init cluster

This commit is contained in:
Roger Oriol
2025-11-02 18:13:46 +01:00
parent 915d40cdce
commit d5d0958502
18 changed files with 922 additions and 10 deletions

1
.gitignore vendored

@@ -1 +1,2 @@
**/*secret* **/*secret*
gym-tracker/
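Review bot: `gym-tracker/` is the path this same commit registers as a submodule, and `.gitignore` has no effect on entries that are already tracked (the submodule gitlink is), so the line does nothing except suggest the directory is untracked; drop it, or add a comment explaining why it is there. Separately, the existing `**/*secret*` pattern signals that secrets are meant to stay out of the repo, yet this commit adds plaintext `kind: Secret` objects inside `gitea/gitea.yaml` and the vaultwarden manifest — the pattern keys on file names only, so either split those Secrets into `*-secret.yaml` files that the pattern catches and create them out-of-band, or switch to SealedSecrets/SOPS so the committed form is encrypted.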

0
README.md Normal file

176
gitea/gitea.yaml Normal file

@@ -0,0 +1,176 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gitea
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-data
namespace: gitea
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
namespace: gitea
labels:
app: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
nodeSelector:
kubernetes.io/arch: arm64
containers:
- name: gitea
image: gitea/gitea:1.24.6
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 22
name: ssh
protocol: TCP
volumeMounts:
- name: gitea-data
mountPath: /data
- name: timezone
mountPath: /etc/timezone
readOnly: true
- name: localtime
mountPath: /etc/localtime
readOnly: true
volumes:
- name: gitea-data
persistentVolumeClaim:
claimName: gitea-data
- name: timezone
hostPath:
path: /etc/timezone
type: File
- name: localtime
hostPath:
path: /etc/localtime
type: File
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-runner-data
namespace: gitea
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-runner-config
namespace: gitea
data:
GITEA_INSTANCE_URL: "http://gitea.rogi.casa"
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-runner-secret
namespace: gitea
type: Opaque
stringData:
GITEA_RUNNER_REGISTRATION_TOKEN: "BqkIGoAiwSYUFm2CPXlvvKAdSw5fl6ayCAb60zsM"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-runner
namespace: gitea
labels:
app: gitea-runner
spec:
replicas: 1
selector:
matchLabels:
app: gitea-runner
template:
metadata:
labels:
app: gitea-runner
spec:
nodeSelector:
kubernetes.io/arch: arm64
containers:
- name: gitea-runner
image: vegardit/gitea-act-runner:0.1.6
env:
- name: GITEA_INSTANCE_URL
valueFrom:
configMapKeyRef:
name: gitea-runner-config
key: GITEA_INSTANCE_URL
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: gitea-runner-secret
key: GITEA_RUNNER_REGISTRATION_TOKEN
- name: GITEA_RUNNER_UID
value: "1000"
- name: GITEA_RUNNER_GID
value: "100"
volumeMounts:
- name: docker-socket
mountPath: /var/run/docker.sock
- name: runner-data
mountPath: /data
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
type: Socket
- name: runner-data
persistentVolumeClaim:
claimName: gitea-runner-data
---
apiVersion: v1
kind: Service
metadata:
name: gitea
namespace: gitea
labels:
app: gitea
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: 3000
protocol: TCP
- name: ssh
port: 22
targetPort: 22
protocol: TCP
selector:
app: gitea
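Review bot: The Secret at `GITEA_RUNNER_REGISTRATION_TOKEN: "BqkIGo…"` commits a live runner registration token in plaintext — it is now in git history and should be treated as leaked, so reset it on the Gitea side (the runner admin page offers a reset, as far as I recall) and create the Secret out-of-band (`kubectl create secret generic gitea-runner-secret --from-literal=GITEA_RUNNER_REGISTRATION_TOKEN=…`, or a SealedSecret/SOPS-encrypted file) instead of in this manifest. The runner also bind-mounts the node's `/var/run/docker.sock`, which gives any workflow job that lands on it root-equivalent control of that host and of every other container there; if the repositories allowed to use this runner are not fully trusted, prefer a DinD variant of the runner image or a rootless Docker socket, and restrict which repositories may dispatch jobs to it. Minor: `GITEA_INSTANCE_URL: "http://gitea.rogi.casa"` sends the registration through the ingress in clear (or bounces off an HTTPS redirect), whereas the in-cluster address `http://gitea.gitea.svc` never leaves the cluster — or use `https://` if the ingress terminates TLS correctly.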

1
gym-tracker Submodule

Submodule gym-tracker added at 5e237b6174


@@ -0,0 +1,146 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: home-assistant
---
apiVersion: v1
kind: Service
metadata:
namespace: home-assistant
name: home-assistant
spec:
selector:
app: home-assistant
type: ClusterIP
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8123
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: home-assistant
name: home-assistant
labels:
app: home-assistant
spec:
replicas: 1
selector:
matchLabels:
app: home-assistant
template:
metadata:
labels:
app: home-assistant
spec:
containers:
- name: bluez
image: ghcr.io/mysticrenji/bluez-service:v1.0.0
securityContext:
privileged: true
- name: home-assistant
image: ghcr.io/mysticrenji/homeassistant-arm64:2023.3.0
resources:
requests:
memory: "256Mi"
limits:
memory: "512Mi"
ports:
- containerPort: 8123
volumeMounts:
- mountPath: /config
name: config
- mountPath: /config/configuration.yaml
subPath: configuration.yaml
name: configmap-file
- mountPath: /config/automations.yaml
subPath: automations.yaml
name: configmap-file
- mountPath: /media
name: media-volume
# - mountPath: /run/dbus
# name: d-bus
# readOnly: true
- mountPath: /dev/ttyUSB1
name: zigbee
#- mountPath: /dev/video0
# name: cam
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
hostNetwork: true
volumes:
- name: config
persistentVolumeClaim:
claimName: home-assistant-pvc
- name: media-volume
hostPath:
path: /tmp/media
- name: configmap-file
configMap:
name: home-assistant-configmap
# hostPath:
# path: /tmp/home-assistant
# type: DirectoryOrCreate
# - name: d-bus
# hostPath:
# path: /run/dbus
- name: zigbee
hostPath:
path: /dev/ttyACM0
#- name: cam
# hostPath:
# path: /dev/video0
---
kind: ConfigMap
apiVersion: v1
metadata:
name: home-assistant-configmap
namespace: home-assistant
data:
known_devices.yaml: |
automations.yaml: |
configuration.yaml: |-
default_config:
frontend:
themes: !include_dir_merge_named themes
automation: !include automations.yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 10.10.0.0/16
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: home-assistant-pvc
labels:
app: home-assistant
namespace: home-assistant
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 9Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: zwavejs2mqtt-pvc
labels:
app: zwavejs2mqtt
namespace: home-assistant
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
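Review bot: The home-assistant container combines `privileged: true`, `hostNetwork: true` and an explicit `capabilities.add` of NET_ADMIN/NET_RAW/SYS_ADMIN, and the bluez sidecar is privileged too, so a compromise of the web UI that the ingress publishes as homeassistant.rogi.casa hands over the node itself. The `capabilities.add` list is a no-op once `privileged: true` is set and should be dropped; if privileged exists only to open the Zigbee stick at `/dev/ttyACM0`, a device plugin (or at least `runAsNonRoot` with the device's group) would let the main container run unprivileged, though I can't tell from here whether the bluez sidecar has a non-privileged path. `ghcr.io/mysticrenji/homeassistant-arm64:2023.3.0` is a third-party rebuild roughly two and a half years behind upstream at this commit's date, while the other home-assistant manifest in this commit already uses the official `ghcr.io/home-assistant/home-assistant` image — pick one and pin a current release. The `hostPath: /tmp/media` volume sits on tmpfs on distributions that mount `/tmp` that way, so media would not survive a node reboot.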


@@ -0,0 +1,75 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: home-assistant
---
apiVersion: v1
kind: Service
metadata:
namespace: home-assistant
name: home-assistant
spec:
selector:
app: home-assistant
type: ClusterIP
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8123
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: home-assistant
name: home-assistant
labels:
app: home-assistant
spec:
replicas: 1
selector:
matchLabels:
app: home-assistant
template:
metadata:
labels:
app: home-assistant
spec:
containers:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant:stable
resources:
requests:
memory: "256Mi"
limits:
memory: "512Mi"
ports:
- containerPort: 8123
volumeMounts:
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
hostNetwork: true
volumes:
- name: config
persistentVolumeClaim:
claimName: home-assistant-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: home-assistant-pvc
labels:
app: home-assistant
namespace: home-assistant
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 9Gi
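Review bot: `volumeMounts:` on the home-assistant container is a bare key (it parses as null), and the `config` PVC declared under `volumes` is never mounted, so `/config` is not persisted and `home-assistant-pvc` is unused; add `volumeMounts: [{ mountPath: /config, name: config }]` under the container (or drop the volume). This file also declares the same namespace, Deployment name and PVC name as the other home-assistant manifest in this commit, so whichever is applied last overwrites the other — if one of them is a leftover, delete it. As in that file, `privileged: true` together with `hostNetwork: true` and the redundant `capabilities.add` grants the pod the node, and `home-assistant:stable` is a mutable tag that should be pinned.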


@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: rogicasa-ingress name: rogicasa-ingress
namespace: default # Change to your preferred namespace namespace: default
annotations: annotations:
# Use Traefik as the ingress controller (default in k3s) # Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik" kubernetes.io/ingress.class: "traefik"
@@ -69,4 +69,193 @@ spec:
port: port:
number: 80 number: 80
path: / path: /
- host: phoenix.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: phoenix-service
port:
number: 80
- host: gym.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gym-tracker
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: gitea
annotations:
# Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik"
# Enable SSL redirect
traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
tls:
- hosts:
- "*.rogi.casa"
secretName: rogicasa-tls
rules:
- host: gitea.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: monitoring-ingress
namespace: monitoring
annotations:
# Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik"
# Enable SSL redirect
traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
tls:
- hosts:
- "*.rogi.casa"
secretName: rogicasa-tls
rules:
- host: grafana.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: grafana
port:
number: 80
- host: prometheus.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prometheus-k8s
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden-ingress
namespace: vaultwarden
annotations:
# Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik"
# Enable SSL redirect
traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
tls:
- hosts:
- "*.rogi.casa"
secretName: rogicasa-tls
rules:
- host: vaultwarden.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homeassistant-ingress
namespace: home-assistant
annotations:
# Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik"
# Enable SSL redirect
traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
tls:
- hosts:
- "*.rogi.casa"
secretName: rogicasa-tls
rules:
- host: homeassistant.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: home-assistant
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minecraft-ingress
namespace: minecraft
annotations:
# Use Traefik as the ingress controller (default in k3s)
kubernetes.io/ingress.class: "traefik"
# Enable SSL redirect
traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
tls:
- hosts:
- "*.rogi.casa"
secretName: rogicasa-tls
rules:
- host: minecraft.rogi.casa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minecraft-server
port:
number: 25565
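Review bot: `traefik.ingress.kubernetes.io/redirect-entry-point: https` is a Traefik v1 annotation that the Traefik bundled with k3s (v2 and later) does not honor, so the `# Enable SSL redirect` comment copied onto every new Ingress is misleading and gitea, grafana, prometheus, vaultwarden and home-assistant stay reachable over plain HTTP unless a redirect is configured elsewhere (a `RedirectScheme` middleware referenced through `traefik.ingress.kubernetes.io/router.middlewares`, or a global entrypoint redirect in the Traefik HelmChartConfig). `kubernetes.io/ingress.class` is likewise deprecated in favor of `spec.ingressClassName: traefik`. The minecraft-ingress forwards HTTP to port 25565, but the Minecraft protocol is not HTTP, so this rule cannot serve players; the LoadBalancer Service in the minecraft manifest already exposes the port and the Ingress can be dropped. Nothing here puts authentication in front of prometheus.rogi.casa, and kube-prometheus's `prometheus-k8s` has none of its own by default — a forward-auth or basic-auth middleware, or not publishing that host, is worth considering. The rogicasa-ingress `rules` list that the first hunk extends begins outside the hunk.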

1
jellyfin-kubernetes Submodule

Submodule jellyfin-kubernetes added at 8ed3bfe251

1
kube-prometheus Submodule

Submodule kube-prometheus added at 2fe94c3379


@@ -13,6 +13,10 @@ data:
litellm_params: litellm_params:
model: ollama/qwen3:32b model: ollama/qwen3:32b
api_base: "http://10.88.88.236:11434" api_base: "http://10.88.88.236:11434"
- model_name: gemma3:27b
litellm_params:
model: ollama/gemma3:27b
api_base: "http://10.88.88.236:11434"
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment


@@ -0,0 +1,20 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: minecraft
---
apiVersion: v1
kind: Service
metadata:
name: minecraft-server
namespace: minecraft
labels:
app: minecraft-server
spec:
type: LoadBalancer
ports:
- name: minecraft
port: 25565
selector:
app: minecraft-server

14
minecraft-server/pvc.yaml Normal file

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: minecraft-data
namespace: minecraft
spec:
#storageClassName: longhorn
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

75
minecraft-server/ss.yaml Normal file

@@ -0,0 +1,75 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: minecraft-server
namespace: minecraft
spec:
selector:
matchLabels:
app: minecraft-server
template:
metadata:
labels:
app: minecraft-server
spec:
containers:
- name: minecraft-server
image: itzg/minecraft-server:latest # Or specific version if needed
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: TYPE
value: "CURSEFORGE"
- name: INIT_MEMORY
value: 1G
- name: MAX_MEMORY
value: 4G
- name: CF_SERVER_MOD
value: "/modpacks/your-modpack.zip"
- name: ALLOW_FLIGHT
value: "TRUE"
- name: USE_AIKAR_FLAGS
value: "TRUE"
- name: RCON_PASSWORD
value: "rcon-password"
ports:
- name: minecraft
containerPort: 25565 # Expose port 25565
- name: minecraft-rcon
containerPort: 25575
- name: metrics
containerPort: 19565
resources:
requests:
cpu: 1 #4 # Adjust based on expected workload
memory: "1Gi" #"12Gi" # Adjust based on expected workload
limits:
cpu: 2 #8 # Adjust based on expected workload
memory: "4Gi" #"16Gi" # Adjust based on expected workload
readinessProbe:
exec:
command:
- mcstatus
- 127.0.0.1
- ping
initialDelaySeconds: 30
periodSeconds: 30
livenessProbe:
exec:
command:
- mcstatus
- 127.0.0.1
- ping
initialDelaySeconds: 30
periodSeconds: 30
volumeMounts:
- name: minecraft-data
mountPath: /data
volumes:
- name: minecraft-data
persistentVolumeClaim:
claimName: minecraft-data
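Review bot: `RCON_PASSWORD: "rcon-password"` is a guessable placeholder committed to git, and the itzg image enables RCON by default on the 25575 port this container declares; the port is not in the Service, but anything on the cluster network that can reach the pod IP can run server commands with it — generate a random value and supply it with `valueFrom.secretKeyRef`. `CF_SERVER_MOD: "/modpacks/your-modpack.zip"` is also a template placeholder with no volume providing `/modpacks`, so with `TYPE: "CURSEFORGE"` the server will most likely fail to start. `image: itzg/minecraft-server:latest` is a mutable tag; pin a version so a pull does not silently change the server. The StatefulSet also omits `spec.serviceName`, which API servers before recent releases reject — verify against the k3s version in use or add a headless Service.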

1
n8n-hosting Submodule

Submodule n8n-hosting added at 3e6a954f28

1
phoenix Submodule

Submodule phoenix added at 5f2e821a83


@@ -27,6 +27,11 @@ spec:
labels: labels:
app: pihole app: pihole
spec: spec:
dnsPolicy: "None"
dnsConfig:
nameservers:
- 8.8.8.8
- 8.8.4.4
containers: containers:
- name: pihole - name: pihole
image: pihole/pihole:latest image: pihole/pihole:latest
@@ -46,14 +51,6 @@ spec:
#value: "" #value: ""
#- name: FTLCONF_webserver_api_password #- name: FTLCONF_webserver_api_password
#value: '' #value: ''
- name: FTLCONF_REPLY_ADDR4
value: pihole
- name: FTLCONF_dns_upstreams
value: "8.8.8.8;8.8.4.4"
#- name: PIHOLE_DNS_
#value: 127.0.0.1#5054
#- name: PIHOLE_DNS_
#value: "8.8.8.8;8.8.4.4"
#- name: DNSMASQ_LISTENING #- name: DNSMASQ_LISTENING
#value: "all" #value: "all"
- name: FTLCONF_dns_listeningMode - name: FTLCONF_dns_listeningMode
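Review bot: Dropping `FTLCONF_dns_upstreams` (the removed lines of the second hunk) means the manifest no longer states which resolvers Pi-hole forwards to; they now come from whatever Pi-hole config is persisted (if `/etc/pihole` is on a volume) or from the image default, which makes the deployment non-reproducible from git. If the intent is to manage upstreams in the web UI, say so next to the remaining `FTLCONF_` entries, e.g. `# upstream resolvers are managed in the web UI (pihole.toml), not here`. Note that the added `dnsPolicy: "None"` / `dnsConfig.nameservers` only sets the resolver for processes inside the pod and does not configure FTL's upstreams, so it is not a replacement for the removed variable. The pod `spec` that both hunks modify begins outside the hunk.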


@@ -0,0 +1,97 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: qbittorrent
labels:
app: qbittorrent
spec:
replicas: 1
selector:
matchLabels:
app: qbittorrent
template:
metadata:
labels:
app: qbittorrent
spec:
containers:
- name: qbittorrent
image: lscr.io/linuxserver/qbittorrent:latest
ports:
- containerPort: 6880 # Web UI
- containerPort: 6881 # Torrenting (TCP)
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Etc/UTC"
- name: WEBUI_PORT
value: "6880"
- name: TORRENTING_PORT
value: "6881"
volumeMounts:
- name: config
mountPath: /config
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: qbittorrent-config
- name: downloads
persistentVolumeClaim:
claimName: qbittorrent-downloads
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-config
labels:
app: qbittorrent
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: standard
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-downloads
labels:
app: qbittorrent
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: standard
---
apiVersion: v1
kind: Service
metadata:
name: qbittorrent
labels:
app: qbittorrent
spec:
type: NodePort
ports:
- port: 6880
targetPort: 6880
protocol: TCP
name: webui
- port: 6881
targetPort: 6881
protocol: TCP
name: torrenting-tcp
- port: 6881
targetPort: 6881
protocol: UDP
name: torrenting-udp
selector:
app: qbittorrent
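Review bot: The Service is `type: NodePort`, which publishes the qBittorrent Web UI (6880) on every node's LAN address on a random 30000–32767 port, unlike the other services in this commit that sit as ClusterIP behind the Traefik ingress; expose it the same way (`type: ClusterIP` plus an Ingress host, ideally with an auth middleware) and keep only the torrent ports reachable from outside if needed. The 6881 entries will likewise get a random nodePort rather than 6881, so inbound peer connections will not match the `TORRENTING_PORT` the client announces unless `nodePort` is pinned or a LoadBalancer/hostPort is used. Recent linuxserver images print a temporary admin password to the container log on first start, so make sure it is changed before the UI is reachable. None of the three objects sets `metadata.namespace`, so they land in whichever namespace kubectl defaults to, whereas every other manifest here pins one; and `lscr.io/linuxserver/qbittorrent:latest` is a mutable tag.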


@@ -0,0 +1,113 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: latest
name: vaultwarden
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
template:
metadata:
name: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
spec:
volumes:
- name: vaultwarden-pv-storage
persistentVolumeClaim:
claimName: vaultwarden-pv-claim
containers:
- name: vaultwarden
image: vaultwarden/server:latest
env:
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-admin
key: admin-token
- name: WEBSOCKET_ENABLED
value: "true"
securityContext:
privileged: false
volumeMounts:
- mountPath: "/data"
name: vaultwarden-pv-storage
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
livenessProbe:
httpGet:
path: /index.html
port: 80
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 6
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden-pv-claim
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
spec:
# storageClassName: nfs-client # Needs to be specified if no default class is set
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
spec:
selector:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
type: ClusterIP
---
apiVersion: v1
kind: Secret
metadata:
name: vaultwarden-admin
namespace: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/instance: vaultwarden
type: Opaque
stringData:
admin-token: 8v6cw+7E7nCUyc1ajyri1Bb2oL3rVK5aQv0CLv9HOBUKcAChU93GPhHuUTHnsZ9w
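Review bot: `admin-token: 8v6cw+7E…` ships the Vaultwarden admin-panel token in plaintext in a committed Secret — the second such case in this commit — so it is now in git history and must be rotated, and the repo's `**/*secret*` ignore pattern suggests this was never meant to be committed. Vaultwarden also accepts an Argon2 PHC hash for `ADMIN_TOKEN` (generated with `vaultwarden hash`), which keeps the plaintext out of the manifest even if the Secret is stored encrypted elsewhere (SealedSecret/SOPS). The namespace label `pod-security.kubernetes.io/warn: privileged` only warns at the loosest PSA level, which amounts to no policy; since this container already runs `privileged: false`, `enforce: baseline` is an easy win, and `restricted` is reachable once `runAsNonRoot`, `seccompProfile` and `capabilities.drop: [ALL]` are added to the pod. `vaultwarden/server:latest` is a mutable tag for a password manager; pin a release.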