disable ssl on pg

.gitignore

@@ -1,2 +1,3 @@
 /secret.*.yaml
 /data/
+*.DS_Store

charts/apps/home-assistant/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /auth/openid/callback
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict

charts/apps/home-assistant/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80

charts/apps/mealie/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: mealie

charts/apps/mealie/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /login
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict

charts/apps/mealie/templates/deployment.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          ports:
+            - containerPort: 9000
+              name: http
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: BASE_URL
+              value: https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}
+            - name: ALLOW_SIGNUP
+              value: "false"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+            - name: OIDC_AUTH_ENABLED
+              value: "true"
+            - name: OIDC_SIGNUP_ENABLED
+              value: "true"
+            - name: OIDC_USER_GROUP
+              value: "mealie-users"
+            - name: OIDC_ADMIN_GROUP
+              value: "admin"
+            - name: OIDC_AUTO_REDIRECT
+              value: "true"
+            - name: OIDC_PROVIDER_NAME
+              value: Authentik
+            - name: OIDC_REMEMBER_ME
+              value: "true"
+            - name: OIDC_SIGNING_ALGORITHM
+              value: RS256
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientSecret
+            - name: OIDC_CONFIGURATION_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: configuration
+
+          volumeMounts:
+            - mountPath: /app/data
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/mealie/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/mealie/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}"
+    port:
+      number: 80

charts/apps/mealie/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/mealie/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 9000
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/mealie/values.yaml

@@ -0,0 +1,8 @@
+globals:
+  environment: prod
+  domain: olsen.cloud
+  timezone: Europe/Amsterdam
+subdomain: mealie
+image:
+  repository: ghcr.io/mealie-recipes/mealie
+  tag: latest

charts/apps/miniflux/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: miniflux

charts/apps/miniflux/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: oauth2/oidc/callback
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict

charts/apps/miniflux/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/miniflux/templates/deployment.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: RUN_MIGRATIONS
+              value: "1"
+            - name: OAUTH2_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientId
+            - name: OAUTH2_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientSecret
+            - name: OAUTH2_OIDC_DISCOVERY_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: configuration
+            - name: OAUTH2_OIDC_PROVIDER_NAME
+              value: Authentik
+            - name: OAUTH2_PROVIDER
+              value: oidc
+            - name: OAUTH2_REDIRECT_URL
+              value: https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}/oauth2/oidc/callback
+            - name: OAUTH2_USER_CREATION
+              value: "1"
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: url
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/miniflux/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/miniflux/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/miniflux/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/miniflux/values.yaml

@@ -0,0 +1,9 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+  domain: olsen.cloud
+image:
+  repository: ghcr.io/miniflux/miniflux
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: miniflux

cloudflare.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare
+  namespace: homelab
+data:
+  token: WDhqQ1Z2WGtHUVh4XzIzb0d2WmNUcWZkWm8zZGpsMXE0dGIxU0J3Zg==
+  account: ZThkZDYwMDQ5MTI2NDM3MDhhNGZlMDI4YjNkNWEzMzM=
+  tunnelName: aG9tZWxhYg==
+  tunnelId: YTI1ZTI1MDEtNzNiNi00MDc1LWI3MjYtZDc1YWViZmE4ZmNk
+  secret: UWgvRWtGNkY2MUNxSnFwMGlCQXJ3MUxyd245ZldtcTd1RDNrZk1VUEVBVT0=
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: lets-encrypt-prod
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: alice@alice.com
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            email: alice@alice.com
+            apiTokenSecretRef:
+              name: cloudflare
+              key: token

images/operator/src/resources/homelab/postgres-database/postgres-database.ts

@@ -97,7 +97,7 @@ class PostgresDatabase extends CustomResource<typeof specSchema> {
       port: clusterSecret.port,
     };
 
-    const url = `postgresql://${expected.user}:${expected.password}@${expected.host}:${expected.port}/${expected.database}`;
+    const url = `postgresql://${expected.user}:${expected.password}@${expected.host}:${expected.port}/${expected.database}?sslmode=disable`;
 
     await this.#secret.set(
       {