chore(deps): update helm release external-secrets to v1.3.2

Reviewed-on: #35

.gitea/workflows/production.yaml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 📥Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
       - name: 🚀Validating the manifests
         uses: frenck/action-yamllint@v1.5.0
         with:

catalog-info.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Domain
+metadata:
+  name: dgse-cloud
+  description: "Infrastructure for DGSE Cloud services."
+spec:
+  owner: dgse-cloud
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: artemis-cluster
+  description: A collection of all entities running on the Artemis cluster
+spec:
+  targets:
+    - ./clusters/artemis/catalog.yaml
+    - ./clusters/artemis/apps/argocd/catalog.yaml
+    - ./clusters/artemis/apps/cnpg/catalog.yaml
+    - ./clusters/artemis/apps/digital-garden/catalog.yaml
+    - ./clusters/artemis/apps/external-secrets/catalog.yaml
+    - ./clusters/artemis/apps/gitea/catalog.yaml
+    - ./clusters/artemis/apps/gitea-runners/catalog.yaml
+    - ./clusters/artemis/apps/immich/catalog.yaml
+    - ./clusters/artemis/apps/mailu/catalog.yaml
+    - ./clusters/artemis/apps/nextcloud/catalog.yaml

clusters/artemis/apps/argocd/catalog.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: argocd
+  description: "ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes."
+  links:
+    - url: https://cd.dgse.cloud
+      title: Dashboard
+      icon: dashboard
+  annotations:
+    argocd/app-name: argocd
+    argocd/app-namespace: argocd
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/cnpg/catalog.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: cnpg
+  description: "CloudNativePG is a Kubernetes operator that manages PostgreSQL databases in a cloud-native way."
+  annotations:
+    argocd/app-name: cnpg
+    argocd/app-namespace: cnpg-system
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/digital-garden/catalog.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: digital-garden
+  description: "A collection of notes, essays, and other writing that is published on the web."
+  links:
+    - url: https://groothuis.io
+      title: Public Website
+      icon: web
+  annotations:
+    argocd/app-name: digital-garden
+    argocd/app-namespace: digital-garden
+spec:
+  type: website
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/external-secrets/application.yaml

@@ -18,6 +18,7 @@ spec:
     name: in-cluster
   syncPolicy:
     syncOptions:
+      - ServerSideApply=true
       - CreateNamespace=true
     automated:
       prune: true

clusters/artemis/apps/external-secrets/catalog.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: external-secrets
+  description: "Vault Secrets Operator to sync secrets from Vault to Kubernetes"
+  annotations:
+    argocd/app-name: external-secrets
+    argocd/app-namespace: external-secrets
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/gitea-runners/catalog.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: gitea-runners
+  description: "Gitea Action Runners"
+  annotations:
+    argocd/app-name: gitea-runners
+    argocd/app-namespace: gitea-runners
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster
+  dependencyOf:
+    - component:gitea

clusters/artemis/apps/gitea/catalog.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: gitea
+  description: "Self-hosted Git Server"
+  links:
+    - url: https://git.dgse.cloud
+      title: Git Server
+      icon: web
+  annotations:
+    argocd/app-name: gitea
+    argocd/app-namespace: gitea
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster
+  dependsOn:
+    - Component:gitea-runners

clusters/artemis/apps/immich/catalog.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: immich
+  description: "Self-hosted photo and video backup solution directly from your mobile phone."
+  links:
+    - url: https://photos.dgse.cloud
+      title: Git Server
+      icon: web
+  annotations:
+    argocd/app-name: immich
+    argocd/app-namespace: immich
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/kaneo/app-project.yaml

@@ -2,15 +2,15 @@
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
-  name: kener
+  name: kaneo
 spec:
-  description: Monitoring tool
+  description: Project Management
   sourceRepos:
     - '*'
   sourceNamespaces:
     - '*'
   destinations:
-    - namespace: 'kener'
+    - namespace: 'kaneo'
       server: '*'
   clusterResourceWhitelist:
     - group: '*'

clusters/artemis/apps/kaneo/application.yaml

@@ -1,20 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: kener
-  namespace: kener
+  name: kaneo
+  namespace: kaneo
   labels:
     platform.dgse.cloud/cluster: artemis
   finalizers:
     - resources-finalizer.argocd.argoproj.io
 spec:
-  project: kener
+  project: kaneo
   source:
     repoURL: 'https://git.dgse.cloud/DGSE/kubernetes.git'
-    path: manifests/artemis/kener
+    path: manifests/artemis/kaneo
     targetRevision: main
   destination:
-    namespace: kener
+    namespace: kaneo
     name: in-cluster
   syncPolicy:
     syncOptions:

clusters/artemis/apps/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
   - pocket-id
   - vaultwarden
   - mailu
-  - ntfy
   - penpot
   - immich
   - digital-garden
+  - kaneo

clusters/artemis/apps/mailu/catalog.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: mailu
+  description: "Self-hosted mail server"
+  links:
+    - url: https://mail.dgse.cloud
+      title: Mail Server
+      icon: web
+  annotations:
+    argocd/app-name: mailu
+    argocd/app-namespace: mailu
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/nextcloud/app-project.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: nextcloud
+spec:
+  description: Self Hosted Cloud
+  sourceRepos:
+    - '*'
+  sourceNamespaces:
+    - '*'
+  destinations:
+    - namespace: 'nextcloud'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'

clusters/artemis/apps/nextcloud/application.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: nextcloud
+  labels:
+    platform.dgse.cloud/cluster: artemis
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: nextcloud
+  source:
+    repoURL: 'https://git.dgse.cloud/DGSE/kubernetes.git'
+    path: manifests/artemis/nextcloud
+    targetRevision: main
+  destination:
+    namespace: nextcloud
+    name: in-cluster
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

clusters/artemis/apps/nextcloud/catalog.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: nextcloud
+  description: "Self-hosted photo and video backup solution directly from your mobile phone."
+  links:
+    - url: https://nextcloud.dgse.cloud
+      title: Git Server
+      icon: web
+  annotations:
+    argocd/app-name: nextcloud
+    argocd/app-namespace: nextcloud
+    backstage.io/techdocs-ref: dir:.
+spec:
+  type: service
+  lifecycle: production
+  owner: owners
+  system: artemis-cluster

clusters/artemis/apps/nextcloud/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app-project.yaml
+  - application.yaml

clusters/artemis/catalog.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+  name: artemis-cluster
+  description: "The Artemis cluster is a Kubernetes cluster hosting all infra for DGSE Cloud."
+spec:
+  owner: owners
+  domain: dgse-cloud

docs/index.md

@@ -0,0 +1 @@
+# NextCloud

manifests/artemis/argocd/backstage-rbac.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backstage-argocd-server-access
+subjects:
+  - kind: ServiceAccount
+    name: backstage-argocd
+    namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server

manifests/artemis/argocd/backstage-sa.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backstage-argocd
+  namespace: argocd

manifests/artemis/argocd/kustomization.yaml

@@ -5,9 +5,11 @@ metadata:
   name: argocd
 
 resources:
-  - github.com/argoproj/argo-cd/manifests/cluster-install?ref=v2.14.15
+  - github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.2.6
   - ingressRoute.yaml
   - certificate.yaml
+  - backstage-sa.yaml
+  - backstage-rbac.yaml
 
 patches:
   - target:
@@ -45,7 +47,9 @@ patches:
       metadata:
         name: argocd-cm
       data:
-        admin.enabled: "false"
+        accounts.admin: "apiKey, login"
+        accounts.backstage.enabled: "true"
+        admin.enabled: "true"
         kustomize.buildOptions: --enable-helm
         url: https://cd.dgse.cloud
         oidc.config: |
@@ -118,3 +122,23 @@ patches:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: argocd-server
+
+  # Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
+  - target:
+      kind: ConfigMap
+      name: argocd-rbac-cm
+    patch: |-
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: argocd-rbac-cm
+        namespace: argocd
+      data:
+        policy.csv: |
+          g, argocd_admins, role:admin
+          p, argocd_users, applications, list, *, allow
+          p, argocd_users, applications, sync, *, allow
+          p, argocd_users, applications, refresh, *, allow
+          p, argocd_users, applications, get, *, allow
+          g, system:serviceaccount:argocd:backstage-argocd, role:admin
+          p, system:serviceaccount:argocd:backstage-argocd, applications, *, */*, allow

manifests/artemis/external-secrets/kustomization.yaml

@@ -10,6 +10,6 @@ resources:
 helmCharts:
   - name: external-secrets
     repo: https://charts.external-secrets.io/
-    version: 0.20.4
+    version: 1.3.2
     releaseName: external-secrets
     namespace: external-secrets

manifests/artemis/gitea/kustomization.yaml

@@ -7,7 +7,7 @@ metadata:
 helmCharts:
   - name: gitea
     repo: https://dl.gitea.com/charts/
-    version: 12.4.0
+    version: 12.5.0
     releaseName: gitea
     namespace: gitea
     valuesFile: values.yaml

manifests/artemis/gitea/values.yaml

@@ -643,6 +643,13 @@ postgresql-ha:
     repmgrPassword: changeme2
     postgresPassword: changeme1
     password: changeme4
+    resources:
+      limits:
+        cpu: 2000m
+        memory: 2Gi
+      requests:
+        cpu: 1500m
+        memory: 2Gi
 
   ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
   ## @param postgresql-ha.pgpool.image.repository Image repository, eg. `bitnamilegacy/pgpool`.
@@ -652,6 +659,13 @@ postgresql-ha:
     image:
       repository: bitnamilegacy/pgpool
     srCheckPassword: changeme4
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+      requests:
+        cpu: 250m
+        memory: 1Gi
 
   ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
   service:

manifests/artemis/immich/kustomization.yaml

@@ -12,7 +12,7 @@ resources:
 helmCharts:
   - name: immich
     repo: https://immich-app.github.io/immich-charts
-    version: 0.10.1
+    version: 0.10.3
     releaseName: immich
     namespace: immich
     valuesFile: values.yaml

manifests/artemis/immich/values.yaml

@@ -94,7 +94,7 @@ server:
           secretName: immich-tls
 
 machine-learning:
-  enabled: true
+  enabled: false
   controllers:
     main:
       containers:

manifests/artemis/immich/volumeClaims.yaml

@@ -1,15 +1,15 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: immich-ml-pvc
-spec:
-  storageClassName: local-path
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
+# ---
+# apiVersion: v1
+# kind: PersistentVolumeClaim
+# metadata:
+#   name: immich-ml-pvc
+# spec:
+#   storageClassName: local-path
+#   accessModes:
+#     - ReadWriteOnce
+#   resources:
+#     requests:
+#       storage: 10Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

manifests/artemis/kaneo/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+  name: kaneo
+
+#resources:
+#  - secret.yaml
+
+helmCharts:
+  - name: charts/kaneo
+    repo: https://github.com/usekaneo/kaneo
+    version: 0.1.0
+    releaseName: kaneo
+    namespace: kaneo
+    valuesFile: values.yaml

manifests/artemis/kaneo/values.yaml

@@ -0,0 +1,183 @@
+# Global values
+nameOverride: ""
+fullnameOverride: ""
+replicaCount: 1
+# Autoscaling configuration
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+# Pod configuration
+podAnnotations: {}
+podSecurityContext: {}
+nodeSelector: {}
+tolerations: []
+affinity: {}
+# Service account configuration
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+# PostgreSQL database configuration
+postgresql:
+  # Set to true to deploy PostgreSQL as part of this chart
+  enabled: true
+  image:
+    repository: postgres
+    tag: 16-alpine
+    pullPolicy: IfNotPresent
+  # Database configuration
+  auth:
+    database: kaneo
+    username: kaneo_user
+    password: kaneo_password
+    # Use existing secret for database credentials (optional)
+    existingSecret: ""
+    secretKeys:
+      adminPasswordKey: postgres-password
+      userPasswordKey: password
+  # Persistence for PostgreSQL data
+  persistence:
+    enabled: true
+    size: 8Gi
+    storageClass: ""
+    accessMode: ReadWriteOnce
+  # PostgreSQL service configuration
+  service:
+    type: ClusterIP
+    port: 5432
+  # Resources for PostgreSQL
+  resources: {}
+  # resources:
+  #   limits:
+  #     cpu: 500m
+  #     memory: 512Mi
+  #   requests:
+  #     cpu: 100m
+  #     memory: 128Mi
+# API backend configuration
+api:
+  image:
+    repository: ghcr.io/usekaneo/api
+    tag: latest
+    pullPolicy: IfNotPresent
+  securityContext: {}
+  service:
+    type: ClusterIP
+    port: 1337
+    targetPort: 1337
+  # Resources are optional and disabled by default
+  resources: {}
+  # resources:
+  #   limits:
+  #     cpu: 500m
+  #     memory: 512Mi
+  #   requests:
+  #     cpu: 100m
+  #     memory: 128Mi
+
+  # Environment variables for the API
+  env:
+    jwtAccess: appelflap
+    existingSecret:
+      enabled: false
+      name: ""
+      key: jwt-access
+    disableRegistration: false
+    # Database configuration
+    database:
+      # Use external PostgreSQL (set postgresql.enabled to false)
+      # Important: when using external postgres, make sure you have set up the db user correctly:
+      #   CREATE DATABASE kaneo;
+      #   CREATE USER kaneo_user WITH PASSWORD 'your_password';
+      #   GRANT ALL PRIVILEGES ON DATABASE kaneo TO kaneo_user;
+      #   \c kaneo;
+      #   GRANT USAGE ON SCHEMA public TO kaneo_user;
+      #   GRANT CREATE ON SCHEMA public TO kaneo_user;
+      #   ALTER SCHEMA public OWNER TO kaneo_user;
+      external:
+        enabled: false
+        host: ""
+        port: 5432
+        database: kaneo
+        username: kaneo_user
+        password: ""
+        # Use existing secret for external database credentials in the form of a uri, e.g.: "postgresql://user:pass@host:port/db"
+        existingSecret:
+          enabled: false
+          name: ""
+          passwordKey: postgres_uri
+  livenessProbe:
+    httpGet:
+      path: /me
+      port: api
+    initialDelaySeconds: 30
+    periodSeconds: 10
+  readinessProbe:
+    httpGet:
+      path: /me
+      port: api
+    initialDelaySeconds: 5
+    periodSeconds: 10
+# Web frontend configuration
+web:
+  image:
+    repository: ghcr.io/usekaneo/web
+    tag: latest
+    pullPolicy: IfNotPresent
+  # Environment variables for the Web
+  env:
+    # Optional: Override the default API URL (http://localhost:1337)
+    # The /api path will be automatically appended to the URL
+    # Make sure this url matches the ingress host
+    # apiUrl: "https://kaneo.example.com"
+    apiUrl: ""
+  securityContext: {}
+  service:
+    type: ClusterIP
+    port: 80
+    targetPort: 80
+  # Resources are optional and disabled by default
+  resources: {}
+  # resources:
+  #   limits:
+  #     cpu: 300m
+  #     memory: 256Mi
+  #   requests:
+  #     cpu: 100m
+  #     memory: 128Mi
+
+  livenessProbe:
+    httpGet:
+      path: /
+      port: web
+    initialDelaySeconds: 30
+    periodSeconds: 10
+  readinessProbe:
+    httpGet:
+      path: /
+      port: web
+    initialDelaySeconds: 5
+    periodSeconds: 10
+# Ingress configuration
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+  hosts:
+    # Use the same host in the web env variable apiUrl (with http:// or https://)
+    - host: projects.dgse.cloud
+      paths:
+        - path: /?(.*)
+          pathType: ImplementationSpecific
+          service: web
+          port: 80
+        - path: /api/?(.*)
+          pathType: ImplementationSpecific
+          service: api
+          port: 1337
+  tls:
+    - projects.dgse.cloud

manifests/artemis/kener/db-cluster.yaml

@@ -1,21 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: kener-postgres
-spec:
-  instances: 1
-  managed:
-    roles:
-      - name: kener
-        superuser: true
-        login: true
-  bootstrap:
-    initdb:
-      database: kener
-      owner: kener
-      secret:
-        name: kener-postgres-user
-
-  storage:
-    size: 4Gi
-    storageClass: local-path

manifests/artemis/kener/deployment.yaml

@@ -1,79 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kener
-spec:
-  selector:
-    matchLabels:
-      app: kener
-  template:
-    metadata:
-      labels:
-        app: kener
-    spec:
-      containers:
-        - name: kener
-          image: rajnandan1/kener:latest
-          ports:
-            - containerPort: 3000
-              name: http
-          volumeMounts:
-            - name: kener-uploads
-              mountPath: "/app/uploads"
-          env:
-            - name: ORIGIN
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: ORIGIN
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: DATABASE_URL
-            - name: KENER_SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: KENER_SECRET_KEY
-            - name: SMTP_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_HOST
-            - name: SMTP_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_PORT
-            - name: SMTP_USER
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_USER
-            - name: SMTP_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_PASS
-            - name: SMTP_SECURE
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_SECURE
-            - name: SMTP_FROM_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: SMTP_FROM_EMAIL
-            - name: TZ
-              valueFrom:
-                secretKeyRef:
-                  name: kener-secret
-                  key: TZ
-
-      volumes:
-        - name: kener-uploads
-          persistentVolumeClaim:
-            claimName: kener-pvc

manifests/artemis/kener/ingress.yaml

@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-  name: kener-ingress
-spec:
-  rules:
-    - host: monitor.dgse.cloud
-      http:
-        paths:
-          - backend:
-              service:
-                name: kener
-                port:
-                  number: 3000
-            path: /
-            pathType: Prefix
-  tls:
-    - hosts:
-        - monitor.dgse.cloud
-      secretName: letsencrypt

manifests/artemis/kener/kustomization.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-metadata:
-  name: kener
-
-resources:
-  - secret.yaml
-  - db-cluster.yaml
-  - service.yaml
-  - pvc.yaml
-  - deployment.yaml
-  - ingress.yaml

manifests/artemis/kener/pvc.yaml

@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kener-pvc
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Gi

manifests/artemis/kener/secret.yaml

@@ -1,74 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: kener-secret
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: platform
-    kind: ClusterSecretStore
-  target:
-    name: kener-secret
-  data:
-    - secretKey: ORIGIN
-      remoteRef:
-        key: kener
-        property: ORIGIN
-    - secretKey: DATABASE_URL
-      remoteRef:
-        key: kener
-        property: DATABASE_URL
-    - secretKey: KENER_SECRET_KEY
-      remoteRef:
-        key: kener
-        property: KENER_SECRET_KEY
-    - secretKey: SMTP_HOST
-      remoteRef:
-        key: kener
-        property: SMTP_HOST
-    - secretKey: SMTP_PORT
-      remoteRef:
-        key: kener
-        property: SMTP_PORT
-    - secretKey: SMTP_USER
-      remoteRef:
-        key: kener
-        property: SMTP_USER
-    - secretKey: SMTP_PASS
-      remoteRef:
-        key: kener
-        property: SMTP_PASS
-    - secretKey: SMTP_SECURE
-      remoteRef:
-        key: kener
-        property: SMTP_SECURE
-    - secretKey: SMTP_FROM_EMAIL
-      remoteRef:
-        key: kener
-        property: SMTP_FROM_EMAIL
-    - secretKey: TZ
-      remoteRef:
-        key: kener
-        property: TZ
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: kener-postgres-user
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: platform
-    kind: ClusterSecretStore
-  target:
-    name: kener-postgres-user
-  data:
-    - secretKey: username
-      remoteRef:
-        key: kener
-        property: postgres_username
-    - secretKey: password
-      remoteRef:
-        key: kener
-        property: postgres_password

manifests/artemis/kener/service.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: kener
-spec:
-  selector:
-    app: kener
-  ports:
-    - protocol: TCP
-      port: 3000
-      targetPort: 3000

manifests/artemis/mailu/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: mailu
     repo: https://mailu.github.io/helm-charts/
-    version: 2.1.2
+    version: 2.6.3
     releaseName: mailu
     namespace: mailu
     valuesFile: values.yaml

manifests/artemis/mailu/values.yaml

@@ -166,7 +166,7 @@ limits:
     ipv6Mask: 56
     user: 100/day
     exemptionLength: 86400
-    exemption: "10.42.0.0/16"
+    exemption: "10.42.4.105"
 
   # Configuration to reduce outgoing spam in case of a compromised account. See the documentation for further information: https://mailu.io/1.9/configuration.html?highlight=MESSAGE_RATELIMIT
   ## @param limits.messageRatelimit.value Sets the `MESSAGE_RATELIMIT` environment variable in the `admin` pod

manifests/artemis/nextcloud/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+  name: nextcloud
+
+resources:
+  - secret.yaml
+
+helmCharts:
+  - name: nextcloud
+    repo: https://nextcloud.github.io/helm/
+    version: 8.5.2
+    releaseName: nextcloud
+    namespace: nextcloud
+    valuesFile: values.yaml

manifests/artemis/nextcloud/secret.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: nextcloud-secret
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: platform
+    kind: ClusterSecretStore
+  target:
+    name: nextcloud-secret
+  data:
+    - secretKey: nextcloud-username
+      remoteRef:
+        key: nextcloud
+        property: nextcloud-username
+    - secretKey: nextcloud-password
+      remoteRef:
+        key: nextcloud
+        property: nextcloud-password
+    - secretKey: smtp-password
+      remoteRef:
+        key: nextcloud
+        property: smtp-password
+    - secretKey: smtp-username
+      remoteRef:
+        key: nextcloud
+        property: smtp-username
+    - secretKey: smtp-host
+      remoteRef:
+        key: nextcloud
+        property: smtp-host

manifests/artemis/nextcloud/values.yaml

@@ -0,0 +1,981 @@
+## ref: https://hub.docker.com/r/library/nextcloud/tags/
+##
+image:
+  repository: nextcloud
+  flavor: apache
+  # default is generated by flavor and appVersion
+  tag:
+  pullPolicy: IfNotPresent
+  # pullSecrets:
+  #   - myRegistrKeySecretName
+
+nameOverride: ""
+fullnameOverride: ""
+podAnnotations: {}
+podLabels: {}
+deploymentAnnotations: {}
+deploymentLabels: {}
+
+# Number of replicas to be deployed
+replicaCount: 1
+
+## Allowing use of ingress controllers
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+  tls:
+    - secretName: nextcloud-tls
+      hosts:
+        - nextcloud.dgse.cloud
+  labels: {}
+  path: /
+  pathType: Prefix
+
+# Allow configuration of lifecycle hooks
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+lifecycle: {}
+# lifecycle:
+#   postStartCommand: []
+#   preStopCommand: []
+
+phpClientHttpsFix:
+  enabled: false
+  protocol: https
+
+nextcloud:
+  host: nextcloud.dgse.cloud
+#  username: admin
+#  password: changeme
+  ## Use an existing secret
+  existingSecret:
+    enabled: true
+    secretName: nextcloud-secret
+    usernameKey: nextcloud-username
+    passwordKey: nextcloud-password
+    tokenKey: ""
+    smtpUsernameKey: smtp-username
+    smtpPasswordKey: smtp-password
+    smtpHostKey: smtp-host
+  update: 0
+  # If web server is not binding default port, you can define it
+  containerPort: 80
+  datadir: /var/www/html/data
+  persistence:
+    subPath:
+  # if set, we'll template this list to the NEXTCLOUD_TRUSTED_DOMAINS env var
+  trustedDomains: []
+  ## SMTP configuration
+  mail:
+    enabled: false
+    # the user we send email as
+    fromAddress: user
+    # the domain we send email from
+    domain: domain.com
+    smtp:
+      host: domain.com
+      secure: ssl
+      port: 465
+      authtype: LOGIN
+      name: user
+      password: pass
+  ## Primary ObjectStore options
+  # see: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#configuring-object-storage-as-primary-storage
+  objectStore:
+    # https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
+    s3:
+      enabled: false
+      # ignored if nextcloud.objectstore.s3.existingSecret is not empty string
+      accessKey: ""
+      # ignored if nextcloud.objectstore.s3.existingSecret is not empty string
+      secretKey: ""
+      # use legacy auth method
+      legacyAuth: false
+      # s3 endpoint to use; only required if you're not using AWS
+      host: ""
+      # use TLS/SSL for S3 connections
+      ssl: true
+      # default port that can be changed based on your object store, e.g. for minio, you can use 9000
+      port: "443"
+      # this is the default in the nextcloud docs
+      region: "eu-west-1"
+      # required if using s3, the name of the bucket you'd like to use
+      bucket: ""
+      # object prefix in bucket
+      prefix: ""
+      # set to true if you are not using DNS for your buckets.
+      usePathStyle: false
+      # autocreate the bucket
+      autoCreate: false
+      # optonal parameter: you probably want to keep this as default
+      storageClass: "STANDARD"
+      # server side encryption key. learn more: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#s3-sse-c-encryption-support
+      sse_c_key: ""
+      # use an existingSecret for S3 credentials. If set, we ignore the following under nextcloud.objectStore.s3
+      # endpoint, accessKey, secretKey
+      existingSecret: ""
+      secretKeys:
+        # key in nextcloud.objectStore.s3.existingSecret to use for s3 endpoint
+        host: ""
+        # key in nextcloud.objectStore.s3.existingSecret to use for s3 accessKeyID
+        accessKey: ""
+        # key in nextcloud.objectStore.s3.existingSecret to use for s3 secretAccessKey
+        secretKey: ""
+        # key in nextcloud.objectStore.s3.existingSecret to use for the s3 bucket
+        bucket: ""
+        # key in nextcloud.objectStore.s3.existingSecret to use for the s3 sse_c_key
+        sse_c_key: ""
+    ## options related to using Swift as a primary object storage
+    # https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#openstack-swift
+    swift:
+      enabled: false
+      # swift user info
+      user:
+        domain: "Default"
+        name: ""
+        password: ""
+      # swift project info
+      project:
+        name: ""
+        domain: "Default"
+      # The Identity / Keystone endpoint
+      url: ""
+      region: ""
+      # optional on some swift implementations
+      service: "swift"
+      # the container to store the data in
+      container: ""
+      # autocreate container
+      autoCreate: false
+
+  ## PHP Configuration files
+  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
+  phpConfigs: {}
+  ## Default config files that utilize environment variables:
+  # see: https://github.com/nextcloud/docker/tree/master#auto-configuration-via-environment-variables
+  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
+  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/.config
+  defaultConfigs:
+    # To protect /var/www/html/config
+    .htaccess: true
+    # Apache configuration for rewrite urls
+    apache-pretty-urls.config.php: true
+    # Define APCu as local cache
+    apcu.config.php: true
+    # Apps directory configs
+    apps.config.php: true
+    # Used for auto configure database
+    autoconfig.php: true
+    # Redis default configuration
+    redis.config.php: true
+    # Reverse proxy default configuration
+    reverse-proxy.config.php: true
+    # S3 Object Storage as primary storage
+    s3.config.php: true
+    # SMTP default configuration via environment variables
+    smtp.config.php: true
+    # Swift Object Storage as primary storage
+    swift.config.php: true
+    # disables the web based updater as the default nextcloud docker image does not support it
+    upgrade-disable-web.config.php: true
+    # -- imaginary support config
+    imaginary.config.php: false
+
+  # Extra config files created in /var/www/html/config/
+  # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
+  configs: {}
+  # For example, to enable image and text file previews:
+  #  previews.config.php: |-
+  #    <?php
+  #    $CONFIG = array (
+  #      'enable_previews' => true,
+  #      'enabledPreviewProviders' => array (
+  #        'OC\Preview\Movie',
+  #        'OC\Preview\PNG',
+  #        'OC\Preview\JPEG',
+  #        'OC\Preview\GIF',
+  #        'OC\Preview\BMP',
+  #        'OC\Preview\XBitmap',
+  #        'OC\Preview\MP3',
+  #        'OC\Preview\MP4',
+  #        'OC\Preview\TXT',
+  #        'OC\Preview\MarkDown',
+  #        'OC\Preview\PDF'
+  #      ),
+  #    );
+
+  # Hooks for auto configuration
+  # Here you could write small scripts which are placed in `/docker-entrypoint-hooks.d/<hook-name>/helm.sh`
+  # ref: https://github.com/nextcloud/docker?tab=readme-ov-file#auto-configuration-via-hook-folders
+  hooks:
+    pre-installation:
+    post-installation:
+    pre-upgrade:
+    post-upgrade:
+    before-starting:
+
+  ## Strategy used to replace old pods
+  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+  strategy:
+    type: Recreate
+    # type: RollingUpdate
+    # rollingUpdate:
+    #   maxSurge: 1
+    #   maxUnavailable: 0
+
+  ##
+  ## Extra environment variables
+  extraEnv:
+  #  - name: SOME_SECRET_ENV
+  #    valueFrom:
+  #      secretKeyRef:
+  #        name: nextcloud
+  #        key: secret_key
+
+  # Extra init containers that runs before pods start.
+  extraInitContainers: []
+  #  - name: do-something
+  #    image: busybox
+  #    command: ['do', 'something']
+
+  # Extra sidecar containers.
+  extraSidecarContainers: []
+  #  - name: nextcloud-logger
+  #    image: busybox
+  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
+  #    volumeMounts:
+  #    - name: nextcloud-data
+  #      mountPath: /run/nextcloud/data
+
+  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
+  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
+  extraVolumes:
+  #  - name: nfs
+  #    nfs:
+  #      server: "10.0.0.1"
+  #      path: "/nextcloud_data"
+  #      readOnly: false
+  extraVolumeMounts:
+  #  - name: nfs
+  #    mountPath: "/legacy_data"
+
+  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
+  # For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
+  podSecurityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Settings for the MariaDB init container
+  mariaDbInitContainer:
+    resources: {}
+    # Set mariadb initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+  # Settings for the PostgreSQL init container
+  postgreSqlInitContainer:
+    resources: {}
+    # Set postgresql initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+nginx:
+  ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
+  enabled: false
+
+  image:
+    repository: nginx
+    tag: alpine
+    pullPolicy: IfNotPresent
+
+  containerPort: 80
+  # This configures nginx to listen on either IPv4, IPv6 or both
+  ipFamilies:
+    - IPv4
+    # - IPv6
+  config:
+    # This generates the default nginx config as per the nextcloud documentation
+    default: true
+    headers:
+      # -- HSTS settings
+      # WARNING: Only add the preload option once you read about
+      # the consequences in https://hstspreload.org/. This option
+      # will add the domain to a hardcoded list that is shipped
+      # in all major browsers and getting removed from this list
+      # could take several months.
+      # Example:
+      # "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload;"
+      "Strict-Transport-Security": ""
+      "Referrer-Policy": "no-referrer"
+      "X-Content-Type-Options": "nosniff"
+      "X-Frame-Options": "SAMEORIGIN"
+      "X-Permitted-Cross-Domain-Policies": "none"
+      "X-Robots-Tag": "noindex, nofollow"
+      "X-XSS-Protection": "1; mode=block"
+
+    # Added in server block of default config.
+    serverBlockCustom: |
+      # set max upload size
+      client_max_body_size 10G;
+      client_body_timeout 300s;
+      fastcgi_buffers 64 4K;
+      fastcgi_read_timeout 3600s;
+
+    custom:
+    # custom: |-
+    #     worker_processes  1;..
+
+  resources: {}
+
+  # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  # the nginx alpine container default user is 82
+  #   runAsUser: 82
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+
+  ## Extra environment variables
+  extraEnv: []
+  #  - name: SOME_ENV
+  #    value: ENV_VALUE
+
+internalDatabase:
+  enabled: true
+  name: nextcloud
+
+##
+## External database configuration
+##
+externalDatabase:
+  enabled: false
+
+  ## Supported database engines: mysql or postgresql
+  type: mysql
+
+  ## Database host. You can optionally include a colon delimited port like "myhost:1234"
+  host: ""
+
+  ## Database user
+  user: nextcloud
+
+  ## Database password
+  password: ""
+
+  ## Database name
+  database: nextcloud
+
+  ## Use a existing secret
+  existingSecret:
+    enabled: false
+    # secretName: nameofsecret
+    usernameKey: db-username
+    passwordKey: db-password
+    # hostKey: db-hostname-or-ip
+    # databaseKey: db-name
+
+global:
+  security:
+    # required for bitnamilegacy repos
+    allowInsecureImages: true
+
+##
+## MariaDB chart configuration
+## ref: https://github.com/bitnami/charts/tree/main/bitnami/mariadb
+##
+mariadb:
+  ## Whether to deploy a mariadb server from the bitnami mariab db helm chart
+  # to satisfy the applications database requirements. if you want to deploy this bitnami mariadb, set this and externalDatabase to true
+  # To use an ALREADY DEPLOYED mariadb database, set this to false and configure the externalDatabase parameters
+  enabled: false
+
+  image:
+    repository: bitnamilegacy/mariadb
+
+  # see: https://github.com/bitnami/charts/tree/main/bitnami/mariadb#global-parameters
+  global:
+    # overwrites the primary.persistence.storageClass value
+    defaultStorageClass: ""
+
+  auth:
+    database: nextcloud
+    username: nextcloud
+    password: changeme
+    # Use existing secret (auth.rootPassword, auth.password, and auth.replicationPassword will be ignored).
+    # secret must contain the keys mariadb-root-password, mariadb-replication-password and mariadb-password
+    existingSecret: ""
+
+  architecture: standalone
+
+  ## Enable persistence using Persistent Volume Claims
+  ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+  ##
+  primary:
+    persistence:
+      enabled: false
+      # Use an existing Persistent Volume Claim (must be created ahead of time)
+      existingClaim: ""
+      storageClass: ""
+      accessMode: ReadWriteOnce
+      size: 8Gi
+
+##
+## PostgreSQL chart configuration
+## for more options see https://github.com/bitnami/charts/tree/main/bitnami/postgresql
+##
+postgresql:
+  enabled: false
+  image:
+    repository: bitnamilegacy/postgresql
+  global:
+    postgresql:
+      # global.postgresql.auth overrides postgresql.auth
+      auth:
+        username: nextcloud
+        password: changeme
+        database: nextcloud
+        # Name of existing secret to use for PostgreSQL credentials.
+        # auth.postgresPassword, auth.password, and auth.replicationPassword will be ignored and picked up from this secret.
+        # secret might also contains the key ldap-password if LDAP is enabled.
+        # ldap.bind_password will be ignored and picked from this secret in this case.
+        existingSecret: ""
+        # Names of keys in existing secret to use for PostgreSQL credentials
+        secretKeys:
+          adminPasswordKey: ""
+          userPasswordKey: ""
+          replicationPasswordKey: ""
+  primary:
+    persistence:
+      enabled: false
+      # Use an existing Persistent Volume Claim (must be created ahead of time)
+      # existingClaim: ""
+      # storageClass: ""
+
+##
+## External Redis configuration
+##
+externalRedis:
+  enabled: false
+
+  ## Redis host
+  host: ""
+
+  ## Redis port
+  port: "6379"
+
+  ## Redis password
+  password: ""
+
+  ## Use a existing secret
+  existingSecret:
+    enabled: false
+    # secretName: nameofsecret
+    passwordKey: redis-password
+
+##
+## Redis chart configuration
+## for more options see https://github.com/bitnami/charts/tree/main/bitnami/redis
+##
+
+redis:
+  enabled: false
+  image:
+    repository: bitnamilegacy/redis
+  auth:
+    enabled: true
+    password: "changeme"
+    # name of an existing secret with Redis® credentials (instead of auth.password), must be created ahead of time
+    existingSecret: ""
+    # Password key to be retrieved from existing secret
+    existingSecretPasswordKey: ""
+  # Since Redis is used for caching only, you might want to use a storageClass with different reclaim policy and backup settings
+  global:
+    storageClass: ""
+  master:
+    persistence:
+      enabled: true
+  replica:
+    persistence:
+      enabled: true
+
+##
+## Collabora chart configuration
+## for more options see https://github.com/CollaboraOnline/online/tree/master/kubernetes/helm/collabora-online
+##
+collabora:
+  enabled: false
+
+  autoscaling:
+    # enable autocaling, please check collabora README.md first
+    enabled: false
+
+  collabora:
+    ## HTTPS nextcloud domain, if needed
+    aliasgroups: []
+    #   - host: "https://nextcloud.domain:443"
+
+    # set extra parameters for collabora
+    # you may need to add --o:ssl.termination=true
+    extra_params: --o:ssl.enable=false
+
+    ## Specify server_name when the hostname is not reachable directly for
+    # example behind reverse-proxy. example: collabora.domain
+    server_name: null
+
+    existingSecret:
+      # set to true to to get collabora admin credentials from an existin secret
+      # if set, ignores collabora.collabora.username and password
+      enabled: false
+      # name of existing Kubernetes Secret with collboara admin credentials
+      secretName: ""
+      usernameKey: "username"
+      passwordKey: "password"
+
+    # setup admin login credentials, these are ignored if
+    # collabora.collabora.existingSecret.enabled=true
+    password: examplepass
+    username: admin
+
+  # setup ingress
+  ingress:
+    # enable ingress for collabora online
+    enabled: false
+    className: ""
+    # please check collabora values.yaml for nginx/haproxy annotations examples
+    annotations: {}
+    hosts:
+      - host: chart-example.local
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls: []
+    #  - secretName: collabora-ingress-tls
+    #    hosts:
+    #      - collabora.domain
+
+  # see collabora helm README.md for recommended values
+  resources: {}
+
+## Cronjob to execute Nextcloud background tasks
+## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
+##
+cronjob:
+  enabled: false
+
+  # Either 'sidecar' or 'cronjob'
+  type: sidecar
+
+  # Runs crond as a sidecar container in the Nextcloud pod
+  # Note: crond requires root
+  sidecar:
+    ## Cronjob sidecar resource requests and limits
+    ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+    ##
+    resources: {}
+
+    # Allow configuration of lifecycle hooks
+    # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+    lifecycle: {}
+    # lifecycle:
+    #   postStartCommand: []
+    #   preStopCommand: []
+    # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+    #   runAsUser: 33
+    #   runAsGroup: 33
+    #   runAsNonRoot: true
+    #   readOnlyRootFilesystem: true
+
+    # The command the cronjob container executes.
+    command:
+      - /cron.sh
+
+  # Uses a Kubernetes CronJob to execute the Nextcloud cron tasks
+  # Note: can run as non-root user. Should run as same user as the Nextcloud pod.
+  cronjob:
+    # Use a CronJob instead of crond sidecar container
+    # crond does not work when not running as root user
+    # Note: requires `persistence.enabled=true`
+    schedule: "*/5 * * * *"
+    successfulJobsHistoryLimit: 3
+    failedJobsHistoryLimit: 5
+    # -- Additional labels for cronjob
+    labels: {}
+    # -- Additional labels for cronjob pod
+    podLabels: {}
+    annotations: {}
+    backoffLimit: 1
+    affinity: {}
+    # Often RWO volumes are used. But the cronjob pod needs access to the same volume as the nextcloud pod.
+    # Depending on your provider two pods on the same node can still access the same volume.
+    # Following config ensures that the cronjob pod is scheduled on the same node as the nextcloud pod.
+    # affinity:
+    #   podAffinity:
+    #     requiredDuringSchedulingIgnoredDuringExecution:
+    #       - labelSelector:
+    #           matchExpressions:
+    #             - key: app.kubernetes.io/name
+    #               operator: In
+    #               values:
+    #                 - nextcloud
+    #             - key: app.kubernetes.io/component
+    #               operator: In
+    #               values:
+    #                 - app
+    #         topologyKey: kubernetes.io/hostname
+
+    ## Resource requests and limits
+    ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+    ##
+    resources: {}
+    # Allow configuration of lifecycle hooks
+    # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+    # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+    #   runAsUser: 33
+    #   runAsGroup: 33
+    #   runAsNonRoot: true
+    #   readOnlyRootFilesystem: true
+
+    # The command to run in the cronjob container
+    # Example to incerase memory limit: php -d memory_limit=2G ...
+    command:
+      - php
+      - -f
+      - /var/www/html/cron.php
+      - --
+      - --verbose
+
+service:
+  type: ClusterIP
+  port: 8080
+  loadBalancerIP: ""
+  nodePort:
+  # -- use additional annotation on service for nextcloud
+  annotations: {}
+  # -- Set this to "ClientIP" to make sure that connections from the same client
+  # are passed to the same Nextcloud pod each time.
+  sessionAffinity: ""
+  sessionAffinityConfig: {}
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+  # Nextcloud Data (/var/www/html)
+  enabled: true
+  annotations: {}
+  labels: {}
+  ## nextcloud data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  storageClass: "local-path"
+
+  ## A manually managed Persistent Volume and Claim
+  ## Requires persistence.enabled: true
+  ## If defined, PVC must be created manually before volume will be bound
+  # existingClaim:
+
+  accessMode: ReadWriteOnce
+  size: 50Gi
+
+  ## Use an additional pvc for the data directory rather than a subpath of the default PVC
+  ## Useful to store data on a different storageClass (e.g. on slower disks)
+  nextcloudData:
+    enabled: false
+    subPath:
+    labels: {}
+    annotations: {}
+    # storageClass: "-"
+    # existingClaim:
+    accessMode: ReadWriteOnce
+    size: 8Gi
+
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# resources:
+#   limits:
+#    cpu: 100m
+#    memory: 128Mi
+#   requests:
+#    cpu: 100m
+#    memory: 128Mi
+
+## Liveness and readiness probe values
+## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+##
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+  successThreshold: 1
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+  successThreshold: 1
+startupProbe:
+  enabled: false
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 30
+  successThreshold: 1
+
+## Enable pod autoscaling using HorizontalPodAutoscaler
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+##
+hpa:
+  enabled: false
+  cputhreshold: 60
+  minPods: 1
+  maxPods: 10
+
+nodeSelector: {}
+
+tolerations: []
+
+# -- Nextcloud pod topologySpreadConstraints
+topologySpreadConstraints: []
+
+affinity: {}
+
+dnsConfig: {}
+# Custom dns config for Nextcloud containers.
+# You can for example configure ndots. This may be needed in some clusters with alpine images.
+# options:
+#   - name: ndots
+#     value: "1"
+
+imaginary:
+  # -- Start Imgaginary
+  enabled: false
+  # -- Number of imaginary pod replicas to deploy
+  replicaCount: 1
+
+  image:
+    # -- Imaginary image registry
+    registry: docker.io
+    # -- Imaginary image name
+    repository: h2non/imaginary
+    # -- Imaginary image tag
+    tag: 1.2.4
+    # -- Imaginary image pull policy
+    pullPolicy: IfNotPresent
+    # -- Imaginary image pull secrets
+    pullSecrets: []
+
+  # -- Additional annotations for imaginary
+  podAnnotations: {}
+  # -- Additional labels for imaginary
+  podLabels: {}
+  # -- Imaginary pod nodeSelector
+  nodeSelector: {}
+  # -- Imaginary pod tolerations
+  tolerations: []
+  # -- Imaginary pod topologySpreadConstraints
+  topologySpreadConstraints: []
+
+  # -- imaginary resources
+  resources: {}
+
+  # -- Optional security context for the Imaginary container
+  securityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+
+  # -- Optional security context for the Imaginary pod (applies to all containers in the pod)
+  podSecurityContext: {}
+  # runAsNonRoot: true
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+    timeoutSeconds: 1
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+    timeoutSeconds: 1
+
+  service:
+    # -- Imaginary: Kubernetes Service type
+    type: ClusterIP
+    # -- Imaginary: LoadBalancerIp for service type LoadBalancer
+    loadBalancerIP:
+    # -- Imaginary: NodePort for service type NodePort
+    nodePort:
+    # -- Additional annotations for service imaginary
+    annotations: {}
+    # -- Additional labels for service imaginary
+    labels: {}
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+  enabled: false
+
+  replicaCount: 1
+  # Optional: becomes NEXTCLOUD_SERVER env var in the nextcloud-exporter container.
+  # Without it, we will use the full name of the nextcloud service
+  server: ""
+  # The metrics exporter needs to know how you serve Nextcloud either http or https
+  https: false
+  # Use API token if set, otherwise fall back to password authentication
+  # https://github.com/xperimental/nextcloud-exporter#token-authentication
+  # Currently you still need to set the token manually in your nextcloud install
+  token: ""
+  timeout: 5s
+  # if set to true, exporter skips certificate verification of Nextcloud server.
+  tlsSkipVerify: false
+  info:
+    # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
+    # Enables gathering of apps-related metrics. Defaults to false
+    apps: false
+    update: false
+
+  image:
+    repository: xperimental/nextcloud-exporter
+    tag: 0.8.0
+    pullPolicy: IfNotPresent
+    # pullSecrets:
+    #   - myRegistrKeySecretName
+
+  ## Metrics exporter resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources: {}
+
+  # -- Metrics exporter pod Annotation
+  podAnnotations: {}
+
+  # -- Metrics exporter pod Labels
+  podLabels: {}
+
+  # -- Metrics exporter pod nodeSelector
+  nodeSelector: {}
+
+  # -- Metrics exporter pod tolerations
+  tolerations: []
+
+  # -- Metrics exporter pod affinity
+  affinity: {}
+
+  service:
+    type: ClusterIP
+    # Use serviceLoadBalancerIP to request a specific static IP,
+    # otherwise leave blank
+    loadBalancerIP:
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9205"
+    labels: {}
+
+  # -- security context for the metrics CONTAINER in the pod
+  securityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+
+  # -- security context for the metrics POD
+  podSecurityContext: {}
+  # runAsNonRoot: true
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+  ## Prometheus Operator ServiceMonitor configuration
+  ##
+  serviceMonitor:
+    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+    ##
+    enabled: false
+
+    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+    ##
+    namespace: ""
+
+    ## @param metrics.serviceMonitor.namespaceSelector The selector of the namespace where the target service is located (defaults to the release namespace)
+    namespaceSelector:
+
+    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+    ##
+    jobLabel: ""
+
+    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    interval: 30s
+
+    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    scrapeTimeout: ""
+
+    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
+    ##
+    labels: {}
+
+  rules:
+    # -- Deploy Prometheus Rules (Alerts) for the exporter
+    # @section -- Metrics
+    enabled: false
+    # -- Label on Prometheus Rules CRD Manifest
+    # @section -- Metrics
+    labels: {}
+    defaults:
+      # -- Add Default Rules
+      # @section -- Metrics
+      enabled: true
+      # -- Label on the rules (the severity is already set)
+      # @section -- Metrics
+      labels: {}
+      # -- Filter on metrics on alerts (default just for this helm-chart)
+      # @section -- Metrics
+      filter: ""
+    # -- Add own Rules to Prometheus Rules
+    # @section -- Metrics
+    additionalRules: []
+
+rbac:
+  enabled: false
+  serviceaccount:
+    create: true
+    name: nextcloud-serviceaccount
+    annotations: {}
+
+## @param securityContext for nextcloud pod @deprecated Use `nextcloud.podSecurityContext` instead
+securityContext: {}

manifests/artemis/ntfy/basicauth.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: basic-auth
-spec:
-  basicAuth:
-    secret: basic-auth

manifests/artemis/ntfy/configmap.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ntfy
-data:
-  server.yml: |
-    # Template: https://github.com/binwiederhier/ntfy/blob/main/server/server.yml
-    base-url: https://notifications.dgse.cloud
-    enable-login: true
-    enable-signup: false
-    upstream-base-url: "https://ntfy.sh"

manifests/artemis/ntfy/deployment.yaml

@@ -1,33 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ntfy
-spec:
-  selector:
-    matchLabels:
-      app: ntfy
-  template:
-    metadata:
-      labels:
-        app: ntfy
-    spec:
-      containers:
-        - name: ntfy
-          image: binwiederhier/ntfy
-          args: ["serve"]
-          resources:
-            limits:
-              memory: "128Mi"
-              cpu: "500m"
-          ports:
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - name: config
-              mountPath: "/etc/ntfy"
-              readOnly: true
-      volumes:
-        - name: config
-          configMap:
-            name: ntfy

manifests/artemis/ntfy/ingress.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ntfy-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`notifications.dgse.cloud`)
-      kind: Rule
-      middlewares:
-        - name: basic-auth
-      services:
-        - name: ntfy
-          port: 80
-  tls:
-    secretName: letsencrypt

manifests/artemis/ntfy/service.yaml

@@ -1,12 +0,0 @@
----
-# Basic service for port 80
-apiVersion: v1
-kind: Service
-metadata:
-  name: ntfy
-spec:
-  selector:
-    app: ntfy
-  ports:
-    - port: 80
-      targetPort: 80

manifests/artemis/penpot/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: penpot
     repo: http://helm.penpot.app
-    version: 0.28.0
+    version: 0.32.0
     releaseName: penpot
     namespace: penpot
     valuesFile: values.yaml

manifests/artemis/uptime-kuma/deployment.yaml

@@ -21,7 +21,7 @@ spec:
     spec:
       containers:
         - name: uptime-kuma
-          image: louislam/uptime-kuma:1.23.16
+          image: louislam/uptime-kuma:2.0.2
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3001

manifests/artemis/vault/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: vault
     repo: https://helm.releases.hashicorp.com/
-    version: 0.30.0
+    version: 0.31.0
     releaseName: vault
     namespace: vault
     valuesFile: values.yaml

manifests/artemis/vaultwarden/kustomization.yaml

@@ -7,7 +7,7 @@ metadata:
 helmCharts:
   - name: vaultwarden
     repo: https://guerzon.github.io/vaultwarden/
-    version: 0.31.8
+    version: 0.34.4
     releaseName: vaultwarden
     namespace: vaultwarden
     valuesFile: values.yaml

mkdocs.yaml

@@ -0,0 +1,7 @@
+---
+site_name: "Nextcloud"
+site_description: "Self-hosted file hosting service"
+nav:
+  - Introduction: index.md
+plugins:
+  - techdocs-core

renovate.json

@@ -3,6 +3,9 @@
     "config:base"  
   ],
   "labels": ["Kind/Security"],
+  "major": {
+    "addLabels": ["Priority/High"]
+  },
   "minor": {
     "addLabels": ["Priority/Medium"]
   },
@@ -16,6 +19,10 @@
     {
       "updateTypes": ["minor", "patch", "pin", "digest"],
       "automerge": false
+    },
+    {
+      "matchFiles": ["**/values.yaml", "**/values/*.yaml"],
+      "enabled": false
     }
   ]
 }