refine snapcast deployment so piping between containers works

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.71
+    newTag: v0.107.69
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.31.0"
+    newTag: "2.30.0"

apps/avahi-reflector/daemonset.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: avahi-reflector
+spec:
+  selector:
+    matchLabels:
+      app: avahi-reflector
+  template:
+    metadata:
+      labels:
+        app: avahi-reflector
+    spec:
+      hostNetwork: true
+      containers:
+        - name: avahi-reflector
+          image: avahi-reflector
+          securityContext:
+            privileged: true   # required for raw sockets
+          env:
+            - name: REFLECTOR_ENABLE_REFLECTOR
+              value: "yes"
+            - name: SERVER_ALLOW_INTERFACES
+              # use all interfaces
+              value: ""

apps/avahi-reflector/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: avahi
+
+resources:
+  - namespace.yaml
+  - daemonset.yaml
+  # - configmap.yaml
+
+images:
+  - name: avahi-reflector
+    newName: flungo/avahi
+    newTag: latest

apps/avahi-reflector/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

apps/finance/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.12.0
+    newTag: 25.11.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 10.3.1
+    version: 10.2.0
     valuesFile: grafana.values.yaml

apps/homeassistant/base/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 images:
   - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2025.12"
+    newTag: "2025.11"
 
 configurations:
   # allow nameReference to work with different mentions of the same resource as well

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.44.2"
+    newTag: "1.44.1"

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.11.5
+    newTag: 10.11.3

apps/minecraft/kustomization.yaml

@@ -18,7 +18,7 @@ images:
     newTag: java21
   - name: alpine
     newName: alpine
-    newTag: "3.23"
+    newTag: "3.22"
   - name: rsync
     newName: eeacms/rsync
     newTag: "3.0"

apps/musicassistant/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: musicassistant
+spec:
+  selector:
+    matchLabels:
+      app: musicassistant
+  template:
+    metadata:
+      labels:
+        app: musicassistant
+    spec:
+      containers:
+      - name: musicassistant
+        image: musicassistant
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        # ports required for musicassistant
+        - containerPort: 80
+        - containerPort: 443
+        - containerPort: 8097
+        - containerPort: 8095
+          # name: musicassistant-web
+        - containerPort: 1704
+        - containerPort: 1705
+
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data

apps/musicassistant/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: musicassistant-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`musicassistant.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: musicassistant-web
+      port: musicassistant-web
+
+  tls:
+    certResolver: default-tls

apps/musicassistant/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: musicassistant
+
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  # - ingress.yaml
+
+
+images:
+  - name: musicassistant
+    newName: ghcr.io/music-assistant/server
+    newTag: 2.6.0

apps/musicassistant/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/musicassistant/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/musicassistant/service.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: musicassistant
+spec:
+  selector:
+    app: musicassistant
+  ports:
+  - port: 80
+    targetPort: 80
+    name: required-first
+  - port: 443
+    targetPort: 443
+    name: required-second
+  - port: 8097
+    targetPort: 8097
+    name: required-third
+  - port: 8095
+    targetPort: 8095
+    name: required-fourth
+  - port: 1704
+    targetPort: 1704
+    name: required-fifth
+  - port: 1705
+    targetPort: 1705
+    name: required-sixth
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: musicassistant-web
+spec:
+  selector:
+    app: musicassistant
+  ports:
+  - port: 8095
+    targetPort: 8095
+    name: musicassistant-web
+  type: ClusterIP

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.20.2"
+    newTag: "2.20.0"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 24.0.8
+    version: 24.0.0
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v3.7.0
+    newTag: v3.5.0
     newName: ghcr.io/mealie-recipes/mealie

apps/snapcast/README.md

@@ -0,0 +1,7 @@
+### Credentials
+Since this tries to run in an isolated network we can't rely on autodiscover and the spotify client needs to be tied to an account.
+
+This is achieved by registering the client on startup via oauth. The logs show an url which should be copied to a local browser. The successfull redirect needs to be forwarded back to the client, hence run:
+```
+k port-forward deployments/snapcast 5588:5588
+```

apps/snapcast/deployment.yaml

@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: snapcast
+spec:
+  selector:
+    matchLabels:
+      app: snapcast
+  template:
+    metadata:
+      labels:
+        app: snapcast
+    spec:
+      containers:
+      - name: snapcast
+        image: snapcast
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        # snapcast ports
+        - containerPort: 1704
+        - containerPort: 1705
+        # web interface
+        - containerPort: 1780
+        - containerPort: 1788
+        # avahi
+        - containerPort: 5353
+        # airplay
+        - containerPort: 3689
+        - containerPort: 5000
+        - containerPort: 6000
+        - containerPort: 6001
+        - containerPort: 6002
+        - containerPort: 6003
+        - containerPort: 6004
+        - containerPort: 6005
+        - containerPort: 6006
+        - containerPort: 6007
+        - containerPort: 6008
+        - containerPort: 6009
+        - containerPort: 7000
+        - containerPort: 319
+        - containerPort: 320
+
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        - name: AIRPLAY_CONFIG_ENABLED
+          value: "1"
+        - name: SPOTIFY_CONFIG_ENABLED
+          value: "0"
+        - name: PIPE_CONFIG_ENABLED
+          value: "1"
+        - name: PIPE_PATH
+          value: /mnt/pipe/spotipipe
+        - name: PIPE_SOURCE_NAME
+          value: "Librespot"
+        # - name: PIPE_MODE
+        #   value: "read"
+        - name: PIPE_EXTRA_ARGS
+          # see https://github.com/badaix/snapcast/issues/1248
+          value: "&sampleformat=44100:16:2"
+        volumeMounts:
+        - name: pipe
+          mountPath: /mnt/pipe
+
+
+      - name: librespot
+        image: librespot
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        - containerPort: 5588 # default port for oauth callback
+        env:
+        - name: BACKEND
+          value: pipe
+        - name: DEVICE
+          value: /mnt/pipe/spotipipe
+        - name: DISABLE_DISCOVERY
+          value: Y
+        - name: AUTOPLAY
+          value: Y
+        # - name: VERBOSE
+        #   value: Y
+        # - name: PASSTHROUGH
+        #   value: Y
+        - name: ADDITIONAL_ARGUMENTS
+          value: "--enable-oauth --cache /cache"
+        volumeMounts:
+        - name: pipe
+          mountPath: /mnt/pipe
+        - name: credentials-cache
+          mountPath: /cache
+      volumes:
+      - name: pipe
+        emptyDir: {}
+      - name: credentials-cache
+        persistentVolumeClaim:
+          claimName: cache

apps/snapcast/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: snapcast
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - pvc.yaml
+  - snapcast-config.secret.yaml
+
+images:
+  - name: snapcast
+    newName: ghcr.io/firefrei/snapcast/server
+    newTag: latest
+  - name: librespot
+    newName: giof71/librespot
+    newTag: latest

apps/snapcast/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/snapcast/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: cache
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/snapcast/service.yaml

@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: snapcast
+spec:
+  selector:
+    app: snapcast
+  ports:
+  - name: snapcast
+    port: 1704
+    targetPort: 1704
+    protocol: TCP
+  - name: snapcast-ctl
+    port: 1705
+    targetPort: 1705
+    protocol: TCP
+  - name: web
+    port: 1780
+    targetPort: 1780
+    protocol: TCP
+  - name: web-alt
+    port: 1788
+    targetPort: 1788
+    protocol: TCP
+  # - name: airplay-3689
+  #   port: 3689
+  #   targetPort: 3689
+  #   protocol: TCP
+  # - name: airplay-5000
+  #   port: 5000
+  #   targetPort: 5000
+  #   protocol: TCP
+  # - name: airplay-6000
+  #   port: 6000
+  #   targetPort: 6000
+  #   protocol: TCP
+  # - name: airplay-6001
+  #   port: 6001
+  #   targetPort: 6001
+  #   protocol: TCP
+  # - name: airplay-6002
+  #   port: 6002
+  #   targetPort: 6002
+  #   protocol: TCP
+  # - name: airplay-6003
+  #   port: 6003
+  #   targetPort: 6003
+  #   protocol: TCP
+  # - name: airplay-6004
+  #   port: 6004
+  #   targetPort: 6004
+  #   protocol: TCP
+  # - name: airplay-6005
+  #   port: 6005
+  #   targetPort: 6005
+  #   protocol: TCP
+  # - name: airplay-6006
+  #   port: 6006
+  #   targetPort: 6006
+  #   protocol: TCP
+  # - name: airplay-6007
+  #   port: 6007
+  #   targetPort: 6007
+  #   protocol: TCP
+  # - name: airplay-6008
+  #   port: 6008
+  #   targetPort: 6008
+  #   protocol: TCP
+  # - name: airplay-6009
+  #   port: 6009
+  #   targetPort: 6009
+  #   protocol: TCP
+  # - name: airplay-7000
+  #   port: 7000
+  #   targetPort: 7000
+  #   protocol: TCP
+  # - name: airplay-319
+  #   port: 319
+  #   targetPort: 319
+  #   protocol: UDP
+  # - name: airplay-320
+  #   port: 320
+  #   targetPort: 320
+  #   protocol: UDP
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.5

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.2.1
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.2.0
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: dns
     newName: git.kluster.moll.re/remoll/dns
-    newTag: 0.0.2-build.122
+    newTag: 0.0.2-build.113

infrastructure/metallb-system/kustomization.yaml

@@ -7,6 +7,6 @@ resources:
   # - namespace.yaml
   # namespace is already included in the remote kustomization
   # - github.com/metallb/metallb/config/native?ref=v0.15.2
-  - github.com/metallb/metallb/config/frr?ref=v0.15.3
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
   - ipaddresspool.yaml
 

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.87.1
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.86.2
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -24,7 +24,7 @@ helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.49.0
+    version: 6.46.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.27.0
+    version: 0.26.1
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 37.4.0
+    version: 37.3.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts