
26 Commits 88e8e908c6 ... 9322c00ff2

  Victor Lavaud 9322c00ff2 Add volleybot.yaml há 2 dias atrás
  Victor Lavaud ab49518182 Use nfs-client in transmission há 2 dias atrás
  Victor Lavaud 99a7d25590 Use nfs-vrt in ToR há 2 dias atrás
  Victor Lavaud 85829facc3 Force version 8.6.1-v1.6.0 of puppet há 2 dias atrás
  Victor Lavaud e2a6319ffa Use 100Gi in nfs-vrt for ollama há 2 dias atrás
  Victor Lavaud b8c2909b84 Do not expose ollama through ingress há 2 dias atrás
  Victor Lavaud a80f04dbd7 Remove default models from ollama to boot faster há 2 dias atrás
  Victor Lavaud 14bf2e80cd Add nvidia type to openllm há 2 dias atrás
  Victor Lavaud 70929791c5 Use nfs-vrt and include size of llm model storage há 2 dias atrás
  Victor Lavaud 1bf4c574b6 Include multiple GPU há 2 dias atrás
  Victor Lavaud 532b9d2c0b Upgrade nextcloud to version 29.0.5 há 2 dias atrás
  Victor Lavaud 8613c9e159 Enable dualstack IP for monitoring helm há 2 dias atrás
  Victor Lavaud 68c93d508a Add monitoring values.yaml há 1 semana atrás
  Victor Lavaud b14ddc8e5b Update kube-monitoring default values há 3 semanas atrás
  Victor Lavaud 5582ec1773 Remove gradewhisperer ingress há 3 semanas atrás
  Victor Lavaud 0f3faad75d Add homeassistant ingress to homeassistant.yaml há 3 semanas atrás
  Victor Lavaud 27a40a0f94 Only schedule homeassistant on nodes with bluetooth há 3 semanas atrás
  Victor Lavaud 48f9fc60a0 Add namespace homeassistant há 3 semanas atrás
  Victor Lavaud d1eba60a4c Change storage class and size for kube monitoring stack há 3 semanas atrás
  Victor Lavaud 3c2c5d2212 Upgrade nvidia helm chart há 1 mês atrás
  Victor Lavaud 99bfef3c55 Adds PV and PVC for pics há 1 mês atrás
  Victor Lavaud efac0a580c Use external pics for nextcloud há 1 mês atrás
  Victor Lavaud 60b18ffbdd Use VRT as mariadb há 1 mês atrás
  Victor Lavaud 951207f90b Use VRT as NFS for IPFS há 1 mês atrás
  Victor Lavaud e349ec3508 Mount external pics on Nextcloud path há 1 mês atrás
  Victor Lavaud 3b66427c06 Add DBUS socket to HomeAssistant há 1 mês atrás

+ 50 - 0
homeasistant/homeassistant.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: homeassistant
+  namespace: homeassistant
 spec:
   replicas: 1
   selector:
@@ -9,6 +10,7 @@ spec:
       name: homeassistant
   template:
     metadata:
+      namespace: homeassistant
       labels:
         name: homeassistant
     spec:
@@ -21,6 +23,10 @@ spec:
                 operator: In
                 values:
                   - local
+              - key: has_bluetooth
+                operator: In
+                values:
+                  - "true"
       hostNetwork: true
       containers:
         - name: homeassistant
@@ -32,6 +38,8 @@ spec:
           volumeMounts:
           - name: homeassistant
             mountPath: /config
+          - name: dbus-socket
+            mountPath: /var/run/dbus/system_bus_socket
           ports:
             - containerPort: 8123
               name: http
@@ -39,11 +47,16 @@ spec:
       - name: homeassistant
         persistentVolumeClaim:
           claimName: homeassistant
+      - name: dbus-socket
+        hostPath:
+          path: /var/run/dbus/system_bus_socket
+          type: Socket
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: homeassistant
+  namespace: homeassistant
 spec:
   ipFamilyPolicy: PreferDualStack
   type: NodePort
@@ -60,6 +73,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: homeassistant
+  namespace: homeassistant
 spec:
   storageClassName: nfs-vrt
   accessModes:
@@ -67,3 +81,39 @@ spec:
   resources:
     requests:
       storage: 300Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: homeassistant
+  name: homeassistant-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.org/client-max-body-size: "500m"
+    nginx.org/proxy-connect-timeout: "60s"
+    nginx.org/proxy-read-timeout: "60s"
+    nginx.org/hsts: "True"
+    nginx.org/hsts-max-age: "15552000"
+    # Uncomment to allow solving HTTP01 challenge
+    nginx.org/redirect-to-https: "true"
+    nginx.org/location-snippets: |
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+spec:
+  tls:
+  - hosts:
+    - ha.dodges.it
+    secretName: ha-le-secret
+  rules:
+  - host: ha.dodges.it
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: homeassistant
+            port:
+              number: 8123
+  ingressClassName: nginx
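Review bot: The new `dbus-socket` volume (L77-L80) mounts the host's system D-Bus socket into a pod that already runs with `hostNetwork: true`, which hands the container a control channel to the host system bus; that is presumably what the bluetooth integration needs, but it deserves a comment stating why, and the pod should not share a namespace with untrusted workloads since PodSecurity `baseline` rejects both `hostPath` volumes and `hostNetwork`. In the visible lines the container carries no `securityContext` or `resources`, so at least `allowPrivilegeEscalation: false` is worth trying if the integration tolerates it. Separately, `# Uncomment to allow solving HTTP01 challenge` at L116 sits above an active `nginx.org/redirect-to-https: "true"`, so it reads as stale; reword it to `# Set to "false" only while solving the HTTP01 challenge` or drop it. `nginx.org/hsts: "True"` at L114 is capitalised differently from the other boolean-valued annotations (`"true"`); normalising to lowercase avoids relying on the controller parsing case-insensitively.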

+ 0 - 32
ingress/ingress.yaml

@@ -403,38 +403,6 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
-metadata:
-  name: gradewhisperer-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-    nginx.org/client-max-body-size: "500m"
-    nginx.org/proxy-connect-timeout: "60s"
-    nginx.org/proxy-read-timeout: "60s"
-    nginx.org/hsts: "False"
-    # Uncomment to allow solving HTTP01 challenge
-    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.org/redirect-to-https: "false"
-spec:
-  tls:
-  - hosts:
-    - gradewhisperer.dodges.it
-    secretName: gradewhisperer-le-secret
-  rules:
-  - host: gradewhisperer.dodges.it
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: gradewhisperer
-            port:
-              number: 80
-  ingressClassName: nginx
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
 metadata:
   name: osmedeus-ingress
   annotations:

+ 1 - 1
ipfs/ipfs-pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: ipfs
 spec:
-  storageClassName: manual
+  storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
   resources:
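Review bot: `spec.storageClassName` on a PersistentVolumeClaim is immutable once the claim exists, so applying the changed value at L190 to the live `ipfs` claim will be rejected by the API server rather than migrating anything; the claim has to be deleted and re-created and the data copied off the old `manual` volume, which the commit does not document. The same applies to the `storageClassName` changes in mariadb/mariadb-pvc.yaml, tor/tor-pvc.yaml, transmission/transmission-pvc.yaml and ollama/open-webui.yaml. In ollama/open-webui.yaml the request also grows from 10Gi to 200Gi, which on its own is accepted only if the `nfs-vrt` class has `allowVolumeExpansion: true`, so that is worth checking before rollout. A comment above the field such as `# Changing the class requires re-creating the PVC and migrating data` would spare the next reader the surprise.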

+ 2 - 2
mariadb/mariadb-pvc.yaml

@@ -4,7 +4,7 @@ metadata:
   namespace: mariadb
   name: mariadb-master-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-vrt
   accessModes:
     - ReadWriteMany
   resources:
@@ -17,7 +17,7 @@ metadata:
   namespace: mariadb
   name: mariadb-replicas-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-vrt
   accessModes:
     - ReadWriteMany
   resources:

+ 186 - 19
monitoring/values.yaml

@@ -174,6 +174,10 @@ defaultRules:
   ## Prefix for runbook URLs. Use this to override the first part of the runbookURLs that is common to all rules.
   runbookUrl: "https://runbooks.prometheus-operator.dev/runbooks"
 
+  node:
+    fsSelector: 'fstype!=""'
+    # fsSelector: 'fstype=~"ext[234]|btrfs|xfs|zfs"'
+
   ## Disabled PrometheusRule alerts
   disabled: {}
   # KubeAPIDown: true
@@ -275,6 +279,10 @@ alertmanager:
   ##
   apiVersion: v2
 
+  ## @param alertmanager.enableFeatures Enable access to Alertmanager disabled features.
+  ##
+  enableFeatures: []
+
   ## Service account for Alertmanager to use.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##
@@ -286,8 +294,6 @@ alertmanager:
 
   ## Configure pod disruption budgets for Alertmanager
   ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
-  ## This configuration is immutable once created and will require the PDB to be deleted to be changed
-  ## https://github.com/kubernetes/kubernetes/issues/45398
   ##
   podDisruptionBudget:
     enabled: false
@@ -478,6 +484,10 @@ alertmanager:
     annotations: {}
     labels: {}
     clusterIP: ""
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
 
     ## Port for Alertmanager Service to listen on
     ##
@@ -752,8 +762,8 @@ alertmanager:
     storage:
       volumeClaimTemplate:
         spec:
-          storageClassName: nfs-client
-          accessModes: ["ReadWriteOnce"]
+          storageClassName: nfs-vrt
+          accessModes: ["ReadWriteMany"]
           resources:
             requests:
               storage: 50Gi
@@ -1021,10 +1031,10 @@ grafana:
     persistence:
       enabled: true
       type: sts
-      storageClassName: "nfs-client"
+      storageClassName: "nfs-vrt"
       accessModes:
-        - ReadWriteOnce
-      size: 20Gi
+        - ReadWriteMany
+      size: 50Gi
       finalizers:
         - kubernetes.io/pvc-protection
 
@@ -1058,6 +1068,7 @@ grafana:
       defaultDatasourceEnabled: true
       isDefaultDatasource: true
 
+      name: Prometheus
       uid: prometheus
 
       ## URL of prometheus datasource
@@ -1092,6 +1103,7 @@ grafana:
         # traceIdLabelName: trace_id
       alertmanager:
         enabled: true
+        name: Alertmanager
         uid: alertmanager
         handleGrafanaManagedAlerts: false
         implementation: prometheus
@@ -1122,10 +1134,17 @@ grafana:
   #   url: https://{{ printf "%s-prometheus.svc" .Release.Name }}:9090
   #   version: 1
 
+  # Flag to mark provisioned data sources for deletion if they are no longer configured.
+  # It takes no effect if data sources are already listed in the deleteDatasources section.
+  # ref: https://grafana.com/docs/grafana/latest/administration/provisioning/#example-data-source-config-file
+  prune: false
+
   ## Passed to grafana subchart and used by servicemonitor below
   ##
   service:
     portName: http-web
+    ipFamilies: []
+    ipFamilyPolicy: ""
 
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator
@@ -1292,6 +1311,12 @@ kubelet:
     ##
     https: true
 
+    ## Skip TLS certificate validation when scraping.
+    ## This is enabled by default because kubelet serving certificate deployed by kubeadm is by default self-signed
+    ## ref: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs
+    ##
+    insecureSkipVerify: true
+
     ## Enable scraping /metrics/cadvisor from kubelet's service
     ##
     cAdvisor: true
@@ -1460,6 +1485,10 @@ kubeControllerManager:
     ##
     port: null
     targetPort: null
+    ipDualStack:
+      enabled: true
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   component: kube-controller-manager
 
@@ -1546,6 +1575,11 @@ coreDns:
     enabled: true
     port: 9153
     targetPort: 9153
+
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   k8s-app: kube-dns
   serviceMonitor:
@@ -1622,6 +1656,10 @@ kubeDns:
     skydns:
       port: 10055
       targetPort: 10055
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   k8s-app: kube-dns
   serviceMonitor:
@@ -1719,6 +1757,10 @@ kubeEtcd:
     enabled: true
     port: 2381
     targetPort: 2381
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   component: etcd
 
@@ -1823,6 +1865,10 @@ kubeScheduler:
     ##
     port: null
     targetPort: null
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   component: kube-scheduler
 
@@ -1916,6 +1962,10 @@ kubeProxy:
     enabled: true
     port: 10249
     targetPort: 10249
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
     # selector:
     #   k8s-app: kube-proxy
 
@@ -2086,6 +2136,13 @@ prometheus-node-exporter:
     - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
   service:
     portName: http-metrics
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
+    labels:
+      jobLabel: node-exporter
+
   prometheus:
     monitor:
       enabled: true
@@ -2174,6 +2231,25 @@ prometheusOperator:
     # The default webhook port is 10250 in order to work out-of-the-box in GKE private clusters and avoid adding firewall rules.
     internalPort: 10250
 
+  ## Liveness probe for the prometheusOperator deployment
+  ##
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 0
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  ## Readiness probe for the prometheusOperator deployment
+  ##
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 0
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+
   ## Admission webhook support for PrometheusRules resources added in Prometheus Operator 0.30 can be enabled to prevent incorrectly formatted
   ## rules from making their way into prometheus and potentially preventing the container from starting
   admissionWebhooks:
@@ -2195,6 +2271,15 @@ prometheusOperator:
     #   argocd.argoproj.io/hook-delete-policy: HookSucceeded
 
     namespaceSelector: {}
+    objectSelector: {}
+
+    mutatingWebhookConfiguration:
+      annotations: {}
+      #   argocd.argoproj.io/hook: PreSync
+
+    validatingWebhookConfiguration:
+      annotations: {}
+      #   argocd.argoproj.io/hook: PreSync
 
     deployment:
       enabled: false
@@ -2239,6 +2324,10 @@ prometheusOperator:
         annotations: {}
         labels: {}
         clusterIP: ""
+        ipDualStack:
+          enabled: false
+          ipFamilies: ["IPv6", "IPv4"]
+          ipFamilyPolicy: "PreferDualStack"
 
         ## Port to expose on each node
         ## Only used if service.type is 'NodePort'
@@ -2422,6 +2511,7 @@ prometheusOperator:
       ## Provide a priority class name to the webhook patching job
       ##
       priorityClassName: ""
+      ttlSecondsAfterFinished: 60
       annotations: {}
       #   argocd.argoproj.io/hook: PreSync
       #   argocd.argoproj.io/hook-delete-policy: HookSucceeded
@@ -2440,6 +2530,12 @@ prometheusOperator:
         runAsUser: 2000
         seccompProfile:
           type: RuntimeDefault
+      ## Service account for Prometheus Operator Webhook Job Patch to use.
+      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+      ##
+      serviceAccount:
+        create: true
+        automountServiceAccountToken: true
 
     # Security context for create job container
     createSecretJob:
@@ -2527,6 +2623,10 @@ prometheusOperator:
     annotations: {}
     labels: {}
     clusterIP: ""
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
 
   ## Port to expose on each node
   ## Only used if service.type is 'NodePort'
@@ -2592,6 +2692,7 @@ prometheusOperator:
     ##
     enabled: true
     namespace: kube-system
+    selector: ""
     ## Use '{{ template "kube-prometheus-stack.fullname" . }}-kubelet' by default
     name: ""
 
@@ -2809,7 +2910,7 @@ prometheusOperator:
   thanosImage:
     registry: quay.io
     repository: thanos/thanos
-    tag: v0.34.1
+    tag: v0.36.1
     sha: ""
 
   ## Set a Label Selector to filter watched prometheus and prometheusAgent
@@ -2904,6 +3005,13 @@ prometheus:
     ##
     type: ClusterIP
 
+    ## Service dual stack
+    ##
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
+
     ## gRPC port config
     portName: grpc
     port: 10901
@@ -2986,6 +3094,10 @@ prometheus:
     annotations: {}
     labels: {}
     clusterIP: ""
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
 
     ## Port for Prometheus Service to listen on
     ##
@@ -3078,10 +3190,15 @@ prometheus:
     ##
     type: ClusterIP
 
+    ## Service dual stack
+    ##
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
+
   ## Configure pod disruption budgets for Prometheus
   ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
-  ## This configuration is immutable once created and will require the PDB to be deleted to be changed
-  ## https://github.com/kubernetes/kubernetes/issues/45398
   ##
   podDisruptionBudget:
     enabled: false
@@ -3296,8 +3413,23 @@ prometheus:
   ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#prometheusspec
   ##
   prometheusSpec:
+    ## Statefulset's persistent volume claim retention policy
+    ## pvcDeleteOnStsDelete and pvcDeleteOnStsScale determine whether
+    ## statefulset's PVCs are deleted (true) or retained (false) on scaling down
+    ## and deleting statefulset, respectively. Requires 1.27.0+.
+    ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+    persistentVolumeClaimRetentionPolicy: {}
+    #  whenDeleted: Retain
+    #  whenScaled: Retain
+
     ## If true, pass --storage.tsdb.max-block-duration=2h to prometheus. This is already done if using Thanos
     ##
+    ## AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod,
+    ## If the field isn’t set, the operator mounts the service account token by default.
+    ## Warning: be aware that by default, Prometheus requires the service account token for Kubernetes service discovery,
+    ## It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.
+    automountServiceAccountToken: true
+
     disableCompaction: false
     ## APIServerConfig
     ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#apiserverconfig
@@ -3318,6 +3450,16 @@ prometheus:
     ##
     scrapeTimeout: ""
 
+    ## List of scrape classes to expose to scraping objects such as
+    ## PodMonitors, ServiceMonitors, Probes and ScrapeConfigs.
+    ##
+    scrapeClasses: []
+    # - name: istio-mtls
+    #   default: false
+    #   tlsConfig:
+    #     caFile: /etc/prometheus/secrets/istio.default/root-cert.pem
+    #     certFile: /etc/prometheus/secrets/istio.default/cert-chain.pem
+
     ## Interval between consecutive evaluations.
     ##
     evaluationInterval: ""
@@ -3358,7 +3500,7 @@ prometheus:
     image:
       registry: quay.io
       repository: prometheus/prometheus
-      tag: v2.50.1
+      tag: v2.54.1
       sha: ""
 
     ## Tolerations for use with node taints
@@ -3679,8 +3821,8 @@ prometheus:
     ##
        volumeClaimTemplate:
          spec:
-           storageClassName: nfs-client
-           accessModes: ["ReadWriteOnce"]
+           storageClassName: nfs-vrt
+           accessModes: ["ReadWriteMany"]
            resources:
              requests:
                storage: 50Gi
@@ -3984,6 +4126,10 @@ prometheus:
     ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#prometheustracingconfig
     tracingConfig: {}
 
+    ## Defines the service discovery role used to discover targets from ServiceMonitor objects and Alertmanager endpoints.
+    ## If set, the value should be either “Endpoints” or “EndpointSlice”. If unset, the operator assumes the “Endpoints” role.
+    serviceDiscoveryRole: ""
+
     ## Additional configuration which is not covered by the properties above. (passed through tpl)
     additionalConfig: {}
 
@@ -3995,7 +4141,7 @@ prometheus:
     ## Defines the maximum time that the `prometheus` container's startup probe
     ## will wait before being considered failed. The startup probe will return
     ## success after the WAL replay is complete. If set, the value should be
-    ## greater than 60 (seconds). Otherwise it will be equal to 600 seconds (15
+    ## greater than 60 (seconds). Otherwise it will be equal to 900 seconds (15
     ## minutes).
     maximumStartupDurationSeconds: 0
 
@@ -4179,8 +4325,6 @@ thanosRuler:
 
   ## Configure pod disruption budgets for ThanosRuler
   ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
-  ## This configuration is immutable once created and will require the PDB to be deleted to be changed
-  ## https://github.com/kubernetes/kubernetes/issues/45398
   ##
   podDisruptionBudget:
     enabled: false
@@ -4226,6 +4370,10 @@ thanosRuler:
     annotations: {}
     labels: {}
     clusterIP: ""
+    ipDualStack:
+      enabled: false
+      ipFamilies: ["IPv6", "IPv4"]
+      ipFamilyPolicy: "PreferDualStack"
 
     ## Port for ThanosRuler Service to listen on
     ##
@@ -4343,7 +4491,7 @@ thanosRuler:
     image:
       registry: quay.io
       repository: thanos/thanos
-      tag: v0.34.1
+      tag: v0.36.1
       sha: ""
 
     ## Namespaces to be selected for PrometheusRules discovery.
@@ -4404,8 +4552,8 @@ thanosRuler:
     storage:
       volumeClaimTemplate:
         spec:
-          storageClassName: nfs-client
-          accessModes: ["ReadWriteOnce"]
+          storageClassName: nfs-vrt
+          accessModes: ["ReadWriteMany"]
           resources:
             requests:
               storage: 50Gi
@@ -4439,6 +4587,10 @@ thanosRuler:
     ##
     externalPrefix:
 
+    ## If true, http://{{ template "kube-prometheus-stack.thanosRuler.name" . }}.{{ template "kube-prometheus-stack.namespace" . }}:{{ .Values.thanosRuler.service.port }}
+    ## will be used as value for externalPrefix
+    externalPrefixNilUsesHelmValues: true
+
     ## The route prefix ThanosRuler registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true,
     ## but the server serves requests under a different route prefix. For example for use with kubectl proxy.
     ##
@@ -4461,6 +4613,10 @@ thanosRuler:
         #   access_key: ""
         #   secret_key: ""
 
+    ## Labels by name to drop before sending to alertmanager
+    ## Maps to the --alert.label-drop flag of thanos ruler.
+    alertDropLabels: []
+
     ## QueryEndpoints defines Thanos querier endpoints from which to query metrics.
     ## Maps to the --query flag of thanos ruler.
     queryEndpoints: []
@@ -4601,6 +4757,17 @@ thanosRuler:
     ##
     portName: "web"
 
+    ## WebTLSConfig defines the TLS parameters for HTTPS
+    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#thanosrulerwebspec
+    web: {}
+
+    ## Additional configuration which is not covered by the properties above. (passed through tpl)
+    additionalConfig: {}
+
+    ## Additional configuration which is not covered by the properties above.
+    ## Useful, if you need advanced templating
+    additionalConfigString: ""
+
   ## ExtraSecret can be used to store various data in an extra secret
   ## (use it for example to store hashed basic auth credentials)
   extraSecret:
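Review bot: The `insecureSkipVerify: true` added under `kubelet` (L329) disables certificate validation for every kubelet scrape, so a misdirected or spoofed kubelet endpoint on the node network would be scraped without error; the comment explains the kubeadm self-signed default, but if this cluster already signs kubelet serving certificates (`serverTLSBootstrap`), the value should be set to `false` here rather than inherited from the upstream chart defaults. The storage changes at L268-L269, L616-L617 and L676-L677 move the Alertmanager, Prometheus and Thanos Ruler claims onto `nfs-vrt`; Prometheus documents NFS-backed local storage as unsupported and a corruption risk for the TSDB, so the choice deserves a comment recording that the risk is accepted, or a different class for the TSDB volume. `accessModes: ["ReadWriteMany"]` on a single-replica StatefulSet is harmless but suggests shared access the TSDB cannot tolerate; `ReadWriteOnce` documents intent better if the class supports it.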

+ 1 - 1
nextcloud/image/Dockerfile

@@ -1,4 +1,4 @@
-FROM nextcloud:29.0.2-apache
+FROM nextcloud:29.0.5-apache
 
 RUN apt-get update && apt-get install -y \
     supervisor \

+ 6 - 1
nextcloud/nextcloud-dply.yaml

@@ -26,7 +26,7 @@ spec:
                   - amd64
       containers:
         - name: nextcloud
-          image: qdii/nextcloud:29.0.3-apache
+          image: qdii/nextcloud:29.0.5-apache
           env:
           - name: MYSQL_DATABASE
             value: "nextcloud"
@@ -72,6 +72,8 @@ spec:
           volumeMounts:
           - name: nextcloud
             mountPath: /var/www/html
+          - name: pics
+            mountPath: /var/www/html/data/qdii/files/pic
           ports:
             - containerPort: 80
               name: http
@@ -92,6 +94,9 @@ spec:
         - name: nextcloud
           persistentVolumeClaim:
             claimName: nextcloud
+        - name: pics
+          persistentVolumeClaim:
+            claimName: pics
 ---
 apiVersion: batch/v1
 kind: CronJob
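Review bot: The `pics` mount at L748-L749 is nested inside the `nextcloud` volume mounted at `/var/www/html`, so whatever the nextcloud PVC holds at `data/qdii/files/pic` is shadowed while the pod runs; a comment next to the mount saying the directory is intentionally served from the separate NFS export would make that explicit. If the pics export is written to from outside Nextcloud, Nextcloud presumably will not see new files until `occ files:scan` runs, which is worth noting alongside the mount or in the CronJob below. The image at L740 is pinned by tag only; `qdii/nextcloud:29.0.5-apache@sha256:<digest>` would make the rollout reproducible now that the image is built in-repo.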

+ 15 - 0
nextcloud/nextcloud-pv.yaml

@@ -13,3 +13,18 @@ spec:
     server: 192.168.2.44
     readOnly: false
 ---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pics-pv
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 3Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /mnt/cns/pics
+    server: 192.168.2.1
+    readOnly: false
+
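Review bot: `pics-pv` (L771-L784) has no `claimRef`, and the `pics` claim added in nextcloud/nextcloud-pvc.yaml has no `volumeName`, so binding relies on the controller matching `storageClassName: manual`, `ReadWriteMany` and a 3Ti capacity; the existing nextcloud claim in that file requests the same 3Ti, and if it also uses the `manual` class then after a re-create either claim could bind to either volume and land on the wrong NFS export. Pinning one side removes the ambiguity, e.g. `volumeName: pics-pv` under the `pics` claim's `spec`, or a `claimRef` with the claim's name and namespace on this volume. The hunk also appends an empty line at L785 after the document, which yamllint's `empty-lines` rule reports at end of file.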

+ 12 - 0
nextcloud/nextcloud-pvc.yaml

@@ -9,3 +9,15 @@ spec:
   resources:
     requests:
       storage: 3Ti
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pics
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 3Ti

+ 72 - 35
nvidia/values.yaml

@@ -3,31 +3,25 @@
 # Use "name" to point to an external ConfigMap with a list of configurations.
 # Use "map" to build an integrated ConfigMap from a set of configurations as
 # part of this helm chart. An example of setting "map" might be:
-# config:
-#   map:
-#     default: |-
-#       version: v1
-#       flags:
-#         migStrategy: none
-#     mig-single: |-
-#       version: v1
-#       flags:
-#         migStrategy: single
-#     mig-mixed: |-
-#       version: v1
-#       flags:
-#         migStrategy: mixed
 config:
-  # ConfigMap name if pulling from an external ConfigMap
-  name: ""
-  # Set of named configs to build an integrated ConfigMap from
-  map: {}
-  # Default config name within the ConfigMap
+  map:
+    default: |-
+      version: v1
+      flags:
+        migStrategy: none
+        failOnInitError: true
+        plugin:
+          passDeviceSpecs: true
+      sharing:
+        timeSlicing:
+          renameByDefault: false
+          failRequestsGreaterThanOne: false
+          resources:
+          - name: nvidia.com/gpu
+            replicas: 5
   default: ""
-  # List of fallback strategies to attempt if no config is selected and no default is provided
   fallbackStrategies: ["named" , "single"]
 
-legacyDaemonsetAPI: null
 compatWithCPUManager: null
 migStrategy: null
 failOnInitError: null
@@ -36,6 +30,7 @@ deviceIDStrategy: null
 nvidiaDriverRoot: null
 gdsEnabled: null
 mofedEnabled: null
+deviceDiscoveryStrategy: null
 
 nameOverride: ""
 fullnameOverride: ""
@@ -59,9 +54,29 @@ podSecurityContext: {}
 securityContext: {}
 
 resources: {}
-nodeSelector:
-  kubernetes.io/hostname: smk.dodges.it
-affinity: {}
+nodeSelector: {}
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        # On discrete-GPU based systems NFD adds the following label where 10de is the NVIDIA PCI vendor ID
+        - key: feature.node.kubernetes.io/pci-10de.present
+          operator: In
+          values:
+          - "true"
+      - matchExpressions:
+        # On some Tegra-based systems NFD detects the CPU vendor ID as NVIDIA
+        - key: feature.node.kubernetes.io/cpu-model.vendor_id
+          operator: In
+          values:
+          - "NVIDIA"
+      - matchExpressions:
+        # We allow a GPU deployment to be forced by setting the following label to "true"
+        - key: "nvidia.com/gpu.present"
+          operator: In
+          values:
+          - "true"
 tolerations:
   # This toleration is deprecated. Kept here for backward compatibility
   # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
@@ -79,15 +94,31 @@ priorityClassName: "system-node-critical"
 
 runtimeClassName: null
 
-# Subcharts
+devicePlugin:
+  enabled: true
+
+gfd:
+  enabled: false
+  nameOverride: gpu-feature-discovery
+  namespaceOverride: ""
+  noTimestamp: null
+  sleepInterval: null
+  securityContext:
+    # privileged access is required for the gpu-feature-discovery to access the
+    # vgpu info on a host.
+    # TODO: This should be optional and detected automatically.
+    privileged: true
+
+# Helm dependency
 nfd:
   nameOverride: node-feature-discovery
   enableNodeFeatureApi: false
   master:
-    extraLabelNs:
-      - nvidia.com
     serviceAccount:
       name: node-feature-discovery
+      create: true
+    config:
+      extraLabelNs: ["nvidia.com"]
 
   worker:
     tolerations:
@@ -104,13 +135,19 @@ nfd:
         pci:
           deviceClassWhitelist:
           - "02"
-          - "0200"
-          - "0207"
-          - "0300"
-          - "0302"
+          - "03"
           deviceLabelFields:
           - vendor
-gfd:
-  enabled: false
-  nameOverride: gpu-feature-discovery
-  namespaceOverride: ""
+
+mps:
+  # root specifies the location where files and folders for managing MPS will
+  # be created. This includes a daemon-specific /dev/shm and pipe and log
+  # directories.
+  # Pipe directories will be created at {{ mps.root }}/{{ .ResourceName }}
+  root: "/run/nvidia/mps"
+
+
+cdi:
+  # nvidiaHookPath specifies the path to the nvidia-cdi-hook or nvidia-ctk executables on the host.
+  # This is required to ensure that the generated CDI specification refers to the correct CDI hooks.
+  nvidiaHookPath: null
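Review bot: `gfd.securityContext.privileged: true` (L916) is inert while `gfd.enabled: false` (L907), but it silently becomes a privileged DaemonSet the moment feature discovery is switched on; the upstream TODO is carried in verbatim, so a local comment such as `# privileged only takes effect once gfd.enabled is true` beside `enabled: false` keeps that coupling visible. The `timeSlicing` block at L843-L848 advertises 5 replicas per `nvidia.com/gpu`; the plugin's time-slicing gives no memory or fault isolation between the pods sharing a device, so a comment stating that the replica count is a scheduling split, not a hard quota, would prevent it being read as one. Two consecutive blank lines at L955-L956 where the rest of the file uses one is a minor layout inconsistency.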

+ 2 - 2
ollama/open-webui.yaml

@@ -60,12 +60,12 @@ metadata:
   name: open-webui-data
   namespace: llm
 spec:
-  storageClassName: nfs-client
+  storageClassName: nfs-vrt
   accessModes:
     - ReadWriteMany
   resources:
     requests:
-      storage: 10Gi
+      storage: 200Gi
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

+ 23 - 26
ollama/values.yaml

@@ -1,34 +1,31 @@
 ollama:
   gpu:
     enabled: true
+    type: "nvidia"
     number: 1 
-  models: 
-    - mistral
-    - mixtral
-    - gemma
 ingress:
-  enabled: true
-  className: "nginx"
-  annotations:
-    acme.cert-manager.io/http01-edit-in-place: "true"
-    cert-manager.io/cluster-issuer: "letsencrypt"
-    nginx.org/client-max-body-size: "500m"
-    nginx.org/proxy-connect-timeout: "60s"
-    nginx.org/proxy-read-timeout: "60s"
-    nginx.org/redirect-to-https: "false"
-    ingress.kubernetes.io/ssl-redirect: "false"
-  hosts:
-    - host: "llm.dodges.it"
-      paths:
-        - path: "/"
-          pathType: "Prefix"
-  tls:
-    - hosts:
-      - llm.dodges.it
-      secretName: llm-le-secret
+  enabled: false
+  # className: "nginx"
+  # annotations:
+  #   acme.cert-manager.io/http01-edit-in-place: "true"
+  #   cert-manager.io/cluster-issuer: "letsencrypt"
+  #   nginx.org/client-max-body-size: "500m"
+  #   nginx.org/proxy-connect-timeout: "60s"
+  #   nginx.org/proxy-read-timeout: "60s"
+  #   nginx.org/redirect-to-https: "true"
+  #   ingress.kubernetes.io/ssl-redirect: "true"
+  # hosts:
+  #   - host: "llm.dodges.it"
+  #     paths:
+  #       - path: "/"
+  #         pathType: "Prefix"
+  # tls:
+  #   - hosts:
+  #     - llm.dodges.it
+  #     secretName: llm-le-secret
 persistentVolume:
-  enabled: "true"
-  storageClass: "nfs-client"
-  size: "200Gi"
+  enabled: true
+  storageClass: "nfs-vrt"
+  size: "100Gi"
 nodeSelector:
   nvidia.com/gpu.present: "true"
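Review bot: The ingress block is disabled at L1014 but kept as a commented-out copy (L1015-L1032), and inside that dead copy `redirect-to-https` and `ssl-redirect` were flipped from `"false"` to `"true"`, so the comment no longer records what was last deployed and re-enabling it would change behaviour without that being obvious. Commented-out configuration drifts like this; either delete the block (history keeps it) or leave it byte-identical to the last live version and note the intended change separately.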

+ 2 - 0
puppet/values.yaml

@@ -11,6 +11,7 @@ puppetdb:
     PUPPETDB_JAVA_ARGS: "-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xloggc:/opt/puppetlabs/server/data/puppetdb/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048"
   service:
     type: ClusterIP
+  tag: "8.6.0-v1.6.0"
 puppetboard:
   enabled: false
 puppetserver:
@@ -23,6 +24,7 @@ puppetserver:
     extraEnv:
       AUTOSIGN: true
   image: "ghcr.io/voxpupuli/container-puppetserver"
+  tag: "8.6.1-v1.6.0"
 global:
   postgresql:
     auth:

+ 0 - 15
tor/tor-pv.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: tor
-spec:
-  storageClassName: manual
-  capacity:
-    storage: 10Mi
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /volume1/NFS/tor
-    server: 192.168.2.44
-    readOnly: false
----

+ 1 - 1
tor/tor-pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: tor
 spec:
-  storageClassName: manual
+  storageClassName: nfs-vrt
   accessModes:
     - ReadWriteOnce
   resources:

+ 4 - 4
transmission/transmission-pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: transmission-dl-incomplete-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
   resources:
@@ -15,7 +15,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: transmission-dl-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
   resources:
@@ -27,7 +27,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: transmission-config-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
   resources:
@@ -39,7 +39,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: transmission-watch-pvc
 spec:
-  storageClassName: manual
+  storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
   resources:

+ 95 - 0
volleybot/volleybot.yaml

@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vbt
+  namespace: vbt
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: vbt
+  template:
+    metadata:
+      namespace: vbt
+      labels:
+        name: vbt
+        nginx: backend
+    spec:
+      containers:
+        - name: vbt
+          env:
+          - name: TWILIO_ACCOUNT_SID
+            valueFrom:
+              secretKeyRef:
+                name: twilio
+                key: account_sid
+          - name: TWILIO_AUTH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: twilio
+                key: auth_token
+          - name: TWILIO_WA_PHONE_NUMBER
+            value: '+41795757244'
+          image: qdii/volleybot:0.0.1
+          imagePullPolicy: "Always"
+          ports:
+            - containerPort: 8000
+              name: http
+          livenessProbe:
+            initialDelaySeconds: 300
+            timeoutSeconds: 10
+            httpGet:
+              path: "/api/healthz"
+              port: 8000
+              httpHeaders:
+                - name: Host
+                  value: "vbt.dodges.it"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vbt
+  namespace: vbt
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  selector:
+    name: vbt
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000
+      name: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vbt-ingress
+  namespace: vbt
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.org/client-max-body-size: "500m"
+    nginx.org/proxy-connect-timeout: "60s"
+    nginx.org/proxy-read-timeout: "60s"
+    # Uncomment to allow solving HTTP01 challenge
+    nginx.org/hsts: "false"
+    ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.org/redirect-to-https: "false"
+spec:
+  tls:
+  - hosts:
+    - vbt.dodges.it
+    secretName: vbt-le-secret
+  rules:
+  - host: vbt.dodges.it
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vbt
+            port:
+              number: 8000
+  ingressClassName: nginx
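Review bot: The Ingress configures TLS for `vbt.dodges.it` but leaves `nginx.org/hsts`, `ingress.kubernetes.io/ssl-redirect` and `nginx.org/redirect-to-https` at `"false"` (L1215-L1217), so the application is also served over plain HTTP, and the preceding `# Uncomment to allow solving HTTP01 challenge` describes a state that does not match the active lines; once the certificate is issued these should be flipped to `"true"` as the homeassistant Ingress in this same set does, with the comment reworded to `# Set to "false" only while solving the HTTP01 challenge`. The container at L1158-L1185 has no `resources`, no `securityContext` (e.g. `runAsNonRoot: true`, `allowPrivilegeEscalation: false`) and no `readinessProbe`, so the Service routes to the pod before `/api/healthz` answers and the process runs as the image's default user. `imagePullPolicy: "Always"` with the mutable tag `qdii/volleybot:0.0.1` means a re-push of the same tag changes what runs; a digest pin would make it reproducible. `TWILIO_WA_PHONE_NUMBER` is a plain literal while the other Twilio values come from the `twilio` Secret; moving it into the same Secret keeps the account details in one place.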