skrd/server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: skrd:c2e732730a888009354a6460b4dfb5d759049d86
Branches Tags
skrd:main
..
compare: skrd:main
Branches Tags
skrd:main

23 Commits
c2e732730a ... main

Author SHA1 Message Date
Daniel
7cde2f5123 Version ya no es necesaio en archivos compose 2026-02-16 20:32:23 -03:00
Daniel
b6efc9f55a Quitando variable sin utilizar de traefik 2026-02-16 20:30:42 -03:00
Daniel
888fac609f Fijando versiones a los contenedores 2026-02-16 20:25:23 -03:00
Daniel
f6d7848914 Quitando mas de crowdsec 2026-02-16 20:12:21 -03:00
Daniel
a38f0c6487 Quitando configuracion de crowdsec 2026-02-16 20:09:13 -03:00
Daniel
c48fb6bf3a Corrigiendo traefik 2026-02-16 20:04:23 -03:00
Daniel
b1a09b76b3 Corrigiendo stack de miniflux 2026-02-16 19:53:56 -03:00
Daniel
bda189c903 Quitando crowdsec 2026-02-16 19:39:45 -03:00
Daniel
daccaf3819 Actualizando configuracion de stacks 2026-02-16 07:51:58 -03:00
Daniel
e425b0c137 Actualizando detalles de home assistant y traefik 2025-11-09 03:54:15 -03:00
Daniel
12f2d718e3 Agregando configuración de home assistant 2025-11-09 01:34:24 -03:00
Daniel
056f0cdb1d Agregando nueva configuración para instalar pihole 2025-11-08 21:38:24 -03:00
Daniel
6abc71f90e Actualizando stacks 2025-11-08 21:36:11 -03:00
Daniel
cc93471cb0 Mejorando configuracion de stacks usando traefik 2025-11-08 01:11:42 -03:00
Daniel
115aac9d2a Merge branch 'main' of git.skrd.fun:skrd/server 2025-11-07 20:01:20 -03:00
Daniel
1e67c4200e Cambiando stacks 2025-11-07 20:01:06 -03:00
skrd
7623c6d744 Configurando moka 2025-10-08 01:42:45 -03:00
skrd
5426e4327d Agregando sitios 2025-10-03 00:26:54 -03:00
Daniel
eb2ab36dc3 Jugandoc on ceph 2025-09-24 20:01:10 -03:00
Daniel
94188f3249 organizando ceph y empezando a crear object storage 2025-06-14 21:48:18 -04:00
Daniel
14d762d085 lanzando cnpg 2025-06-14 16:57:17 -04:00
Daniel Cortes
22bfe3ad64 cephs funcionando! no se que cambio :p 2025-06-13 21:49:54 -04:00
Daniel Cortes
85ffc06ac2 Intentando cambiar a ceph, aun falla~ 2025-06-13 09:17:54 -04:00
120 changed files with 20893 additions and 450 deletions
Expand all files Collapse all files

21
manifest/01-traefik/middlewares.yml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
namespace: default
name: allow-local-only
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.0.0/16
- 10.0.0.0/8
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: default
spec:
redirectScheme:
scheme: https
permanent: true

22
manifest/01-traefik/traefik.yml
View File

@@ -14,25 +14,3 @@ spec:
- "--providers.kubernetesingress.allowexternalnameservices" - "--providers.kubernetesingress.allowexternalnameservices"
- "--providers.kubernetescrd.allowexternalnameservices" - "--providers.kubernetescrd.allowexternalnameservices"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
namespace: default
name: allow-local-only
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.0.0/16
- 10.0.0.0/8
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: default
spec:
redirectScheme:
scheme: https
permanent: true

0
manifest/08-dashboard/admin-user.yml → manifest/03-dashboard/admin-user.yml
View File

0
manifest/08-dashboard/dashboard.yml → manifest/03-dashboard/dashboard.yml
View File

0
manifest/08-dashboard/get-secret.sh → manifest/03-dashboard/get-secret.sh Normal file → Executable file
View File

63
manifest/03-dashboard/ingress.yml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
namespace: kubernetes-dashboard
name: allow-local-only
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.0.0/16
- 10.0.0.0/8
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: kubernetes-dashboard
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: insecure-transport
namespace: kubernetes-dashboard
spec:
insecureSkipVerify: true
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dashboard-certificate
namespace: kubernetes-dashboard
spec:
secretName: k8s-skrd-fun-tls
dnsNames:
- "k8s.skrd.fun"
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: dashboard-ingress
namespace: kubernetes-dashboard
spec:
entryPoints:
- websecure
routes:
- match: "Host(`k8s.skrd.fun`)"
kind: Rule
middlewares:
- name: allow-local-only
- name: redirect-https
services:
- name: kubernetes-dashboard-kong-proxy
port: 443
serversTransport: insecure-transport
tls:
secretName: k8s-skrd-fun-tls

0
manifest/08-dashboard/role-binding.yml → manifest/03-dashboard/role-binding.yml
View File

0
manifest/08-dashboard/secret.yml → manifest/03-dashboard/secret.yml
View File

356
manifest/04-ceph/base/cluster.yaml Normal file
View File

@@ -0,0 +1,356 @@
#################################################################################################################
# Define the settings for the rook-ceph cluster with common settings for a production cluster.
# All nodes with available raw devices will be used for the Ceph cluster. At least three nodes are required
# in this example. See the documentation for more details on storage settings available.
# For example, to create the cluster:
# kubectl create -f crds.yaml -f common.yaml -f operator.yaml
# kubectl create -f cluster.yaml
#################################################################################################################
apiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
name: rook-ceph
namespace: rook-ceph # namespace:cluster
spec:
cephVersion:
# The container image used to launch the Ceph daemon pods (mon, mgr, osd, mds, rgw).
# v18 is Reef, v19 is Squid
# RECOMMENDATION: In production, use a specific version tag instead of the general v19 flag, which pulls the latest release and could result in different
# versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
# If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.2-20250409
# This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
image: quay.io/ceph/ceph:v19.2.2
# Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
# Future versions such as Tentacle (v20) would require this to be set to `true`.
# Do not set to true in production.
allowUnsupported: false
# The path on the host where configuration files will be persisted. Must be specified. If there are multiple clusters, the directory must be unique for each cluster.
# Important: if you reinstall the cluster, make sure you delete this directory from each host or else the mons will fail to start on the new cluster.
# In Minikube, the '/data' directory is configured to persist across reboots. Use "/data/rook" in Minikube environment.
dataDirHostPath: /var/lib/rook
# Whether or not upgrade should continue even if a check fails
# This means Ceph's status could be degraded and we don't recommend upgrading but you might decide otherwise
# Use at your OWN risk
# To understand Rook's upgrade process of Ceph, read https://rook.io/docs/rook/latest/ceph-upgrade.html#ceph-version-upgrades
skipUpgradeChecks: false
# Whether or not continue if PGs are not clean during an upgrade
continueUpgradeAfterChecksEvenIfNotHealthy: false
# WaitTimeoutForHealthyOSDInMinutes defines the time (in minutes) the operator would wait before an OSD can be stopped for upgrade or restart.
# If the timeout exceeds and OSD is not ok to stop, then the operator would skip upgrade for the current OSD and proceed with the next one
# if `continueUpgradeAfterChecksEvenIfNotHealthy` is `false`. If `continueUpgradeAfterChecksEvenIfNotHealthy` is `true`, then operator would
# continue with the upgrade of an OSD even if its not ok to stop after the timeout. This timeout won't be applied if `skipUpgradeChecks` is `true`.
# The default wait timeout is 10 minutes.
waitTimeoutForHealthyOSDInMinutes: 10
# Whether or not requires PGs are clean before an OSD upgrade. If set to `true` OSD upgrade process won't start until PGs are healthy.
# This configuration will be ignored if `skipUpgradeChecks` is `true`.
# Default is false.
upgradeOSDRequiresHealthyPGs: false
mon:
# Set the number of mons to be started. Generally recommended to be 3.
# For highest availability, an odd number of mons should be specified.
count: 3
# The mons should be on unique nodes. For production, at least 3 nodes are recommended for this reason.
# Mons should only be allowed on the same node for test environments where data loss is acceptable.
allowMultiplePerNode: false
mgr:
# When higher availability of the mgr is needed, increase the count to 2.
# In that case, one mgr will be active and one in standby. When Ceph updates which
# mgr is active, Rook will update the mgr services to match the active mgr.
count: 2
allowMultiplePerNode: false
modules:
# List of modules to optionally enable or disable.
# Note the "dashboard" and "monitoring" modules are already configured by other settings in the cluster CR.
- name: rook
enabled: true
# enable the ceph dashboard for viewing cluster status
dashboard:
enabled: true
# serve the dashboard under a subpath (useful when you are accessing the dashboard via a reverse proxy)
# urlPrefix: /ceph-dashboard
# serve the dashboard at the given port.
# port: 8443
# serve the dashboard using SSL
ssl: false
# The url of the Prometheus instance
# prometheusEndpoint: <protocol>://<prometheus-host>:<port>
# Whether SSL should be verified if the Prometheus server is using https
# prometheusEndpointSSLVerify: false
# enable prometheus alerting for cluster
monitoring:
# requires Prometheus to be pre-installed
enabled: false
# Whether to disable the metrics reported by Ceph. If false, the prometheus mgr module and Ceph exporter are enabled.
# If true, the prometheus mgr module and Ceph exporter are both disabled. Default is false.
metricsDisabled: false
# Ceph exporter metrics config.
exporter:
# Specifies which performance counters are exported.
# Corresponds to --prio-limit Ceph exporter flag
# 0 - all counters are exported
perfCountersPrioLimit: 5
# Time to wait before sending requests again to exporter server (seconds)
# Corresponds to --stats-period Ceph exporter flag
statsPeriodSeconds: 5
network:
connections:
# Whether to encrypt the data in transit across the wire to prevent eavesdropping the data on the network.
# The default is false. When encryption is enabled, all communication between clients and Ceph daemons, or between Ceph daemons will be encrypted.
# When encryption is not enabled, clients still establish a strong initial authentication and data integrity is still validated with a crc check.
# IMPORTANT: Encryption requires the 5.11 kernel for the latest nbd and cephfs drivers. Alternatively for testing only,
# you can set the "mounter: rbd-nbd" in the rbd storage class, or "mounter: fuse" in the cephfs storage class.
# The nbd and fuse drivers are *not* recommended in production since restarting the csi driver pod will disconnect the volumes.
encryption:
enabled: false
# Whether to compress the data in transit across the wire. The default is false.
# See the kernel requirements above for encryption.
compression:
enabled: false
# Whether to require communication over msgr2. If true, the msgr v1 port (6789) will be disabled
# and clients will be required to connect to the Ceph cluster with the v2 port (3300).
# Requires a kernel that supports msgr v2 (kernel 5.11 or CentOS 8.4 or newer).
requireMsgr2: false
# enable host networking
#provider: host
# enable the Multus network provider
#provider: multus
#selectors:
# The selector keys are required to be `public` and `cluster`.
# Based on the configuration, the operator will do the following:
# 1. if only the `public` selector key is specified both public_network and cluster_network Ceph settings will listen on that interface
# 2. if both `public` and `cluster` selector keys are specified the first one will point to 'public_network' flag and the second one to 'cluster_network'
#
# In order to work, each selector value must match a NetworkAttachmentDefinition object in Multus
#
# public: public-conf --> NetworkAttachmentDefinition object name in Multus
# cluster: cluster-conf --> NetworkAttachmentDefinition object name in Multus
# Provide internet protocol version. IPv6, IPv4 or empty string are valid options. Empty string would mean IPv4
#ipFamily: "IPv6"
# Ceph daemons to listen on both IPv4 and Ipv6 networks
#dualStack: false
# Enable multiClusterService to export the mon and OSD services to peer cluster.
# This is useful to support RBD mirroring between two clusters having overlapping CIDRs.
# Ensure that peer clusters are connected using an MCS API compatible application, like Globalnet Submariner.
#multiClusterService:
# enabled: false
# enable the crash collector for ceph daemon crash collection
crashCollector:
disable: false
# Uncomment daysToRetain to prune ceph crash entries older than the
# specified number of days.
#daysToRetain: 30
# enable log collector, daemons will log on files and rotate
logCollector:
enabled: true
periodicity: daily # one of: hourly, daily, weekly, monthly
maxLogSize: 500M # SUFFIX may be 'M' or 'G'. Must be at least 1M.
# automate [data cleanup process](https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/ceph-teardown.md#delete-the-data-on-hosts) in cluster destruction.
cleanupPolicy:
# Since cluster cleanup is destructive to data, confirmation is required.
# To destroy all Rook data on hosts during uninstall, confirmation must be set to "yes-really-destroy-data".
# This value should only be set when the cluster is about to be deleted. After the confirmation is set,
# Rook will immediately stop configuring the cluster and only wait for the delete command.
# If the empty string is set, Rook will not destroy any data on hosts during uninstall.
confirmation: ""
# sanitizeDisks represents settings for sanitizing OSD disks on cluster deletion
sanitizeDisks:
# method indicates if the entire disk should be sanitized or simply ceph's metadata
# in both case, re-install is possible
# possible choices are 'complete' or 'quick' (default)
method: quick
# dataSource indicate where to get random bytes from to write on the disk
# possible choices are 'zero' (default) or 'random'
# using random sources will consume entropy from the system and will take much more time then the zero source
dataSource: zero
# iteration overwrite N times instead of the default (1)
# takes an integer value
iteration: 1
# allowUninstallWithVolumes defines how the uninstall should be performed
# If set to true, cephCluster deletion does not wait for the PVs to be deleted.
allowUninstallWithVolumes: false
# To control where various services will be scheduled by kubernetes, use the placement configuration sections below.
# The example under 'all' would have all services scheduled on kubernetes nodes labeled with 'role=storage-node' and
# tolerate taints with a key of 'storage-node'.
# placement:
# all:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - storage-node
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
# tolerations:
# - key: storage-node
# operator: Exists
# The above placement information can also be specified for mon, osd, and mgr components
# mon:
# Monitor deployments may contain an anti-affinity rule for avoiding monitor
# collocation on the same node. This is a required rule when host network is used
# or when AllowMultiplePerNode is false. Otherwise this anti-affinity rule is a
# preferred rule with weight: 50.
# osd:
# prepareosd:
# mgr:
# cleanup:
annotations:
# all:
# mon:
# mgr:
# osd:
# exporter:
# crashcollector:
# cleanup:
# prepareosd:
# cmdreporter is for jobs to detect ceph and csi versions, and check network status
# cmdreporter:
# clusterMetadata annotations will be applied to only `rook-ceph-mon-endpoints` configmap and the `rook-ceph-mon` and `rook-ceph-admin-keyring` secrets.
# And clusterMetadata annotations will not be merged with `all` annotations.
# clusterMetadata:
# kubed.appscode.com/sync: "true"
# If no mgr annotations are set, prometheus scrape annotations will be set by default.
# mgr:
labels:
# all:
# mon:
# osd:
# cleanup:
# mgr:
# prepareosd:
# These labels are applied to ceph-exporter servicemonitor only
# exporter:
# monitoring is a list of key-value pairs. It is injected into all the monitoring resources created by operator.
# These labels can be passed as LabelSelector to Prometheus
# monitoring:
# crashcollector:
resources:
#The requests and limits set here, allow the mgr pod to use half of one CPU core and 1 gigabyte of memory
# mgr:
# limits:
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"
# The above example requests/limits can also be added to the other components
# mon:
# osd:
# For OSD it also is a possible to specify requests/limits based on device class
# osd-hdd:
# osd-ssd:
# osd-nvme:
# prepareosd:
# mgr-sidecar:
# crashcollector:
# logcollector:
# cleanup:
# exporter:
# cmd-reporter:
# The option to automatically remove OSDs that are out and are safe to destroy.
removeOSDsIfOutAndSafeToRemove: false
priorityClassNames:
#all: rook-ceph-default-priority-class
mon: system-node-critical
osd: system-node-critical
mgr: system-cluster-critical
#crashcollector: rook-ceph-crashcollector-priority-class
storage: # cluster level storage configuration and selection
useAllNodes: true
useAllDevices: true
#deviceFilter:
config:
# crushRoot: "custom-root" # specify a non-default root label for the CRUSH map
# metadataDevice: "md0" # specify a non-rotational storage so ceph-volume will use it as block db device of bluestore.
# databaseSizeMB: "1024" # uncomment if the disks are smaller than 100 GB
# osdsPerDevice: "1" # this value can be overridden at the node or device level
# encryptedDevice: "true" # the default value for this option is "false"
# deviceClass: "myclass" # specify a device class for OSDs in the cluster
allowDeviceClassUpdate: false # whether to allow changing the device class of an OSD after it is created
allowOsdCrushWeightUpdate: false # whether to allow resizing the OSD crush weight after osd pvc is increased
# Individual nodes and their config can be specified as well, but 'useAllNodes' above must be set to false. Then, only the named
# nodes below will be used as storage resources. Each node's 'name' field should match their 'kubernetes.io/hostname' label.
# nodes:
# - name: "172.17.4.201"
# devices: # specific devices to use for storage can be specified for each node
# - name: "sdb"
# - name: "nvme01" # multiple osds can be created on high performance devices
# config:
# osdsPerDevice: "5"
# - name: "/dev/disk/by-id/ata-ST4000DM004-XXXX" # devices can be specified using full udev paths
# config: # configuration can be specified at the node level which overrides the cluster level config
# - name: "172.17.4.301"
# deviceFilter: "^sd."
# Whether to always schedule OSD pods on nodes declared explicitly in the "nodes" section, even if they are
# temporarily not schedulable. If set to true, consider adding placement tolerations for unschedulable nodes.
scheduleAlways: false
# when onlyApplyOSDPlacement is false, will merge both placement.All() and placement.osd
onlyApplyOSDPlacement: false
# Time for which an OSD pod will sleep before restarting, if it stopped due to flapping
# flappingRestartIntervalHours: 24
# The ratio at which Ceph should block IO if the OSDs are too full. The default is 0.95.
# fullRatio: 0.95
# The ratio at which Ceph should stop backfilling data if the OSDs are too full. The default is 0.90.
# backfillFullRatio: 0.90
# The ratio at which Ceph should raise a health warning if the OSDs are almost full. The default is 0.85.
# nearFullRatio: 0.85
# The section for configuring management of daemon disruptions during upgrade or fencing.
disruptionManagement:
# If true, the operator will create and manage PodDisruptionBudgets for OSD, Mon, RGW, and MDS daemons. OSD PDBs are managed dynamically
# via the strategy outlined in the [design](https://github.com/rook/rook/blob/master/design/ceph/ceph-managed-disruptionbudgets.md). The operator will
# block eviction of OSDs by default and unblock them safely when drains are detected.
managePodBudgets: true
# A duration in minutes that determines how long an entire failureDomain like `region/zone/host` will be held in `noout` (in addition to the
# default DOWN/OUT interval) when it is draining. This is only relevant when `managePodBudgets` is `true`. The default value is `30` minutes.
osdMaintenanceTimeout: 30
# csi defines CSI Driver settings applied per cluster.
csi:
readAffinity:
# Enable read affinity to enable clients to optimize reads from an OSD in the same topology.
# Enabling the read affinity may cause the OSDs to consume some extra memory.
# For more details see this doc:
# https://rook.io/docs/rook/latest/Storage-Configuration/Ceph-CSI/ceph-csi-drivers/#enable-read-affinity-for-rbd-volumes
enabled: false
# cephfs driver specific settings.
cephfs:
# Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options.
# kernelMountOptions: ""
# Set CephFS Fuse mount options to use https://docs.ceph.com/en/latest/man/8/ceph-fuse/#options.
# fuseMountOptions: ""
# healthChecks
# Valid values for daemons are 'mon', 'osd', 'status'
healthCheck:
daemonHealth:
mon:
disabled: false
interval: 45s
osd:
disabled: false
interval: 60s
status:
disabled: false
interval: 60s
# Change pod liveness probe timing or threshold values. Works for all mon,mgr,osd daemons.
livenessProbe:
mon:
disabled: false
mgr:
disabled: false
osd:
disabled: false
# Change pod startup probe timing or threshold values. Works for all mon,mgr,osd daemons.
startupProbe:
mon:
disabled: false
mgr:
disabled: false
osd:
disabled: false

1329
manifest/04-ceph/base/common.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

14897
manifest/04-ceph/base/crds.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

29
manifest/04-ceph/base/ingress.yml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: rook-ceph-certificate
namespace: rook-ceph
spec:
secretName: rook-ceph-skrd-fun-tls
dnsNames:
- "rook-ceph.skrd.fun"
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: rook-ceph-dashboard-ingress
namespace: rook-ceph
spec:
entryPoints:
- websecure
routes:
- match: "Host(`rook-ceph.skrd.fun`)"
kind: Rule
services:
- name: rook-ceph-mgr-dashboard
port: http-dashboard
tls:
secretName: rook-ceph-skrd-fun-tls

698
manifest/04-ceph/base/operator.yaml Normal file
View File

@@ -0,0 +1,698 @@
#################################################################################################################
# The deployment for the rook operator
# Contains the common settings for most Kubernetes deployments.
# For example, to create the rook-ceph cluster:
# kubectl create -f crds.yaml -f common.yaml -f operator.yaml
# kubectl create -f cluster.yaml
#
# Also see other operator sample files for variations of operator.yaml:
# - operator-openshift.yaml: Common settings for running in OpenShift
###############################################################################################################
# Rook Ceph Operator Config ConfigMap
# Use this ConfigMap to override Rook-Ceph Operator configurations.
# NOTE! Precedence will be given to this config if the same Env Var config also exists in the
# Operator Deployment.
# To move a configuration(s) from the Operator Deployment to this ConfigMap, add the config
# here. It is recommended to then remove it from the Deployment to eliminate any future confusion.
kind: ConfigMap
apiVersion: v1
metadata:
name: rook-ceph-operator-config
# should be in the namespace of the operator
namespace: rook-ceph # namespace:operator
data:
# The logging level for the operator: ERROR | WARNING | INFO | DEBUG
ROOK_LOG_LEVEL: "INFO"
# The address for the operator's controller-runtime metrics. 0 is disabled. :8080 serves metrics on port 8080.
ROOK_OPERATOR_METRICS_BIND_ADDRESS: "0"
# Allow using loop devices for osds in test clusters.
ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
# Enable CSI Operator
ROOK_USE_CSI_OPERATOR: "false"
# Enable the CSI driver.
# To run the non-default version of the CSI driver, see the override-able image properties in operator.yaml
ROOK_CSI_ENABLE_CEPHFS: "true"
# Enable the default version of the CSI RBD driver. To start another version of the CSI driver, see image properties below.
ROOK_CSI_ENABLE_RBD: "true"
# Enable the CSI NFS driver. To start another version of the CSI driver, see image properties below.
ROOK_CSI_ENABLE_NFS: "false"
# Disable the CSI driver.
ROOK_CSI_DISABLE_DRIVER: "false"
# Set to true to enable Ceph CSI pvc encryption support.
CSI_ENABLE_ENCRYPTION: "false"
# Set to true to enable host networking for CSI CephFS and RBD nodeplugins. This may be necessary
# in some network configurations where the SDN does not provide access to an external cluster or
# there is significant drop in read/write performance.
# CSI_ENABLE_HOST_NETWORK: "true"
# Set to true to enable adding volume metadata on the CephFS subvolume and RBD images.
# Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images.
# Hence enable metadata is false by default.
# CSI_ENABLE_METADATA: "true"
# cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases
# like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster.
# CSI_CLUSTER_NAME: "my-prod-cluster"
# Set logging level for cephCSI containers maintained by the cephCSI.
# Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity.
# CSI_LOG_LEVEL: "0"
# Set logging level for Kubernetes-csi sidecar containers.
# Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity.
# CSI_SIDECAR_LOG_LEVEL: "0"
# csi driver name prefix for cephfs, rbd and nfs. if not specified, default
# will be the namespace name where rook-ceph operator is deployed.
# search for `# csi-provisioner-name` in the storageclass and
# volumesnashotclass and update the name accordingly.
# CSI_DRIVER_NAME_PREFIX: "rook-ceph"
# Set replicas for csi provisioner deployment.
CSI_PROVISIONER_REPLICAS: "2"
# OMAP generator will generate the omap mapping between the PV name and the RBD image.
# CSI_ENABLE_OMAP_GENERATOR need to be enabled when we are using rbd mirroring feature.
# By default OMAP generator sidecar is deployed with CSI provisioner pod, to disable
# it set it to false.
# CSI_ENABLE_OMAP_GENERATOR: "false"
# set to false to disable deployment of snapshotter container in CephFS provisioner pod.
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "true"
# set to false to disable deployment of snapshotter container in NFS provisioner pod.
CSI_ENABLE_NFS_SNAPSHOTTER: "true"
# set to false to disable deployment of snapshotter container in RBD provisioner pod.
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
# set to false to disable volume group snapshot feature. This feature is
# enabled by default as long as the necessary CRDs are available in the cluster.
CSI_ENABLE_VOLUME_GROUP_SNAPSHOT: "true"
# Enable cephfs kernel driver instead of ceph-fuse.
# If you disable the kernel client, your application may be disrupted during upgrade.
# See the upgrade guide: https://rook.io/docs/rook/latest/ceph-upgrade.html
# NOTE! cephfs quota is not supported in kernel version < 4.17
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
# (Optional) policy for modifying a volume's ownership or permissions when the RBD PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
CSI_RBD_FSGROUPPOLICY: "File"
# (Optional) policy for modifying a volume's ownership or permissions when the CephFS PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
CSI_CEPHFS_FSGROUPPOLICY: "File"
# (Optional) policy for modifying a volume's ownership or permissions when the NFS PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
CSI_NFS_FSGROUPPOLICY: "File"
# (Optional) control the host mount of /etc/selinux for csi plugin pods.
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
# The default version of CSI supported by Rook will be started. To change the version
# of the CSI driver to something other than what is officially supported, change
# these images to the desired release of the CSI driver.
# ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.14.0"
# ROOK_CSI_REGISTRAR_IMAGE: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0"
# ROOK_CSI_RESIZER_IMAGE: "registry.k8s.io/sig-storage/csi-resizer:v1.13.2"
# ROOK_CSI_PROVISIONER_IMAGE: "registry.k8s.io/sig-storage/csi-provisioner:v5.2.0"
# ROOK_CSI_SNAPSHOTTER_IMAGE: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
# ROOK_CSI_ATTACHER_IMAGE: "registry.k8s.io/sig-storage/csi-attacher:v4.8.1"
# To indicate the image pull policy to be applied to all the containers in the csi driver pods.
# ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
# (Optional) set user created priorityclassName for csi plugin pods.
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
# (Optional) set user created priorityclassName for csi provisioner pods.
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
# CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate.
# Default value is RollingUpdate.
# CSI_CEPHFS_PLUGIN_UPDATE_STRATEGY: "OnDelete"
# A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy.
# Default value is 1.
# CSI_CEPHFS_PLUGIN_UPDATE_STRATEGY_MAX_UNAVAILABLE: "1"
# CSI RBD plugin daemonset update strategy, supported values are OnDelete and RollingUpdate.
# Default value is RollingUpdate.
# CSI_RBD_PLUGIN_UPDATE_STRATEGY: "OnDelete"
# A maxUnavailable parameter of CSI RBD plugin daemonset update strategy.
# Default value is 1.
# CSI_RBD_PLUGIN_UPDATE_STRATEGY_MAX_UNAVAILABLE: "1"
# CSI NFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate.
# Default value is RollingUpdate.
# CSI_NFS_PLUGIN_UPDATE_STRATEGY: "OnDelete"
# kubelet directory path, if kubelet configured to use other than /var/lib/kubelet path.
# ROOK_CSI_KUBELET_DIR_PATH: "/var/lib/kubelet"
# Labels to add to the CSI CephFS Deployments and DaemonSets Pods.
# ROOK_CSI_CEPHFS_POD_LABELS: "key1=value1,key2=value2"
# Labels to add to the CSI RBD Deployments and DaemonSets Pods.
# ROOK_CSI_RBD_POD_LABELS: "key1=value1,key2=value2"
# Labels to add to the CSI NFS Deployments and DaemonSets Pods.
# ROOK_CSI_NFS_POD_LABELS: "key1=value1,key2=value2"
# (Optional) CephCSI CephFS plugin Volumes
# CSI_CEPHFS_PLUGIN_VOLUME: |
# - name: lib-modules
# hostPath:
# path: /run/current-system/kernel-modules/lib/modules/
# - name: host-nix
# hostPath:
# path: /nix
# (Optional) CephCSI CephFS plugin Volume mounts
# CSI_CEPHFS_PLUGIN_VOLUME_MOUNT: |
# - name: host-nix
# mountPath: /nix
# readOnly: true
# (Optional) CephCSI RBD plugin Volumes
# CSI_RBD_PLUGIN_VOLUME: |
# - name: lib-modules
# hostPath:
# path: /run/current-system/kernel-modules/lib/modules/
# - name: host-nix
# hostPath:
# path: /nix
# (Optional) CephCSI RBD plugin Volume mounts
# CSI_RBD_PLUGIN_VOLUME_MOUNT: |
# - name: host-nix
# mountPath: /nix
# readOnly: true
# (Optional) CephCSI provisioner NodeAffinity (applied to both CephFS and RBD provisioner).
# CSI_PROVISIONER_NODE_AFFINITY: "role=storage-node; storage=rook, ceph"
# (Optional) CephCSI provisioner tolerations list(applied to both CephFS and RBD provisioner).
# Put here list of taints you want to tolerate in YAML format.
# CSI provisioner would be best to start on the same nodes as other ceph daemons.
# CSI_PROVISIONER_TOLERATIONS: |
# - effect: NoSchedule
# key: node-role.kubernetes.io/control-plane
# operator: Exists
# - effect: NoExecute
# key: node-role.kubernetes.io/etcd
# operator: Exists
# (Optional) CephCSI plugin NodeAffinity (applied to both CephFS and RBD plugin).
# CSI_PLUGIN_NODE_AFFINITY: "role=storage-node; storage=rook, ceph"
# (Optional) CephCSI plugin tolerations list(applied to both CephFS and RBD plugin).
# Put here list of taints you want to tolerate in YAML format.
# CSI plugins need to be started on all the nodes where the clients need to mount the storage.
# CSI_PLUGIN_TOLERATIONS: |
# - effect: NoSchedule
# key: node-role.kubernetes.io/control-plane
# operator: Exists
# - effect: NoExecute
# key: node-role.kubernetes.io/etcd
# operator: Exists
# (Optional) CephCSI RBD provisioner NodeAffinity (if specified, overrides CSI_PROVISIONER_NODE_AFFINITY).
# CSI_RBD_PROVISIONER_NODE_AFFINITY: "role=rbd-node"
# (Optional) CephCSI RBD provisioner tolerations list(if specified, overrides CSI_PROVISIONER_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI provisioner would be best to start on the same nodes as other ceph daemons.
# CSI_RBD_PROVISIONER_TOLERATIONS: |
# - key: node.rook.io/rbd
# operator: Exists
# (Optional) CephCSI RBD plugin NodeAffinity (if specified, overrides CSI_PLUGIN_NODE_AFFINITY).
# CSI_RBD_PLUGIN_NODE_AFFINITY: "role=rbd-node"
# (Optional) CephCSI RBD plugin tolerations list(if specified, overrides CSI_PLUGIN_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI plugins need to be started on all the nodes where the clients need to mount the storage.
# CSI_RBD_PLUGIN_TOLERATIONS: |
# - key: node.rook.io/rbd
# operator: Exists
# (Optional) CephCSI CephFS provisioner NodeAffinity (if specified, overrides CSI_PROVISIONER_NODE_AFFINITY).
# CSI_CEPHFS_PROVISIONER_NODE_AFFINITY: "role=cephfs-node"
# (Optional) CephCSI CephFS provisioner tolerations list(if specified, overrides CSI_PROVISIONER_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI provisioner would be best to start on the same nodes as other ceph daemons.
# CSI_CEPHFS_PROVISIONER_TOLERATIONS: |
# - key: node.rook.io/cephfs
# operator: Exists
# (Optional) CephCSI CephFS plugin NodeAffinity (if specified, overrides CSI_PLUGIN_NODE_AFFINITY).
# CSI_CEPHFS_PLUGIN_NODE_AFFINITY: "role=cephfs-node"
# NOTE: Support for defining NodeAffinity for operators other than "In" and "Exists" requires the user to input a
# valid v1.NodeAffinity JSON or YAML string. For example, the following is valid YAML v1.NodeAffinity:
# CSI_CEPHFS_PLUGIN_NODE_AFFINITY: |
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: myKey
# operator: DoesNotExist
# (Optional) CephCSI CephFS plugin tolerations list(if specified, overrides CSI_PLUGIN_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI plugins need to be started on all the nodes where the clients need to mount the storage.
# CSI_CEPHFS_PLUGIN_TOLERATIONS: |
# - key: node.rook.io/cephfs
# operator: Exists
# (Optional) CephCSI NFS provisioner NodeAffinity (overrides CSI_PROVISIONER_NODE_AFFINITY).
# CSI_NFS_PROVISIONER_NODE_AFFINITY: "role=nfs-node"
# (Optional) CephCSI NFS provisioner tolerations list (overrides CSI_PROVISIONER_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI provisioner would be best to start on the same nodes as other ceph daemons.
# CSI_NFS_PROVISIONER_TOLERATIONS: |
# - key: node.rook.io/nfs
# operator: Exists
# (Optional) CephCSI NFS plugin NodeAffinity (overrides CSI_PLUGIN_NODE_AFFINITY).
# CSI_NFS_PLUGIN_NODE_AFFINITY: "role=nfs-node"
# (Optional) CephCSI NFS plugin tolerations list (overrides CSI_PLUGIN_TOLERATIONS).
# Put here list of taints you want to tolerate in YAML format.
# CSI plugins need to be started on all the nodes where the clients need to mount the storage.
# CSI_NFS_PLUGIN_TOLERATIONS: |
# - key: node.rook.io/nfs
# operator: Exists
# (Optional) CEPH CSI RBD provisioner resource requirement list, Put here list of resource
# requests and limits you want to apply for provisioner pod
#CSI_RBD_PROVISIONER_RESOURCE: |
# - name : csi-provisioner
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-resizer
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-attacher
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-snapshotter
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-rbdplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : csi-omap-generator
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : liveness-prometheus
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# (Optional) CEPH CSI RBD plugin resource requirement list, Put here list of resource
# requests and limits you want to apply for plugin pod
#CSI_RBD_PLUGIN_RESOURCE: |
# - name : driver-registrar
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# - name : csi-rbdplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : liveness-prometheus
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# (Optional) CEPH CSI CephFS provisioner resource requirement list, Put here list of resource
# requests and limits you want to apply for provisioner pod
#CSI_CEPHFS_PROVISIONER_RESOURCE: |
# - name : csi-provisioner
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-resizer
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-attacher
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-snapshotter
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-cephfsplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : liveness-prometheus
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# (Optional) CEPH CSI CephFS plugin resource requirement list, Put here list of resource
# requests and limits you want to apply for plugin pod
#CSI_CEPHFS_PLUGIN_RESOURCE: |
# - name : driver-registrar
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# - name : csi-cephfsplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : liveness-prometheus
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# (Optional) CEPH CSI NFS provisioner resource requirement list, Put here list of resource
# requests and limits you want to apply for provisioner pod
# CSI_NFS_PROVISIONER_RESOURCE: |
# - name : csi-provisioner
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# - name : csi-nfsplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# - name : csi-attacher
# resource:
# requests:
# memory: 128Mi
# cpu: 100m
# limits:
# memory: 256Mi
# (Optional) CEPH CSI NFS plugin resource requirement list, Put here list of resource
# requests and limits you want to apply for plugin pod
# CSI_NFS_PLUGIN_RESOURCE: |
# - name : driver-registrar
# resource:
# requests:
# memory: 128Mi
# cpu: 50m
# limits:
# memory: 256Mi
# - name : csi-nfsplugin
# resource:
# requests:
# memory: 512Mi
# cpu: 250m
# limits:
# memory: 1Gi
# Configure CSI CephFS liveness metrics port
# Set to true to enable Ceph CSI liveness container.
CSI_ENABLE_LIVENESS: "false"
# CSI_CEPHFS_LIVENESS_METRICS_PORT: "9081"
# Configure CSI RBD liveness metrics port
# CSI_RBD_LIVENESS_METRICS_PORT: "9080"
# We can override the ports for each individual component that uses the CSIADDONS sidecar
# This is useful if we're running in hostNetwork, where ports may conflict on the same host
# CSIADDONS_PORT: "9070"
# CSIADDONS_RBD_PROVISIONER_PORT: "9070"
# CSIADDONS_CEPHFS_PROVISIONER_PORT: "9070"
# Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options
# Set to "ms_mode=secure" when connections.encrypted is enabled in CephCluster CR
# CSI_CEPHFS_KERNEL_MOUNT_OPTIONS: "ms_mode=secure"
# (Optional) Duration in seconds that non-leader candidates will wait to force acquire leadership. Default to 137 seconds.
# CSI_LEADER_ELECTION_LEASE_DURATION: "137s"
# (Optional) Deadline in seconds that the acting leader will retry refreshing leadership before giving up. Defaults to 107 seconds.
# CSI_LEADER_ELECTION_RENEW_DEADLINE: "107s"
# (Optional) Retry Period in seconds the LeaderElector clients should wait between tries of actions. Defaults to 26 seconds.
# CSI_LEADER_ELECTION_RETRY_PERIOD: "26s"
# Whether the OBC provisioner should watch on the ceph cluster namespace or not, if not default provisioner value is set
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
# Custom prefix value for the OBC provisioner instead of ceph cluster namespace, do not set on existing cluster
# ROOK_OBC_PROVISIONER_NAME_PREFIX: "custom-prefix"
# Many OBC additional config fields may be risky for administrators to allow users control over.
# The safe and default-allowed fields are 'maxObjects' and 'maxSize'.
# Other fields should be considered risky. To allow all additional configs, use this value:
# "maxObjects,maxSize,bucketMaxObjects,bucketMaxSize,bucketPolicy,bucketLifecycle,bucketOwner"
# ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS: "maxObjects,maxSize" # default allowed configs
# Whether to start the discovery daemon to watch for raw storage devices on nodes in the cluster.
# This daemon does not need to run if you are only going to create your OSDs based on StorageClassDeviceSets with PVCs.
ROOK_ENABLE_DISCOVERY_DAEMON: "true"
# The timeout value (in seconds) of Ceph commands. It should be >= 1. If this variable is not set or is an invalid value, it's default to 15.
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
# Enable the csi addons sidecar.
CSI_ENABLE_CSIADDONS: "false"
# Enable watch for faster recovery from rbd rwo node loss
ROOK_WATCH_FOR_NODE_FAILURE: "true"
# ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.12.0"
# The CSI GRPC timeout value (in seconds). It should be >= 120. If this variable is not set or is an invalid value, it's default to 150.
CSI_GRPC_TIMEOUT_SECONDS: "150"
# Enable topology based provisioning.
CSI_ENABLE_TOPOLOGY: "false"
# Domain labels define which node labels to use as domains
# for CSI nodeplugins to advertise their domains
# NOTE: the value here serves as an example and needs to be
# updated with node labels that define domains of interest
# CSI_TOPOLOGY_DOMAIN_LABELS: "kubernetes.io/hostname,topology.kubernetes.io/zone,topology.rook.io/rack"
# Whether to skip any attach operation altogether for CephCSI PVCs.
# See more details [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
# If set to false it skips the volume attachments and makes the creation of pods using the CephCSI PVC fast.
# **WARNING** It's highly discouraged to use this for RWO volumes. for RBD PVC it can cause data corruption,
# csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false
# since we'll have no VolumeAttachments to determine which node the PVC is mounted on.
# Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
CSI_CEPHFS_ATTACH_REQUIRED: "true"
CSI_RBD_ATTACH_REQUIRED: "true"
CSI_NFS_ATTACH_REQUIRED: "true"
# Rook Discover toleration. Will tolerate all taints with all keys.
# (Optional) Rook Discover tolerations list. Put here list of taints you want to tolerate in YAML format.
# DISCOVER_TOLERATIONS: |
# - effect: NoSchedule
# key: node-role.kubernetes.io/control-plane
# operator: Exists
# - effect: NoExecute
# key: node-role.kubernetes.io/etcd
# operator: Exists
# (Optional) Rook Discover priority class name to set on the pod(s)
# DISCOVER_PRIORITY_CLASS_NAME: "<PriorityClassName>"
# (Optional) Discover Agent NodeAffinity.
# DISCOVER_AGENT_NODE_AFFINITY: |
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: myKey
# operator: DoesNotExist
# (Optional) Discover Agent Pod Labels.
# DISCOVER_AGENT_POD_LABELS: "key1=value1,key2=value2"
# Disable automatic orchestration when new devices are discovered
ROOK_DISABLE_DEVICE_HOTPLUG: "false"
# The duration between discovering devices in the rook-discover daemonset.
ROOK_DISCOVER_DEVICES_INTERVAL: "60m"
# DISCOVER_DAEMON_RESOURCES: |
# - name: DISCOVER_DAEMON_RESOURCES
# resources:
# limits:
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 128Mi
# (Optional) Burst to use while communicating with the kubernetes apiserver.
# CSI_KUBE_API_BURST: "10"
# (Optional) QPS to use while communicating with the kubernetes apiserver.
# CSI_KUBE_API_QPS: "5.0"
# Whether to create all Rook pods to run on the host network, for example in environments where a CNI is not enabled
ROOK_ENFORCE_HOST_NETWORK: "false"
# RevisionHistoryLimit value for all deployments created by rook.
# ROOK_REVISION_HISTORY_LIMIT: "3"
# Custom label to identify node hostname. If not set `kubernetes.io/hostname` will be used
ROOK_CUSTOM_HOSTNAME_LABEL: ""
---
# OLM: BEGIN OPERATOR DEPLOYMENT
apiVersion: apps/v1
kind: Deployment
metadata:
name: rook-ceph-operator
namespace: rook-ceph # namespace:operator
labels:
operator: rook
storage-backend: ceph
app.kubernetes.io/name: rook-ceph
app.kubernetes.io/instance: rook-ceph
app.kubernetes.io/component: rook-ceph-operator
app.kubernetes.io/part-of: rook-ceph-operator
spec:
selector:
matchLabels:
app: rook-ceph-operator
strategy:
type: Recreate
replicas: 1
template:
metadata:
labels:
app: rook-ceph-operator
spec:
tolerations:
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 5
serviceAccountName: rook-ceph-system
containers:
- name: rook-ceph-operator
image: docker.io/rook/ceph:v1.17.4
args: ["ceph", "operator"]
securityContext:
runAsNonRoot: true
runAsUser: 2016
runAsGroup: 2016
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
env:
# If the operator should only watch for cluster CRDs in the same namespace, set this to "true".
# If this is not set to true, the operator will watch for cluster CRDs in all namespaces.
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
# Whether to start pods as privileged that mount a host path, which includes the Ceph mon, osd pods and csi provisioners(if logrotation is on).
# Set this to true if SELinux is enabled (e.g. OpenShift) to workaround the anyuid issues.
# For more details see https://github.com/rook/rook/issues/1314#issuecomment-355799641
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
# Provide customised regex as the values using comma. For eg. regex for rbd based volume, value will be like "(?i)rbd[0-9]+".
# In case of more than one regex, use comma to separate between them.
# Default regex will be "(?i)dm-[0-9]+,(?i)rbd[0-9]+,(?i)nbd[0-9]+"
# Add regex expression after putting a comma to blacklist a disk
# If value is empty, the default regex will be used.
- name: DISCOVER_DAEMON_UDEV_BLACKLIST
value: "(?i)dm-[0-9]+,(?i)rbd[0-9]+,(?i)nbd[0-9]+"
# Time to wait until the node controller will move Rook pods to other
# nodes after detecting an unreachable node.
# Pods affected by this setting are:
# mgr, rbd, mds, rgw, nfs, PVC based mons and osds, and ceph toolbox
# The value used in this variable replaces the default value of 300 secs
# added automatically by k8s as Toleration for
# <node.kubernetes.io/unreachable>
# The total amount of time to reschedule Rook pods in healthy nodes
# before detecting a <not ready node> condition will be the sum of:
# --> node-monitor-grace-period: 40 seconds (k8s kube-controller-manager flag)
# --> ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS: 5 seconds
- name: ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS
value: "5"
# The name of the node to pass with the downward API
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# The pod name to pass with the downward API
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
# The pod namespace to pass with the downward API
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Recommended resource requests and limits, if desired
#resources:
# limits:
# memory: 512Mi
# requests:
# cpu: 200m
# memory: 128Mi
# Uncomment it to run lib bucket provisioner in multithreaded mode
#- name: LIB_BUCKET_PROVISIONER_THREADS
# value: "5"
# Uncomment these two settings to run the operator on the host network
# hostNetwork: true
# dnsPolicy: ClusterFirstWithHostNet
volumes:
- name: rook-config
emptyDir: {}
- name: default-config-dir
emptyDir: {}
# OLM: END OPERATOR DEPLOYMENT

4
manifest/04-ceph/get-secret.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/usr/bin/env bash
kubectl -n rook-ceph get secret rook-ceph-dashboard-password -o jsonpath="{['data']['password']}" | base64 --decode && echo

135
manifest/04-ceph/storage/cephfs/filesystem.yaml Normal file
View File

@@ -0,0 +1,135 @@
#################################################################################################################
# Create a filesystem with settings with replication enabled for a production environment.
# A minimum of 3 OSDs on different nodes are required in this example.
# If one mds daemon per node is too restrictive, see the podAntiAffinity below.
# kubectl create -f filesystem.yaml
#################################################################################################################
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: cephfs
namespace: rook-ceph # namespace:cluster
spec:
# The metadata pool spec. Must use replication.
metadataPool:
replicated:
size: 3
requireSafeReplicaSize: true
parameters:
# Inline compression mode for the data pool
# Further reference: https://docs.ceph.com/docs/master/rados/configuration/bluestore-config-ref/#inline-compression
compression_mode:
none
# gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity of a given pool
# for more info: https://docs.ceph.com/docs/master/rados/operations/placement-groups/#specifying-expected-pool-size
#target_size_ratio: ".5"
# The list of data pool specs. Can use replication or erasure coding.
dataPools:
- name: replicated
failureDomain: host
replicated:
size: 3
# Disallow setting pool with replica 1, this could lead to data loss without recovery.
# Make sure you're *ABSOLUTELY CERTAIN* that is what you want
requireSafeReplicaSize: true
parameters:
# Inline compression mode for the data pool
# Further reference: https://docs.ceph.com/docs/master/rados/configuration/bluestore-config-ref/#inline-compression
compression_mode:
none
# gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity of a given pool
# for more info: https://docs.ceph.com/docs/master/rados/operations/placement-groups/#specifying-expected-pool-size
#target_size_ratio: ".5"
# Whether to preserve filesystem after CephFilesystem CRD deletion
preserveFilesystemOnDelete: true
# The metadata service (mds) configuration
metadataServer:
# The number of active MDS instances
activeCount: 1
# Whether each active MDS instance will have an active standby with a warm metadata cache for faster failover.
# If false, standbys will be available, but will not have a warm cache.
activeStandby: true
# The affinity rules to apply to the mds deployment
placement:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - mds-node
# topologySpreadConstraints:
# tolerations:
# - key: mds-node
# operator: Exists
# podAffinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- rook-ceph-mds
## Add this if you want to allow mds daemons for different filesystems to run on one
## node. The value in "values" must match .metadata.name.
# - key: rook_file_system
# operator: In
# values:
# - myfs
# topologyKey: kubernetes.io/hostname will place MDS across different hosts
topologyKey: kubernetes.io/hostname
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- rook-ceph-mds
# topologyKey: */zone can be used to spread MDS across different AZ
topologyKey: topology.kubernetes.io/zone
# A key/value list of annotations
# annotations:
# key: value
# A key/value list of labels
# labels:
# key: value
# resources:
# The requests and limits set here, allow the filesystem MDS Pod(s) to use half of one CPU core and 1 gigabyte of memory
# limits:
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"
priorityClassName: system-cluster-critical
livenessProbe:
disabled: false
startupProbe:
disabled: false
# Filesystem mirroring settings
# mirroring:
# enabled: true
# # list of Kubernetes Secrets containing the peer token
# # for more details see: https://docs.ceph.com/en/latest/dev/cephfs-mirroring/#bootstrap-peers
# # Add the secret name if it already exists else specify the empty list here.
# peers:
# secretNames:
# - secondary-cluster-peer
# # specify the schedule(s) on which snapshots should be taken
# # see the official syntax here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#add-and-remove-schedules
# snapshotSchedules:
# - path: /
# interval: 24h # daily snapshots
# # The startTime should be mentioned in the format YYYY-MM-DDTHH:MM:SS
# # If startTime is not specified, then by default the start time is considered as midnight UTC.
# # see usage here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#usage
# # startTime: 2022-07-15T11:55:00
# # manage retention policies
# # see syntax duration here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#add-and-remove-retention-policies
# snapshotRetention:
# - path: /
# duration: "h 24"

44
manifest/04-ceph/storage/cephfs/storageclass.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rook-cephfs
provisioner: rook-ceph.cephfs.csi.ceph.com # csi-provisioner-name
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph # namespace:cluster
# CephFS filesystem name into which the volume shall be created
fsName: myfs
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: myfs-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph # namespace:cluster
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph # namespace:cluster
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph # namespace:cluster
# (optional) Set it to true to encrypt each volume with encryption keys
# from a key management system (KMS)
# encrypted: "true"
# (optional) Use external key management system (KMS) for encryption key by
# specifying a unique ID matching a KMS ConfigMap. The ID is only used for
# correlation to configmap entry.
# encryptionKMSID: <kms-config-id>
# (optional) The driver can use either ceph-fuse (fuse) or ceph kernel client (kernel)
# If omitted, default volume mounter will be used - this is determined by probing for ceph-fuse
# or by setting the default mounter explicitly via --volumemounter command-line argument.
# mounter: kernel
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
# uncomment the following line for debugging
#- debug

10
manifest/04-ceph/storage/rbd/blockstorage.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: blockstorage
namespace: rook-ceph
spec:
failureDomain: host
replicated:
size: 3
requireSafeReplicaSize: true

7
manifest/04-ceph/storage/rgw/bucket-claim.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: ceph-bucket
spec:
generateBucketName: ceph-bkt
storageClassName: rook-ceph-bucket

21
manifest/04-ceph/storage/rgw/bucket-external-access.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: rook-ceph-rgw-my-store-external
namespace: rook-ceph
labels:
app: rook-ceph-rgw
rook_cluster: rook-ceph
rook_object_store: my-store
spec:
ports:
- name: rgw
port: 80
protocol: TCP
targetPort: 80
selector:
app: rook-ceph-rgw
rook_cluster: rook-ceph
rook_object_store: my-store
sessionAffinity: None
type: NodePort

9
manifest/04-ceph/storage/rgw/bucket.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rook-ceph-bucket
provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: my-store
objectStoreNamespace: rook-ceph

52
manifest/04-ceph/storage/rgw/ingress.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: cors
namespace: rook-ceph
spec:
headers:
accessControlAllowMethods:
- "GET"
- "POST"
- "OPTIONS"
- "PUT"
accessControlAllowHeaders:
- "*"
accessControlAllowOriginList:
- "*"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: talos-s3-certificate
namespace: rook-ceph
spec:
secretName: talos-s3-skrd-fun-tls
dnsNames:
- "talos-s3.skrd.fun"
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bucket-access
namespace: rook-ceph
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd, rook-ceph-cors@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: talos-s3.skrd.fun
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rook-ceph-rgw-my-store
port:
number: 80
tls:
- secretName: talos-s3-skrd-fun-tls

19
manifest/04-ceph/storage/rgw/objectstore.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: ceph.rook.io/v1
kind: CephObjectStore
metadata:
name: my-store
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPool:
failureDomain: host
erasureCoded:
dataChunks: 2
codingChunks: 1
preservePoolsOnDelete: true
gateway:
port: 80
instances: 1

38
manifest/05-postgres/cnpg.yml
View File

@@ -11,29 +11,15 @@ spec:
secret: secret:
name: cnpg-secret name: cnpg-secret
storage: storage:
pvcTemplate: storageClass: cnpg-storage
accessModes: size: 1Gi
- ReadWriteOnce walStorage:
resources: storageClass: cnpg-storage
requests: size: 1Gi
storage: 20Gi
storageClassName: cnpg-storage
affinity: affinity:
enablePodAntiAffinity: true enablePodAntiAffinity: true
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
podAntiAffinityType: required podAntiAffinityType: required
backup:
retentionPolicy: "7d"
barmanObjectStore:
destinationPath: "s3://backups/"
endpointURL: "https://minio-api.skrd.fun"
s3Credentials:
accessKeyId:
name: aws-creds
key: ACCESS_KEY
secretAccessKey:
name: aws-creds
key: SECRET_KEY
managed: managed:
services: services:
additional: additional:
@@ -43,3 +29,17 @@ spec:
name: "cnpg-cluster-open" name: "cnpg-cluster-open"
spec: spec:
type: LoadBalancer type: LoadBalancer
roles:
- name: preinversion
ensure: present
login: true
superuser: false
passwordSecret:
name: preinversion-secret
- name: laravel
ensure: present
inherit: false
login: true
superuser: false
passwordSecret:
name: laravel-secret

21
manifest/05-postgres/storage.yml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cnpg-storage
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
pool: blockstorage
imageFormat: "2"
imageFeatures: layering
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: ext4
allowVolumeExpansion: true
reclaimPolicy: Delete

46
manifest/06-external-ingress/sites/actual.yml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: actual-certificate
namespace: external-services
spec:
secretName: actual-skrd-fun-tls
dnsNames:
- "actual.skrd.fun"
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
kind: Service
apiVersion: v1
metadata:
name: actual
namespace: external-services
spec:
type: ExternalName
ports:
- port: 5006
externalName: 192.168.103.13
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: actual-ingress
namespace: external-services
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: actual.skrd.fun
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: actual
port:
number: 5006
tls:
- secretName: actual-skrd-fun-tls

22
manifest/06-external-ingress/sites/gametabs.yml
View File

@@ -32,15 +32,15 @@ metadata:
spec: spec:
ingressClassName: traefik ingressClassName: traefik
rules: rules:
- host: gametabs.skrd.fun - host: gametabs.skrd.fun
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: gametabs name: gametabs
port: port:
number: 80 number: 80
tls: tls:
- secretName: gametabs-skrd-fun-tls - secretName: gametabs-skrd-fun-tls

34
manifest/06-external-ingress/sites/portainer.yml → manifest/06-external-ingress/sites/komodo.yml
View File

@@ -1,12 +1,12 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: portainer-certificate name: komodo-certificate
namespace: external-services namespace: external-services
spec: spec:
secretName: portainer-skrd-fun-tls secretName: komodo-skrd-fun-tls
dnsNames: dnsNames:
- "portainer.skrd.fun" - "komodo.skrd.fun"
issuerRef: issuerRef:
name: letsencrypt-prod name: letsencrypt-prod
kind: ClusterIssuer kind: ClusterIssuer
@@ -14,33 +14,33 @@ spec:
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: portainer name: komodo
namespace: external-services namespace: external-services
spec: spec:
type: ExternalName type: ExternalName
ports: ports:
- port: 9000 - port: 9120
externalName: 192.168.102.1 externalName: 192.168.102.1
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: portainer-ingress name: komodo-ingress
namespace: external-services namespace: external-services
annotations: annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-allow-local-only@kubernetescrd, default-redirect-https@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: default-allow-local-only@kubernetescrd, default-redirect-https@kubernetescrd
spec: spec:
ingressClassName: traefik ingressClassName: traefik
rules: rules:
- host: portainer.skrd.fun - host: komodo.skrd.fun
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: portainer name: komodo
port: port:
number: 9000 number: 9120
tls: tls:
- secretName: portainer-skrd-fun-tls - secretName: komodo-skrd-fun-tls

46
manifest/06-external-ingress/sites/moka.yml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: moka-certificate
namespace: external-services
spec:
secretName: moka-skrd-fun-tls
dnsNames:
- "moka.skrd.fun"
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
kind: Service
apiVersion: v1
metadata:
name: moka
namespace: external-services
spec:
type: ExternalName
ports:
- port: 80
externalName: 192.168.103.19
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: moka-ingress
namespace: external-services
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: moka.skrd.fun
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: moka
port:
number: 80
tls:
- secretName: moka-skrd-fun-tls

2
manifest/06-external-ingress/sites/pihole.yml
View File

@@ -22,7 +22,7 @@ spec:
- port: 80 - port: 80
externalName: 192.168.3.5 externalName: 192.168.3.5
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
metadata: metadata:
name: pihole-rewrite name: pihole-rewrite

12
manifest/07-ddns/ddns.yml
View File

@@ -16,21 +16,17 @@ spec:
- name: ddns - name: ddns
image: favonia/cloudflare-ddns:latest image: favonia/cloudflare-ddns:latest
env: env:
- name: PUID - name: CLOUDFLARE_API_TOKEN
value: "1000"
- name: PGID
value: "1000"
- name: IP6_PROVIDER
value: "none"
- name: CF_API_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ddns-secret name: ddns-secret
key: api_token key: api_token
- name: DOMAINS - name: DOMAINS
value: "local.skrd.fun,direct.skrd.fun" value: "direct.skrd.fun"
- name: PROXIED - name: PROXIED
value: "false" value: "false"
- name: IPV6_PROVIDER
value: "none"
securityContext: securityContext:
capabilities: capabilities:
drop: ["ALL"] drop: ["ALL"]

3
manifest/08-dashboard/port-forward.sh
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env bash
kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443

0
manifest/03-longhorn/ingress.yml → manifest/99-longhorn/ingress.yml
View File

0
manifest/03-longhorn/longhorn.yml → manifest/99-longhorn/longhorn.yml
View File

0
manifest/04-minio/.gitignore → manifest/99-minio/.gitignore vendored
View File

0
manifest/04-minio/ingress.yml → manifest/99-minio/ingress.yml
View File

0
manifest/04-minio/minio.yml → manifest/99-minio/minio.yml
View File

0
manifest/04-minio/namespace.yml → manifest/99-minio/namespace.yml
View File

0
manifest/04-minio/secret.yml.example → manifest/99-minio/secret.yml.example
View File

0
manifest/04-minio/values.yaml.example → manifest/99-minio/values.yaml.example
View File

26
manifest/99-tubearchivist/storage.yml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
labels:
app: ubuntu
spec:
containers:
- image: ubuntu
command:
- "sleep"
- "604800"
imagePullPolicy: IfNotPresent
name: ubuntu
volumeMounts:
- mountPath: /my-nfs-data
name: test-volume
restartPolicy: Always
volumes:
- name: test-volume
nfs:
server: 192.168.1.102
path: /1582b800/docker/tubearchivist
readOnly: true
mountOptions:
- nfsvers=4.1

50
proxmox/homeassistant/.gitignore vendored Normal file
View File

@@ -0,0 +1,50 @@
# Created by https://gitignore.org
# Terraform.gitignore
# Local .terraform directories
.terraform/
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Optional: ignore graph output files generated by `terraform graph`
# *.dot
# Optional: ignore plan files saved before destroying Terraform configuration
# Uncomment the line below if you want to ignore planout files.
# planout
aircon.json

44
proxmox/homeassistant/.terraform.lock.hcl generated Normal file
View File

@@ -0,0 +1,44 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/bpg/proxmox" {
version = "0.86.0"
constraints = "0.86.0"
hashes = [
"h1:0OH908XIuDk42UTevFCfMMEnDdbsqNzSZBLGqjoj8S0=",
"zh:09b627b92a59848769fadfc3d8103eebf070a3800144bf03cb93f44472327f44",
"zh:0e19eb7f1047d541e50b97d7ac440ea73685d0c28ed2dbe64217cbe2f0b353e0",
"zh:20f1e70091ff3056876618c93afd79527c8995f955d153993e8fbb10fa42593b",
"zh:3920315be565976f5a9da0803f8f1a108221282f1bc9e21160669d793af4e0c8",
"zh:5133b2a2027428d3926eaa3bcdc0ab65a75305d54f6cbc7c54cce746dfddbc8e",
"zh:514c588b04738d55c9e6b1c5a4e3fb1ef4041dfb809d2268f14d29839ecfba59",
"zh:55916034025b4833bd6a93bb5948dfb7d00830a772ef74fa70898c6f7de0da0b",
"zh:58b485a4b0bde56ca7032fca0ac09cb4c6ff2579e06cf4f2a311bb695baa0df1",
"zh:75ebe44e6da4108af5fe02a9cd99ed0189985b486a2a56594952098d161ceb3d",
"zh:a8c870bfb5958a3d49d639db3c2761cfb453c6a6f95e5e241890922b11c8a4d8",
"zh:c2df2748b9be47a6c3e613667c64874d5cb1d3fbb5b985d6eb9c3af5af298454",
"zh:c3059668f4f81e450e555a47310e7042044b335f131643262fd51f9ba96f2214",
"zh:ddbbb23910666f70cf4a9587ba57b45f5f58c53a1f8d7cee1d6f90a3d3ef38ef",
"zh:e430138b897edcd3b64e4309db34ac872526187782626aa074d8d1647a0abfa8",
"zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
]
}
provider "registry.terraform.io/hashicorp/local" {
version = "2.5.3"
hashes = [
"h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=",
"zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927",
"zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e",
"zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf",
"zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d",
"zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09",
"zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f",
"zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1",
"zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6",
"zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47",
"zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82",
]
}

98
proxmox/homeassistant/README.md Normal file
View File

@@ -0,0 +1,98 @@
# Home Assistant Installation
These files allow you to deploy a Home Assistant OS virtual machine on Proxmox using Terraform.
Terraform handles the creation of the VM based on the pre-built `.qcow2` image of Home Assistant OS.
All further configuration (such as the proxy settings) is done directly from the Home Assistant web interface.
## Terraform Execution
To create the VM with Terraform, the configuration must be defined in the `terraform.tfvars` file.
You can use `terraform.tfvars.example` as a base.
Then run the following commands:
1. Initialize Terraform:
```bash
terraform init
```
2. Review the plan:
```bash
terraform plan
```
3. Apply the plan:
```bash
terraform apply
```
The process will create a new VM on the configured Proxmox node using the uploaded `.qcow2` image.
Once created, Home Assistant OS will boot automatically and obtain an IP via DHCP.
Access the web interface at:
[http://homeassistant.local:8123](http://homeassistant.local:8123)
That should work given that Pi-hole is already runing on the network
## Home Assistant Configuration
After the initial setup (creating your user and restoring backups if applicable),
you must adjust the HTTP configuration to properly support a reverse proxy such as Traefik.
To edit Home Assistants configuration file `configuration.yaml`, first install the File Editor add-on:
1. Open the Home Assistant web interface.
2. Go to `Settings` -> `Add-ons` -> `Add-on Store`.
3. Search for File Editor and click Install.
4. Once installed, click Start and optionally enable Show in sidebar.
Then use the File Editor to open `/config/configuration.yaml`
Add the following section
```yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- "192.168.0.0/16"
```
Finally:
1. Go to `Settings` -> `System` -> `Check configuration` to validate the file.
2. Restart Home Assistant Core via `Settings` -> `System` -> `Restart`.
This ensures Home Assistant correctly interprets requests forwarded through your proxy, preserving real client IPs and maintaining secure access.
## AC Integraion
To control the air conditioner that uses the NetHome Plus app, install HACS (Home Assistant Community Store) and the Midea AC LAN integration.
### Step 1 - Install HACS
Follow the documentation at [HACS](https://hacs.xyz/docs/use/)
### Step 2 — Install Midea AC LAN Integration
Follow the documentation at [midea_ac_lan](https://github.com/wuwentao/midea_ac_lan/tree/master)
> Important: recent Midea / NetHome Plus API changes limit how tokens can be obtained.
> Keep a backup file containing your current tokens — it will be necessary if API access becomes restricted in the future.
> Tokens can be found via SSH at: `/config/.storage/midea_ac_lan`
## Reinstallation
If a full reinstall is needed, simply destroy and recreate the Terraform resources:
```bash
terraform destroy
```
Then run:
```bash
terraform apply
```
to provision a clean instance again.

58
proxmox/homeassistant/main.tf Normal file
View File

@@ -0,0 +1,58 @@
terraform {
required_providers {
proxmox = {
source = "bpg/proxmox"
version = "0.86.0"
}
}
}
data "local_file" "proxmox_ssh_private_key" {
filename = var.proxmox_ssh_privkey_path
}
provider "proxmox" {
endpoint = var.proxmox_endpoint
username = var.proxmox_user
password = var.proxmox_password
insecure = true
ssh {
agent = true
username = var.proxmox_ssh_username
private_key = trimspace(data.local_file.proxmox_ssh_private_key.content)
}
}
resource "proxmox_virtual_environment_vm" "homeassistant" {
name = "homeassistant"
node_name = var.proxmox_node
agent { enabled = true }
bios = "ovmf"
cpu {
cores = 2
type = "host"
}
memory {
dedicated = 8096
}
efi_disk {
datastore_id = var.vm_datastore
}
disk {
datastore_id = var.vm_datastore
import_from = "${var.proxmox_datastore}:import/haos_ova-16.3.qcow2"
interface = "virtio0"
size = 100
}
network_device {
bridge = var.bridge
}
}

7
proxmox/homeassistant/terraform.tfvars.example Normal file
View File

@@ -0,0 +1,7 @@
proxmox_endpoint = "https://192.168.1.1:8006"
proxmox_user = "terraform@pam"
proxmox_password = "secret"
proxmox_node = "pve"
proxmox_ssh_username = "terraform"
proxmox_ssh_privkey_path = "/home/user/.ssh/id_ed25519"

11
proxmox/homeassistant/variables.tf Normal file
View File

@@ -0,0 +1,11 @@
variable "proxmox_endpoint" {}
variable "proxmox_user" {}
variable "proxmox_password" { sensitive = true }
variable "proxmox_node" { default = "pve" }
variable "proxmox_ssh_username" {}
variable "proxmox_ssh_privkey_path" {}
variable "proxmox_datastore" { default = "local" }
variable "bridge" { default = "vmbr0" }
variable "vm_datastore" { default = "local-vm" }

58
proxmox/pihole/README.md Normal file
View File

@@ -0,0 +1,58 @@
# Pi-hole instalation
These files allow you to install Pi-hole in an idempotent way. Terraform creates
the VM on Proxmox, and Ansible installs Pi-hole unattended, using the configuration
defined in `pihole.toml`.
## Terraform execution
To create the VM with Terraform, the configuration must be defined in the `terraform.tfvars`
file. You can use `terraform.tfvars.example` as a base.
Then to execute the following commands:
1. Intialize terraform
```bash
terraform init
```
2. Review the plan
```bash
terraform plan
```
3. Apply the plan.
This step might take a few minutes but if it takes significantly longer,
there may be an issue with cloud-init.
```bash
terraform apply
```
After execution, the `ansible` folder should contain a new `inventory.yaml` file.
## Ansible execution
To install Pi-hole with Ansible, make sure the `inventory.yaml` file exists,
and adjust `pihole.toml` if needed.
Then run:
```bash
ansible-playbook install.yaml
```
## Reinstallation
If you need to reinstall everything in the same environment,
destroy and recreate the Terraform resources using:
```bash
terraform destroy
```
## Reference
[Unattended Pi-hole v6 Setup with Ansible](https://www.paulcourt.co.uk/articles/2025/unattended-pihole-ansible)
[Configure a VM with Cloud-Init](https://registry.terraform.io/providers/bpg/proxmox/latest/docs/guides/cloud-init)

1
proxmox/pihole/ansible/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
pihole.toml

3
proxmox/pihole/ansible/ansible.cfg Normal file
View File

@@ -0,0 +1,3 @@
[defaults]
inventory = ./inventory.yaml
host_key_checking = False

38
proxmox/pihole/ansible/install.yaml Normal file
View File

@@ -0,0 +1,38 @@
- name: Install Pihole
hosts: all
become: true
tasks:
- name: Update packages
apt:
update_cache: true
upgrade: safe
- name: Install curl
apt:
name: curl
- name: Create pihole directory
file:
path: /etc/pihole
state: directory
force: false
- name: Load pihole pre-configuration
copy:
src: pihole.toml
dest: /etc/pihole/pihole.toml
- name: Download install script
get_url:
url: https://install.pi-hole.net
dest: /tmp/install_pihole.sh
mode: "0755"
- name: Install pihole
command: /tmp/install_pihole.sh --unattended
args:
creates: "/usr/local/bin/pihole"
- name: Update gravity lists
command: pihole -g

8
proxmox/pihole/ansible/inventory.yaml Executable file
View File

@@ -0,0 +1,8 @@
all:
children:
servers:
hosts:
pihole:
ansible_host: 192.168.3.1
ansible_user: ubuntu
ansible_ssh_private_key_file: /home/ryuuji/.ssh/id_ed25519

1674
proxmox/pihole/ansible/pihole.toml.example Normal file
View File

File diff suppressed because it is too large Load Diff

47
proxmox/pihole/terraform/.gitignore vendored Normal file
View File

@@ -0,0 +1,47 @@
# Created by https://gitignore.org
# Terraform.gitignore
# Local .terraform directories
.terraform/
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Optional: ignore graph output files generated by `terraform graph`
# *.dot
# Optional: ignore plan files saved before destroying Terraform configuration
# Uncomment the line below if you want to ignore planout files.
# planout

44
proxmox/pihole/terraform/.terraform.lock.hcl generated Normal file
View File

@@ -0,0 +1,44 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/bpg/proxmox" {
version = "0.86.0"
constraints = "0.86.0"
hashes = [
"h1:0OH908XIuDk42UTevFCfMMEnDdbsqNzSZBLGqjoj8S0=",
"zh:09b627b92a59848769fadfc3d8103eebf070a3800144bf03cb93f44472327f44",
"zh:0e19eb7f1047d541e50b97d7ac440ea73685d0c28ed2dbe64217cbe2f0b353e0",
"zh:20f1e70091ff3056876618c93afd79527c8995f955d153993e8fbb10fa42593b",
"zh:3920315be565976f5a9da0803f8f1a108221282f1bc9e21160669d793af4e0c8",
"zh:5133b2a2027428d3926eaa3bcdc0ab65a75305d54f6cbc7c54cce746dfddbc8e",
"zh:514c588b04738d55c9e6b1c5a4e3fb1ef4041dfb809d2268f14d29839ecfba59",
"zh:55916034025b4833bd6a93bb5948dfb7d00830a772ef74fa70898c6f7de0da0b",
"zh:58b485a4b0bde56ca7032fca0ac09cb4c6ff2579e06cf4f2a311bb695baa0df1",
"zh:75ebe44e6da4108af5fe02a9cd99ed0189985b486a2a56594952098d161ceb3d",
"zh:a8c870bfb5958a3d49d639db3c2761cfb453c6a6f95e5e241890922b11c8a4d8",
"zh:c2df2748b9be47a6c3e613667c64874d5cb1d3fbb5b985d6eb9c3af5af298454",
"zh:c3059668f4f81e450e555a47310e7042044b335f131643262fd51f9ba96f2214",
"zh:ddbbb23910666f70cf4a9587ba57b45f5f58c53a1f8d7cee1d6f90a3d3ef38ef",
"zh:e430138b897edcd3b64e4309db34ac872526187782626aa074d8d1647a0abfa8",
"zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
]
}
provider "registry.terraform.io/hashicorp/local" {
version = "2.5.3"
hashes = [
"h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=",
"zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927",
"zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e",
"zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf",
"zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d",
"zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09",
"zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f",
"zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1",
"zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6",
"zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47",
"zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82",
]
}

127
proxmox/pihole/terraform/main.tf Normal file
View File

@@ -0,0 +1,127 @@
terraform {
required_providers {
proxmox = {
source = "bpg/proxmox"
version = "0.86.0"
}
}
}
data "local_file" "ssh_public_key" {
filename = var.ssh_pubkey_path
}
data "local_file" "proxmox_ssh_private_key" {
filename = var.proxmox_ssh_privkey_path
}
provider "proxmox" {
endpoint = var.proxmox_endpoint
username = var.proxmox_user
password = var.proxmox_password
insecure = true
ssh {
agent = true
username = var.proxmox_ssh_username
private_key = trimspace(data.local_file.proxmox_ssh_private_key.content)
}
}
resource "proxmox_virtual_environment_download_file" "ubuntu_cloud_image" {
content_type = "import"
datastore_id = var.proxmox_datastore
node_name = var.proxmox_node
url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
file_name = "noble-server-cloudimg-amd64.qcow2"
}
resource "proxmox_virtual_environment_file" "user_data_cloud_config" {
content_type = "snippets"
datastore_id = var.proxmox_datastore
node_name = var.proxmox_node
source_raw {
data = <<-EOF
#cloud-config
hostname: ${var.vm_name}
timezone: America/Santiago
users:
- default
- name: ubuntu
groups:
- sudo
shell: /bin/bash
ssh_authorized_keys:
- ${trimspace(data.local_file.ssh_public_key.content)}
sudo: ALL=(ALL) NOPASSWD:ALL
package_update: true
packages:
- qemu-guest-agent
- net-tools
- curl
runcmd:
- systemctl enable qemu-guest-agent
- systemctl start qemu-guest-agent
- echo "done" > /tmp/cloud-config.done
EOF
file_name = "user-data-cloud-config.yaml"
}
}
resource "proxmox_virtual_environment_vm" "pihole" {
name = var.vm_name
node_name = var.proxmox_node
agent { enabled = true }
cpu {
cores = 1
type = "host"
}
memory {
dedicated = 2048
}
disk {
datastore_id = var.vm_datastore
import_from = proxmox_virtual_environment_download_file.ubuntu_cloud_image.id
interface = "virtio0"
iothread = true
discard = "on"
size = 20
}
initialization {
datastore_id = var.vm_datastore
ip_config {
ipv4 {
address = "${var.vm_address}/${var.vm_cidr}"
gateway = var.vm_gateway
}
}
user_data_file_id = proxmox_virtual_environment_file.user_data_cloud_config.id
}
network_device {
bridge = var.bridge
}
}
resource "local_file" "ansible_inventory" {
filename = "${path.module}/../ansible/inventory.yaml"
content = <<-YAML
all:
children:
servers:
hosts:
${var.vm_name}:
ansible_host: ${var.vm_address}
ansible_user: ubuntu
ansible_ssh_private_key_file: ${var.ssh_privkey_path}
YAML
depends_on = [proxmox_virtual_environment_vm.pihole]
}

14
proxmox/pihole/terraform/terraform.tfvars.example Normal file
View File

@@ -0,0 +1,14 @@
proxmox_endpoint = "https://192.168.1.1:8006"
proxmox_user = "terraform@pam"
proxmox_password = "secret"
proxmox_node = "pve"
proxmox_ssh_username = "terraform"
proxmox_ssh_privkey_path = "/home/user/.ssh/id_ed25519"
ssh_pubkey_path = "/home/user/.ssh/id_ed25519.pub"
ssh_privkey_path = "/home/user/.ssh/id_ed25519"
vm_address = "192.168.3.1"
vm_cidr = "16"
vm_gateway = "192.168.1.1"

19
proxmox/pihole/terraform/variables.tf Normal file
View File

@@ -0,0 +1,19 @@
variable "proxmox_endpoint" {}
variable "proxmox_user" {}
variable "proxmox_password" { sensitive = true }
variable "proxmox_node" { default = "pve" }
variable "proxmox_ssh_username" {}
variable "proxmox_ssh_privkey_path" {}
variable "proxmox_datastore" { default = "local" }
variable "vm_name" { default = "pihole" }
variable "vm_datastore" { default = "local-vm" }
variable "vm_address" {}
variable "vm_cidr" {}
variable "vm_gateway" {}
variable "ssh_pubkey_path" {}
variable "ssh_privkey_path" {}
variable "bridge" { default = "vmbr0" }

3
stacks/.gitignore vendored
View File

@@ -1,2 +1 @@
*.env .env
!*.env.example

13
stacks/actual.yml
View File

@@ -1,13 +0,0 @@
services:
actual_server:
image: docker.io/actualbudget/actual-server:latest
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.13
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/actual:/data
restart: unless-stopped
networks:
macvlan_192_168_3_0:
external: true

1
stacks/actual/.env.example Normal file
View File

@@ -0,0 +1 @@
DATA_DIR="./data"

15
stacks/actual/compose.traefik.yml Normal file
View File

@@ -0,0 +1,15 @@
services:
actual_server:
labels:
- "traefik.enable=true"
- "traefik.http.routers.actual-web.rule=Host(`actual.skrd.fun`)"
- "traefik.http.routers.actual-web.entrypoints=web"
- "traefik.http.routers.actual-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.actual.rule=Host(`actual.skrd.fun`)"
- "traefik.http.routers.actual.entrypoints=websecure"
- "traefik.http.routers.actual.tls.certresolver=cf"
- "traefik.http.services.actual.loadbalancer.server.port=5006"
networks:
default:
name: traefik
external: true

6
stacks/actual/compose.yml Normal file
View File

@@ -0,0 +1,6 @@
services:
actual_server:
image: ghcr.io/actualbudget/actual:v26.2.0
restart: unless-stopped
volumes:
- ${DATA_DIR}:/data

15
stacks/adguard.yml
View File

@@ -1,15 +0,0 @@
version: "3"
services:
adguard:
image: adguard/adguardhome
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/adguard/data:/opt/adguardhome/work
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/adguard/config:/opt/adguardhome/conf
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.1
networks:
macvlan_192_168_3_0:
external: true

6
stacks/ddns.env.example
View File

@@ -1,6 +0,0 @@
PUID=1000
PGID=1000
IP6_PROVIDER=none
CF_API_TOKEN=EXAMPLE
DOMAINS=local.skrd.fun,direct.skrd.fun
PROXIED=false

14
stacks/ddns.yml
View File

@@ -1,14 +0,0 @@
version: "3"
services:
cloudflare-ddns:
image: favonia/cloudflare-ddns:latest
restart: always
cap_add:
- SETUID
- SETGID
cap_drop:
- all
read_only: true
security_opt:
- no-new-privileges:true
env_file: stack.env

2
stacks/ddns/.env.example Normal file
View File

@@ -0,0 +1,2 @@
API_TOKEN=secret
DOMAINS=

12
stacks/ddns/compose.yml Normal file
View File

@@ -0,0 +1,12 @@
services:
cloudflare-ddns:
image: favonia/cloudflare-ddns:1.15.1
restart: always
user: "1000:1000"
read_only: true
cap_drop: [all]
security_opt: [no-new-privileges:true]
environment:
CLOUDFLARE_API_TOKEN: ${API_TOKEN}
DOMAINS: ${DOMAINS}
PROXIED: false

6
stacks/feed-the-beast.env.example
View File

@@ -1,6 +0,0 @@
TYPE="AUTO_CURSEFORGE"
CF_API_KEY="SECRET"
CF_PAGE_URL="https://www.curseforge.com/minecraft/modpacks/create-astral"
MEMORY="10G"
EULA="TRUE"
ONLINE_MODE="TRUE"

18
stacks/feed-the-beast.yml
View File

@@ -1,18 +0,0 @@
version: "3"
services:
feed_the_beast:
image: itzg/minecraft-server
tty: true
stdin_open: true
restart: unless-stopped
env_file: stack.env
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/feed-the-beast/data:/data
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.5
networks:
macvlan_192_168_3_0:
external: true

43
stacks/fireflyiii.yml
View File

@@ -1,43 +0,0 @@
services:
app:
image: fireflyiii/core:latest
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/firefly_iii/upload:/var/www/html/storage/upload
env_file: stack.env
networks:
firefly_iii:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.15
depends_on:
- db
db:
image: mariadb:lts
restart: unless-stopped
env_file: stack.env
networks:
- firefly_iii
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/firefly_iii/db:/var/lib/mysql
cron:
#
# To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable and replace REPLACEME below
# The STATIC_CRON_TOKEN must be *exactly* 32 characters long
#
image: alpine
restart: unless-stopped
env_file: stack.env
command: sh -c "
apk add tzdata
&& ln -s /usr/share/zoneinfo/${TZ} /etc/localtime
| echo \"0 3 * * * wget -qO- http://app:8080/api/v1/cron/REPLACEME;echo\"
| crontab -
&& crond -f -L /dev/stdout"
networks:
- firefly_iii
networks:
firefly_iii:
macvlan_192_168_3_0:
external: true

14
stacks/gametabs.yml
View File

@@ -1,14 +0,0 @@
version: "3"
services:
gametabs:
image: nginx
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/gametabs:/usr/share/nginx/html
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.6
networks:
macvlan_192_168_3_0:
external: true

1
stacks/gametabs/.env.example Normal file
View File

@@ -0,0 +1 @@
DATA_DIR=./gametabs

16
stacks/gametabs/compose.traefik.yml Normal file
View File

@@ -0,0 +1,16 @@
services:
gametabs:
labels:
- "traefik.enable=true"
- "traefik.http.routers.gametabs-web.rule=Host(`gametabs.skrd.fun`)"
- "traefik.http.routers.gametabs-web.entrypoints=web"
- "traefik.http.routers.gametabs-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.gametabs.rule=Host(`gametabs.skrd.fun`)"
- "traefik.http.routers.gametabs.entrypoints=websecure"
- "traefik.http.routers.gametabs.tls.certresolver=cf"
- "traefik.http.services.gametabs.loadbalancer.server.port=80"
networks:
default:
name: traefik
external: true

6
stacks/gametabs/compose.yml Normal file
View File

@@ -0,0 +1,6 @@
services:
gametabs:
image: nginx
restart: unless-stopped
volumes:
- ${DATA_DIR}:/usr/share/nginx/html

8
stacks/gitea.env.example
View File

@@ -1,8 +0,0 @@
CONFIG_FILE=/config/config.yaml
GITEA_INSTANCE_URL="https://git.skrd.fun"
GITEA_RUNNER_REGISTRATION_TOKEN="SECRET"
GITEA_RUNNER_NAME="gitea-runner-1"
POSTGRES_PASSWORD="SECRET"
POSTGRES_DB="gitea"
POSTGRES_USER="gitea"

46
stacks/gitea.yml
View File

@@ -1,46 +0,0 @@
version: "3"
services:
gitea:
image: gitea/gitea:latest
restart: unless-stopped
environment:
- USER_UID=1000
- USER_GID=1000
networks:
gitea_network:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.3
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/gitea/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- gitea-db
runner:
image: gitea/act_runner:latest
restart: unless-stopped
env_file: stack.env
networks:
- gitea_network
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/gitea/runner/config:/config
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/gitea/runner/data:/data
- /var/run/docker.sock:/var/run/docker.sock
depends_on:
- gitea
gitea-db:
image: postgres:16
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/gitea/db:/var/lib/postgresql/data
networks:
- gitea_network
env_file: stack.env
networks:
gitea_network:
macvlan_192_168_3_0:
external: true

12
stacks/gitea/.env.example Normal file
View File

@@ -0,0 +1,12 @@
DATA_ROOT="./gitea"
USER_UID=1000
USER_GID=1000
GITEA_RUNNER_REGISTRATION_TOKEN=sercret
POSTGRES_PASSWORD=secret
POSTGRES_DB=gitea
POSTGRES_USER=gitea
INSTANCE_URL="https://gitea.skrd.fun"

30
stacks/gitea/compose.traefik.yml Normal file
View File

@@ -0,0 +1,30 @@
services:
gitea:
networks:
- internal
- proxy
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.gitea-web.rule=Host(`git.skrd.fun`)"
- "traefik.http.routers.gitea-web.entrypoints=web"
- "traefik.http.routers.gitea-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.gitea.rule=Host(`git.skrd.fun`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls.certresolver=cf"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
runner:
networks:
- internal
gitea-db:
networks:
- internal
networks:
internal:
name: gitea
proxy:
name: traefik
external: true

38
stacks/gitea/compose.yml Normal file
View File

@@ -0,0 +1,38 @@
services:
gitea:
image: gitea/gitea:1.25.4
restart: unless-stopped
environment:
USER_UID: ${USER_UID}
USER_GID: ${USER_GID}
volumes:
- ${DATA_ROOT}/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- gitea-db
runner:
image: gitea/act_runner:0.2.13
restart: unless-stopped
environment:
CONFIG_FILE: /config/config.yaml
GITEA_INSTANCE_URL: "${INSTANCE_URL}"
GITEA_RUNNER_NAME: "gitea-runner-1"
GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
volumes:
- ${DATA_ROOT}/runner/config:/config
- ${DATA_ROOT}/runner/data:/data
- /var/run/docker.sock:/var/run/docker.sock
depends_on:
- gitea
gitea-db:
image: postgres:16
restart: unless-stopped
volumes:
- ${DATA_ROOT}/db:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
POSTGRES_DB: "${POSTGRES_DB}"
POSTGRES_USER: "${POSTGRES_USER}"

8
stacks/immich.env.example
View File

@@ -1,8 +0,0 @@
DB_PASSWORD=SECRET
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
POSTGRES_PASSWORD=SECRET
POSTGRES_USER=postgres
POSTGRES_DB=immich
POSTGRES_INITDB_ARGS="--data-checksums"

51
stacks/immich.yml
View File

@@ -1,51 +0,0 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/immich/upload:/usr/src/app/upload
- /etc/localtime:/etc/localtime:ro
networks:
immich_network:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.12
env_file: stack.env
depends_on:
- redis
- database
immich-machine-learning:
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
restart: unless-stopped
networks:
immich_network:
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/immich/model-cache:/cache
redis:
image: docker.io/redis:6.2-alpine@sha256:328fe6a5822256d065debb36617a8169dbfbd77b797c525288e465f56c1d392b
restart: unless-stopped
networks:
immich_network:
healthcheck:
test: redis-cli ping || exit 1
database:
image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
restart: unless-stopped
networks:
immich_network:
env_file: stack.env
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/immich/postgres:/var/lib/postgresql/data
healthcheck:
test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
interval: 5m
start_interval: 30s
start_period: 5m
command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
networks:
immich_network:
macvlan_192_168_3_0:
external: true

9
stacks/immich/.env.example Normal file
View File

@@ -0,0 +1,9 @@
UPLOAD_LOCATION=./immich/upload
DB_DATA_LOCATION=./immich/postgres
TZ=America/Santiago
IMMICH_VERSION=v2
DB_PASSWORD=secret
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

34
stacks/immich/compose.traefik.yml Normal file
View File

@@ -0,0 +1,34 @@
services:
immich-server:
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.immich-web.rule=Host(`photos.skrd.fun`)"
- "traefik.http.routers.immich-web.entrypoints=web"
- "traefik.http.routers.immich-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.immich.rule=Host(`photos.skrd.fun`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.routers.immich.tls.certresolver=cf"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
networks:
- internal
- proxy
immich-machine-learning:
networks:
- internal
redis:
networks:
- internal
database:
networks:
- internal
networks:
internal:
name: immich
proxy:
name: traefik
external: true

49
stacks/immich/compose.yml Normal file
View File

@@ -0,0 +1,49 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- .env
depends_on:
- redis
- database
restart: unless-stopped
healthcheck:
disable: false
immich-machine-learning:
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
restart: always
healthcheck:
disable: false
redis:
image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
healthcheck:
test: redis-cli ping || exit 1
restart: always
database:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: "--data-checksums"
DB_STORAGE_TYPE: "HDD"
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/immich2/extra:/tmp/extra
shm_size: 128mb
restart: always
healthcheck:
disable: false
volumes:
model-cache:

21
stacks/jellyfin.yml
View File

@@ -1,21 +0,0 @@
version: '3.5'
services:
jellyfin:
image: jellyfin/jellyfin
restart: 'unless-stopped'
user: 1000:1000
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/jellyfin/config:/config
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/jellyfin/cache:/cache
- /srv/dev-disk-by-uuid-5392509c-5ccd-4d8f-8719-60064c4404d6/anime:/data/anime
- /srv/dev-disk-by-uuid-c7a96ee1-c08e-48b1-8afa-79c75380d142/movies:/data/movies
- /srv/dev-disk-by-uuid-c7a96ee1-c08e-48b1-8afa-79c75380d142/tv:/data/tv
environment:
- JELLYFIN_PublishedServerUrl=https://jelly.skrd.fun
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.11
networks:
macvlan_192_168_3_0:
external: true

6
stacks/jellyfin/.env.example Normal file
View File

@@ -0,0 +1,6 @@
DATA_ROOT="./data"
MEDIA_ANIME="./anime"
MEDIA_MOVIES="./movies"
MEDIA_TV="./tv"
SERVER_URL="localhost"

15
stacks/jellyfin/compose.traefik.yml Normal file
View File

@@ -0,0 +1,15 @@
services:
jellyfin:
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin-web.rule=Host(`jelly.skrd.fun`)"
- "traefik.http.routers.jellyfin-web.entrypoints=web"
- "traefik.http.routers.jellyfin-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.jellyfin.rule=Host(`jelly.skrd.fun`)"
- "traefik.http.routers.jellyfin.entrypoints=websecure"
- "traefik.http.routers.jellyfin.tls.certresolver=cf"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
networks:
default:
name: traefik
external: true

13
stacks/jellyfin/compose.yml Normal file
View File

@@ -0,0 +1,13 @@
services:
jellyfin:
image: jellyfin/jellyfin:10
restart: "unless-stopped"
user: 1000:1000
volumes:
- ${DATA_ROOT}/config:/config
- ${DATA_ROOT}/cache:/cache
- ${MEDIA_ANIME}:/data/anime
- ${MEDIA_MOVIES}:/data/movies
- ${MEDIA_TV}:/data/tv
environment:
- JELLYFIN_PublishedServerUrl=${SERVER_URL}

2
stacks/kavita/.env.example Normal file
View File

@@ -0,0 +1,2 @@
DATA_ROOT="/srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker"
MEDIA_BOOKS="/srv/dev-disk-by-uuid-5392509c-5ccd-4d8f-8719-60064c4404d6/books"

16
stacks/kavita/compose.traefik.yml Normal file
View File

@@ -0,0 +1,16 @@
services:
kavita:
labels:
- "traefik.enable=true"
- "traefik.http.routers.books-web.rule=Host(`books.skrd.fun`)"
- "traefik.http.routers.books-web.entrypoints=web"
- "traefik.http.routers.books-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.books.rule=Host(`books.skrd.fun`)"
- "traefik.http.routers.books.entrypoints=websecure"
- "traefik.http.routers.books.tls.certresolver=cf"
- "traefik.http.services.books.loadbalancer.server.port=5000"
networks:
default:
name: traefik
external: true

7
stacks/kavita/compose.yml Normal file
View File

@@ -0,0 +1,7 @@
services:
kavita:
image: jvmilazz0/kavita:0.7.8
restart: unless-stopped
volumes:
- "${MEDIA_BOOKS}:/books"
- "${DATA_ROOT}/kavita/config:/kavita/config"

24
stacks/minecraft.yml
View File

@@ -1,24 +0,0 @@
version: "3"
services:
mc:
image: itzg/minecraft-server
tty: true
stdin_open: true
restart: unless-stopped
environment:
type: "paper"
eula: "true"
online_mode: "false"
enable_autopause: "true"
jvm_dd_opts: "disable.watchdog:true"
debug_autopause: "true"
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/minecraft/data:/data
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.9
networks:
macvlan_192_168_3_0:
external: true

11
stacks/miniflux/.env.example Normal file
View File

@@ -0,0 +1,11 @@
POSTGRES_USER="miniflux"
POSTGRES_PASSWORD="secret"
POSTGRES_DB="miniflux"
DATA_DIR="./database"
DATABASE_URL="postgres://miniflux:secret@db/miniflux?sslmode=disable"
ADMIN_USERNAME="ryuuji"
ADMIN_PASSWORD="secret"
BASE_URL="https://rss.skrd.fun"

25
stacks/miniflux/compose.traefik.yml Normal file
View File

@@ -0,0 +1,25 @@
services:
miniflux:
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.rss-web.rule=Host(`rss.skrd.fun`)"
- "traefik.http.routers.rss-web.entrypoints=web"
- "traefik.http.routers.rss-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.rss.rule=Host(`rss.skrd.fun`)"
- "traefik.http.routers.rss.entrypoints=websecure"
- "traefik.http.routers.rss.tls.certresolver=cf"
- "traefik.http.services.rss.loadbalancer.server.port=8080"
networks:
- internal
- proxy
db:
networks:
- internal
networks:
internal:
name: miniflux
proxy:
name: traefik
external: true

25
stacks/miniflux/compose.yml Normal file
View File

@@ -0,0 +1,25 @@
services:
miniflux:
image: miniflux/miniflux:2.2.17
depends_on:
db:
condition: service_healthy
environment:
DATABASE_URL: ${DATABASE_URL}
RUN_MIGRATIONS: 1
CREATE_ADMIN: 1
ADMIN_USERNAME: ${ADMIN_USERNAME}
ADMIN_PASSWORD: ${ADMIN_PASSWORD}
BASE_URL: ${BASE_URL}
db:
image: postgres:18
environment:
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
volumes:
- ${DATA_DIR}:/var/lib/postgresql
healthcheck:
test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}"]
interval: 10s
start_period: 30s

22
stacks/navidrome.yml
View File

@@ -1,22 +0,0 @@
version: "3"
services:
navidrome:
image: deluan/navidrome:latest
user: 1000:1000
restart: unless-stopped
environment:
ND_MUSICFOLDER: "/store"
ND_BASEURL: "https:://navi.skrd.fun"
ND_AUTOIMPORTPLAYLISTS: false
ND_ENABLESHARING: true
networks:
macvlan_192_168_3_0:
ipv4_address: 192.168.3.10
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/navidrome:/data
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/music:/store/music:ro
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/ost:/store/ost:ro
networks:
macvlan_192_168_3_0:
external: true

4
stacks/navidrome/.env.example Normal file
View File

@@ -0,0 +1,4 @@
BASE_URL="http://localhost"
DATA_DIR="./data"
MEDIA_MUSIC="./music"

16
stacks/navidrome/compose.traefik.yml Normal file
View File

@@ -0,0 +1,16 @@
services:
navidrome:
labels:
- "traefik.enable=true"
- "traefik.http.routers.navidrome-web.rule=Host(`navi.skrd.fun`)"
- "traefik.http.routers.navidrome-web.entrypoints=web"
- "traefik.http.routers.navidrome-web.middlewares=redirect-to-https@file"
- "traefik.http.routers.navidrome.rule=Host(`navi.skrd.fun`)"
- "traefik.http.routers.navidrome.entrypoints=websecure"
- "traefik.http.routers.navidrome.tls.certresolver=cf"
- "traefik.http.services.navidrome.loadbalancer.server.port=4533"
networks:
default:
name: traefik
external: true

10
stacks/navidrome/compose.yml Normal file
View File

@@ -0,0 +1,10 @@
services:
navidrome:
image: deluan/navidrome:0.60.3
user: 1000:1000
restart: unless-stopped
environment:
ND_BASEURL: ${BASE_URL}
volumes:
- ${DATA_DIR}:/data
- ${MEDIA_MUSIC}:/music:ro

19
stacks/npm.yml
View File

@@ -1,19 +0,0 @@
version: '3.8'
services:
nginx-proxy-manager:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
volumes:
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/npm/data:/data
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/npm/letsencrypt:/etc/letsencrypt
- /srv/dev-disk-by-uuid-1582b800-1f82-407a-a3aa-3460b3390127/docker/npm/ca.crt:/etc/my_ca.crt
networks:
proxy_network:
macvlan_192_168_3_0:
ipv4_address: 192.168.103.2
networks:
proxy_network:
external: true
macvlan_192_168_3_0:
external: true

Some files were not shown because too many files have changed in this diff Show More