Correct imagePullPolicy in farmos deployment.yaml.

Signed-off-by: James Blair <mail@jamesblair.net>

.github/workflows/lint-test.yml

@@ -1,5 +1,5 @@
+---
 name: Lint test helm charts
-
 on: push
 
 jobs:
@@ -7,14 +7,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set up helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v3
-        with:
-          version: v3.8.1
 
       - name: Run helm lint
-        run: helm lint grocy
+        run: |
+          helm lint jellyfin
+          helm lint gitea
+          helm lint invidious

.gitignore

@@ -1 +0,0 @@
-*.~undo-tree~

farmos/Chart.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 3.4.5
+description: FarmOS Helm chart for Kubernetes
+name: farmos
+type: application
+version: "0.1.0"

farmos/README.org

@@ -0,0 +1,26 @@
+#+TITLE: Farmos farm management
+#+AUTHOR: James Blair
+#+EMAIL: mail@jamesblair.net
+#+DATE: <2025-08-23 Sat>
+
+[[https://github.com/farmos/farmos][FarmOS]] is a self hosted farm management service.
+
+I created this simplified helm chart for self-hosting farmos in a container on kubernetes. Complete the steps below to deploy this chart.
+
+#+NAME: Deploy farmos via helm
+#+begin_src tmux
+# Ensure farmos namespace exists
+sudo kubectl create namespace jamma-farmos
+
+# Create directories if they don't already exist
+mkdir --parent "/home/${USER}/Services/farmos"
+
+# Clone charts repository
+cd "/home/${USER}/Services/farmos" && git clone https://gitea.jamma.life/jmhbnz/charts.git
+
+# Ensure the repository is up to date
+cd charts/farmos && git pull
+
+# Install the chart
+helm upgrade --install -n jamma-farmos jamma-farmos .
+#+end_src

farmos/templates/deployment.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: farmos
+  labels:
+    app: farmos
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: farmos
+  template:
+    metadata:
+      labels:
+        app: farmos
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: "Always"
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          volumeMounts:
+            - name: data
+              mountPath: /opt/drupal/web/sites
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: farmos

farmos/templates/pvc.yaml

@@ -1,10 +1,15 @@
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grocy
+  labels:
+    app: farmos
+  name: farmos
 spec:
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 2Gi
+      storage: 10Gi
+  storageClassName: local-path
+  volumeMode: Filesystem

farmos/templates/service.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: farmos
+  labels:
+    app: farmos
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: farmos

farmos/values.yaml

@@ -0,0 +1,6 @@
+---
+replicaCount: 1
+
+image:
+  repository: docker.io/farmos/farmos
+  tag: "3.4.5"

gitea-runner/templates/deployment.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "gitea.fullname" . }}-runner
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+      annotations:
+        checksum/secret: {{ tpl (toYaml .Values.runner.runnerToken.value) . | sha256sum }}
+    spec:
+      containers:
+        - image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: {{ .Values.runner.instanceURL }}
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "gitea.fullname" . }}-secrets
+                  key: token

gitea/.drone.yml

@@ -1,87 +0,0 @@
----
-kind: pipeline
-type: docker
-name: lint
-
-platform:
-  os: linux
-  arch: arm64
-
-steps:
-- name: helm lint
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm lint
-
-- name: helm template
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm dependency update
-  - helm template --debug gitea-helm .
-
-- name: verify readme
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
-  - make readme
-  - git diff --exit-code --name-only README.md
-
-- name: discord
-  pull: always
-  image: appleboy/drone-discord:1.2.4
-  environment:
-    DISCORD_WEBHOOK_ID:
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
-
----
-kind: pipeline
-type: docker
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-  - tag
-
-steps:
-- name: generate-chart
-  pull: always
-  image: alpine:3.16
-  commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - apk add --no-cache curl
-    - helm dependency update
-    - helm package --version "${DRONE_TAG##v}" ./
-    - mkdir gitea
-    - mv gitea*.tgz gitea/
-    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
-- name: upload-chart
-  pull: always
-  image: plugins/s3:latest
-  settings:
-    bucket: gitea-artifacts
-    endpoint: https://ams3.digitaloceanspaces.com
-    access_key:
-      from_secret: aws_access_key_id
-    secret_key:
-      from_secret: aws_secret_access_key
-    source: gitea/*
-    target: /charts
-    strip_prefix: gitea/

gitea/Chart.yaml

@@ -1,6 +1,7 @@
+---
 apiVersion: v2
-appVersion: 1.18.0
+appVersion: 1.24.4
 description: Gitea Helm chart for Kubernetes
 name: gitea
 type: application
-version: "1.0.4"
+version: "1.1.27"

gitea/README.org

@@ -5,10 +5,13 @@
 
 [[https://github.com/go-gitea/gitea][Gitea]] is a painless self-hosted Git service.
 
-I created this simplified helm chart for self-hosting gitea in a container on ~k3s~ based on the excellent upstream [[https://gitea.com/gitea/helm-chart/][official helm chart]]. Complete the steps below to deploy this chart.
+I created this simplified helm chart for self-hosting gitea in a container on kubernetes based on the excellent upstream [[https://gitea.com/gitea/helm-chart/][official helm chart]]. Complete the steps below to deploy this chart.
 
 #+NAME: Deploy gitea via helm
-#+begin_src tmate
+#+begin_src tmux
+# Set deployment environment
+export environment=dev
+
 # Ensure gitea namespace exists
 sudo kubectl create namespace jamma-gitea
 
@@ -23,10 +26,5 @@ cd charts/gitea && git pull
 
 # Install the chart
 helm upgrade --install -n jamma-gitea jamma-gitea . \
-    --set "gitea.admin.password=${gitea_admin_password}" \
+    --set "gitea.admin.password=${gitea_admin_password}"
-    --set "ingress.hosts[0].host=gitea.jamma.dev" \
-    --set "ingress.hosts[0].paths[0].path=/" \
-    --set "ingress.hosts[0].paths[0].pathType=Prefix" \
-    --set "ingress.tls[0].hosts[0]=gitea.jamma.dev" \
-    --set "ingress.tls[0].secretName=tls-jamma-gitea"
 #+end_src

gitea/templates/config.yaml

@@ -53,14 +53,14 @@ stringData:
       env2ini::log "    + '${setting}'"
 
       if [[ -z "${section}" ]]; then
-        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
         return
       fi
 
       local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
       masked_section="${masked_section//-/_0X2D_}"
 
-      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
     }
 
     function env2ini::reload_preset_envs() {
@@ -134,15 +134,15 @@ stringData:
       #   - initially used to set up Gitea
       # Anyway, they won't harm existing app.ini files
 
-      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
 
       env2ini::log "...Initial secrets generated\n"
     }
 
-    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
     
     # MUST BE CALLED BEFORE OTHER CONFIGURATION
     env2ini::generate_initial_secrets
@@ -163,10 +163,10 @@ stringData:
       env2ini::log '  - oauth2.JWT_SECRET'
       env2ini::log '  - server.LFS_JWT_SECRET'
 
-      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset GITEA__SECURITY__SECRET_KEY
-      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset GITEA__OAUTH2__JWT_SECRET
-      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
+      unset GITEA__SERVER__LFS_JWT_SECRET
     fi
 
-    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+    environment-to-ini -o $GITEA_APP_INI   

gitea/templates/init.yaml

@@ -6,6 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  configure_gpg_environment.sh: |-
+    #!/usr/bin/env bash
+    set -eu
+
+    gpg --batch --import /raw/private.asc    
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -26,7 +31,7 @@ stringData:
     {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
 
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
@@ -35,6 +40,14 @@ stringData:
     {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
+    {{ if .Values.signing.enabled -}}
+    if [ ! -d "${GNUPGHOME}" ]; then
+      mkdir -p "${GNUPGHOME}"
+      chmod 700 "${GNUPGHOME}"
+      chown 1000:1000 "${GNUPGHOME}"
+    fi
+    {{- end }}    
+
   configure_gitea.sh: |-
     #!/usr/bin/env bash
 

gitea/templates/statefulset.yaml

@@ -39,6 +39,12 @@ spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
+      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -59,6 +65,10 @@ spec:
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -72,6 +82,8 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -110,6 +122,40 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- if .Values.signing.enabled }}
+        - name: configure-gpg
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gpg_environment.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
           command: ["/usr/sbin/configure_gitea.sh"]
@@ -130,6 +176,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.gitea.ldap }}
             {{- range $idx, $value := .Values.gitea.ldap }}
             {{- if $value.existingSecret }}
@@ -198,6 +248,8 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -209,6 +261,10 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+            {{- if not .Values.image.rootless }}
+            - name: SSH_LOG_LEVEL
+              value: {{ .Values.gitea.ssh.logLevel | quote }}
+            {{- end }}
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
             - name: GITEA_CUSTOM
@@ -219,6 +275,10 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.signing.enabled }}
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
@@ -268,6 +328,10 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -305,6 +369,15 @@ spec:
         {{- end }}
         - name: temp
           emptyDir: {}
+        {{- if .Values.signing.enabled }}
+        - name: gpg-private-key
+          secret:
+            secretName: {{ include "gitea.gpg-key-secret-name" . }}
+            items:
+              - key: privateKey
+                path: private.asc
+            defaultMode: 0100
+        {{- end }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:

gitea/values.yaml

@@ -1,3 +1,4 @@
+---
 global:
   imageRegistry: ""
   imagePullSecrets: []
@@ -8,8 +9,8 @@ replicaCount: 1
 clusterDomain: cluster.local
 
 image:
-  registry: ""
+  registry: docker.gitea.com
-  repository: gitea/gitea
+  repository: gitea
   tag: ""
   pullPolicy: Always
   rootless: true
@@ -50,7 +51,7 @@ service:
     annotations: {}
 
 ingress:
-  enabled: true
+  enabled: false
   annotations:
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
@@ -72,9 +73,16 @@ ingress:
       hosts:
         - gitea.jamma.dev
 
+serviceAccount:
+  create: false
+  name: ""
+  automountServiceAccountToken: false
+  imagePullSecrets: []
+  annotations: {}
+  labels: {}
+
 resources:
   limits:
-    cpu: 1
     memory: 1Gi
   requests:
     cpu: 100m
@@ -115,6 +123,13 @@ extraInitVolumeMounts: []
 
 initPreScript: ""
 
+initContainers:
+  resources:
+    limits: {}
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
 signing:
   enabled: false
   gpgHome: /data/git/.gnupg

grocy/Chart.yaml

@@ -1,24 +0,0 @@
-apiVersion: v2
-name: grocy
-description: A Helm chart for deploying the grocy erp system on kubernetes.
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "3.3.0"

grocy/README.org

@@ -1,14 +0,0 @@
-#+TITLE: Grocy household management
-#+AUTHOR: James Blair
-#+EMAIL: mail@jamesblair.net
-#+DATE: <2022-05-08 Sun 10:45>
-
-[[https://github.com/grocy/grocy][Grocy]] is a web-based self-hosted groceries & household management solution for your home, created by [[https://github.com/berrnd][@berrnd]].
-
-I created this helm chart for self-hosting grocy in a container on ~k3s~. Complete the steps below to deploy this chart.
-
-#+NAME: Deploy grocy via helm
-#+begin_src tmate
-# Clone charts repository
-git clone https://gitea.jamma.life/jmhbnz/charts.git
-#+end_src

grocy/templates/deployment.yaml

@@ -1,35 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: grocy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: grocy
-  template:
-    metadata:
-      labels:
-        name: grocy
-    spec:
-      containers:
-      - name: grocy
-        imagePullPolicy: Always
-        image: ghcr.io/linuxserver/grocy:latest
-        ports:
-          - containerPort: 9283
-        volumeMounts:
-          - name: db
-            mountPath: /config
-        env:
-          - name: PUID
-            value: "1000"
-          - name: PGID
-            value: "1000"
-          - name: TZ
-            value: "Pacific/Auckland"
-      volumes:
-        - name: db
-          persistentVolumeClaim:
-            claimName: grocy

grocy/templates/ingress.yaml

@@ -1,32 +0,0 @@
----
-kind: Ingress
-apiVersion: networking.k8s.io/v1
-metadata:
-  name: grocy
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      more_set_headers "X-XSS-Protection: 1";
-      more_set_headers "X-Content-Type-Options: nosniff";
-      more_set_headers "X-Frame-Options: SAMEORIGIN";
-      more_set_headers "Content-Security-Policy: frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://nextcloud.jamma.life https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self' data: https://secure.gravatar.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self'; upgrade-insecure-requests";
-      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-      more_set_headers "Permissions-Policy: geolocation=(none);midi=(self);notifications=(self);push=(self);sync-xhr=();microphone=(none);camera=(none);magnetometer=(none);gyroscope=(none);speaker=(self);vibrate=(self);fullscreen=(self);payment=(none);";
-      more_clear_headers "X-Powered-By";
-spec:
-  tls:
-    - hosts:
-        - grocy.jamma.life
-      secretName: tls-jamma-grocy
-  rules:
-  - host: grocy.jamma.life
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: grocy
-            port:
-              number: 80

grocy/templates/service.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: grocy
-spec:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-  selector:
-    name: grocy

grocy/values.yaml

@@ -1 +0,0 @@
-replicaCount: 1

invidious/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: invidious
 description: A helm chart for deploying invidious youtube front-end on kubernetes.
-version: 1.1.2
+version: 1.1.3
 appVersion: 0.20.1
 dependencies:
   - name: postgresql

invidious/README.org

@@ -0,0 +1,44 @@
+#+TITLE: Invidious video frontend
+#+AUTHOR: James Blair
+#+EMAIL: mail@jamesblair.net
+#+DATE: <2023-01-11 Wed 16:30>
+
+[[https://github.com/iv-org/invidious][Invidious]] is an open source alternative front-end to YouTube.
+
+*Key features*
+
+- Lightweight
+- No ads
+- No tracking
+- No JavaScript required
+- Light/Dark themes
+- Customizable homepage
+- Subscriptions independent from Google
+- Notifications for all subscribed channels
+- Audio-only mode (with background play on mobile)
+
+I created this simplified helm chart for self-hosting invidious in a container on ~k3s~ based on the excellent upstream [[https://github.com/iv-org/invidious/tree/master/kubernetes][official helm chart]]. Complete the steps below to deploy this chart.
+
+#+NAME: Deploy invidious via helm
+#+begin_src tmux
+# Ensure invidious namespace exists
+sudo kubectl create namespace jamma-invidious
+
+# Create directories if they don't already exist
+mkdir --parent "/home/${USER}/Services/invidious"
+
+# Clone charts repository
+cd "/home/${USER}/Services/invidious" && git clone https://invidious.jamma.life/jmhbnz/charts.git
+
+# Ensure the repository is up to date
+cd charts/invidious && git pull
+
+# Install the chart
+helm upgrade --install -n jamma-invidious jamma-invidious . \
+    --set "ingress.hosts[0].host=invidious.jamma.dev" \
+    --set "ingress.hosts[0].paths[0].path=/" \
+    --set "ingress.hosts[0].paths[0].pathType=Prefix" \
+    --set "ingress.tls[0].hosts[0]=invidious.jamma.dev" \
+    --set "ingress.tls[0].secretName=tls-jamma-invidious" \
+    --set "config.hmac_key=$(openssl rand -hex 20)"
+#+end_src

invidious/values.yaml

@@ -16,7 +16,6 @@ resources:
     cpu: 100m
     memory: 128Mi
   limits:
-    cpu: 2
     memory: 1Gi
 
 securityContext:
@@ -53,3 +52,4 @@ config:
   full_refresh: false
   https_only: false
   domain:
+  hmac_key: placeholder

jellyfin/Chart.yaml

@@ -1,6 +1,7 @@
+---
 apiVersion: v2
 name: jellyfin
 description: A helm chart for deploying the jellyfin media server on kubernetes.
 type: application
-version: 0.1.6
+version: 0.2.7
-appVersion: "10.8.8-amd64"
+appVersion: "10.10.7"

jellyfin/README.org

@@ -8,7 +8,7 @@
 I created this helm chart for self-hosting jellyfin in a container on ~k3s~. Complete the steps below to deploy this chart.
 
 #+NAME: Deploy jellyfin via helm
-#+begin_src tmate
+#+begin_src tmux
 # Ensure jellyfin namespace exists
 sudo kubectl create namespace jamma-jellyfin
 
@@ -22,8 +22,5 @@ cd "/home/${USER}/Services/jellyfin" && git clone https://gitea.jamma.life/jmhbn
 cd charts/jellyfin && git pull
 
 # Install the chart
-helm upgrade --install -n jamma-jellyfin jamma-jellyfin . \
+helm upgrade --install -n jamma-jellyfin jamma-jellyfin .
-    --set "ingress.hosts[0]=jellyfin.jamma.dev" \
-    --set "ingress.tls[0].hosts[0]=jellyfin.jamma.dev" \
-    --set "ingress.tls[0].secretName=tls-jamma-jellyfin"
 #+end_src

jellyfin/values.yaml

@@ -1,9 +1,9 @@
-# Defaults for jellyfin
+---
 replicaCount: 1
 
 image:
   repository: jellyfin/jellyfin
-  tag: 10.8.8-amd64
+  tag: 10.10.7
   pullPolicy: IfNotPresent
 
 nameOverride: ""
@@ -14,27 +14,7 @@ service:
   port: 8096
 
 ingress:
-  enabled: true
+  enabled: false
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: 10G
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      more_clear_headers "X-Powered-By";
-      more_set_headers "X-XSS-Protection: 1";
-      more_set_headers "X-Frame-Options: SAMEORIGIN";
-      more_set_headers "X-Content-Type-Options: nosniff";
-      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-      more_set_headers "Permissions-Policy: geolocation=(none);midi=(self);notifications=(self);push=(self);sync-xhr=();microphone=(none);camera=(none);magnetometer=(none);gyroscope=(none);speaker=(self);vibrate=(self);fullscreen=(self);payment=(none);";
-      more_set_headers "Content-Security-Policy: base-uri 'none'; manifest-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; font-src 'self' data: ; form-action 'self'; frame-ancestors 'self'; worker-src 'self' blob:; frame-src 'self'; img-src data: https: http:; media-src 'self' blob: data:; object-src 'none'; script-src 'self' https://www.gstatic.com; style-src 'self' 'unsafe-inline'";
-  path: /
-  hosts:
-    - jellyfin.jamma.dev
-  tls:
-   - secretName: tls-jamma-jellyfin
-     hosts:
-       - jellyfin.jamma.dev
 
 persistence:
   config:
@@ -59,7 +39,6 @@ persistence:
 
 resources:
   limits:
-   cpu: 10
     memory: 12Gi
   requests:
     cpu: 100m

wordpress/README.org

@@ -8,7 +8,7 @@
 I created this helm chart for self-hosting wordpress in a container on ~k3s~. Complete the steps below to deploy this chart.
 
 #+NAME: Deploy wordpress via helm
-#+begin_src tmate
+#+begin_src tmux
 # Ensure wordpress namespace exists
 kubectl create namespace jamma-wordpress