chore(apps): Add catalog

apps/adguard.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: adguard
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/adguard
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: adguard

apps/dawarich.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dawarich
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/dawarich
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dawarich

apps/ghostfolio.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ghostfolio
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/ghostfolio
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ghostfolio

apps/immich.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: immich
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/immich
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: immich

apps/mastodon.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mastodon
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/mastodon
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: mastodon

apps/mealie.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mealie
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/mealie
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: mealie

apps/netbird.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: netbird
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/netbird
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: netbird

apps/paperless.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: paperless
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/paperless
+    targetRevision: master
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: paperless

apps/zitadel.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: zitadel
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/zitadel
+    targetRevision: dev
+    path: manifests
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: zitadel

environments/prod/bootstrap/kustomization.yaml

@@ -3,18 +3,21 @@ kind: Kustomization
 
 resources:
   # MetalLB installation and configuration
-- github.com/metallb/metallb/config/native?ref=v0.14.3
+- github.com/metallb/metallb/config/native?ref=v0.14.9
   # Traefik CRD
   #- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
   #- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
   # Cert manager CRD
-- https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.crds.yaml
   # Longhorn CRD
-- https://raw.githubusercontent.com/longhorn/longhorn/v1.7.2/deploy/longhorn.yaml
+- https://raw.githubusercontent.com/longhorn/longhorn/v1.8.1/deploy/longhorn.yaml
   # SOPS secrets operator CRDs
 - https://raw.githubusercontent.com/isindir/sops-secrets-operator/master/config/crd/bases/isindir.github.com_sopssecrets.yaml
   # Install CoudNativePG operator
-- https://github.com/cloudnative-pg/cloudnative-pg/raw/refs/heads/main/releases/cnpg-1.24.1.yaml
+- https://github.com/cloudnative-pg/cloudnative-pg/raw/refs/heads/main/releases/cnpg-1.25.0.yaml
+  # Install Valkey operator
+  #- https://github.com/hyperspike/valkey-operator/releases/download/v0.0.57/install.yaml
+  #- ../../../valkey-operator
 
 patches:
 - path: ./metallb-patch.yaml

longhorn/daily-backup.yaml

@@ -0,0 +1,15 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: daily-backup
+  namespace: longhorn-system
+spec:
+  cron: "0 0 * * *"
+  task: backup
+  groups:
+  - standard-pvc
+  retain: 2
+  concurrency: 2
+  labels:
+    recurrence: daily
+    group: standard-pvc

longhorn/hourly-snapshot.yaml

@@ -0,0 +1,15 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: hourly-snapshot
+  namespace: longhorn-system
+spec:
+  cron: "0 * * * *"
+  task: snapshot
+  groups:
+  - standard-pvc
+  retain: 10
+  concurrency: 2
+  labels:
+    recurrence: hourly
+    group: standard-pvc

longhorn/kustomization.yaml

@@ -3,6 +3,9 @@ kind: Kustomization
 
 resources:
   - ingress.yaml
-  - recurrent-backup.yaml
+  - daily-backup.yaml
+  - weekly-backup.yaml
+  - monthly-backup.yaml
+  - hourly-snapshot.yaml
   - secrets.yaml
   - servicemonitor.yaml

longhorn/monthly-backup.yaml

@@ -0,0 +1,15 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: monthly-backup
+  namespace: longhorn-system
+spec:
+  cron: "0 0 1 * *"
+  task: backup
+  groups:
+  - standard-pvc
+  retain: 2
+  concurrency: 2
+  labels:
+    recurrence: monthly
+    group: standard-pvc

longhorn/weekly-backup.yaml

@@ -0,0 +1,15 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: weekly-backup
+  namespace: longhorn-system
+spec:
+  cron: "0 0 * * 0"
+  task: backup
+  groups:
+  - standard-pvc
+  retain: 2
+  concurrency: 2
+  labels:
+    recurrence: weekly
+    group: standard-pvc

metallb/configmap.yaml

@@ -8,5 +8,6 @@ data:
     ipaddress-pools:
     - name: default
       addresses:
+      - 10.10.0.0/24
       - 10.20.0.0/24
       - 51.15.80.73/32

metallb/ipaddresspool.yaml

@@ -7,3 +7,4 @@ spec:
   addresses:
     - 51.15.80.73/32
     - 10.10.0.0/24
+    - 10.20.0.0/24

minecraft/deployment.yaml

@@ -1,35 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: minecraft
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: minecraft
-  template:
-    metadata:
-      labels:
-        app: minecraft
-    spec:
-      containers:
-        - name: minecraft
-          image: itzg/minecraft-server
-          ports:
-            - containerPort: 25565
-              protocol: TCP
-          env:
-            - name: EULA
-              value: "TRUE"
-          volumeMounts:
-            - name: minecraft-data
-              mountPath: /data/world
-              subPath: world
-      volumes:
-        - name: minecraft-data
-          persistentVolumeClaim:
-              claimName: minecraft-pvc
-      nodeSelector:
-          kubernetes.io/hostname: "archimedes"
-      securityContext:
-          fsGroup: 1000

minecraft/ingress.yaml

@@ -1,13 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
-    name: minecrafttcp
-spec:
-    entryPoints:
-      - minecrafttcp
-
-    routes:
-      - match: HostSNI(`*`)
-        services:
-          - name: minecraft-svc-tcp
-            port: 25565

minecraft/pvc.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-    name: minecraft-pvc
-spec:
-    accessModes:
-        - ReadWriteOnce
-    resources:
-        requests:
-            storage: 5Gi
-    storageClassName: flat-storage-class

minecraft/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-    name: minecraft-svc-tcp
-
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      port: 25565
-  selector:
-    app: minecraft

nginx/external/deploy.yaml

@@ -351,6 +351,30 @@ spec:
     port: 443
     protocol: TCP
     targetPort: https
+  - name: netbird-one-udp
+    port: 3478
+    protocol: UDP
+    targetPort: netbird-one-udp
+  - name: netbird-one-tcp
+    port: 3478
+    protocol: TCP
+    targetPort: netbird-one-tcp
+  - name: netbird-two-udp
+    port: 5349
+    protocol: UDP
+    targetPort: netbird-two-udp
+  - name: netbird-two-tcp
+    port: 5349
+    protocol: TCP
+    targetPort: netbird-two-tcp
+  - name: netbird-rel-tcp
+    port: 33080
+    protocol: TCP
+    targetPort: netbird-rel-tcp
+  - name: netbird-rel-udp
+    port: 33080
+    protocol: UDP
+    targetPort: netbird-rel-udp
   - name: prometheus
     port: 10254
     protocol: TCP
@@ -444,6 +468,8 @@ spec:
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
         - --enable-metrics=true
+        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-udp-services
+        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-tcp-services
         env:
         - name: POD_NAME
           valueFrom:
@@ -480,6 +506,24 @@ spec:
         - containerPort: 443
           name: https
           protocol: TCP
+        - containerPort: 3478
+          name: netbird-one-udp
+          protocol: UDP
+        - containerPort: 3478
+          name: netbird-one-tcp
+          protocol: TCP
+        - containerPort: 5349
+          name: netbird-two-udp
+          protocol: UDP
+        - containerPort: 5349
+          name: netbird-two-tcp
+          protocol: TCP
+        - containerPort: 33080
+          name: netbird-rel-tcp
+          protocol: TCP
+        - containerPort: 33080
+          name: netbird-rel-udp
+          protocol: UDP
         - containerPort: 8443
           name: webhook
           protocol: TCP

nginx/external/kustomization.yaml

@@ -4,4 +4,6 @@ kind: Kustomization
 resources:
   - deploy.yaml
   - loadbalancer.yaml
-  - networkpolicy.yaml
+  #- networkpolicy.yaml
+  - udp-services.yaml
+  - tcp-services.yaml

nginx/external/loadbalancer.yaml

@@ -17,5 +17,29 @@ spec:
       port: 443
       protocol: TCP
       targetPort: 443
+    - name: netbird-one-udp
+      port: 3478
+      protocol: UDP
+      targetPort: 3478
+    - name: netbird-one-tcp
+      port: 3478
+      protocol: TCP
+      targetPort: 3478
+    - name: netbird-two-udp
+      port: 5349
+      protocol: UDP
+      targetPort: 5349
+    - name: netbird-two-tcp
+      port: 5349
+      protocol: TCP
+      targetPort: 5349
+    - name: netbird-rel-udp
+      port: 33080
+      protocol: UDP
+      targetPort: 33080
+    - name: netbird-rel-tcp
+      port: 33080
+      protocol: TCP
+      targetPort: 33080
   type: LoadBalancer
   externalTrafficPolicy: Local

nginx/external/networkpolicy.yaml

@@ -21,8 +21,8 @@ spec:
           - 54.224.0.0/11 # Random crawler
     ports:
     - protocol: TCP
-      port: 80
-    - protocol: TCP
-      port: 443
-    - protocol: TCP
-      port: 8443
+      port: 1
+      endPort: 65535
+    - protocol: UDP
+      port: 1
+      endPort: 65535

nginx/external/tcp-services.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-external-ingress-tcp-services
+  namespace: nginx-ingress
+data:
+  "3478": "netbird/netbird-turn-svc:3478"
+  "5349": "netbird/netbird-turn-svc:5349"
+  "33080": "netbird/netbird-relay-svc:33080"

nginx/external/udp-services.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-external-ingress-udp-services
+  namespace: nginx-ingress
+data:
+  "3478": "netbird/netbird-turn-svc:3478"
+  "5349": "netbird/netbird-turn-svc:5349"
+  "33080": "netbird/netbird-relay-svc:33080"

nginx/internal/deploy.yaml

@@ -341,6 +341,14 @@ spec:
   - IPv4
   ipFamilyPolicy: SingleStack
   ports:
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+    targetPort: dns-tcp
+  - name: dns-udp
+    port: 53
+    protocol: TCP
+    targetPort: dns-udp
   - appProtocol: http
     name: http
     port: 80
@@ -444,6 +452,8 @@ spec:
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
         - --enable-metrics=true
+        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-udp-services
+        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-tcp-services
         env:
         - name: POD_NAME
           valueFrom:
@@ -474,6 +484,12 @@ spec:
           timeoutSeconds: 1
         name: controller
         ports:
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 53
+          name: dns-udp
+          protocol: UDP
         - containerPort: 80
           name: http
           protocol: TCP

nginx/internal/kustomization.yaml

@@ -3,4 +3,7 @@ kind: Kustomization
 
 resources:
   - deploy.yaml
-  - loadbalancer.yaml
+  - loadbalancer-local.yaml
+  - loadbalancer-vpn.yaml
+  - udp-services.yaml
+  - tcp-services.yaml

nginx/internal/loadbalancer-local.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-internal-ingress-controller-loadbalancer-local
+  namespace: nginx-ingress
+spec:
+  selector:
+    app.kubernetes.io/component: controller-internal
+    app.kubernetes.io/instance: nginx-internal-ingress
+    app.kubernetes.io/name: nginx-internal-ingress
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    - name: dns-tcp
+      port: 53
+      protocol: TCP
+      targetPort: 53
+    - name: dns-udp
+      port: 53
+      protocol: UDP
+      targetPort: 53
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 10.10.0.16

nginx/internal/loadbalancer-vpn.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-internal-ingress-controller-loadbalancer-vpn
+  namespace: nginx-ingress
+spec:
+  selector:
+    app.kubernetes.io/component: controller-internal
+    app.kubernetes.io/instance: nginx-internal-ingress
+    app.kubernetes.io/name: nginx-internal-ingress
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    - name: dns-tcp
+      port: 53
+      protocol: TCP
+      targetPort: 53
+    - name: dns-udp
+      port: 53
+      protocol: UDP
+      targetPort: 53
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 10.20.0.1

nginx/internal/tcp-services.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-internal-ingress-tcp-services
+  namespace: nginx-ingress
+data:
+  "53": "adguard/adguard-svc:53"

nginx/internal/udp-services.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-internal-ingress-udp-services
+  namespace: nginx-ingress
+data:
+  "53": "adguard/adguard-svc:53"