update

charts/apps/bytestash/values.yaml

@@ -1,2 +0,0 @@
-environment: dev
-subdomain: bytestash

charts/apps/charts/audiobookshelf/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: audiobookshelf

charts/apps/charts/audiobookshelf/templates/client.yaml

@@ -0,0 +1,13 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /audiobookshelf/auth/openid/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict
+    - path: /audiobookshelf/auth/openid/mobile-redirect
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/audiobookshelf/templates/deployment.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /metadata
+              name: metadata
+            - mountPath: /audiobooks
+              name: audiobooks
+            - mountPath: /podcasts
+              name: podcasts
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-config'
+        - name: metadata
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-metadata'
+        - name: audiobooks
+          persistentVolumeClaim:
+            claimName: books
+        - name: podcasts
+          persistentVolumeClaim:
+            claimName: podcasts

charts/apps/charts/audiobookshelf/templates/external-http-service.yaml

@@ -3,8 +3,8 @@ kind: ExternalHttpService
 metadata:
   name: '{{ .Release.Name }}'
 spec:
-  environment: '{{ .Values.environment }}'
+  environment: '{{ .Values.globals.environment }}'
-  subdomain: '{{ .Values.subdomain }}-external'
+  subdomain: '{{ .Values.subdomain }}'
   destination:
     host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
     port:

charts/apps/charts/audiobookshelf/templates/pvc.yaml

@@ -0,0 +1,24 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-config'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'
+
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-metadata'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/audiobookshelf/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/audiobookshelf/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/advplyr/audiobookshelf
+  tag: 2.26.1
+  pullPolicy: IfNotPresent
+subdomain: audiobookshelf

charts/apps/charts/bytestash/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/auth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/bytestash/templates/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
   name: '{{ .Release.Name }}'
   labels:
@@ -22,6 +22,10 @@ spec:
             - containerPort: 5000
               name: http
           env:
+            - name: ALLOW_NEW_ACCOUNTS
+              value: 'true'
+            - name: DISABLE_INTERNAL_ACCOUNTS
+              value: 'true'
             - name: OIDC_ENABLED
               value: 'true'
             - name: OIDC_DISPLAY_NAME
@@ -42,27 +46,10 @@ spec:
                   name: '{{ .Release.Name }}-client'
                   key: configuration
 
-            # !! IMPORTANT !!
-            # You MUST update this Redirect URI to match your external URL.
-            # This URI must also be configured in your Authentik provider settings for this client.
-            #- name: BS_OIDC_REDIRECT_URI
-            #value: 'https://bytestash.your-domain.com/login/oauth2/code/oidc'
           volumeMounts:
             - mountPath: /data/snippets
-              name: bytestash-data
+              name: data
-
+      volumes:
-      # Defines security context for the pod to avoid running as root.
+        - name: data
-      # securityContext:
+          persistentVolumeClaim:
-      #   runAsUser: 1000
+            claimName: '{{ .Release.Name }}-data'
-      #   runAsGroup: 1000
-      #   fsGroup: 1000
-
-  volumeClaimTemplates:
-    - metadata:
-        name: bytestash-data
-      spec:
-        accessModes: ['ReadWriteOnce']
-        storageClassName: '{{ .Values.environment }}'
-        resources:
-          requests:
-            storage: 5Gi

charts/apps/charts/bytestash/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/bytestash/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/bytestash/values.yaml

@@ -0,0 +1,3 @@
+globals:
+  environment: prod
+subdomain: bytestash

charts/apps/charts/gitea/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: gitea

charts/apps/charts/gitea/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /user/oauth2/Authentik/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/gitea/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/charts/gitea/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: '{{ .Values.globals.timezone }}'
+            - name: USER_UID
+              value: '1000'
+            - name: USER_GID
+              value: '1000'
+            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
+              value: 'true'
+            - name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
+              value: 'true'
+            - name: GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM
+              value: 'false'
+            - name: GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE
+              value: 'true'
+            - name: GITEA__service__DEFAULT_USER_IS_RESTRICTED
+              value: 'true'
+            - name: GITEA__service__DEFAULT_USER_VISIBILITY
+              value: 'private'
+            - name: GITEA__service__DEFAULT_ORG_VISIBILITY
+              value: 'private'
+            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
+              value: 'true'
+            - name: GITEA__other__SHOW_FOOTER_POWERED_BY
+              value: 'false'
+            - name: GITEA__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME
+              value: 'false'
+            - name: GITEA__other__SHOW_FOOTER_VERSION
+              value: 'false'
+            - name: GITEA__repository__ENABLE_PUSH_CREATE_USER
+              value: 'true'
+            - name: GITEA__repository__ENABLE_PUSH_CREATE_ORG
+              value: 'true'
+            - name: GITEA__openid__ENABLE_OPENID_SIGNIN
+              value: 'false'
+            - name: GITEA__openid__ENABLE_OPENID_SIGNUP
+              value: 'false'
+            - name: GITEA__database__DB_TYPE
+              value: postgres
+            - name: GITEA__database__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: database
+            - name: GITEA__database__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: host
+            - name: GITEA__database__USER
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: user
+            - name: GITEA__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: password
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/gitea/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/gitea/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/gitea/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/gitea/values.yaml

@@ -0,0 +1,8 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+image:
+  repository: docker.gitea.com/gitea
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: gitea

charts/apps/charts/headscale/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: headscale

charts/apps/charts/headscale/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/headscale/templates/config-map.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: '{{ .Release.Name }}-config-template'
+data:
+  config.yaml.template: |
+    server_url: ${PUBLIC_URL}
+    listen_addr: 0.0.0.0:8080
+    metrics_listen_addr: 0.0.0.0:9090
+    grpc_listen_addr: 0.0.0.0:50443
+
+    private_key_path: /var/lib/headscale/private_key # Path inside the container
+
+    noise:
+      private_key_path: /var/lib/headscale/noise_private_key # Path inside the container
+
+    listen_routes: false 
+    base_domain: "${PUBLIC_URL}" # For client routes and DNS push.
+
+    derp:
+      server:
+        enabled: false
+        region_id: 999
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+        stun_listen_addr: "0.0.0.0:3478"
+        automatically_add_embedded_derp_region: true
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+
+    oidc:
+      enabled: true
+      only_start_if_oidc_is_available: true
+      issuer: "${OIDC_ISSUER_URL}"
+      client_id: "${OIDC_CLIENT_ID}"
+      client_secret: "${OIDC_CLIENT_SECRET}"
+      scopes: ["openid", "profile", "email"]
+      redirect_url: "${PUBLIC_URL}/oidc/callback"
+      pkce:
+        enabled: true
+        method: S256
+
+
+    # DNS configuration
+    dns:
+      magic_dns: false
+      override_local_dns: true # Push Headscale's DNS settings to clients
+      ttl: 60
+      nameservers:
+        global:
+          - 1.1.1.1 # Cloudflare DNS
+          #- 10.43.0.10 # Replace with your ClusterIP for kube-dns/CoreDNS
+      # Domains to search for (e.g., for Kubernetes services)
+      search_domains:
+        - svc.cluster.local
+        - cluster.local
+
+    auto_create_users: true
+
+    oidc_user_property: preferred_username # Or 'email' or 'sub'
+
+    prefixes:
+      v4: 10.20.20.0/24 # Example: A /24 subnet for your VPN clients
+
+    database:
+      type: sqlite
+      sqlite:
+        path: /var/lib/headscale/db.sqlite

charts/apps/charts/headscale/templates/deployment.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      # To expose WireGuard UDP directly, we need a NodePort service.
+      # The Pod needs to be aware of the external port it's being exposed on.
+      # The easiest way to get WireGuard to listen on the correct port and make it
+      # externally accessible is to use `hostNetwork: true` for the UDP component,
+      # or by directly specifying the listen port in Headscale config if the NodePort is stable.
+
+      # OPTION 1: Best for simple homelab on bare metal where host network traffic isn't an issue
+      # hostNetwork: true # This makes the pod listen directly on the node's IPs
+      # dnsPolicy: ClusterFirstWithHostNet # Required if using hostNetwork
+
+      initContainers:
+        - name: generate-config
+          image: alpine/git # A small image with 'envsubst' available or easily installable
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c']
+          args:
+            - |
+              # Install envsubst if it's not present (alpine/git may not have it by default)
+              apk update && apk add bash gettext
+
+              # Substitute environment variables into the template
+              # The vars are passed via `env` section below
+              envsubst < /config-template/config.yaml.template > /etc/headscale/config.yaml
+
+              mkdir -p /etc/headscale
+              # Optional: Verify the generated config
+              echo "--- Generated Headscale Configuration ---"
+              cat /etc/headscale/config.yaml
+              echo "---------------------------------------"
+          env:
+            # These are the variables that `envsubst` will look for and replace
+            - name: PUBLIC_URL
+              value: 'https://{{ .Values.subdomain }}.olsen.cloud'
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configurationIssuer
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            # Add any other variables used in config.yaml.template here
+          volumeMounts:
+            - name: config-template
+              mountPath: /config-template # Mount the ConfigMap as a volume
+              readOnly: true
+            - name: headscale-config
+              mountPath: /etc/headscale # Destination for the generated config
+
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: headscale/headscale:latest # Use the official image
+          command: ['headscale', 'serve']
+          ports:
+            - name: http-api
+              containerPort: 8080
+              protocol: TCP
+            - name: wireguard-udp
+              containerPort: 41641
+              protocol: UDP
+          volumeMounts:
+            - name: headscale-data
+              mountPath: /var/lib/headscale
+            - name: headscale-config
+              mountPath: /etc/headscale
+      volumes:
+        - name: config-template
+          configMap:
+            name: '{{ .Release.Name }}-config-template'
+        - name: headscale-config
+          emptyDir: {}
+        - name: headscale-data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/headscale/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/headscale/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/headscale/templates/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+    - name: wireguard-udp # TODO: should this be a LB service?
+      port: 41641
+      targetPort: 41641
+      protocol: UDP
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/headscale/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: headscale/headscale
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: headscale

charts/apps/charts/jellyfin/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Jellyfin

charts/apps/charts/jellyfin/notes.md

@@ -0,0 +1 @@
+https://www.authelia.com/integration/openid-connect/clients/jellyfin/

charts/apps/charts/jellyfin/templates/client.yaml

@@ -5,5 +5,6 @@ metadata:
 spec:
   environment: '{{ .Values.environment }}'
   redirectUris:
-    - url: https://localhost:3000/api/v1/authentik/oauth2/callback
+    - path: /sso/OID/redirect/Authentik
+      subdomain: '{{ .Values.globals.subdomain }}'
       matchingMode: strict

charts/apps/charts/jellyfin/templates/config-pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-config'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.environment }}'

charts/apps/charts/jellyfin/templates/deployment.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 8096
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /media/movies
+              name: movies
+            - mountPath: /media/tv-shows
+              name: tvshows
+            - mountPath: /media/music
+              name: music
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-config'
+        - name: movies
+          persistentVolumeClaim:
+            claimName: movies
+        - name: tvshows
+          persistentVolumeClaim:
+            claimName: tvshows
+        - name: music
+          persistentVolumeClaim:
+            claimName: music

charts/apps/charts/jellyfin/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/jellyfin/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8096
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/jellyfin/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: docker.io/jellyfin/jellyfin
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: jellyfin

charts/apps/charts/metamcp/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: metamcp

charts/apps/charts/metamcp/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/charts/metamcp/templates/deployment.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 12008
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: '{{ .Values.globals.timezone }}'
+            - name: APP_URL
+              value: https://metamcp.olsen.cloud # TODO: Change
+            - name: NEXT_PUBLIC_APP_URL
+              value: https://metamcp.olsen.cloud # TODO: Change
+            - name: BETTER_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-secrets'
+                  key: betterauth
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: url
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: database
+            - name: POSTGRES_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: host
+            - name: POSTGRES_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: port
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: user
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: password
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/metamcp/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/metamcp/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/metamcp/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: '{{ .Release.Name }}-secrets'
+spec:
+  fields:
+    - name: betterauth
+      encoding: base64
+      length: 64

charts/apps/charts/metamcp/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 12008
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/metamcp/values.yaml

@@ -0,0 +1,8 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+image:
+  repository: ghcr.io/metatool-ai/metamcp
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: metamcp

charts/apps/charts/miniflux.disable/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: ByteStash

charts/apps/charts/miniflux.disable/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/auth/oidc/callback
+      subdomain: bytestash
+      matchingMode: strict

charts/apps/charts/miniflux.disable/templates/deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  serviceName: '{{ .Release.Name }}-headless'
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: ghcr.io/miniflux/miniflux:latest
+          ports:
+            - containerPort: 8080
+              name: http
+          env:
+            - name: ALLOW_NEW_ACCOUNTS
+              value: 'true'
+            - name: DISABLE_INTERNAL_ACCOUNTS
+              value: 'true'
+            - name: OIDC_ENABLED
+              value: 'true'
+            - name: OIDC_DISPLAY_NAME
+              value: OIDC
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configuration
+
+          volumeMounts:
+            - mountPath: /data/snippets
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/miniflux.disable/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/miniflux.disable/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/miniflux.disable/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/miniflux.disable/values.yaml

@@ -0,0 +1,3 @@
+globals:
+  environment: prod
+subdomain: miniflux

charts/apps/charts/n8n/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Jellyfin

charts/apps/charts/n8n/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/charts/n8n/templates/deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 5678
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /home/node/.n8n
+              name: data
+          env:
+            - name: TZ
+              value: '{{ .Values.globals.timezone }}'
+            - name: GENERIC_TIMEZONE
+              value: '{{ .Values.globals.timezone }}'
+            - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
+              value: 'true'
+            - name: N8N_RUNNERS_ENABLED
+              value: 'true'
+            - name: DB_TYPE
+              value: postgresdb
+            - name: DB_POSTGRESDB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: database
+            - name: DB_POSTGRESDB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: host
+            - name: DB_POSTGRESDB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: port
+            - name: DB_POSTGRESDB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: user
+            - name: DB_POSTGRESDB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-pg-connection'
+                  key: password
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/n8n/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/n8n/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/n8n/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 5678
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/n8n/values.yaml

@@ -0,0 +1,8 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+image:
+  repository: docker.n8n.io/n8nio/n8n
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: n8n

charts/apps/charts/ollama/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: ollama

charts/apps/charts/ollama/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oauth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/ollama/templates/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 11434
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /root/.ollama
+              name: data
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/ollama/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/ollama/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 11434
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/ollama/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ollama/ollama
+  tag: 0.11.8
+  pullPolicy: IfNotPresent
+subdomain: openwebui

charts/apps/charts/openwebui/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: openwebui

charts/apps/charts/openwebui/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oauth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/charts/openwebui/templates/deployment.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /app/backend/data
+              name: data
+          env:
+            - name: ENABLE_SIGNUP
+              value: 'false'
+            - name: WEBUI_URL # TODO: remove
+              value: https://openwebui.olsen.cloud
+            - name: ENABLE_OAUTH_PERSISTENT_CONFIG
+              value: 'false'
+            - name: ENABLE_OAUTH_SIGNUP
+              value: 'true'
+            - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+              value: 'true'
+            - name: OAUTH_PROVIDER_NAME
+              value: authentik
+            - name: OPENID_PROVIDER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configuration
+            - name: OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            - name: ENABLE_LOGIN_FORM
+              value: 'false'
+            - name: OPENID_REDIRECT
+              value: https://openwebui.olsen.cloud/oauth/oidc/callback
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/charts/openwebui/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/charts/openwebui/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/charts/openwebui/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/charts/openwebui/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/open-webui/open-webui
+  tag: main
+  pullPolicy: IfNotPresent
+subdomain: openwebui

charts/apps/charts/volumes/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Resources

charts/apps/charts/volumes/templates/books-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: books
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-books
+  nfs:
+    path: '{{ .Values.books.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: books
+spec:
+  storageClassName: manual-books
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/movies-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: movies
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-movies
+  nfs:
+    path: '{{ .Values.movies.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: movies
+spec:
+  storageClassName: manual-movies
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/music-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: music
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-music
+  nfs:
+    path: '{{ .Values.music.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: music
+spec:
+  storageClassName: manual-music
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/podcasts-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: podcasts
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-podcasts
+  nfs:
+    path: '{{ .Values.podcasts.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: podcasts
+spec:
+  storageClassName: manual-podcasts
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/templates/tv-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: tvshows
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual-tvshows
+  nfs:
+    path: '{{ .Values.tvshows.path }}'
+    server: '{{ .Values.host }}'
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tvshows
+spec:
+  storageClassName: manual-tvshows
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi

charts/apps/charts/volumes/values.yaml

@@ -0,0 +1,11 @@
+host: 192.168.20.106
+movies:
+  path: /mnt/HDD/Movies
+tvshows:
+  path: /mnt/HDD/TV-Shows
+music:
+  path: /mnt/HDD/Music2
+books:
+  path: /mnt/HDD/Books
+podcasts:
+  path: /mnt/HDD/Podcasts

charts/apps/root/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: root

charts/apps/root/templates/apps.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: homelab-apps
+  namespace: '{{ .Values.env }}-argo'
+spec:
+  generators:
+    - git:
+      repoURL: '{{ .Values.repo }}'
+      revision: '{{ .Values.ref }}'
+      directories:
+        - path: charts/apps/*
+          include: '.*'
+          exclude: '.*.disabled'
+  template:
+    metadata:
+      name: '{{`{{path.basename}}`}}'
+    spec:
+      project: default
+      source:
+        repoURL: '{{ .Values.repo }}'
+        targetRevision: '{{ .Values.ref }}'
+        path: charts/apps/{{`{{path.basename}}`}}
+        helm:
+          values: |
+            globals: {{ .Values.globals | toYaml | nindent 14 }}
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{ .Values.globals.env }}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true

charts/apps/root/templates/root.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homelab-root
+  namespace: '{{ .Values.globals.env }}-argo'
+spec:
+  project: default
+  source:
+    repoURL: '{{ .Values.repo }}'
+    targetRevision: '{{ .Values.ref }}'
+    path: charts/root
+    helm:
+      valueFiles:
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: '{{ .Values.globals.env }}-argo'
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

charts/apps/root/values.yaml

@@ -0,0 +1,4 @@
+globals:
+  env: prod
+repo: https://github.com/morten-olsen/homelab-operator.git
+ref: HEAD

istio-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: dev-authentik-override
+  namespace: dev
+spec:
+  hosts:
+    - authentik.mortenolsen.nett
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+    - number: 80
+      name: http
+      protocol: HTTP
+  location: MESH_EXTERNAL
+  resolution: STATIC
+  endpoints:
+    - address: 1.1.1.1
+      ports:
+        https: 443
+        http: 80

manifests/environment.yaml

@@ -6,9 +6,9 @@ metadata:
 apiVersion: homelab.mortenolsen.pro/v1
 kind: Environment
 metadata:
-  name: dev
+  name: prod
 spec:
-  domain: one.dev.olsen.cloud
+  domain: olsen.cloud
-  networkIp: 192.168.107.2
+  networkIp: 192.168.20.180
   tls:
     issuer: lets-encrypt-prod

skaffold.yaml

@@ -4,16 +4,10 @@ metadata:
   name: homelab-operator
 
 build:
-  # This tells Skaffold to build the image locally using your Docker daemon.
+  cluster: {}
-  local:
-    push: false
-    # This is the crucial part for your workflow. Instead of pushing to a
-    # registry, it loads the built image directly into your cluster's nodes.
-    # load: true
   artifacts:
-    # Defines the image to build. It matches the placeholder in deployment.yaml.
     - image: homelaboperator
-      context: . # The build context is the root directory
+      context: .
       docker:
         dockerfile: Dockerfile
 

src/bootstrap/repos/repos.ts

@@ -9,6 +9,7 @@ class RepoService {
   #istio: HelmRepo;
   #authentik: HelmRepo;
   #cloudflare: HelmRepo;
+  #argo: HelmRepo;
 
   constructor(services: Services) {
     const resourceService = services.get(ResourceService);
@@ -16,11 +17,13 @@ class RepoService {
     this.#istio = resourceService.get(HelmRepo, 'istio', NAMESPACE);
     this.#authentik = resourceService.get(HelmRepo, 'authentik', NAMESPACE);
     this.#cloudflare = resourceService.get(HelmRepo, 'cloudflare', NAMESPACE);
+    this.#argo = resourceService.get(HelmRepo, 'argo', NAMESPACE);
 
     this.#jetstack.on('changed', this.ensure);
     this.#istio.on('changed', this.ensure);
     this.#authentik.on('changed', this.ensure);
     this.#cloudflare.on('changed', this.ensure);
+    this.#argo.on('changed', this.ensure);
   }
 
   public get jetstack() {
@@ -39,6 +42,10 @@ class RepoService {
     return this.#cloudflare;
   }
 
+  public get argo() {
+    return this.#argo;
+  }
+
   public ensure = async () => {
     await this.#jetstack.set({
       url: 'https://charts.jetstack.io',
@@ -55,6 +62,10 @@ class RepoService {
     await this.#cloudflare.set({
       url: 'https://cloudflare.github.io/helm-charts',
     });
+
+    await this.#argo.set({
+      url: 'https://argoproj.github.io/argo-helm',
+    });
   };
 }
 

src/resources/homelab/authentik-server/authentik-server.ts

@@ -15,9 +15,9 @@ import { generateRandomHexPass } from '#utils/secrets.ts';
 import { Service } from '#resources/core/service/service.ts';
 import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
 import { RepoService } from '#bootstrap/repos/repos.ts';
-import { VirtualService } from '#resources/istio/virtual-service/virtual-service.ts';
 import { DestinationRule } from '#resources/istio/destination-rule/destination-rule.ts';
 import { NotReadyError } from '#utils/errors.ts';
+import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
 
 const specSchema = z.object({
   environment: z.string(),
@@ -44,7 +44,7 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
   #initSecret: Secret<InitSecretData>;
   #service: Service;
   #helmRelease: HelmRelease;
-  #virtualService: VirtualService;
+  #externalHttpService: ExternalHttpService;
   #destinationRule: DestinationRule;
 
   constructor(options: CustomResourceOptions<typeof specSchema>) {
@@ -68,11 +68,10 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
     this.#helmRelease = resourceService.get(HelmRelease, this.name, this.namespace);
     this.#helmRelease.on('changed', this.queueReconcile);
 
-    this.#virtualService = resourceService.get(VirtualService, this.name, this.namespace);
-    this.#virtualService.on('changed', this.queueReconcile);
-
     this.#destinationRule = resourceService.get(DestinationRule, this.name, this.namespace);
     this.#destinationRule.on('changed', this.queueReconcile);
+
+    this.#externalHttpService = resourceService.get(ExternalHttpService, this.name, this.namespace);
   }
 
   public get service() {
@@ -254,28 +253,19 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
       },
     });
 
-    const gateway = this.#environment.current.gateway;
+    await this.#externalHttpService.ensure({
-    await this.#virtualService.set({
       metadata: {
         ownerReferences: [this.ref],
       },
       spec: {
-        gateways: [`${gateway.namespace}/${gateway.name}`, 'mesh'],
+        environment: this.spec.environment,
-        hosts: [domain],
+        subdomain: this.spec.subdomain || 'authentik',
-        http: [
+        destination: {
-          {
+          host: this.#service.hostname,
-            route: [
+          port: {
-              {
+            number: 80,
-                destination: {
-                  host: this.#service.hostname,
-                  port: {
-                    number: 80,
-                  },
-                },
-              },
-            ],
           },
-        ],
+        },
       },
     });
   };

src/resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts

@@ -12,6 +12,7 @@ import { RepoService } from '#bootstrap/repos/repos.ts';
 import { Secret } from '#resources/core/secret/secret.ts';
 import { NotReadyError } from '#utils/errors.ts';
 import { NamespaceService } from '#bootstrap/namespaces/namespaces.ts';
+import { CloudflareService } from '#services/cloudflare/cloudflare.ts';
 
 const specSchema = z.object({});
 
@@ -29,6 +30,7 @@ class CloudflareTunnel extends CustomResource<typeof specSchema> {
 
   #helmRelease: HelmRelease;
   #secret: Secret<SecretData>;
+  #cloudflareService;
 
   constructor(options: CustomResourceOptions<typeof specSchema>) {
     super(options);
@@ -40,6 +42,9 @@ class CloudflareTunnel extends CustomResource<typeof specSchema> {
     this.#helmRelease = resourceService.get(HelmRelease, this.name, namespace);
     this.#secret = resourceService.get(Secret<SecretData>, 'cloudflare', namespace);
     this.#secret.on('changed', this.queueReconcile);
+
+    this.#cloudflareService = this.services.get(CloudflareService);
+    this.#cloudflareService.on('changed', this.queueReconcile);
   }
 
   #handleResourceChanged = (resource: Resource<ExpectedAny>) => {
@@ -60,6 +65,18 @@ class CloudflareTunnel extends CustomResource<typeof specSchema> {
       hostname: rule?.hostname,
       service: `http://${rule?.destination.host}:${rule?.destination.port.number}`,
     }));
+    if (this.#cloudflareService.ready) {
+      for (const route of ingress) {
+        if (!route.hostname) {
+          continue;
+        }
+        try {
+          await this.#cloudflareService.ensureTunnel(route.hostname);
+        } catch (err) {
+          console.error(err);
+        }
+      }
+    }
     await this.#helmRelease.ensure({
       metadata: {
         ownerReferences: [this.ref],

src/resources/homelab/environment/environment.ts

@@ -14,6 +14,8 @@ import { Gateway } from '#resources/istio/gateway/gateway.ts';
 import { NotReadyError } from '#utils/errors.ts';
 import { NamespaceService } from '#bootstrap/namespaces/namespaces.ts';
 import { CloudflareService } from '#services/cloudflare/cloudflare.ts';
+import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
+import { RepoService } from '#bootstrap/repos/repos.ts';
 
 const specSchema = z.object({
   domain: z.string(),
@@ -37,6 +39,8 @@ class Environment extends CustomResource<typeof specSchema> {
   #redisServer: RedisServer;
   #authentikServer: AuthentikServer;
   #cloudflareService: CloudflareService;
+  #argoRelease: HelmRelease;
+  #argoNamespace: Namespace;
 
   constructor(options: CustomResourceOptions<typeof specSchema>) {
     super(options);
@@ -67,6 +71,11 @@ class Environment extends CustomResource<typeof specSchema> {
 
     this.#authentikServer = resourceService.get(AuthentikServer, `${this.name}-authentik`, homelabNamespace);
     this.#authentikServer.on('changed', this.queueReconcile);
+
+    this.#argoNamespace = resourceService.get(Namespace, `${this.name}-argo`);
+
+    this.#argoRelease = resourceService.get(HelmRelease, `${this.name}-argo`, homelabNamespace);
+    this.#argoRelease.on('changed', this.queueReconcile);
   }
 
   public get certificate() {
@@ -99,27 +108,6 @@ class Environment extends CustomResource<typeof specSchema> {
       throw new NotReadyError('InvalidSpec');
     }
 
-    if (this.#cloudflareService.ready && spec.networkIp) {
-      const client = this.#cloudflareService.client;
-      const zones = await client.zones.list({
-        name: spec.domain,
-      });
-      const [zone] = zones.result;
-      if (!zone) {
-        throw new NotReadyError('NoZoneFound');
-      }
-
-      const existingRecords = await client.dns.records.list({
-        zone_id: zone.id,
-        name: {
-          exact: `*.${spec.domain}`,
-        },
-      });
-
-      console.log('Cloudflare records', existingRecords);
-
-      // zones.result[0].
-    }
     await this.#namespace.ensure({
       metadata: {
         labels: {
@@ -208,6 +196,33 @@ class Environment extends CustomResource<typeof specSchema> {
         ],
       },
     });
+
+    await this.#argoNamespace.ensure({});
+
+    const repoService = this.services.get(RepoService);
+    await this.#argoRelease.ensure({
+      spec: {
+        targetNamespace: this.#argoNamespace.name,
+        interval: '1h',
+        values: {
+          applicationset: {
+            enabled: true,
+          },
+        },
+        chart: {
+          spec: {
+            chart: 'argo-cd',
+            version: '3.9.0',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.argo.name,
+              namespace: repoService.argo.namespace,
+            },
+          },
+        },
+      },
+    });
   };
 }
 

src/resources/homelab/generate-secret/generate-secret.ts

@@ -40,7 +40,7 @@ class GenerateSecret extends CustomResource<typeof specSchema> {
       ...current,
     };
 
-    await this.#secret.ensure(expected);
+    await this.#secret.set(expected);
   };
 }
 

src/resources/homelab/oidc-client/oidc-client.ts

@@ -19,7 +19,8 @@ const specSchema = z.object({
   clientType: z.enum(ClientTypeEnum).optional(),
   redirectUris: z.array(
     z.object({
-      url: z.string(),
+      subdomain: z.string(),
+      path: z.string(),
       matchingMode: z.enum(['strict', 'regex']),
     }),
   ),
@@ -98,8 +99,14 @@ class OIDCClient extends CustomResource<typeof specSchema> {
       token: authentikSecret.token,
     });
 
+    const redirectUris = this.spec.redirectUris.map((uri) => ({
+      matchingMode: uri.matchingMode,
+      url: new URL(uri.path, `https://${uri.subdomain}.${this.#environment.current?.spec?.domain}`).toString(),
+    }));
+
     await authentikServer.upsertClient({
       ...this.spec,
+      redirectUris,
       name: this.name,
       secret: secret.clientSecret,
     });

src/resources/homelab/postgres-database/postgres-database.ts

@@ -26,6 +26,7 @@ type SecretData = {
   database: string;
   host: string;
   port: string;
+  url: string;
 };
 
 const sanitizeName = (input: string) => {
@@ -87,15 +88,22 @@ class PostgresDatabase extends CustomResource<typeof specSchema> {
       throw new NotReadyError('MissingClusterSecret');
     }
 
+    const expected = {
+      password: generateRandomHexPass(),
+      user: this.username,
+      database: this.database,
+      ...this.#secret.value,
+      host: clusterSecret.host,
+      port: clusterSecret.port,
+    };
+
+    const url = `postgresql://${expected.user}:${expected.password}@${expected.host}:${expected.port}/${expected.database}`;
+
     await this.#secret.set(
-      (current) => ({
+      {
-        password: generateRandomHexPass(),
+        ...expected,
-        user: this.username,
+        url,
-        database: this.database,
+      },
-        ...current,
-        host: clusterSecret.host,
-        port: clusterSecret.port,
-      }),
       {
         metadata: {
           ownerReferences: [this.ref],

src/services/cloudflare/cloudflare.ts

@@ -52,6 +52,55 @@ class CloudflareService extends EventEmitter<CloudflareServiceEvents> {
 
     return client;
   }
+
+  public ensureTunnel = async (route: string) => {
+    const secret = this.#secret.value;
+    if (!secret) {
+      return;
+    }
+    const client = this.client;
+    const domainParts = route.split('.');
+    const cname = `${secret.tunnelId}.cfargotunnel.com`;
+    const tld = domainParts.pop();
+    const root = domainParts.pop();
+    const zoneName = `${root}.${tld}`;
+    const name = domainParts.join('.');
+
+    const zones = await client.zones.list({
+      name: zoneName,
+    });
+    const [zone] = zones.result;
+    if (!zone) {
+      return;
+    }
+    const records = await client.dns.records.list({
+      zone_id: zone.id,
+      name: {
+        exact: route,
+      },
+      type: 'CNAME',
+    });
+    const [record] = records.result;
+    if (record) {
+      await client.dns.records.edit(record.id, {
+        zone_id: zone.id,
+        type: 'CNAME',
+        content: cname,
+        name: name,
+        ttl: 1,
+        proxied: true,
+      });
+    } else {
+      await client.dns.records.create({
+        zone_id: zone.id,
+        type: 'CNAME',
+        content: cname,
+        name: name,
+        ttl: 1,
+        proxied: true,
+      });
+    }
+  };
 }
 
 export { CloudflareService };