometheus-node-exporter
      containers:
        - name: prometheus-node-exporter
          image: "prom/node-exporter:v1.6.1"
          imagePullPolicy: "IfNotPresent"
          args:
            - --path.procfs=/host/proc
            - --path.sysfs=/host/sys
            - --no-collector.wifi
            - --no-collector.hwmon
            - --no-collector.netclass
            - --no-collector.arp
            - --no-collector.bcache
            - --no-collector.bonding
            - --no-collector.btrfs
            - --no-collector.dmi
            - --no-collector.edac
            - --no-collector.entropy
            - --no-collector.fibrechannel
            - --no-collector.infiniband
            - --no-collector.tapestats
            - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
            - --web.listen-address=:9100
          ports:
            - name: metrics
              containerPort: 9100
              hostPort: 9100
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly:  true
            - name: sys
              mountPath: /host/sys
              readOnly: true
      hostNetwork: true
      hostPID: true
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
 ---
--- a/manifests/monitoring/prometheus-server.yaml
+++ b/manifests/monitoring/prometheus-server.yaml
@@ -0,0 +1,64 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: prometheus-server
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
  name: prometheus-server
 rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - nodes/metrics
      - services
      - endpoints
      - pods
      - ingresses
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
      - ingresses
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: server
  name: prometheus-server
 subjects:
  - kind: ServiceAccount
    name: prometheus-server
    namespace: monitoring
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-server
 ---
--- a/manifests/monitoring/promtail.yaml
+++ b/manifests/monitoring/promtail.yaml
@@ -0,0 +1,271 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
 data:
  promtail.yaml: |
    client:
      backoff_config:
        max_period: 5m
        max_retries: 10
        min_period: 500ms
      batchsize: 1048576
      batchwait: 1s
      external_labels: {}
      timeout: 10s
    positions:
      filename: /run/promtail/positions.yaml
    server:
      http_listen_port: 3101
    clients:
    - url: http://loki-distributed.auth-proxy.svc:80/loki/api/v1/push
      external_labels:
        kubernetes_cluster: scaleway
    target_config:
      sync_period: 10s
    scrape_configs:
    - job_name: kubernetes-pods
      pipeline_stages:
        - docker: {}
        - cri: {}
        - match:
            selector: '{app="weave-net"}'
            action: drop
        - match:
            selector: '{filename=~".*konnectivity.*"}'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*/healthz.*"'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*/api/health.*"'
            action: drop
        - match:
            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
            action: drop
        - match:
            selector: '{app="internal-proxy"}'
            action: drop
        - match:
            selector: '{app="non-auth-proxy"}'
            action: drop
        - match:
            selector: '{app="vpa"}'
            action: drop
        - match:
            selector: '{app="promtail"}'
            action: drop
        - match:
            selector: '{app="csi-node"}'
            action: drop
        - match:
            selector: '{app="victoria-metrics"}'
            action: drop
        - match:
            selector: '{app="git-sync"}'
            action: drop
        - match:
            selector: '{app="ingress-nginx"}'
            stages:
            - json:
                expressions:
                  request_host: host
                  request_path: path
                  request_method: method
                  response_status: status
            - drop:
                source: "request_path"
                value:  "/healthz"
            - drop:
                source: "request_path"
                value:  "/health"
            - labels:
                request_host:
                request_method:
                response_status:
      kubernetes_sd_configs:
        - role: pod
      relabel_configs:
        - source_labels:
            - __meta_kubernetes_pod_controller_name
          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
          action: replace
          target_label: __tmp_controller_name
        - source_labels:
            - __meta_kubernetes_pod_label_app_kubernetes_io_name
            - __meta_kubernetes_pod_label_app
            - __tmp_controller_name
            - __meta_kubernetes_pod_name
          regex: ^;*([^;]+)(;.*)?$
          action: replace
          target_label: app
        - source_labels:
            - __meta_kubernetes_pod_label_app_kubernetes_io_component
            - __meta_kubernetes_pod_label_component
          regex: ^;*([^;]+)(;.*)?$
          action: replace
          target_label: component
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_node_name
          target_label: node_name
        - action: replace
          source_labels:
            - __meta_kubernetes_namespace
          target_label: namespace
        - action: replace
          replacement: $1
          separator: /
          source_labels:
            - namespace
            - app
          target_label: job
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_name
          target_label: pod
        - action: replace
          source_labels:
            - __meta_kubernetes_pod_container_name
          target_label: container
        - action: replace
          replacement: /var/log/pods/*$1/*.log
          separator: /
          source_labels:
            - __meta_kubernetes_pod_uid
            - __meta_kubernetes_pod_container_name
          target_label: __path__
        - action: replace
          replacement: /var/log/pods/*$1/*.log
          regex: true/(.*)
          separator: /
          source_labels:
            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
            - __meta_kubernetes_pod_container_name
          target_label: __path__
        - action: labelmap
          regex: __meta_kubernetes_pod_label_(.+)
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: promtail-clusterrole
  labels:
    app.kubernetes.io/name: promtail
 rules:
 - apiGroups: [""] # "" indicates the core API group
  resources:
  - nodes
  - nodes/proxy
  - services
  - endpoints
  - pods
  verbs: ["get", "watch", "list"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: promtail-clusterrolebinding
  labels:
    app.kubernetes.io/name: promtail
 subjects:
  - kind: ServiceAccount
    name: promtail
    namespace: monitoring
 roleRef:
  kind: ClusterRole
  name: promtail-clusterrole
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: promtail
  namespace: monitoring
  labels:
    app.kubernetes.io/name: promtail
  annotations:
    configmap.reloader.stakater.com/reload: "promtail"
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: promtail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: promtail
      annotations:
        prometheus.io/port: http-metrics
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: promtail
      containers:
        - name: promtail
          image: "grafana/promtail:2.9.1"
          imagePullPolicy: IfNotPresent
          args:
            - "-config.file=/etc/promtail/promtail.yaml"
          volumeMounts:
            - name: config
              mountPath: /etc/promtail
            - name: run
              mountPath: /run/promtail
            - mountPath: /var/lib/docker/containers
              name: docker
              readOnly: true
            - mountPath: /var/log/pods
              name: pods
              readOnly: true
          env:
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - containerPort: 3101
              name: http-metrics
          securityContext:
            readOnlyRootFilesystem: true
            runAsGroup: 0
            runAsUser: 0
          readinessProbe:
            failureThreshold: 5
            httpGet:
              path: /ready
              port: http-metrics
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      volumes:
        - name: config
          configMap:
            name: promtail
        - name: run
          hostPath:
            path: /run/promtail
        - hostPath:
            path: /var/lib/docker/containers
          name: docker
        - hostPath:
            path: /var/log/pods
          name: pods
 ---
--- a/manifests/monitoring/vmagent.yaml
+++ b/manifests/monitoring/vmagent.yaml
@@ -0,0 +1,170 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vmagent
  namespace: monitoring
  labels:
    app.kubernetes.io/name: victoria-metrics
    app.kubernetes.io/component: agent
 data:
  prometheus.yml: |
    global:
      scrape_interval: 1m
      external_labels:
        source: scaleway
        agent: vmagent
    scrape_configs:
    - job_name: 'vmagent'
      static_configs:
        - targets: ['localhost:8429']
    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      job_name: kubernetes-nodes
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - replacement: kubernetes.default.svc:443
        target_label: __address__
      - regex: (.+)
        replacement: /api/v1/nodes/$1/proxy/metrics
        source_labels:
        - __meta_kubernetes_node_name
        target_label: __metrics_path__
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true
    - job_name: kubernetes-service-endpoints
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - action: drop
        source_labels: [__meta_kubernetes_pod_container_init]
        regex: true
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scrape
      - action: replace
        regex: (https?)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scheme
        target_label: __scheme__
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_service_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_service_name
        target_label: kubernetes_name
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_node_name
        target_label: kubernetes_node
    - job_name: kubernetes-pods
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - action: drop
        source_labels: [__meta_kubernetes_pod_container_init]
        regex: true
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_pod_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_name
        target_label: kubernetes_pod_name
      - action: drop
        regex: Pending|Succeeded|Failed
        source_labels:
        - __meta_kubernetes_pod_phase
    - job_name: 'node-exporter'
      kubernetes_sd_configs:
        - role: endpoints
      relabel_configs:
      - source_labels: [__meta_kubernetes_endpoints_name]
        regex: 'prometheus-node-exporter'
        action: keep
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: vmagent
  namespace: monitoring
  labels:
    app.kubernetes.io/name: victoria-metrics
    app.kubernetes.io/component: agent
  annotations:
    configmap.reloader.stakater.com/reload: "vmagent"
 spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: victoria-metrics
      app.kubernetes.io/component: agent
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: victoria-metrics
        app.kubernetes.io/component: agent
    spec:
      serviceAccountName: prometheus-server
      containers:
        - name: vmagent
          image: "victoriametrics/vmagent:v1.93.5"
          imagePullPolicy: "IfNotPresent"
          args:
            - -remoteWrite.url=http://vmcluster.auth-proxy.svc/insert/0/prometheus/
            - -remoteWrite.showURL
            - -promscrape.config=/config/prometheus.yml
            - -promscrape.suppressDuplicateScrapeTargetErrors
          volumeMounts:
            - name: config-volume
              mountPath: /config
      volumes:
        - name: config-volume
          configMap:
            name: vmagent
 ---
--- a/manifests/nextcloud_chart.yaml
+++ b/manifests/nextcloud_chart.yaml
@@ -1,61 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: nextcloud
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: nextcloud-values
  namespace: nextcloud
  annotations:
    kube-1password: v32a4zpuvhmxxrwmtmmv6526ry
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: values.yaml
 type: Opaque
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
  name: nextcloud
  namespace: nextcloud
 spec:
  chart:
    repository: https://kubernetes-charts.storage.googleapis.com
    name: nextcloud
    version: 1.10.0
  maxHistory: 5
  valuesFrom:
  - secretKeyRef:
      name: nextcloud-values
      namespace: nextcloud
      key: values.yaml
      optional: false
  values:
    image:
      tag: 18-apache
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/frontend-entry-points: http,https
        traefik.ingress.kubernetes.io/redirect-entry-point: https
        traefik.ingress.kubernetes.io/redirect-permanent: "true"
      tls:
      - hosts:
        - nextcloud.cluster.fun
        secretName: nextcloud-ingress
    nextcloud:
      host: nextcloud.cluster.fun
    persistence:
      enabled: true
      storageClass: scw-bssd-retain
      size: 5Gi
    cronjob:
      enabled: true
    resources:
      requests:
        memory: 500Mi
--- a/manifests/nextcloud_chart/manifest.yaml
+++ b/manifests/nextcloud_chart/manifest.yaml
@@ -0,0 +1,416 @@
 ---
 # Source: nextcloud/charts/redis/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: nextcloud-nextcloud-redis
  namespace: nextcloud
  labels:
    app: redis
    release: "nextcloud-nextcloud"
  annotations:
    kube-1password: u54jxidod7tlnpwva37f5hcu5y
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-parse: "true"
 type: Opaque
 ---
 # Source: nextcloud/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: nextcloud-nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
  annotations:
    kube-1password: iaz4xmtr2czpsjl6xirhryzfia
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-parse: "true"
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: nextcloud-s3
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
  annotations:
    kube-1password: 7zanxzbyzfctc5d2yqfq6e5zcy
    kube-1password/vault: Kubernetes
    kube-1password/secret-text-key: s3.config.php
 type: Opaque
 ---
 # Source: nextcloud/templates/config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nextcloud-nextcloud-config
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
 data:
  general.config.php: |-
    <?php
    $CONFIG = array (
        'overwriteprotocol' => 'https'
    );
  .htaccess: |-
    # line below if for Apache 2.4
    <ifModule mod_authz_core.c>
    Require all denied
    </ifModule>
    # line below if for Apache 2.2
    <ifModule !mod_authz_core.c>
    deny from all
    </ifModule>
    # section for Apache 2.2 and 2.4
    <ifModule mod_autoindex.c>
    IndexIgnore *
    </ifModule>
  redis.config.php: |-
    <?php
    if (getenv('REDIS_HOST')) {
        $CONFIG = array (
          'memcache.distributed' => '\\OC\\Memcache\\Redis',
        'memcache.locking' => '\\OC\\Memcache\\Redis',
        'redis' => array(
          'host' => getenv('REDIS_HOST'),
          'port' => getenv('REDIS_HOST_PORT') ?: 6379,
          'password' => getenv('REDIS_HOST_PASSWORD'),
          'dbindex'  => getenv('REDIS_DB_INDEX') ?: 0,
        ),
      );
    }
  apache-pretty-urls.config.php: |-
    <?php
    $CONFIG = array (
        'htaccess.RewriteBase' => '/',
    );
  apcu.config.php: |-
    <?php
    $CONFIG = array (
        'memcache.local' => '\\OC\\Memcache\\APCu',
    );
  apps.config.php: |-
    <?php
    $CONFIG = array (
        "apps_paths" => array (
            0 => array (
                    "path"     => OC::$SERVERROOT."/apps",
                  "url"      => "/apps",
                  "writable" => false,
          ),
          1 => array (
                    "path"     => OC::$SERVERROOT."/custom_apps",
                  "url"      => "/custom_apps",
                  "writable" => true,
          ),
      ),
    );
  autoconfig.php: |-
    <?php
    $autoconfig_enabled = false;
    if (getenv('SQLITE_DATABASE')) {
          $AUTOCONFIG["dbtype"] = "sqlite";
        $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
        $autoconfig_enabled = true;
    } elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
          $AUTOCONFIG["dbtype"] = "mysql";
        $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
        $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
        $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
        $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
        $autoconfig_enabled = true;
    } elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
          $AUTOCONFIG["dbtype"] = "pgsql";
        $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
        $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
        $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
        $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
        $autoconfig_enabled = true;
    }
    if ($autoconfig_enabled) {
          $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
    }
  smtp.config.php: |-
    <?php
    if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
        $CONFIG = array (
          'mail_smtpmode' => 'smtp',
        'mail_smtphost' => getenv('SMTP_HOST'),
        'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
        'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
        'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
        'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
        'mail_smtpname' => getenv('SMTP_NAME') ?: '',
        'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
        'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
        'mail_domain' => getenv('MAIL_DOMAIN'),
      );
    }
 ---
 # Source: nextcloud/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: nextcloud-nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
    app.kubernetes.io/component: app
 spec:
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: http
    protocol: TCP
    name: http
  selector:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/component: app
 ---
 # Source: nextcloud/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nextcloud-nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
    app.kubernetes.io/component: app
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
      app.kubernetes.io/instance: nextcloud-nextcloud
      app.kubernetes.io/component: app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
        app.kubernetes.io/instance: nextcloud-nextcloud
        app.kubernetes.io/component: app
        nextcloud-nextcloud-redis-client: "true"
    spec:
      containers:
      - name: nextcloud
        image: "nextcloud:27.1.1-apache"
        imagePullPolicy: IfNotPresent
        env:
        - name: SQLITE_DATABASE
          value: "nextcloud"
        - name: NEXTCLOUD_ADMIN_USER
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud
              key: nextcloud-username
        - name: NEXTCLOUD_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud
              key: nextcloud-password
        - name: NEXTCLOUD_TRUSTED_DOMAINS
          value: nextcloud.cluster.fun
        - name: NEXTCLOUD_DATA_DIR
          value: "/var/www/html/data"
        - name: REDIS_HOST
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud-redis
              key: redis-host
        - name: REDIS_PORT
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud-redis
              key: redis-port
        - name: REDIS_HOST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud-redis
              key: redis-password
        - name: REDIS_DB_INDEX
          valueFrom:
            secretKeyRef:
              name: nextcloud-nextcloud-redis
              key: redis-db-index
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /status.php
            port: http
            httpHeaders:
            - name: Host
              value: "nextcloud.cluster.fun"
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /status.php
            port: http
            httpHeaders:
            - name: Host
              value: "nextcloud.cluster.fun"
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
        # Cover case where upgrade is being performed
        startupProbe:
          httpGet:
            path: /status.php
            port: http
            httpHeaders:
            - name: Host
              value: "nextcloud.cluster.fun"
          failureThreshold: 30
          periodSeconds: 10
        resources:
          requests:
            memory: 450Mi
        volumeMounts:
        - name: nextcloud-data
          mountPath: /var/www/
          subPath: root
        - name: nextcloud-data
          mountPath: /var/www/html
          subPath: html
        - name: nextcloud-data
          mountPath: /var/www/html/data
          subPath: data
        - name: nextcloud-data
          mountPath: /var/www/html/config
          subPath: config
        - name: nextcloud-data
          mountPath: /var/www/html/custom_apps
          subPath: custom_apps
        - name: nextcloud-data
          mountPath: /var/www/tmp
          subPath: tmp
        - name: nextcloud-data
          mountPath: /var/www/html/themes
          subPath: themes
        - name: nextcloud-config
          mountPath: /var/www/html/config/general.config.php
          subPath: general.config.php
        - name: nextcloud-s3
          mountPath: /var/www/html/config/s3.config.php
          subPath: s3.config.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/.htaccess
          subPath: .htaccess
        - name: nextcloud-config
          mountPath: /var/www/html/config/apache-pretty-urls.config.php
          subPath: apache-pretty-urls.config.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/apcu.config.php
          subPath: apcu.config.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/apps.config.php
          subPath: apps.config.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/autoconfig.php
          subPath: autoconfig.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/redis.config.php
          subPath: redis.config.php
        - name: nextcloud-config
          mountPath: /var/www/html/config/smtp.config.php
          subPath: smtp.config.php
      volumes:
      - name: nextcloud-data
        persistentVolumeClaim:
          claimName: nextcloud-nextcloud-nextcloud
      - name: nextcloud-config
        configMap:
          name: nextcloud-nextcloud-config
      - name: nextcloud-s3
        secret:
          secretName: nextcloud-s3
      # Will mount configuration files as www-data (id: 33) for nextcloud
      securityContext:
        fsGroup: 33
 ---
 # Source: nextcloud/templates/cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: nextcloud-nextcloud-cron
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
  annotations:
    {}
 spec:
  schedule: "*/5 * * * *"
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 5
  successfulJobsHistoryLimit: 2
  jobTemplate:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/name: nextcloud
        spec:
          restartPolicy: Never
          containers:
            - name: nextcloud
              image: "nextcloud:27.1.1-apache"
              imagePullPolicy: IfNotPresent
              command: [ "curl" ]
              args:
                - "--fail"
                - "-L"
                - "https://nextcloud.cluster.fun/cron.php"
              resources:
                requests:
                  memory: 200Mi
 ---
 # Source: nextcloud/templates/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: nextcloud-nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/instance: nextcloud-nextcloud
    app.kubernetes.io/component: app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
  rules:
  - host: nextcloud.cluster.fun
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nextcloud-nextcloud
            port:
              number: 8080
  tls:
    - hosts:
      - nextcloud.cluster.fun
      secretName: nextcloud-ingress
--- a/manifests/nextcloud_chart/pvs.yaml
+++ b/manifests/nextcloud_chart/pvs.yaml
@@ -0,0 +1,43 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.scaleway.com
  finalizers:
  - kubernetes.io/pv-protection
  - external-attacher/csi-scaleway-com
  name: pvc-db95ada8-d8e4-400a-acea-7d594ecffa36
 spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 5Gi
  csi:
    driver: csi.scaleway.com
    fsType: ext4
    volumeAttributes:
      storage.kubernetes.io/csiProvisionerIdentity: 1588413765965-1847-csi.scaleway.com
    volumeHandle: fr-par-1/5c16182d-f742-4ae5-a70c-386aa356f906
  persistentVolumeReclaimPolicy: Retain
  storageClassName: scw-bssd-retain
  volumeMode: Filesystem
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: nextcloud-nextcloud-nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
    helm.sh/chart: nextcloud-2.6.3
    app.kubernetes.io/instance: nextcloud-nextcloud
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: app
 spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "5Gi"
  storageClassName: "scw-bssd-retain"
  volumeName: pvc-db95ada8-d8e4-400a-acea-7d594ecffa36
 ---
--- a/Show More
+++ b/Show More