Add Omni resources including Namespace, HelmRelease, PVC, and HTTPRoutes

ams0 · ams0 · commit 78d1cb381271 · 2026-03-11T21:31:43.000+01:00
diff --git a/ToDeploy.md b/ToDeploy.md
@@ -1,48 +1,59 @@
 ## To deploy
 
-- [X] Minecraft server
 - [ ] Move Minecraft to use [PaperMC](https://papermc.io/)
 - [ ] https://tailscale.com/docs/features/kubernetes-operator
-- [X] Dashy
-- [X] XWiki
-- [X] OpenWebUI
-- [X] stakater
 - [ ] BookStack
+- [ ] Omni https://github.com/siderolabs/omni/tree/main/deploy/helm/omni
+- [ ] https://alarik.io/docs
+- [ ] https://ozone.apache.org/
 - [ ] https://github.com/owncloud/helm-charts
 - [ ] n8n task runners https://docs.n8n.io/hosting/configuration/task-runners/#external-mode
-- [X] https://go-vikunja.github.io/helm-chart/
-- [X] https://goauthentik.io
 - [ ] https://github.com/openSUSE/osem/blob/master/INSTALL.md
-- [X] Keycloak
 - [ ] Nextcloud
 - [ ] Keycloak theme
-- [X] Openclaw
-- [X] Coder https://github.com/Azure-Samples/aks-kueue-sample/blob/main/coder/
-- [X] https://github.com/open-webui/helm-charts or https://www.librechat.ai
-- [X] Grafana/Prometheus
-- [X] Forgejo 
-- [X] Mailer and runners for ForgeJo
 - [ ] RustFS (https://s3.vps.kubespaces.cloud/)
 - [ ] Element Community (https://github.com/element-hq/ess-helm)
 - [ ] Pretalx
-- [X] Supabase
-- [ ] Harbor
 - [ ] Velero+restic to replace Borg
 - [ ] Restic Browser
 - [ ] Borgwarehouse / Backrest / https://github.com/axelhahn/restic-http-server-for-synology
-- [ ] https://github.com/hackmdio/CodiMD
 - [ ] https://github.com/documenso/documenso
 - [ ] Sync secrets from external source (like forgejo-smtp secret)
 - [ ] Cloud lab velero forgejo recovery lint traefik
 - [ ] BorgUI and alerts
-- [ ] ArgoCD w/ agents
 - [ ] Argo Workflows, Notifications
-- [ ] Garage Operator: https://github.com/rajsinghtech/garage-operator 
+- [ ] Garage Operator: https://github.com/rajsinghtech/garage-operator
 - [ ] NocoDB or Baserow (Airtable alternative)
 - [ ] Appwrite (Supabase alternative)
 - [ ] https://github.com/OvenMediaLabs/OvenMediaEngine
 - [ ] temporal.io
 - [ ] Kubernetes login with github
 
+## Deployed
+
+- [X] Actual (budgeting)
+- [X] Authentik
+- [X] ArgoCD w/ agents
+- [X] Coder
+- [X] CodiMD
+- [X] Dashy
+- [X] Forgejo
+- [X] Mailer and runners for Forgejo
+- [X] Garage (S3)
+- [X] Grafana/Prometheus
+- [X] Harbor
+- [X] Keycloak
+- [X] Matrix
+- [X] Minecraft server
+- [X] n8n
+- [X] Openclaw
+- [X] OpenWebUI
+- [X] Rancher
+- [X] Stakater
+- [X] Supabase
+- [X] Vikunja
+- [X] Waha
+- [X] XWiki
+
 
-More stuff to consider: https://github.com/MaximUltimatum/talos-homelab/
+More stuff to consider: https://github.com/MaximUltimatum/talos-homelab/
diff --git a/gitops/apps/kustomization.yaml b/gitops/apps/kustomization.yaml
@@ -19,4 +19,5 @@ resources:
   - xwiki
   - coder
   - vikunja
-  - waha
+  - waha
+  - omni
diff --git a/gitops/apps/omni/kustomization.yaml b/gitops/apps/omni/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - omni-ocirepository.yaml
+  - omni-pvc.yaml
+  - omni-helmrelease.yaml
+  - omni-httproute.yaml
diff --git a/gitops/apps/omni/namespace.yaml b/gitops/apps/omni/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: omni
+  labels:
+    name: omni
diff --git a/gitops/apps/omni/omni-helmrelease.yaml b/gitops/apps/omni/omni-helmrelease.yaml
@@ -0,0 +1,94 @@
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: omni
+  namespace: flux-system
+  labels:
+    app: omni
+spec:
+  interval: 10m
+  timeout: 5m
+  targetNamespace: omni
+  chartRef:
+    kind: OCIRepository
+    name: omni-ocirepo
+    namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    config:
+      account:
+        id: "" # TODO: generate once with `uuidgen` — never change after first deploy
+        name: cloudlab
+      auth:
+        auth0:
+          enabled: false
+        oidc:
+          enabled: true
+          providerURL: "https://authentik.vps.kubespaces.cloud/application/o/omni/"
+          clientID: "94lsxFCUSYJxZTun1wgvMKgFCXm6ExJxn7vKhAZH" # TODO: create OAuth2 app in Authentik
+          # clientSecret loaded via additionalConfigSources below
+        initialUsers:
+          - alessandro.vozza@linux.com
+      services:
+        api:
+          advertisedURL: "https://omni.vps.kubespaces.cloud"
+        kubernetesProxy:
+          advertisedURL: "https://omni-k8s.vps.kubespaces.cloud"
+        machineAPI:
+          advertisedURL: "https://omni-siderolink.vps.kubespaces.cloud"
+        siderolink:
+          joinTokensMode: strict
+          eventSinkPort: 8091
+          wireGuard:
+            advertisedEndpoint: "" # TODO: VPS_PUBLIC_IP:30180 (must be IP:PORT, not hostname)
+        workloadProxy:
+          enabled: false
+
+    # Load OIDC client secret from a Kubernetes secret
+    # kubectl create secret generic omni-oidc -n omni --from-literal=config.yaml=$'auth:\n  oidc:\n    clientSecret: YOUR_SECRET'
+    additionalConfigSources:
+      - existingSecret: omni-oidc
+
+    # GPG key for etcd encryption at rest
+    # (export GNUPGHOME=$(mktemp -d); gpg --batch --passphrase '' --quick-gen-key x; gpg -a --export-secret-key > omni.asc; rm -rf $GNUPGHOME)
+    # kubectl create secret generic omni-etcd-encryption-key -n omni --from-file=omni.asc=omni.asc
+    etcdEncryptionKey:
+      existingSecret: omni-etcd-encryption-key
+
+    persistence:
+      enabled: true
+      size: 10Gi
+
+    gatewayApi:
+      ui:
+        enabled: true
+        hostnames:
+          - omni.vps.kubespaces.cloud
+        parentRefs:
+          - name: gateway
+            namespace: istio-system
+            sectionName: http
+      kubernetesProxy:
+        enabled: true
+        hostnames:
+          - omni-k8s.vps.kubespaces.cloud
+        parentRefs:
+          - name: gateway
+            namespace: istio-system
+            sectionName: http
+      siderolinkApi:
+        enabled: true
+        hostnames:
+          - omni-siderolink.vps.kubespaces.cloud
+        parentRefs:
+          - name: gateway
+            namespace: istio-system
+            sectionName: http
diff --git a/gitops/apps/omni/omni-ocirepository.yaml b/gitops/apps/omni/omni-ocirepository.yaml
@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: omni-ocirepo
+  namespace: flux-system
+spec:
+  interval: 10m
+  layerSelector:
+    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+    operation: copy
+  url: oci://ghcr.io/siderolabs/charts/omni
+  ref:
+    semver: ">= 2.5.10"
diff --git a/gitops/apps/omni/omni-pvc.yaml b/gitops/apps/omni/omni-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: omni-pvc
+  namespace: omni
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi
diff --git a/ingress/traefik/dynamic.yml b/ingress/traefik/dynamic.yml
@@ -18,6 +18,27 @@ http:
     # Each domain gets its own router so Traefik can request
     # individual certs dynamically when new domains are added.
     # To add a new domain: copy any router block, change the name and Host.
+    omni-siderolink:
+      rule: "Host(`omni-siderolink.vps.kubespaces.cloud`)"
+      entryPoints: [websecure]
+      service: backend-service
+      tls:
+        certResolver: letsencrypt
+
+    omni-k8s:
+      rule: "Host(`omni-k8s.vps.kubespaces.cloud`)"
+      entryPoints: [websecure]
+      service: backend-service
+      tls:
+        certResolver: letsencrypt
+
+    omni:
+      rule: "Host(`omni.vps.kubespaces.cloud`)"
+      entryPoints: [websecure]
+      service: backend-service
+      tls:
+        certResolver: letsencrypt
+
     waha:
       rule: "Host(`waha.vps.kubespaces.cloud`)"
       entryPoints: [websecure]

-Original file line number
+Diff line change
   - xwiki
   - coder
   - vikunja
 -  - waha
 +  - waha
 +  - omni