homelab/manifests/README.md

Kubernetes Manifests

This directory contains raw Kubernetes resources grouped by service area. Most subdirectories are consumed by Argo CD Applications in argocd/apps.

Directories

| Directory | Contents |
|---|---|
| `argocd/` | App-of-apps, Argo CD ingress, Argo CD OIDC sealed secret |
| `authentik/` | Authentik ingress, public ingress, proxy outpost, middleware, secret scripts |
| `cert-manager/` | Internal and Let's Encrypt ClusterIssuers, Porkbun secret script |
| `core/` | Dashy, Glances, CoreDNS custom config, CA installer |
| `gitea/` | Gitea storage, backup, public ingress, runner and OIDC/admin secrets |
| `home-services/` | HA gateway, AI gateway, Discord bot, service TLS, registry secret |
| `homeassistant/` | Home Assistant external service and ingress |
| `media/` | Jellyfin, qBittorrent, JDownloader, Immich |
| `monitoring/` | Monitoring PVs, Grafana datasource, Grafana/Auth OIDC secrets |
| `network/` | Pi-hole secrets, DDNS, Traefik dashboard, external host ingresses |
| `portfolio/` | Portfolio deployment, ingress, registry pull secret |

Secrets

There are two patterns:

  • *-sealed.yaml files are SealedSecret resources encrypted with the cluster's Sealed Secrets public key. They are safe to commit; the Sealed Secrets controller decrypts them into ordinary Secrets in the cluster.
  • *.sh scripts read a local .env and create runtime Secrets directly in the cluster. Nothing they produce is committed.

Use .env.example as the template for local secret names; the real .env holds plaintext values and must stay out of version control. kubeseal must be pointed at the in-cluster controller (sealed-secrets-controller in kube-system), because it seals with that controller's public key. By default a SealedSecret is bound to the Secret name and namespace it was sealed for, so changing either means resealing.

Regenerate committed sealed secrets with the matching script, then commit the resulting YAML. Run the runtime secret scripts only against the target cluster; they should never produce committed plaintext.
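The sealing flow described above, as an added example that is not part of this repository's scripts. It renders a Secret from a `.env` file and pipes it through kubeseal with the controller name and namespace the README requires. The secret name, namespace, `.env` path and output path in the usage line are assumptions, not paths from this repo.

```sh
#!/bin/sh
# Added example, not part of the homelab repo. Renders a Kubernetes Secret from a
# local .env file and seals it with kubeseal against the controller named in the
# README. Secret name, namespace and output path are passed in by the caller.
set -eu

# Render an Opaque Secret manifest from KEY=VALUE lines. Blank lines and '#'
# comments are skipped; values are base64-encoded into .data exactly as given
# (no quote stripping), so a quoted value in .env ends up with its quotes.
render_secret() {
  name="$1"; namespace="$2"; envfile="$3"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$name" "$namespace"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    value="${line#*=}"        # keep any further '=' signs in the value
    printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done < "$envfile"
}

# Seal the rendered Secret with the in-cluster controller's public key and
# write the SealedSecret YAML, which is what gets committed as *-sealed.yaml.
# Sealing binds the result to this name and namespace (kubeseal's default
# strict scope), so changing either later means re-running this script.
seal_secret() {
  render_secret "$1" "$2" "$3" \
    | kubeseal --controller-namespace kube-system \
               --controller-name sealed-secrets-controller \
               --format yaml > "$4"
}

# Usage with assumed paths (not from this repo):
#   seal_secret gitea-oidc gitea gitea/.env gitea/oidc-sealed.yaml
```

The plaintext Secret only ever exists on stdout between `render_secret` and `kubeseal`; nothing is written to disk except the sealed output, which is the file that gets committed.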

Certificates

Internal services generally use internal-ca-issuer and home.arpa hostnames. Public services use Let's Encrypt issuers and nik4nao.com hostnames.

The CA installer lives in core/ca-installer. Its ca-sync CronJob keeps the served ca.crt and Apple mobileconfig in sync with the cert-manager CA secret.

DNS

Internal DNS records are configured in values/pihole.yaml and values/pihole-debian.yaml. Add a new hostname to both files when adding a home.arpa service; a hostname present in only one file will resolve only through the Pi-hole that uses that file.
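A check for the "add it to both files" rule, as an added example that is not part of this repository. It does not depend on the Pi-hole values layout: it simply collects every `*.home.arpa` hostname that appears literally in each file and reports the ones missing from the other side, exiting non-zero so it can run as a pre-commit or CI step. The sample values-file layout used in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not part of the homelab repo: report home.arpa hostnames that
# appear in one Pi-hole values file but not the other. It only assumes the
# hostnames appear literally in the files; the surrounding YAML is irrelevant.
set -eu

# Print the sorted, de-duplicated, lower-cased set of *.home.arpa hostnames
# found anywhere in a file (an empty set if the file has none).
hostnames_in() {
  grep -oE '[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.home\.arpa' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Print hostnames present in exactly one of the two files, tagged with the
# file that is missing them. Returns 1 if any were found, 0 if the files agree.
pihole_dns_diff() {
  a="$1"; b="$2"
  tmp_a=$(mktemp); tmp_b=$(mktemp)
  hostnames_in "$a" > "$tmp_a" || true
  hostnames_in "$b" > "$tmp_b" || true
  status=0
  for h in $(comm -23 "$tmp_a" "$tmp_b"); do echo "missing from $b: $h"; status=1; done
  for h in $(comm -13 "$tmp_a" "$tmp_b"); do echo "missing from $a: $h"; status=1; done
  rm -f "$tmp_a" "$tmp_b"
  return $status
}

# Usage (run from the repo root):
#   pihole_dns_diff values/pihole.yaml values/pihole-debian.yaml
```

Because the match is on the literal hostname, the check also catches the common typo case (a name spelled differently in the two files) rather than only a missing entry.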

Dashy

core/dashy.yaml defines the Deployment and a placeholder ConfigMap. The real dashboard config comes from config/dashy/conf.yaml and is applied with:

```bash
bash manifests/core/apply-dashy-config.sh
```