Personal homeserver with bridges deferred. Single host
matrix.{cluster.domain} with path-based routing: /_matrix, /_synapse,
/.well-known/matrix → Synapse; / → Element Web. Both share matrix-tls.
Stack: ananace/matrix-synapse + element-web charts, CNPG postgres
(LC_COLLATE=C), in-cluster alpine redis (no auth, replaces bitnami
subchart), mittwald-generated synapse-secrets for registration_shared/
macaroon/form_secret, custom idempotent signing-key init Job (replaces
chart's bitnami/kubectl publisher).
Sync waves:
-3 Namespace
-2 synapse-secrets (mittwald head-start), signing-key RBAC
-1 signing-key Job, CNPG Cluster, redis
0 Synapse, Element, Ingress
Synapse pod waits in extraCommands until synapse-secrets is populated,
then writes zz-overrides.yaml to override chart placeholders for the
three secret values without churning the chart-managed Secret on every
render. Resources tightened for 1-2 user scale: Synapse 256Mi/512Mi,
Postgres 64Mi/128Mi.
ArgoCD destination.namespace overridden to matrix via prototype-level
argocd overlay so both apps share the matrix ns instead of creating
unused matrix-synapse and element-web namespaces.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Extract domain, ingress class, TLS issuer, storage classes, S3 endpoints,
backup toggles, and forgejo node selector into env-data values. Each
prototype's app-data declares its subdomain alongside namespace; templates
compute host as <subdomain>.<cluster.domain>.
Schema is shape-only with safe defaults; production env-data sets values
explicitly. Backup CronJobs and external-secret prechecks gate on
backups.enabled and ocis.s3.external. Adds mkcert ClusterIssuer + precheck
Job for local-dev TLS, gated on cluster.tls.issuer == "mkcert".
forgejo argocd-deploy-key Job: REPO_URL/FORGEJO_URL moved to container env
vars to keep the script ytt-templatable; runtime behavior unchanged.
Production render verified byte-identical (excluding the deploy-key Job
env-var refactor and chart-volatile UUID ConfigMaps).
Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret
manifests reconciled by mittwald/kubernetes-secret-generator (random
strings, SSH keypair) and cert-manager Certificates (RSA private key +
self-signed CA chain). mittwald only fills empty fields, so existing
populated Secrets keep their current values across the migration.
Changes:
- New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm
repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap
safe via ArgoCD retries.
- New cert-manager selfsigned ClusterIssuer (in-cluster trust root).
letsencrypt remains for public-DNS endpoints.
- forgejo: admin-secret Job replaced with a mittwald-annotated Secret
(hex-encoded 24-char password). Deploy-key Job split: mittwald
ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and
copies privkey into the argocd repo Secret.
- ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs
replaced with opaque random hex; ocis treats user-id as opaque). IDP
RSA signing key, LDAP self-signed CA, and LDAP server cert produced
by cert-manager. Per-Deployment ytt overlay remaps volume key paths
(tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the
ocis chart mounts Secrets raw without items support. Old multi-secret
s3-secret-job replaced with a slim external-secret precheck Job that
only validates pre-created Hetzner S3/Storage Box credentials.
- Application sync-wave -10 on cert-manager and kubernetes-secret-
generator so they install before consumers. ArgoCD selfHeal handles
any residual races.
CLAUDE.md: remove the "all namespaces use privileged PodSecurity"
convention. Existing namespaces still carry the label and will be
audited separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy sidecar)
and replaces it with oCIS at drive.tr1ceracop.de. oCIS is self-contained
(no external DB/cache needed) with S3ng storage backend on Hetzner Object
Storage (bucket: ocis-tr1ceracop). Chart sourced from git via vendir since
it is not published to a Helm repo.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deploys Nextcloud using an FPM-alpine image with a Caddy sidecar for web serving.
Integrates with an external CloudNativePG cluster for PostgreSQL and a dedicated Valkey instance for caching. Configures S3-compatible object storage for file data.
Includes an initialization Job to create essential admin and Valkey secrets. Sets up Ingress for external access with automated TLS provisioning via cert-manager.
Configures local-path persistence for Nextcloud's core data to ensure state is maintained across pod restarts. Centralizes hostname configuration and migrates various Nextcloud settings to environment variables for streamlined management.
Adds ArgoCD ignore rules for `batch/Job` resource selectors and template labels, preventing spurious out-of-sync states caused by Kubernetes mutations and improving synchronization stability.
Enables CPU/memory visibility in k9s and kubectl top by deploying
the Kubernetes metrics-server via the metrics.k8s.io API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds victoria-metrics-single, grafana, kube-state-metrics, and
node-exporter to the cluster. Enables metrics endpoints on traefik,
argocd, and cert-manager for scraping. Grafana available at
grafana.tr1ceracop.de with VictoriaMetrics as default datasource.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Configures `myks` for Helm chart rendering with `ytt` overlays to manage cluster applications.
Defines prototypes and environment-specific configurations for core applications including ArgoCD, Traefik, Cert-Manager, and Forgejo.
Adds comprehensive documentation covering cluster setup, GitOps structure, and development environment.
Integrates `direnv` for environment variable management, `gitignore` for file exclusion, and `sops` for secret encryption.
Includes rendered Kubernetes manifests and ArgoCD application resources for initial deployment.
