update

charts/apps/charts/bytestash/templates/client.yaml

@@ -6,5 +6,5 @@ spec:
   environment: '{{ .Values.globals.environment }}'
   redirectUris:
     - path: /api/auth/oidc/callback
-      subdomain: bytestash
+      subdomain: '{{ .Values.subdomain }}'
       matchingMode: strict

charts/apps/charts/headscale/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: headscale

charts/apps/charts/headscale/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/headscale/templates/config-map.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: '{{ .Release.Name }}-config-template'
+data:
+  config.yaml.template: |
+    server_url: ${PUBLIC_URL}
+    listen_addr: 0.0.0.0:8080
+    metrics_listen_addr: 0.0.0.0:9090
+    grpc_listen_addr: 0.0.0.0:50443
+
+    private_key_path: /var/lib/headscale/private_key # Path inside the container
+
+    noise:
+      private_key_path: /var/lib/headscale/noise_private_key # Path inside the container
+
+    listen_routes: false 
+    base_domain: "${PUBLIC_URL}" # For client routes and DNS push.
+
+    derp:
+      server:
+        enabled: false
+        region_id: 999
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+        stun_listen_addr: "0.0.0.0:3478"
+        automatically_add_embedded_derp_region: true
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+
+    oidc:
+      enabled: true
+      only_start_if_oidc_is_available: true
+      issuer: "${OIDC_ISSUER_URL}"
+      client_id: "${OIDC_CLIENT_ID}"
+      client_secret: "${OIDC_CLIENT_SECRET}"
+      scopes: ["openid", "profile", "email"]
+      redirect_url: "${PUBLIC_URL}/oidc/callback"
+      pkce:
+        enabled: true
+        method: S256
+
+
+    # DNS configuration
+    dns:
+      magic_dns: false
+      override_local_dns: true # Push Headscale's DNS settings to clients
+      ttl: 60
+      nameservers:
+        global:
+          - 1.1.1.1 # Cloudflare DNS
+          #- 10.43.0.10 # Replace with your ClusterIP for kube-dns/CoreDNS
+      # Domains to search for (e.g., for Kubernetes services)
+      search_domains:
+        - svc.cluster.local
+        - cluster.local
+
+    auto_create_users: true
+
+    oidc_user_property: preferred_username # Or 'email' or 'sub'
+
+    prefixes:
+      v4: 10.20.20.0/24 # Example: A /24 subnet for your VPN clients
+
+    database:
+      type: sqlite
+      sqlite:
+        path: /var/lib/headscale/db.sqlite

charts/apps/charts/headscale/templates/deployment.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      # To expose WireGuard UDP directly, we need a NodePort service.
+      # The Pod needs to be aware of the external port it's being exposed on.
+      # The easiest way to get WireGuard to listen on the correct port and make it
+      # externally accessible is to use `hostNetwork: true` for the UDP component,
+      # or by directly specifying the listen port in Headscale config if the NodePort is stable.
+
+      # OPTION 1: Best for simple homelab on bare metal where host network traffic isn't an issue
+      # hostNetwork: true # This makes the pod listen directly on the node's IPs
+      # dnsPolicy: ClusterFirstWithHostNet # Required if using hostNetwork
+
+      initContainers:
+        - name: generate-config
+          image: alpine/git # A small image with 'envsubst' available or easily installable
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c']
+          args:
+            - |
+              # Install envsubst if it's not present (alpine/git may not have it by default)
+              apk update && apk add bash gettext
+
+              # Substitute environment variables into the template
+              # The vars are passed via `env` section below
+              envsubst < /config-template/config.yaml.template > /etc/headscale/config.yaml
+
+              mkdir -p /etc/headscale
+              # Optional: Verify the generated config
+              echo "--- Generated Headscale Configuration ---"
+              cat /etc/headscale/config.yaml
+              echo "---------------------------------------"
+          env:
+            # These are the variables that `envsubst` will look for and replace
+            - name: PUBLIC_URL
+              value: 'https://{{ .Values.subdomain }}.olsen.cloud'
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configurationIssuer
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            # Add any other variables used in config.yaml.template here
+          volumeMounts:
+            - name: config-template
+              mountPath: /config-template # Mount the ConfigMap as a volume
+              readOnly: true
+            - name: headscale-config
+              mountPath: /etc/headscale # Destination for the generated config
+
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: headscale/headscale:latest # Use the official image
+          command: ['headscale', 'serve']
+          ports:
+            - name: http-api
+              containerPort: 8080
+              protocol: TCP
+            - name: wireguard-udp
+              containerPort: 41641
+              protocol: UDP
+          volumeMounts:
+            - name: headscale-data
+              mountPath: /var/lib/headscale
+            - name: headscale-config
+              mountPath: /etc/headscale
+      volumes:
+        - name: config-template
+          configMap:
+            name: '{{ .Release.Name }}-config-template'
+        - name: headscale-config
+          emptyDir: {}
+        - name: headscale-data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/headscale/templates/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+    - name: wireguard-udp # TODO: should this be a LB service?
+      port: 41641
+      targetPort: 41641
+      protocol: UDP
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/headscale/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: headscale/headscale
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: headscale

charts/apps/charts/openwebui/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/openwebui/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/volumes/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Resources

charts/apps/charts/volumes/templates/books-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: books
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-books
+  nfs:
+    path: '{{ .Values.books.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: books
+spec:
+  storageClassName: manual-books
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/movies-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: movies
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-movies
+  nfs:
+    path: '{{ .Values.movies.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: movies
+spec:
+  storageClassName: manual-movies
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/music-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: music
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-music
+  nfs:
+    path: '{{ .Values.music.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: music
+spec:
+  storageClassName: manual-music
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/podcasts-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: podcasts
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-podcasts
+  nfs:
+    path: '{{ .Values.podcasts.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: podcasts
+spec:
+  storageClassName: manual-podcasts
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/tv-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: tvshows
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-tvshows
+  nfs:
+    path: '{{ .Values.tvshows.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tvshows
+spec:
+  storageClassName: manual-tvshows
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/values.yaml

@@ -0,0 +1,11 @@
+host: 192.168.20.106
+movies:
+  path: /mnt/HDD/Movies
+tvshows:
+  path: /mnt/HDD/TV-Shows
+music:
+  path: /mnt/HDD/Music2
+books:
+  path: /mnt/HDD/Books
+podcasts:
+  path: /mnt/HDD/Podcasts

charts/apps/root/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: root

charts/apps/root/templates/apps.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: homelab-apps
+  namespace: '{{ .Values.env }}-argo'
+spec:
+  generators:
+    - git:
+      repoURL: '{{ .Values.repo }}'
+      revision: '{{ .Values.ref }}'
+      directories:
+        - path: charts/apps/*
+          include: '.*'
+          exclude: '.*.disabled'
+  template:
+    metadata:
+      name: '{{`{{path.basename}}`}}'
+    spec:
+      project: default
+      source:
+        repoURL: '{{ .Values.repo }}'
+        targetRevision: '{{ .Values.ref }}'
+        path: charts/apps/{{`{{path.basename}}`}}
+        helm:
+          values: |
+            globals: {{ .Values.globals | toYaml | nindent 14 }}
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{ .Values.globals.env }}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true

charts/apps/root/templates/root.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homelab-root
+  namespace: '{{ .Values.globals.env }}-argo'
+spec:
+  project: default
+  source:
+    repoURL: '{{ .Values.repo }}'
+    targetRevision: '{{ .Values.ref }}'
+    path: charts/root
+    helm:
+      valueFiles:
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: '{{ .Values.globals.env }}-argo'
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

charts/apps/root/values.yaml

@@ -0,0 +1,4 @@
+globals:
+  env: prod
+repo: https://github.com/morten-olsen/homelab-operator.git
+ref: HEAD