# Kubernetes Manifests

This directory contains raw Kubernetes resources grouped by service area. Most
subdirectories are consumed by Argo CD Applications in `argocd/apps`.

## Directories

| Directory | Contents |
| --- | --- |
| `argocd/` | App-of-apps, Argo CD ingress, Argo CD OIDC sealed secret |
| `authentik/` | Authentik ingress, public ingress, proxy outpost, middleware, secret scripts |
| `cert-manager/` | Internal and Let's Encrypt ClusterIssuers, Porkbun secret script |
| `core/` | Dashy, Glances, CoreDNS custom config, CA installer |
| `gitea/` | Gitea storage, backup, public ingress, runner and OIDC/admin secrets |
| `home-services/` | HA gateway, AI gateway, Discord bot, service TLS, registry secret |
| `homeassistant/` | Home Assistant external service and ingress |
| `media/` | Jellyfin, qBittorrent, JDownloader, Immich |
| `monitoring/` | Monitoring PVs, Grafana datasource, Grafana/Auth OIDC secrets |
| `network/` | Pi-hole secrets, DDNS, Traefik dashboard, external host ingresses |
| `portfolio/` | Portfolio deployment, ingress, registry pull secret |

## Secrets

There are two patterns:

- `*-sealed.yaml` files are safe to commit and are reconciled by Sealed Secrets.
- `*.sh` scripts create runtime Secrets from `.env` directly in the cluster.

Use `.env.example` as the template for local secret names. `kubeseal` must point
at the in-cluster controller named `sealed-secrets-controller` in `kube-system`.

Regenerate committed sealed secrets with the matching script, then commit the
resulting YAML. Runtime secret scripts should be run against the target cluster
and should not produce committed plaintext.
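As an added example (not one of this repository's scripts), the helper below seals one `.env` key through the controller named above without writing the plaintext Secret to disk, and pairs it with a pre-commit guard that lists any plain `kind: Secret` document that made it into the manifests tree. It assumes `kubectl` and `kubeseal` on `PATH` and an unquoted `KEY=value` `.env`; the fixture files it creates are constructed for the check, not real manifests.

```bash
#!/usr/bin/env bash
# Added example, not one of this repository's scripts. seal_env_key turns one
# .env key into a committable *-sealed.yaml (assumes kubectl and kubeseal on
# PATH; not executed here). find_plaintext_secrets/check_tree are a pre-commit
# guard listing every plain "kind: Secret" document under a manifests tree.
set -eu

# Build the Secret client-side and pipe it straight into kubeseal, so the
# plaintext never touches disk or the cluster. Controller name and namespace
# match the README. .env parsing is deliberately simple: KEY=value, unquoted.
seal_env_key() {
  local name="$1" ns="$2" key="$3" out="$4" val
  val="$(grep -E "^${key}=" .env | cut -d= -f2-)"
  kubectl create secret generic "$name" -n "$ns" \
    --from-literal="${key}=${val}" --dry-run=client -o yaml |
    kubeseal --controller-name sealed-secrets-controller \
      --controller-namespace kube-system --format yaml > "$out"
}

# Print "file:line" for each YAML document whose kind is exactly Secret.
# grep works per line, so multi-document files are covered; "kind:
# SealedSecret" does not match the anchored pattern and is allowed.
find_plaintext_secrets() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print0 | sort -z |
    xargs -0 grep -nE '^kind:[[:space:]]*Secret[[:space:]]*$' /dev/null 2>/dev/null |
    cut -d: -f1,2
}

# Non-zero exit (for a pre-commit hook) when any plaintext Secret is present.
check_tree() {
  local hits
  hits="$(find_plaintext_secrets "$1")"
  [ -z "$hits" ] && return 0
  printf 'plaintext Secret committed:\n%s\n' "$hits" >&2
  return 1
}

# Constructed fixture (not real manifests): one SealedSecret, one plaintext
# Secret, and one plaintext Secret hidden after a Deployment in the same file.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: ok\n' > "$dir/fixture-sealed.yaml"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: c1\nstringData:\n  password: PLACEHOLDER\n' > "$dir/fixture-plain.yaml"
  printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: d\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: c2\n' > "$dir/fixture-multi.yaml"
  printf '%s' "$dir"
}
```

Wire `check_tree manifests` into a pre-commit hook so a runtime Secret rendered to YAML by mistake is rejected before it reaches the repository.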

## Certificates

Internal services generally use `internal-ca-issuer` and `home.arpa` hostnames.
Public services use Let's Encrypt issuers and `nik4nao.com` hostnames.

The CA installer lives in `core/ca-installer`. Its `ca-sync` CronJob keeps the
served `ca.crt` and Apple mobileconfig in sync with the cert-manager CA secret.

## DNS

Internal DNS records are configured in `values/pihole.yaml` and
`values/pihole-debian.yaml`. Add a new hostname to both files when adding a
`home.arpa` service.

## Dashy

`core/dashy.yaml` defines the deployment and a placeholder ConfigMap. The real
dashboard config comes from `config/dashy/conf.yaml`:

```bash
bash manifests/core/apply-dashy-config.sh
```