Update Helm release prometheus-node-exporter to v4.49.1

Reviewed-on: #621

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -4,3 +4,6 @@ main.key
 
 # Helm Chart files
 charts/
+
+# Nix and local environment files
+.direnv/

README.md

@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
 
 
-### Initial setup
+### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,21 +27,61 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
-#### Recap
-- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+## Setup instructions
+1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
     ```bash
     kubectl apply -k infrastructure/sealedsecrets
     kubectl apply -f infrastructure/sealedsecrets/main.key
     kubectl delete pod -n kube-system -l name=sealed-secrets-controller
     ```
-- install argocd
+1. install argocd and the app-of-apps bundled with it
     ```bash
     kubectl apply -k infrastructure/argocd
     ```
-- wait...
+
+
+> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). Some might fail to apply right away. Since the argo application is managed through argo as well, they will become available as all kluster applications are rolled out.
 
 
 ### Adding an application
-todo
+1. todo
+1. Don't forget to add the status badge.
 
 
+
+### Status
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
+
+
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
+

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.62
+    newTag: v0.107.67
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.23.0"
+    newTag: "2.29.0"

apps/code-server/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: code-server
 images:
   - name: code-server
     newName: ghcr.io/coder/code-server
-    newTag: 4.100.2-fedora
+    newTag: 4.104.3-fedora

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.1.3"
+    newTag: "7.3.0"

apps/finance/actualbudget.deployment.yaml

@@ -21,6 +21,9 @@ spec:
           env:
             - name: TZ
               value: Europe/Berlin
+          envFrom:
+            - secretRef:
+                name: actualbudget-oidc
           volumeMounts:
             - name: data
               mountPath: /data

apps/finance/kustomization.yaml

@@ -9,8 +9,9 @@ resources:
   - actualbudget.deployment.yaml
   - actualbudget.service.yaml
   - actualbudget.ingress.yaml
+  - oidc.sealedsecret.yaml
 
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.5.0
+    newTag: 25.10.0

apps/finance/oidc.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: actualbudget-oidc
+  namespace: finance
+spec:
+  encryptedData:
+    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
+    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
+    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
+    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
+    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: actualbudget-oidc
+      namespace: finance

apps/grafana/grafana.values.yaml

@@ -85,13 +85,14 @@ grafana.ini:
   auth.generic_oauth:
     name: Authelia
     enabled: true
-    allow_sign_up: true
+    icon: signin
     client_id: grafana
     client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
     scopes: openid profile email groups
+    empty_scopes: false
     auth_url: https://auth.kluster.moll.re/api/oidc/authorization
     token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
     tls_skip_verify_insecure: true
     auto_login: true
     use_pkce: true

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 9.2.1
+    version: 10.1.2
     valuesFile: grafana.values.yaml

apps/homeassistant/base/deployment.yaml

@@ -34,4 +34,3 @@ spec:
         - name: config-dir
           persistentVolumeClaim:
             claimName: config
-

apps/homeassistant/base/ingress.yaml

@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant-ingress
+  name: homeassistant
 spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
+    - match: Host(`homeassistant.kluster.moll.re`)
       middlewares:
-        - name: homeassistant-websocket
+        - name: homeassistant
       kind: Rule
       services:
-        - name: homeassistant-web
+        - name: homeassistant
           port: 8123
   tls:
     certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant-websocket
+  name: homeassistant
 spec:
   headers:
     customRequestHeaders:

apps/homeassistant/base/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
+  - ingress.yaml
+  - pvc.yaml
+  - service.yaml
+  - deployment.yaml
+  - servicemonitor.yaml
+
+
+images:
+  - name: homeassistant
+    newName: homeassistant/home-assistant
+    newTag: "2025.10"
+
+configurations:
+  # allow nameReference to work with different mentions of the same resource as well
+  - name_reference.yaml

apps/homeassistant/base/name_reference.yaml

@@ -0,0 +1,32 @@
+nameReference:
+  # Tie target Service metadata.name to other ingressroute fields
+  - kind: Service
+    fieldSpecs:
+      # rewrite the backend service name
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/services/name
+
+      # adapt the ingress url
+      # DOES NOT WORK
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: /spec/routes/match
+        create: false
+
+      # adapt any middleware names
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/middlewares/name
+
+  # Update deployment volume mounts according to name changes in the sealedsecret
+  - kind: SealedSecret
+    fieldSpecs:
+      # volume mounts:
+      - kind: Deployment
+        group: apps
+        version: v1
+        path: spec/template/spec/volumes/secret/secretName

apps/homeassistant/base/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant-web
+  name: homeassistant
   labels:
     app: homeassistant
 spec:

apps/homeassistant/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: homeassistant
-
-resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - service.yaml
-  - deployment.yaml
-  - servicemonitor.yaml
-
-
-images:
-  - name: homeassistant
-    newName: homeassistant/home-assistant
-    newTag: "2025.5"

apps/homeassistant/overlays/flat/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home.kluster.moll.re`)

apps/homeassistant/overlays/flat/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+namespace: homeassistant
+nameSuffix: -flat
+labels:
+  - includeSelectors: true
+    pairs:
+      env: flat
+
+patches:
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home-house.kluster.moll.re`)

apps/homeassistant/overlays/house/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - wireguard-config.sealedsecret.yaml
+
+
+namespace: homeassistant
+nameSuffix: -house
+labels:
+  - includeSelectors: true
+    pairs:
+      env: house
+
+images:
+  - name: wireguard
+    newName: ghcr.io/linuxserver/wireguard
+    newTag: "1.0.20250521"
+
+patches:
+  - path: wireguard.deployment.yaml
+    target:
+      kind: Deployment
+      name: homeassistant
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
+  name: wireguard-config
+  namespace: homeassistant
+spec:
+  encryptedData:
+    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: wireguard-config-house
+      namespace: homeassistant
+    type: Opaque

apps/homeassistant/overlays/house/wireguard.deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homeassistant
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard-sidecar
+        image: wireguard
+        securityContext:
+          privileged: true
+
+
+        volumeMounts:
+        - name: wireguard-config
+          mountPath: /config/wg_confs/
+
+      volumes:
+      - name: wireguard-config
+        secret:
+          secretName: wireguard-config
+
+

apps/immich/immich.postgres.yaml

@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgresql
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
+
+  bootstrap:
+    initdb:
+      owner: immich
+      database: immich
+      secret:
+        name: postgres-password
+      dataChecksums: true
+      postInitApplicationSQL:
+        - ALTER USER immich WITH SUPERUSER;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS "cube";
+        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  storage:
+    size: 5Gi
+    storageClass: nfs-client
+
+  monitoring:
+    enablePodMonitor: true
+
+  resources:
+    limits:
+      cpu: 2
+      memory: 1024Mi
+    requests:
+      cpu: 50m
+      memory: 512Mi

apps/immich/kustomization.yaml

@@ -4,7 +4,7 @@ resources:
   - namespace.yaml
   - ingress.yaml
   - pvc.yaml
-  - postgres.yaml
+  - immich.postgres.yaml
   - postgres.sealedsecret.yaml
   - servicemonitor.yaml
 
@@ -22,9 +22,9 @@ helmCharts:
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.132.3
+    newTag: v1.144.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.132.3
+    newTag: v1.144.1
 
 
 patches:

apps/immich/values.yaml

@@ -6,7 +6,7 @@
 
 env:
   REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgres-rw"
+  DB_HOSTNAME: "immich-postgresql-rw"
   DB_USERNAME:
     valueFrom:
       secretKeyRef:
@@ -56,7 +56,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 10Gi
+      size: 200Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/kitchenowl/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: kitchenowl
 images:
   - name: kitchenowl
     newName: tombursch/kitchenowl
-    newTag: v0.6.15
+    newTag: v0.7.4

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.40.0"
+    newTag: "1.44.1"

apps/minecraft/job.yaml

@@ -42,7 +42,7 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY

apps/minecraft/kustomization.yaml

@@ -18,7 +18,7 @@ images:
     newTag: java21
   - name: alpine
     newName: alpine
-    newTag: "3.21"
+    newTag: "3.22"
   - name: rsync
     newName: eeacms/rsync
-    newTag: "2.6"
+    newTag: "3.0"

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.11.0
+    newTag: v2.14.0

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.16.2"
+    newTag: "2.18.4"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 21.1.8
+    version: 23.2.2
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v2.8.0
+    newTag: v3.3.2
     newName: ghcr.io/mealie-recipes/mealie

apps/stump/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: stump
 images:
   - name: stump
     newName: aaronleopold/stump
-    newTag: "0.0.10"
+    newTag: "0.0.12"

default.nix

@@ -0,0 +1,15 @@
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+  name = "infra-shell";
+
+
+  buildInputs = with pkgs; [
+    kubeseal
+    yq
+    jq
+  ];
+
+  env = {
+  };
+
+}

infrastructure/argocd/argocd.configmap.yaml

@@ -3,9 +3,9 @@ kind: ConfigMap
 metadata:
   name: argocd-cm
 data:
+  # enable helm when using kustomize
   kustomize.buildOptions: --enable-helm
-  # switch to annotation based resource tracking as per
-  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
-  application.resourceTrackingMethod: annotation+label
   # disable admin user - use oidc
   admin.enabled: "false"
+  # show neat status badges in the UI or as embeds
+  statusbadge.enabled: "true"

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v2.13.3
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/authelia/README.md

@@ -6,5 +6,3 @@ k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pb
 ```
 
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
-
-}cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY

infrastructure/authelia/authelia-oidc.sealedsecret.yaml

@@ -7,14 +7,16 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
-    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
-    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
-    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
-    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
-    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
-    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
-    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
+    client.actualbudget: AgCfKgV0f3oEB+04Xk7qg3bE4omsXQQxTga/5O38714RNSSeYtcBTcVGbfu7jfOmuVOX8OXQPIWhcHRVnHdOyd75mEpAmYyHw5M9RfqoRHWRPgzu2lBIMHxrFXoy6Vr5b7UXAfpdKPcQddERFqSy+uklO1npwbPHh1YMdDxLGA7l+HQo+rVnShiUbFUJeuhUoZAsluO4awBWmG1jyiwVRjlc1MiQFnvy/lZHnJJ7PAGgZxtoKfG2zATuFaJXHLPuqhV/fPclegKCbY6FdaQUmiQqZqH2tQlsTNOykozY1/VToLJNQw4RZwhS1mA3giM+zPOzdwWtxZg9LLWzm9oZjNbJU0LZX6E2tmQ6vZl9UBRfVx5Vx1ermNTLmWkvFybX870uRRRTF79N83v5q2QbM4hVgSkKZwwplzodoveoQYtpPL6oJZFxiPBR8VoBtIG4gUHUiMmdKJg4Fs+IsvECOE87JmZHsHVgRhNcCi6uZrobk1D9CFCsyIJog0h/U5zxlMHc8GcTR+p+zvkawooD12n4TB/2lOm+yL3/VPx0j8Y1H2xuYk7EorMGsYiQ+Q//HNZkpGsTRlVYTQp3napvsbvBK+Ekh8tPHsIWGSQueK8k6T1wTAUQaBhWdorwKre8oeBpdG4BgX17MRmeYs+vkJx/sKGhBMHIx2wFROXZIWBzo37nHHRIfjSFkIcxZGwPLoQ9YSVn44XCRQh7zE2ZRzQKV+d5Hs70GHiaFwzZs+sd7wDd211p027AYdLIiDpBwO/f0bgQzvBMBNWZ83InGa9s+r2LruxVj+wD0dnw73SgEiZR2TvFdBpj2T+YMCcMnIVwulpm94cWhEIFgRQwIKmwdfTWB7HdN84Jf+bi4SgRcvpRVw==
+    client.argocd: AgDArHcXxQMBvhBY0hwOYqal31JlFna7GQg6s41+XAUTsb1ahFeCCFfLv/WI993y5NMvH3CpnJtPFiunc1JT4yxLTZROKVrSrwjjrDKRuVt57lb8lz6gtNR3ucvpTXjqEO6FXTNL6w+j+ZIWybrdBUheQCj41aYvQ7TP3lTyLcxQSL/UpWLKnXW+jkibqsDqVVaGG26gNniOBg2GoI1bWHvZ+ZUBy/eZflOH9lgLo1vMNw9M+fP9EeuU3CDj717zS00n8X/vDAxGJF7AIVbllqNRX0NilgKwYCfoS79fuUYhzYSI1jYMPCQvdlTLa4bA88wfkomZstVgVtWxel0IaulDOnDgKYonkRqlCDYw+oMC/d4k3xKTEugfV9Ihx9isYZYv4+31v6QTkXFFj5VQlWSDDPllmV1XWfAdRDwT6CVhg5tKWOPWb/YHZJz+idDPEGn5qiklJ7Ar9YEJfuzkfAjCaq4XBjDFKyTfZGeTuLjbq6HnigKlQFdSNOG64QzBbQu6tmR5otipQDbquxhzGRDdCP3uPFy/CXNOn1J2UrGZamWdQzrO6lQQBypFHGAV4ltRrQcp72krPIeL4hPLr8WbUwbUFtESSN2aOYWqs+hnAmcxqy3hqEcouky1K+drgqsAgTp4EkRRwnQXHGrAi3bEeoPqoS8Ec0xfgs529322acKyjOLEObqtNuC/3hg5kNL2fu58MJeoJ1Q2U9pvbAsCrpHJHd9DmHbVwC6orBfL1P50USvTsFm+UikdJpfesLxEGDiUKSU2Al6ntHzswcB304J2Zdb8zrIZaFXs+bmSUoT1Ml+/PqySZc04Fgt7uNBh48nKsl2OlmdGKiKXafxTVBewYWJd6uDkji375i+Ji/5rEg==
+    client.gitea: AgAs4pl1bs8nqBsenxhMHhq9mtCcbjMZpNeTNyUrWSRzUkJx9uoiQJ+plJgQ/xHl7vDbslLxDPF8Rx6rEns+tDdbaIp9LU8YADHqMbctV2PB+pp4wTkWSUamquA6Khrrgr4xQxCbzthL9/2QQJOBBNJsIFcJDfyFZZm5lzsrzVZ+lCpWmnSH5YUpdVAHbjyOZw+Oi+tnO6Zg/8lxjKEf20SFVCAKDly/VK6j8SvT9jzisBHL+uoxZ58fyKd7C3KWVJegBIuT9pIvxXc0jg+t5ltcXQcHyZfmk4mH8nWN96KWDTe42IRA6EGyxiruppAzQoKuNKisUj7grqsE3YbCmq3g4/Mp43FUlz0gqOmI4pwaV8BckVbyMNEyMxKGar6ymz5nWit5hX86U1jmvMrUcKsROJlm7DsyC258PgLwFspnbBhTEN7fJ7iEsTR4PdGPUTQ9rH3F42t3aYe3kCXXNz1wovwKmSt5Ex5S7UenVKfuZ2HvsAuZ+nZYW7zgVW9kf1PLz5jE5NYoieatmdk2O7gBUcXQBNqVwgvCmuiJbyv6jIz+Cyn753tOSZRqgrGH1i8B7EUzKsaQJcTTc+SZY7HVw9ohilirC4vrgSx9amYMCGxkOKhBEPVYSRN4N+Yt1A+ZsmiToAsotiQ4uzYY+UXQ3hAuiPzP7vJXDHAdPQZASwI4UdiMa26d3f/FqJJthnFnkg9GFvD4T2dqduepYsnxqN9t3IDYgQYba0vAIzmdmZW8UlyBise9yb5RfsJRmwvxG7yykRAoM+j2Fs070kBCF+ohTg9pWOEmry7HNu+fvMyUMKja7Bjm3gE+MAjgXquoILIW+ZeZud15yb0NkV4LQ78K/8YuYiGXC3aD+hv5IJmJjQ==
+    client.grafana: AgBemPXmz04WdYAS9DerbbkoriqYiFwvvZfNYdfXo9eMwMGBnO17jTwlsKx5Vq+dB0UVqm16HutV41bB3BAtp8cSeFw0kivMdzVC2I0ZZ+bDWNzEKhCSdcH01THvvuoaeNWYusPuS8/cjbk/I551Im3EMSkryVjrErgvV5barf7Ox8+z5pSob+LfGGs0JJL5kOawGYEdjj3PGrYo/X0zA6EculcVyFiUJGf8ueQMshoTfUEUc0sR0LA+/ZN6LHG1ZjQ/Q6H8firrogf7luJ7Hp3S7vc/WFI3L1aE5E+u/tlDo6AelIgha+3lWtQXwwTiiiWRoxRDxU5pfJ5lUwHY9dxWefRNpQaNDZdthykLV2MZp9RW4Vfq8sZ7AnnSVQVH0wtsZLQG/m5EDb/mbBAnxLVZOFntyVtKQZ5UnMPbs0G/7tD0alkVBBR8iE4S+QMyUq9QVkGU6Tso3W1VrUdz8UfKIXGaf2eyeOzqNqXM81uYpRw4Tmv0XrDPrQ2QZ5ASd1VAnHxu9NoNOj4FEGvIJb9PaZAOHwYV8VW00uoqWYuabbo1T4uSAKijsf4ekdCvCfkBzcJsF3r8FWHbsCKcCLYp1mm7bQS5YUfa3FRWGQGbZvHI1SYrCTJzB2eZvTieIRts25CsQrBu4OOQGEpaUBLLOSaKi9Aa4yN01vOpxCcBtDdz9MdcNFFpt5hvHBTOef/lBvXOtLF1NGuFqczhpptfAM0zKqqdoYNs0d15vErdTaaUYliaW1xj01XJYwB6L4JM+YQZaOIfMv0APGzylcM+h9jCfQa2k5Kkgmz6RJoupdknddiji7LfZsmSSegE5a1DGrME7QDXa5hJ5OjSw7+5FIByaTcRBwpusr4mY0Q4q0DAdw==
+    client.kitchenowl: AgA9v0zIBn//VmvUgu4yLhALCWP7Wiu0Q4lPgrqXOIoLYdAX1jh+7cpI4oIKak+MBtCfxnd+os5xFEG0Mvg8qs6/RxgoCFcEyzjHfU65sNol0/x8ZTXQSHLpyZxy85fK4oKaHyvolDW3nnpoy2nrw+NJvwQTPquqVzCMswAE37MoNiU64OXyJU1VJFDo9VNwzzxhz02xczEk5Gh/LeVDPk+EPKzXupct0BM4GN3PZnbsvO/46i8alem7D9JIPvB7+tWzmXnXKoQ+3os6Xbwqu4wDH1cJZYFd/VOXQWk3badO3QYlewF0qEbSLLxXnvdJbR3JaA6IMiZJQUDTypZ5Z84phdAzG9v+e7DGlr4bHPEGV3DZPWCg2rWHjleDuCNJlIQP+9Di/piiTRe6rsz9lI1oncYCVPwjxtS2tpKZO6HJ7mMiENivsRLpAq1xiclCbQ6UERpBb+fmTv8a6GCIer6GzhaioN/MLthaMRuIGTjKlwaeC5EPswY5Cj5pYWXB6xhGRjTtvMyKEtWt8VbOtgESkgq0ES0yYuP37ZcKWWJjTiVii4JR1JVW8hdmXxzw8iQ6eq27fi7fyEJhIDoozwvorohqktlzqGCnIXiUN/gUgFQiMdOSHYVh8BrFCq6MbXDq1AxnoKov2h5YBlj2FqrubVpLWIJWBp+xbTDNIFkIpmzOE8uKigeCAyMxeqEd/SLylDl/2wD4XiaMVXpUucGkWW3asNvYjXTUbxHHL610ricaaYS/0adK4YLUpgr+1jE5gNKwA5j3DliDuVZSNpppzdCvWD3vr2kTOvnJhH8IyGNAs5CZmsYNtd2VKoHHhPFXnO8iU2XT3DP6qez9vN4SCPkwhlyH7NaqMhxiYnYkcLXBIw==
+    client.linkding: AgCeuXqdo0hFi0fsV+Lu6D5nPwOj4CuqrwIEZwlIubWi9/IOsXIOgJlMAH69yLymd0yXnA36hJU2/s7sXVj7bwpahNZXqAVFhfUCjP2ab95VXpawPFg7PpnjEPlODCkDnFffOf6DqYHQ5XRWfq0fTah+I18BkZWAbhCYD9qeYMRu/juluqiExP2yi63D2l5uDJpnM9QxxzH66toqPCqvFQ1tVWGEpNh4O6k4qB+t/1vj6DBcawbjVLINoiUahHgaHmkOzidZEo2shrBrLMZu/pUcR1sSjXCMHpcbSZC6zQUFkiDQ+K+cOrz7XE/vam6oYdwf/ks+kowWDKGDAyT6k0rRU3E0tW+PDRa61ffF7c9lWQDtqNUFJL5GhB2QcG58w1lWS97vdPdHNqOIrgBM8SUGaevshwl2HLsV7q5xRidgI9m3Z+OKwCaszC0HDQD7rRCwOhutvh9IP/FR1G2NhsWscjXocM9Sf2vMLiZU2RDVx281jc/EqgeMZ958O7LLR2ZfhDOBra+N0UZlhQfFdwCMSgyPpJ5HjAPia2ecON1LHi4XPqxMEEpMxtirSNSwrcvoM8OgxcOeYpdEX96TuZxtPiKjboy8h1WBMS3QD6b5F7C7LTrHu/BlluZigA4dfDEtn95XsHS7w4lGgWy9ukCRhXdjDQo/FAekFsGSuDDyBp7ecK1bpkvXaZBiaRVjq6eV7293rZdNzsk1kzhoIg67KFzBrDx1wofvJWTN6+pQOCD+f4LEvo0cL6YqWmDSW6SnfZV9/NaBq6B61YUwOACXVhAkZ9VVAN76RPl+KHth3FNTXvStjxnHfj0SMuPByemwG1MZ2SrZ6phcIQz8TJb8TS5l/fmaDH/QfLSFvvHv5gKi1Q==
+    client.paperless: AgDVOPvaQwEd8qrzFj3NTcGW6luSiSwGLmQOGiKps7DNZYiIn4FBdII1I+J78h+B4wmZ3LnLrju8YAZ3s7G3aTvV+YJHxMhlAc7rO0wkq/IUeDzGb/AM4POusm58T2o0a8zD3z4C+iHYuE/gjT+lquUKxgKP4IYPXM6Ni7lhmewJ5PCyoznoTeYnRVwjsZomip37M8/h4hOID19HZpPWMGMXtMTWrNzgmbeiVFRTqIgqqKMnASuMfeauxfCl2u+C3OvaYxgIRyP4BNzmU7itFTcOgmaFd40V0RkaALFBiU82ot1L46FZSMeqIEjprvTIdCSlNITFweYvoYhNSA0+/kUAy21uyJFqnoFW6COT9RfHFgGvi13lk++ZrPJKIMGhK29z3dC5HsEf3Rb0W+BQ6yNFEc+LTL2/ejxZwTtymzkXftVj6U9xa+BjDjgXk45H3ZAy0uWfQnm2RGBTYN7+MEccRpYp3aMh73jH1aBQIPt0lQTwmbc5rh9pTdqu1/c3NDS6OO3H2cx/AIbyPTq0pdX9w61UHVbR+E9I25wrjqJeZIRe66MerlngFxiPJKygEnuN1Nz+1feECQoq59P4FbykI51NZO64gK647QhEsbMN1nCmKFOLcT96Rjf1JQruhgoO0ljhAB8JRK3oEBIfjJtJIC+gtFaPzgldr0spr7Q7+rmgkNJIggwMSlr+/UXycB5a58cIhS0cuAUm/UOLKCIQ3xjE9OuUdQA5J2eaO/54GSLCnSdOYuiXzEQuV2VRWST+RhRmVnSqugF6d/xWfkC/ahsXo1o8ZIWFabNaHQzYmofRybK0LNc/rN0t6z2Lv0aWdGlm32eyAcUfUIMsuSKK+rDozgAmXQdz4QEghWQm5Sz3Jw==
+    client.recipes: AgBn5K5p5Nq5D9ishKI04kDR5uCvKuy4DN3vHuFwP2j3tWqrfJ9YfWGUBL4oE1Mod4071habqZaoP7nIHCWv8eoMwke9G2qFfJ7VZi0ezXeY1aTXDxn2qnPNf4MXYIVfbD5ZSU0nVPOETuJ2vsHg1R/pnfjMU1Ha9L/67ZnDsqona4259zCF5AfCV/kVsZWslAV8YrxDSlCobm2Vw202Me6CV6rFon6HmkZlO7on7LYfBL2tCHr4N1A1EOvVvF0Ua6vDexOJ0sGVjQWADEXy31H1a3c9lDizb1xqvCIcKXAYNKKGxiNrLh7TlWsK6dUX7OLUw/uDTryKwtwOl/GYfYJEX2wy3pK9PNWjjOUrpv4VoaGOKmObXQ/pIafI27r8WPTvPvm71YgUcsi1D+71a/iMWy7tXbHpvEB13qwn6/2zUSGcuGlaC8P91jRVi6xtnTg2XcvcgjeT4bTnpAEOYUZKBLqIP9qmLvxxsuVrvQoMisylYIyJzAAE+JJSYj019dP6JKgBKV6u6rPW7AkoT3Wsxkr8bwcvNSigW3c+PtbU8fvws8VY1HHTviNOflEwZePfGw+CfroS9y7hEQH2stNHaZ+5zXwjQ9+FLH4BlzbggavfL+AYY7zE5eOrL2WrD7c/1qMcDD4rxwrNwsz3mqZ9GXpe6PCxxU/W0RtLqMERx54b17ILC4Jq++XxzDyGZdUAzA8vYLhxQo/wgeWn7df6CVOM3acWbHeLAmPBM5FWKmEC1OShpzI/LmYFbLkosaAeLOWACeyl67GIwR573juRcr/6ITuUOgGXSdR5jMiqVT9Gu7x7pDkNJN+8Q4oAXITtfEaqb23M5KhtZuaZAWZgsdRpDTgPQNB2u4sBSYQluXsR3w==
+    client.todos: AgDYtDtvcP0MXbzE60kLauD8piAsfJwSDNWexsFQyezMc9vEtq8UGza198mE59eNGeUgm8crZBqlfBbKCY2luB1dq+GrkTkZHCXztR2nKTxt0X0B7LJV4DVYwlNuji7HMJ/XR/ynfjVbGi4rtoZ7MXJYOhxoLPDCt7umwG2jIMhbmuBMf8q1EpUmgFtUxTNY7i5JQAvmlCp8rgdwdAePSHCeTS4KdPTyvaj3zN/EJSX7lnc1m1D11Xld8klBsde+zrdPjm+UJQFqKu2pHXMdM19G8tqSijNcCuCGkhjQkOrMv8VhudPs6kR2whPOXtSmr9X6gNXgZ024o79fz4hBlx47MrriVW4Th2f43Q5ISJ1KoXYgjXHMF5Dt0+C1ej/0x5DBokUapNAjBZsKEe1fBI2h52G+IFpvxMAHh6T2nIHPRaYGCznxuPeqWErachhQT5QXOI/7DBCO1h/GJo9KJ5UfkMTT6Qzis1RjU/t6cbXO2PoKrFPOjqYRcTIAQFUp7ylJ4Ep85gRidd0NONfc82y+LUZAwbzYTZ3ipckirsihFBW2IMjRD46+3LT9CzdJscr/kYPA7zbTrxxMPqPiDSKAyK3LPRm25u6cKQD8vM3+n6S5gYI2svlogR0zCcJiW8+8rIPk0kUzITioSYFUP6jXvuYNfdmq2VJPk5SNK9grMG/RM3Y4XDnWuMR8lUl3oA9/HMCviVzbJwgjSQNO4n1qsLIvuDr40KWSfaKH/UCm5zaf9jIDXzXRsXeHtSHsPfr+cN3WgsP35Do1CgHPzB0tihCfesFPAk5Jt0keg77G0O76rJsq0c4u0a4vtcSk4i40wVnb1wr+GUKXweR53LdJ7j6X/MFUs4KB4s1M4A9a0J0t9A==
+    client.vaultwarden: AgC5Gimoj3+qhKQuDijPFX1niOpCx6b4MUHgRttOPKFYz19HgFzsbkuPiCcA0AsnaGSwS2wwOTv29ywpGeFzjGRk0vBUGYX6aCbGIkjs7GRvmIovLs5uHcgPsoRp1OOAH7eDdFGGSpQN+4312pLoKKmjp9cwFIAHaAs5IavCXIv8/Fk6h2sLslHqoO0LVP24qkilqV22IxRSV5mKxg1A5FW2mDUxWwSkditJYoQ89Bze6GbI6xIHHo6NZD5uaBzf7kGZyUPz77zFPTfBatmjJpVkqdvvBnCQF65qrZAXy5Rw1trYyEgGMM0vFaBm2R9YWrLfv7w1nhNNP/Gq0/XwDrz/KywMXujjp8jbOKUJmN02RJrinYYSV8Z3AXZ80V3pgVsCjPLnaY7LHa+l+f45RW3A7B1e58qUEeb/wCPXRP0ng72gIcbX7rTl926XrzK6d2Bkw0scKIIXoYYAtJ+AbzfKJCx4FsoUxTlXslhO+HAT3aM5ofwR/dgUnbQKRnTjGa9R7FwpUOLizxfZYcjUTDT3+Bgjx1eiShxveVD+v6JjjPvmWn370J/1t8CnxL4l7ylXj9YsL+4z2j/s9xNsN1HiuETBYQcZXw9kgcXaEhLRnIsbwpsa5Hw4PODujPUkwkc+VN34V1BNq891h1JvxHq57SAKf36cLosybHTIWaIRaLktgAdntj7/5vmQGtjnEvekXk6f82CEzEaOJvqE8jV62Q1KYiOjKi1r5dXmZ3xqwsh9nuluC+YBVhbI3fxKJ/xkKiMhpkF7S9JHIOCFuyAAqf/IS08fC+Rm51U2ImECeoTiyhKAm5q+Vco81IjzRnwiBHj02Zug4FIX7n8qgWLEr/f5643y3fkCpo5uY9TSQ/HK3Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -75,7 +75,7 @@ configMap:
 
     local:
       enabled: true
-      file: /config/db.sqlite3
+      path: /config/db.sqlite3
 
 
   identity_validation:
@@ -122,8 +122,12 @@ configMap:
             - 'profile'
             - 'groups'
             - 'email'
-          userinfo_signed_response_alg: 'none'
-          token_endpoint_auth_method: 'client_secret_post'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
           consent_mode: 'implicit'
         - client_id: 'recipes'
           client_name: 'Recipes'
@@ -232,13 +236,56 @@ configMap:
           authorization_policy: 'one_factor'
           redirect_uris:
             - 'https://kitchen.kluster.moll.re/signin/redirect'
-            - kitchenowl:///signin/redirect
+            - kitchenowl:/signin/redirect
             # mobile app as well
           scopes:
             - openid
             - email
             - profile
-
+        - client_id: 'actualbudget'
+          client_name: 'Actual Budget'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.actualbudget'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://actualbudget.kluster.moll.re/openid/callback'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+        - client_id: 'vaultwarden'
+          client_name: 'VaultWarden'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.vaultwarden'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
 
   # notifier
   # is set through a secret

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.10
+    version: 0.10.47
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/cronjob.yaml

@@ -9,55 +9,15 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-
       template:
         spec:
-          initContainers:
-            - name: git
-              image: git
-              command: ["git"]
-              args:
-                - clone
-                - https://git.kluster.moll.re/remoll/dns.git
-                - /etc/octodns
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
           containers:
-            - name: octodns
-              image: octodns
+            - name: dns
+              image: dns
               env:
-                # - name: CLOUDFLARE_ACCOUNT_ID
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_ACCOUNT_ID
                 - name: CLOUDFLARE_TOKEN
                   valueFrom:
                     secretKeyRef:
                       name: cloudflare-api
                       key: CLOUDFLARE_TOKEN
-                # - name: CLOUDFLARE_EMAIL
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_EMAIL
-
-              command: ["/bin/sh", "-c"]
-              args:
-                - >-
-                  cd /etc/octodns
-                  &&
-                  pip install -r ./requirements.txt
-                  &&
-                  octodns-sync --config-file ./config.yaml --doit
-                  &&
-                  echo "done..."
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
-
-          volumes:
-          - name: octodns-config
-            emptyDir: {}
           restartPolicy: Never

infrastructure/external-dns/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: octodns
-    newName: octodns/octodns # has all plugins
-    newTag: "2025.05"
-
-  - name: git
-    newName: alpine/git
-    newTag: "v2.47.2"
+  - name: dns
+    newName: git.kluster.moll.re/remoll/dns
+    newTag: 0.0.2-build.68

infrastructure/external-dns/renovate.json

@@ -0,0 +1,14 @@
+{
+  "hostRules": [
+    {
+      "hostType": "docker",
+      "matchHost": "git.kluster.moll.re"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
+    }
+  ]
+}

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 12.0.0
+    version: 12.4.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/metallb-system/ipaddresspool.yaml

@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
   name: default
-  namespace: metallb-system
 spec:
   addresses:
     - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: empty
-  namespace: metallb-system
+  name: default
+# selector is left empty on purpose to match all IPAddressPools
+# spec:
+#   ipAddressPools:
+#   - default

infrastructure/metallb-system/kustomization.yaml

@@ -1,15 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
-  - namespace.yaml
-  - ipaddresspool.yaml
 
 namespace: metallb-system
 
+resources:
+  # - namespace.yaml
+  # namespace is already included in the remote kustomization
+  # - github.com/metallb/metallb/config/native?ref=v0.15.2
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
+  - ipaddresspool.yaml
 
-helmCharts:
-  - name: metallb
-    repo: https://metallb.github.io/metallb
-    version: 0.14.9
-    releaseName: metallb
-    valuesFile: values.yaml

infrastructure/metallb-system/namespace.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 
+  name: metallb-system
+  # labels:
+    # pod-security.kubernetes.io/enforce: privileged

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.2
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.85.0
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.38.0
+    newTag: v0.39.2
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.30.1
+    version: 6.44.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.46.1
+    version: 4.49.1
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/monitoring/loki.values.yaml

@@ -30,7 +30,6 @@ loki:
     filesystem:
       chunks_directory: /var/loki/chunks
       rules_directory: /var/loki/rules
-      admin_api_directory: /var/loki/admin
 
 minio:
   enabled: false

infrastructure/passwords/configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+data:
+  DOMAIN: "https://passwords.kluster.moll.re"
+  SIGNUPS_ALLOWED: "false"
+  INVITATIONS_ALLOWED: "true" # not sure about that?
+  ADMIN_TOKEN: null # not set in order to disable the admin interface
+  SHOW_PASSWORD_HINT: "false"
+
+  SSO_ENABLED: "true"
+  SSO_ONLY: "true" # disable email+Master password authentication
+  SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
+  # remaining SSO_ variables are set in a secret

infrastructure/passwords/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passwords
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: passwords
+  template:
+    metadata:
+      labels:
+        app: passwords
+    spec:
+      containers:
+        - name: passwords
+          image: vaultwarden
+          ports:
+            - containerPort: 80
+          envFrom:
+            - configMapRef:
+                name: config
+            - secretRef:
+                name: oidc-client-secret
+            - secretRef:
+                name: smtp-secret
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "2"
+              memory: "4Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: vaultwarden-data

infrastructure/passwords/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: passwords-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`passwords.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: passwords-web
+      port: 80
+
+  tls:
+    certResolver: default-tls

infrastructure/passwords/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - oidc.sealedsecret.yaml
+  - smtp.sealedsecret.yaml
+
+namespace: passwords
+
+images:
+  - name: vaultwarden
+    newName: vaultwarden/server
+    newTag: testing # required for SSO support

infrastructure/passwords/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/passwords/oidc.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oidc-client-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SSO_AUTHORITY: AgCuaACGgTZhrOv5FDVbPIzVusjzvbwgrogCt1kZJsX7K3G1vCWZDRzPMJ06k0Ofb5Yvby/AcKx0UyPJwWDmhlk7geuYzG1G1pBk97fNTOzac7ZheCZ68LFshalT5F6dMJBSMTRz+uG3N+MztCyvCcKUxYUIkGbopf7is12FJhEIKNbrQe4C5H2SVHSIZ8udE4Nv2HqertLVKE9Z7CNmq4KV3UBAGqJEqBkITsN/qhgpHOjY1dQKK5myL89BYERQGBdoqKSUYJOZiEoINwj161QtG/H2Y9n6xlAVO4irsva/6m1BjA/7wfWAK8RJGX8N1e9axlxgIUH7HAA/bh+riLKvQea23NRqT9bsIOy+FRNEqTWXM4FiNxtmufi9gRHnLyQhrSQAB4Zuyzelsqn+aKDlCFGkE3NLuquychWly24pLtNa+9UPPOm0BZhbOzXOObXJOzbFIoBqxcKkwen3ca1YjyqOK1DryJevjczLVuWY+NprnjlH6BgdTyqPnI+FyXhLRa3nJCafkVfNaIJW8n1+P0hKiEwGVXiyU0fR40DaueBR8F8jr5MKlEFvdwJ8/IvkfMZUsccPVYIYw08Ama+vFrJidPvicM8gNpkqoU2TnSEEjBk0eX9jd6ahiwffE9s01uQFjcr6rNL+SiYXJCpp/Ti8v0iJ4C5ID9h0GS7v4IBOUYCGRYfWrYUlp3LFMB6Saq4a4DhTlxC3cORn0ini8dUPJLq0x8n1rzGt
+    SSO_CLIENT_ID: AgB1oES4V0P53fkAch+aDkCHd6seVExYMGCU72H8Slky0j4FZ5LjtBpzGxro8sxxr/Ri2wEc1f+TC2hHWbdtUNwE3SwA0McPODS0nmmxPkSj1ZRHlVQtG9TkFdEHEeWJnECHX0y6hp/qbdYxF+2Pgz9YQtbdi8r49H2iwqfD/8/ojMzlvpdOJRdE+K/aYQ8Q08GBZCusLm8vCW+bDn6U9+aj72SCH0i91xoPWI6P9v96mcWOipK0COhYl32ypz5GLaNpyIhDccJvrAzVKZ0tGX01t6+JT2f0lZc2jjVosTk0nPhLTQdLYJC1TboPtqwzaRWwV/lm+St07cSaaxMT0CHqmoxwiqazNNgkgPzddOaduTpbid2I1rH/2jYKD8uY5UKTZYa+wxXF8KQBMCyRw2k1bdebvc20z53T0UtmRkquKXVq1WyOTZEH4bhqVapuMjyAF9vzR7Juga6lF9P68Er8lYr5MGeimslyRUVfrqdA4VTFO6sALHyrpkuYdHIwEi5ZlNb2pRzqaBFeQaaJYgiXPZMhcIRIfEOU8JQ5FWu++OzM75RF2YA1Ww70SZxHANn/K/ksyAqhZNgNFRm++6YQKfBI6z+N6ObjJPJE3J/WCHGCmVCQRa7lg73THqPXeqvfoSDgH8nTHamg8AshAKWxJuTD9mPXN4TqbxBuXuQBa9UGu/HNBMpYo2hHEHYIr42XZwScpo5qvo4RUQ==
+    SSO_CLIENT_SECRET: AgBzGmskaj/eliwfsOzdRb1PdiSJC9vLr7CyCAqQ4QmxVXOSVbiJu39ud2alH+Rx8UZ51l5Wd9CkyizyVpD8AgREk8fpE8V0cRlDplj/OmGSJ5VtNyLLJko13PkPAB2scexapZ/PxZpJEkH5ONPvzvVKC8liUoz1XoEQEWAgDkSiRqgt1aVm4v1Fvl0Ift3eJtkWkU6xGrL7OwTnV/nCaNt6w7Fd/37uWYgosGvQivcy11/QoppgVARCWrFl9ZjjsimV5i2hfoRXvd+saUuMvRfD95+POB6+hRK0fvbnARXW0ePj7W9oWG9fAhSA7S/J0cnx3zFjpJ8QBvaHYXJ+rsDHsxlqRSFUVXgMGZ5cISTzIjPWaVRv5cU3WK0vEeT2gPHsebTX6JgguzT728rZA2r7BuMZF20f89GeV21iYksABWMC1MYwGfScBPHfyDqxhgc39wxZTdH5gz9/DhuHd5+0iLjwIwqsStqVu6W1SqpuFd0psfyVNFY0DkDS28gcliRPSNF0bJEA7QIsDl5NVAl1fXEG4QrJMQx6i5BTrfI6HDYW0nq3fT/fPlSipmbUf4OWQVTrEmot5UvFDowBemZNG2Z2+vgAE0bbnQKeqAifUr7KMUGf9bmj42r8x1TLiDAyI9h5iSU/y4WHLpzxg2GNgkLQ0mKcAJ/xHnaWNti/dr2pwzCSx2Apmvps8/AVuYP+unRxmlstYl1ko+esv4agfbg/43H2/dkNeA+5iQw=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oidc-client-secret
+      namespace: passwords
+    type: Opaque

infrastructure/passwords/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: vaultwarden-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/passwords/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwords-web
+spec:
+  selector:
+    app: passwords
+  ports:
+  - port: 80
+    targetPort: 80

infrastructure/passwords/smtp.sealedsecret.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: smtp-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SMTP_FROM: AgAbhbyTdArio1wEn4/zj+AK4YaLyMtMkaPFqtVOU8UWAtEg8ko/tIXHj7nn/NVQt6sS2O9x02ShoVJC1HXqzG8reMLkzZg5cb0wtCSNpzHnLH2voH1p4KrgnHo1AznIkXoajcOHjWSYQ2/rAeCmuuEfPZ7jOWNMN2c5GWqm0mXsfqAUVxznC8sHCmIVdeHUcSaLRpwnvr2fjSrOqh+AI6df3tzCpQjfu+zf4Z2JSgvAPLCyCzj9NDDFqawpRRHinhbXk34ZYO00CrjCMqnxaBev7qXmPeDx4eTPR8WNyMzdO2Yx5vmmXNay+QhoO3eP6leQQyaGtYkQSep35wMyA46MmM+A4nQCMIFPFzBGAqle32L+u6KP5D9GWtmiGXWmdM8LOf2qt1wKiEfEZXldtc3hoKjM4NTb+0wgUXE+ZpVOQiorGta6jhAwJYhTDPO0rP6lC31G9EQ9bI5N+OpZpRK+EELNPrjEfTIfPUMg40B9DG3WK5yXTmC3DvHsCj25dnKokNvxcaZ3EhG6+k/5Z5zTESAMWuGepr34ROE5a0+zRLcOfVD9S5QwpqIxi8GJJuJvI/SAjUEPLY7pPsBLYKMl3zAGgAcI8yjAWhurgVS1DKhufTmp+hh+JypyLnCc4hUJIXaRwSJrBhezsajkxMmORboHM/d19SmUorzczo2i54LtTTTIRfAWui/EWc3QCSbfoPF6asESXD45M/yblI++EVfc
+    SMTP_HOST: AgA2KfKxxUvzHrkbL4ZDUU/TuylhnhRSm3OGVSVGt54OFJqBuh4fCA2PSPzw84Kh46zJjX8vh5fjzN00gfHfqtm0K4W1D+i+UAz/JAIcQVAjPyjgVNPZUSNSrZrV2CDRMJ8HhbVYx8xiRb2kHV+HTjtINccdxjxR+OpfMn1lb+aA3zoI8yv9s2pkVrt1+T1GepXm9KMCd+rS3XSx2w9ujkPTaT3MwY66l/1i6agpY3MtNVXt+Y8pK9yx5mhjNRAnyfbCZfHzaswKGfDetOzkfmSy3ddP22uHOjbEKp99yQPxgY0bNwGhA137oUAgzmWu0Yn9z3KFz0G2as/tKTQT5240aJlHzFSsWfbW4Y4DQahQzbF45aS61SlKAsSXzPc/kyEE/Tizuh3eACY6yfw6Zs+R1y5Y27oS5/GNyAYdk/acM/C0nO3da5qBL0ItzMKYy3kufbOvDwt9na0uWV32JusYAeP81e9LRcxO7+a/oFlmwBtFMLExXWQEHwIIwWFC6RGlF0OOfZN9mXsqr1IDlRvDWN4b/YXkFQJBpySByxQ0xYUeHOAFSacGC8rPq68Scc7djyq8mTh87plBQzo4FL/rAch61Mmlp4VVsN6hyJ50CC1qfzsZ0bcFd+lh45T+lSg5OSGrw14F/01dhS5EoH5DVv6Ug9UY+0q0w1iST+6KH4/nxTJe/lBF9eAQEU+FHvyUfVZksHua0jdCQKSxXzLp
+    SMTP_PASSWORD: AgBf3JVFUU16IVhPBcYkzZY4Qn5tNRahtsGygd8E6WGAxw90MY9/gmm+LWAEAYWc4ZNonCZiGR+JegkN4nmmxpiseYShW2Dp3rH33BOmVSAvnQttTCq4zV8jEk52Y49hmpIvEVh9nO6UVP4KujnEqz7rnL6I6dIsdkyXdDjZTnSgZlkn7FaAkfEdmpRtYH31qYOa8TyL0Q7PIzr/sJGn0YKvSH7a6w0FJ9RV0+t4pNuqLpiPltMX9B7RLLNm+TgzO37oA3cePAAtUR0PXFW8GnCB0KcAeoqZFc4UAzhwp9FX6oa7KUfvoWAq0RHzJfdAa8laVJtZcWP1lLOgyW6z7PeoUahjFscfDisp2aRl4jAIV5ZaOe3ZAYGOMFR0VyIt1vCaYKtdplSzlNVlGj8jvLY1rg5VVnXHNheaqmL1xAhB8uCCIcRKquCSU0wvd6YBKrUIDJX9d9IXkLvVfvAhdBnTLSkMHJErxWvu2dRm5HqiiGrvRjJewIz4n8rwUapykKX8ujlu9mf6sGxGuVbaOU+gZrNSIffz5GUewf38ZHcidAiPVsA6WnX93ZDVfZk0xObrzUQ+s4dmlZMrQFgvhv9Q2zJP0cEtMnGPsTy8klC4FeYVEWJyAXCyt3+2MbUZYf2H+yCOnHeRkzOejrrfvEep3BF8dzKmYnrmNClP2skZEPr2afttUo8a5CTs6gX6mckplUqHz2R4oi8/kispJf8Y
+    SMTP_PORT: AgCYfANfQLW15FIgRb0AQoBXJ7mOBh8vb59eelZdm1aX66GlXMQOIi9yAIm/2fe1xOsYui+6do4JV7xlvYBOkC8JJ3MNZLdTrepRf6ejuM8QI7V7L2lXsRrPIqLEJOfO/rn3tHnuWbfXOw7UdSvt7x2BoB1XWGZuigsa66FGkTSCMlqKhJJngeSu5VeFGpSc4LANL/XGnXNc4tQdpZN9AjpPdSUTpexgY10Zd4ppvBR174XidRabe4WDs9H6uZj92Bpht3axq0fEYRwkDiNPQLFx8kkOKCU98xV7RVyqT8UnRE/Q+eng26lGNMa+c3bbN/6MYUmSe2RU2Ymaz2AJqMOBn72Y4blDMgOdrZEz/ITiOE3zzZG890qFq/lfLueIEwd7LmBpAZMDzsKYWs+7UI1EKAfavWIO9BUoH9JbVkUgAQ7YtPXLCxUeBvMTci5YlZKmNyhMP2fWnqYvhZXJNZYJqHEbtTQGAoLuD/5xupVhB0ouguwkjRvGwLHpQncbFfybhWIflcVjAgHH3AelKyhWNDLNZatIVqWIfmEcZpj1CbNbO3Pzb/kSa57cNZc0S/N/rrYQKR8vK6vpXxrmC5MouhdH0x45ONA2GqXHehqgdNayN8T6y3xfY7UqSUbksM2smWFY0gxqBoFdEkosSyvFPpqQnAzbiJWlsQDmSTmj0dodENotHQhRdrZSEuhFGkI7MVaW
+    SMTP_SECURITY: AgApP3Kzb1qAZCassr3Q2YPCcc4zi0Py0ezXnixHF0GXVjbyEjjw+5EZ6LmtE4In+hu7HXhYKqwVi50VXmtb1sI17wK3hF8EXa+4jSZtAo/PKKKh4CkVVFqwIjyvtdnokXIJUkSHDMnIWLFG9Lblr5qib8tUyeyJH6vzbC7ai/nXZ7amGTJOx2HLKPal7QM1y7TAdeee1IFdlg05vJ/Dp2+EY13DLWwNvTr5+DgBVDGKALwHu54KnuKJCuXtptZvS1PuVL+55sEByUikU00u8ZZ0GVSNIJFHfYjtYMHWbw1gUiKvUb0GngEQ58/v8QPTsZNTDWcUjONy1ncGGQT7mrsarCZvY5EzJmWQgkzrLcEKOtQfSEJZvUAaxTa3WgvfUchhMAkLYN4Bml+wajQfnjmyKpPsMc11n4yQ0O+5pu17lIImtLiMA2+g1dSDs0mr6+AQIjOw6TDwU7u/7qM1xTUUvWBiOHaT4xnDi6TYOEHiQmGLXVz1TYCX1RX7Y0RtHkZHPTPACs+zY6VfWEaxFgK0r8+aykgRGMZLSsw+MVwzgxWt96iLQLpcO1qVhLpbOKFFdtxbava3FiSRlLdGHRX12WVcFmn2gun0SsxF2HAg5fT2Kt7aC9qSVoxH5ExtDg2uVFVpeltFPZ3UyyOLhXhwGF1VJR4tCts/MJKD0pWOpKCe92LMm4FGjt4ytWlMErbcfIbtCy1oqQ==
+    SMTP_USERNAME: AgAWUwitsOQ1MGS4mJ4UzNsLvL8sgtVuMlua6sTdukpFPfZEcZaHBgWzw+Rv0HKCn8ebjp4dfGzmr/cIiMRGRe/ZbA8f6FMQg4lIlmHIJ1EbpGmfRL9m2bJRfl/aNifxTZD6Qgk4JBzlZIlwI6d9xB51sjFAPnEJmTM4AhC7bAhtTGHWLLdn33bXW/+aBWEz465cQdksTrketrHbz6O/Z77bL6Zh+zNwS7AwoQ2bUg/g9ORjRBirYJcojEYdQeDeBNWN3VUrbWENF/ouISvgSJFKeka/G2a9lMNbraSSLlru2xZOLdM5OTald+mi+VgdTDARiJFPL5tyhdUMe+8ZpIG1t2dUEasZZernXpoHyOckijufN92zyxfdXJu0RPIkC1w9zH5ArpoYjCxIzHz6e/wMvjqfEPbE7FtMfGHlzZZCikjt2+8+sDJ/mApgqYKNo68v6773ou6P0HTrti9fM8e2jlZ/nfe3xnzQL2XNjIC5wBc+f825y0U37QduoEeDCE+R3Uihxjq7dAg0omeNeKXChUJkPaX7QvDr1TnXaqSZZgoXZ3U0WujF9Z6A34CwAjJY0ao55ggwai0w0FyFOdUDv5P/bQU+1ex5l5m94MG3KwLmy9Pb3xyDXzpB9oWIskaBzN+v1XdWSRoRzzoZHV/KFJ1HYn1m4yww/JgAxTqiq4pNPKdxDGX+pL4e7U0SmuEPIRw85PpA
+  template:
+    metadata:
+      creationTimestamp: null
+      name: smtp-secret
+      namespace: passwords
+    type: Opaque

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.24.0
+    version: 0.26.1
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "40"
+    newTag: "41"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.29.0
+    newTag: 0.32.2

infrastructure/traefik-system/configmap.yaml

@@ -71,7 +71,7 @@ data:
         address = ":9100"
 
       [entryPoints.traefik]
-        address = ":9000"
+        address = ":8080"
 
       [entryPoints.dnsovertls]
         address = ":8853"

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 35.4.0
+    version: 37.2.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/values.yaml

@@ -23,8 +23,7 @@ ingressClass:
   # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
   enabled: true
   isDefaultClass: true
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
-  fallbackApiVersion: ""
+
 
 # Activate Pilot integration
 pilot:
@@ -67,7 +66,8 @@ providers:
   kubernetesIngress:
     enabled: true
     allowExternalNameServices: true
-    ingressClass: traefik
+    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
+    # ingressClass: traefik
     # labelSelector: environment=production,method=traefik
 
 

kluster-deployments/argocd/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/argocd
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false
+      # since other argo projects are added to this namespace (but not managed in this repo), they should not be deleted even though they are not referenced in this manifest
+      selfHeal: true

kluster-deployments/argocd/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

kluster-deployments/homeassistant/application.yaml

@@ -1,18 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-application
+  name: homeassistant-flat-application
   namespace: argocd
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/homeassistant
+    path: apps/homeassistant/overlays/flat
   destination:
     server: https://kubernetes.default.svc
     namespace: homeassistant
   syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
     automated:
       prune: true
       selfHeal: true

kluster-deployments/homeassistant/house.application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homeassistant-house-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/homeassistant/overlays/house
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homeassistant
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/homeassistant/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
+- house.application.yaml

kluster-deployments/kustomization.yaml

@@ -9,6 +9,9 @@ resources:
   # - bootstrap-repo.sealedsecret.yaml already set for app of apps
   - gitea-repo.sealedsecret.yaml
 
+  # let argocd manage its own namespace
+  - argocd/
+
   # infrastructure apps
   - projects.yaml
   - nfs-provisioner/
@@ -22,6 +25,7 @@ resources:
   - external-services/
   - monitoring/application.yaml
   - authelia/
+  - passwords/
 
   # simple apps
   - adguard/

kluster-deployments/passwords/application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: passwords-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/passwords
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: passwords
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+  ignoreDifferences:
+    - group: apps/v1
+      kind: Deployment
+      jsonPointers:
+        - /metadata/annotations

kluster-deployments/passwords/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

renovate.json

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
   "extends": [
-    "local>remoll/k3s-infra//apps/immich/renovate.json"
+    "local>remoll/k3s-infra//apps/immich/renovate.json",
+    "local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
   ],
   "packageRules": [
     {