# Kubernetes Manifests

This directory contains raw Kubernetes resources grouped by service area. Most subdirectories are consumed by Argo CD Applications in `argocd/apps`.

## Directories

| Directory | Contents |
| --- | --- |
| `argocd/` | App-of-apps, Argo CD ingress, Argo CD OIDC sealed secret |
| `authentik/` | Authentik ingress, public ingress, proxy outpost, middleware, secret scripts |
| `cert-manager/` | Internal and Let's Encrypt ClusterIssuers, Porkbun secret script |
| `core/` | Dashy, Glances, CoreDNS custom config, CA installer |
| `gitea/` | Gitea storage, backup, public ingress, runner and OIDC/admin secrets |
| `home-services/` | HA gateway, AI gateway, Discord bot, service TLS, registry secret |
| `homeassistant/` | Home Assistant external service and ingress |
| `media/` | Jellyfin, qBittorrent, JDownloader, Immich |
| `monitoring/` | Monitoring PVs, Grafana datasource, Grafana/Auth OIDC secrets |
| `network/` | Pi-hole secrets, DDNS, Traefik dashboard, external host ingresses |
| `portfolio/` | Portfolio deployment, ingress, registry pull secret |

## Secrets

There are two patterns:

- `*-sealed.yaml` files are safe to commit and are reconciled by Sealed Secrets.
- `*.sh` scripts create runtime Secrets from `.env` directly in the cluster.

Use `.env.example` as the template for local secret names. `kubeseal` must point at the in-cluster controller named `sealed-secrets-controller` in `kube-system`. Regenerate committed sealed secrets with the matching script, then commit the resulting YAML.

Runtime secret scripts should be run against the target cluster and must not produce plaintext Secrets that end up committed.

## Certificates

Internal services generally use `internal-ca-issuer` and `home.arpa` hostnames. Public services use Let's Encrypt issuers and `nik4nao.com` hostnames.

The CA installer lives in `core/ca-installer`. Its `ca-sync` CronJob keeps the served `ca.crt` and Apple mobileconfig in sync with the cert-manager CA secret.
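As an added example (not a script from this repository), the following shell guard enforces the Secrets convention above: it refuses any committed YAML document that is a plain `kind: Secret` with `data`/`stringData`, while allowing `SealedSecret` files, and shows the `kubeseal` invocation that matches the controller named in this README. The sample manifests it checks are constructed inline; the `seal_env` helper is illustrative and needs `kubectl`, `kubeseal` and cluster access.

```shell
#!/bin/sh
# Pre-commit guard (added example): only SealedSecret YAML may be committed.
# A plain `kind: Secret` carrying data/stringData is plaintext and must be
# sealed, or created at runtime by the *.sh scripts, never committed.
set -e

# check_manifest FILE: exit 0 if FILE is committable, 1 if any YAML document
# in it is a plaintext Secret. Documents are split on '---' so a SealedSecret
# or a ConfigMap (which also has a top-level data:) in the same file is fine.
check_manifest() {
  if awk '
    function finish_doc() { if (kind == "Secret" && has_data) bad = 1; kind = ""; has_data = 0 }
    /^---/ { finish_doc(); next }
    /^kind:[ \t]*Secret[ \t]*$/ { kind = "Secret" }
    /^(data|stringData):/ { has_data = 1 }
    END { finish_doc(); exit bad }
  ' "$1"; then
    return 0
  fi
  echo "plaintext Secret in $1: seal it with kubeseal before committing" >&2
  return 1
}

# check_tree DIR: run check_manifest over every YAML file; exit 1 if any fails.
# Assumes manifest paths contain no whitespace (true for this directory layout).
check_tree() {
  bad=0
  for f in $(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \)); do
    check_manifest "$f" || bad=$((bad + 1))
  done
  [ "$bad" -eq 0 ]
}

# seal_env NAME NAMESPACE ENVFILE: build a Secret from a .env file client-side
# (never applied) and seal it against the controller this README names.
seal_env() {
  kubectl create secret generic "$1" -n "$2" --from-env-file="$3" \
    --dry-run=client -o yaml \
  | kubeseal --controller-name sealed-secrets-controller \
             --controller-namespace kube-system --format yaml
}

# make_samples: write constructed sample manifests to a temp dir, print its path.
make_samples() {
  d=$(mktemp -d)
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: gitea-admin\nstringData:\n  password: constructed-sample\n' > "$d/gitea-admin.yaml"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: cfg\ndata:\n  k: v\n---\napiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: gitea-admin\nspec:\n  encryptedData:\n    password: AgBx-constructed-ciphertext\n' > "$d/gitea-admin-sealed.yaml"
  echo "$d"
}

samples=$(make_samples)
if check_tree "$samples"; then echo "clean"; else echo "plaintext Secret found under $samples"; fi
rm -rf "$samples"
```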
## DNS

Internal DNS records are configured in `values/pihole.yaml` and `values/pihole-debian.yaml`. Add a new hostname to both files when adding a `home.arpa` service.

## Dashy

`core/dashy.yaml` defines the deployment and a placeholder ConfigMap. The real dashboard config comes from `config/dashy/conf.yaml`:

```bash
bash manifests/core/apply-dashy-config.sh
```