Update Helm release loki to v6.45.2

Reviewed-on: #621

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -3,4 +3,7 @@
 main.key
 
 # Helm Chart files
-charts/
+charts/
+
+# Nix and local environment files
+.direnv/

README.md

@@ -40,11 +40,12 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     ```
 
 
-> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
+> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). Some might fail to apply right away. Since the argo application is managed through argo as well, they will become available as all kluster applications are rolled out.
+
 
 ### Adding an application
-todo
+1. todo
-
+1. Don't forget to add the status badge.
 
 
 

apps/code-server/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: code-server
 images:
   - name: code-server
     newName: ghcr.io/coder/code-server
-    newTag: 4.104.2-fedora
+    newTag: 4.104.3-fedora

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.2.0"
+    newTag: "7.3.0"

apps/finance/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.9.0
+    newTag: 25.10.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 10.0.0
+    version: 10.1.4
     valuesFile: grafana.values.yaml

apps/homeassistant/base/deployment.yaml

@@ -34,4 +34,3 @@ spec:
         - name: config-dir
           persistentVolumeClaim:
             claimName: config
-

apps/homeassistant/base/ingress.yaml

@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant-ingress
+  name: homeassistant
 spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
+    - match: Host(`homeassistant.kluster.moll.re`)
       middlewares:
-        - name: homeassistant-websocket
+        - name: homeassistant
       kind: Rule
       services:
-        - name: homeassistant-web
+        - name: homeassistant
           port: 8123
   tls:
     certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant-websocket
+  name: homeassistant
 spec:
   headers:
     customRequestHeaders:

apps/homeassistant/base/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
+  - ingress.yaml
+  - pvc.yaml
+  - service.yaml
+  - deployment.yaml
+  - servicemonitor.yaml
+
+
+images:
+  - name: homeassistant
+    newName: homeassistant/home-assistant
+    newTag: "2025.10"
+
+configurations:
+  # allow nameReference to work with different mentions of the same resource as well
+  - name_reference.yaml

apps/homeassistant/base/name_reference.yaml

@@ -0,0 +1,32 @@
+nameReference:
+  # Tie target Service metadata.name to other ingressroute fields
+  - kind: Service
+    fieldSpecs:
+      # rewrite the backend service name
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/services/name
+
+      # adapt the ingress url
+      # DOES NOT WORK
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: /spec/routes/match
+        create: false
+
+      # adapt any middleware names
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/middlewares/name
+
+  # Update deployment volume mounts according to name changes in the sealedsecret
+  - kind: SealedSecret
+    fieldSpecs:
+      # volume mounts:
+      - kind: Deployment
+        group: apps
+        version: v1
+        path: spec/template/spec/volumes/secret/secretName

apps/homeassistant/base/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant-web
+  name: homeassistant
   labels:
     app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
   ports:
   - port: 8123
     targetPort: 8123
-    name: http
+    name: http

apps/homeassistant/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: homeassistant
-
-resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - service.yaml
-  - deployment.yaml
-  - servicemonitor.yaml
-
-
-images:
-  - name: homeassistant
-    newName: homeassistant/home-assistant
-    newTag: "2025.9"

apps/homeassistant/overlays/flat/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home.kluster.moll.re`)

apps/homeassistant/overlays/flat/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+namespace: homeassistant
+nameSuffix: -flat
+labels:
+  - includeSelectors: true
+    pairs:
+      env: flat
+
+patches:
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home-house.kluster.moll.re`)

apps/homeassistant/overlays/house/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - wireguard-config.sealedsecret.yaml
+
+
+namespace: homeassistant
+nameSuffix: -house
+labels:
+  - includeSelectors: true
+    pairs:
+      env: house
+
+images:
+  - name: wireguard
+    newName: ghcr.io/linuxserver/wireguard
+    newTag: "1.0.20250521"
+
+patches:
+  - path: wireguard.deployment.yaml
+    target:
+      kind: Deployment
+      name: homeassistant
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
+  name: wireguard-config
+  namespace: homeassistant
+spec:
+  encryptedData:
+    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: wireguard-config-house
+      namespace: homeassistant
+    type: Opaque

apps/homeassistant/overlays/house/wireguard.deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homeassistant
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard-sidecar
+        image: wireguard
+        securityContext:
+          privileged: true
+
+
+        volumeMounts:
+        - name: wireguard-config
+          mountPath: /config/wg_confs/
+
+      volumes:
+      - name: wireguard-config
+        secret:
+          secretName: wireguard-config
+
+

apps/immich/immich.postgres.yaml

@@ -32,8 +32,8 @@ spec:
 
   resources:
     limits:
-      cpu: 2
+      cpu: '2'
-      memory: 1024Mi
+      memory: 1Gi
     requests:
       cpu: 50m
       memory: 512Mi

apps/immich/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - pvc.yaml
   - immich.postgres.yaml
   - postgres.sealedsecret.yaml
-  - servicemonitor.yaml
+  # - servicemonitor.yaml
 
 
 namespace: immich
@@ -15,20 +15,13 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.3
+    version: 0.10.1
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.143.1
+    newTag: v2.0.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.143.1
+    newTag: v2.0.1
-
-
-patches:
-  - path: patch-redis-pvc.yaml
-    target:
-      kind: StatefulSet
-      name: immich-redis-master

apps/immich/patch-redis-pvc.yaml

@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: immich-redis-master
-spec:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: redis-data
-    spec:
-      storageClassName: nfs-client
-      accessModes:
-        - ReadWriteMany
-      resources:
-        requests:
-          storage: 2Gi

apps/immich/values.yaml

@@ -4,26 +4,30 @@
 
 # These entries are shared between all the Immich components
 
-env:
+
-  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
+controllers:
-  DB_HOSTNAME: "immich-postgresql-rw"
+  main:
-  DB_USERNAME:
+    containers:
-    valueFrom:
+      main:
-      secretKeyRef:
+        env:
-        name: postgres-password
+          # some non-default vars
-        key: username
+          DB_HOSTNAME: "immich-postgresql-rw"
-  DB_DATABASE_NAME:
+          DB_USERNAME:
-    valueFrom:
+            valueFrom:
-      secretKeyRef:
+              secretKeyRef:
-        name: postgres-password
+                name: postgres-password
-        key: database
+                key: username
-  DB_PASSWORD:
+          DB_DATABASE_NAME:
-    valueFrom:
+            valueFrom:
-      secretKeyRef:
+              secretKeyRef:
-        name: postgres-password
+                name: postgres-password
-        key: password
+                key: database
-  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+          DB_PASSWORD:
-  IMMICH_METRICS: true
+            valueFrom:
+              secretKeyRef:
+                name: postgres-password
+                key: password
+          IMMICH_METRICS: true
 
 immich:
   metrics:
@@ -37,13 +41,15 @@ immich:
       existingClaim: data
 
 # Dependencies
-redis:
+valkey:
   enabled: true
-  architecture: standalone
+  persistence:
-  auth:
+    data:
-    enabled: false
+      enabled: true
-
+      size: 1Gi
-# Immich components
+      # Optional: Set this to persistentVolumeClaim to keep job queues persistent
+      type: emptyDir
+      accessMode: ReadWriteOnce
 
 server:
   enabled: true
@@ -56,7 +62,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 200Gi
+      size: 10Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.43.0"
+    newTag: "1.44.1"

apps/paperless/kustomization.yaml

@@ -21,7 +21,7 @@ helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 22.0.7
+    version: 23.2.2
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v3.3.1
+    newTag: v3.3.2
     newName: ghcr.io/mealie-recipes/mealie

default.nix

@@ -0,0 +1,16 @@
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+  name = "infra-shell";
+
+
+  buildInputs = with pkgs; [
+    kubeseal
+    yq
+    jq
+    kubernetes-helm-wrapped
+  ];
+
+  env = {
+  };
+
+}

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.8
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/authelia/authelia-oidc.sealedsecret.yaml

@@ -7,15 +7,16 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    client.actualbudget: AgBkqA3lAi7ofkC47b1OlqFGQQ7TG2xJ71uT33fvXCuibkOdvpGyk5eeY2YGh4gqH9zPt739Vcee+y2w+DW/rrqoIPZqO1tx2wgNVT8H/ll8eFe3+3gBIylYXe0JQ2+AhonAjJgUuOKlTfv3tOiNavZEiDM4bVqv+5QfIRAy//YNr9p+G4/grLzc3+yfvGR9DaFrldaPDsg49m0rR2KXGL417V47WL/d1/7tDdoPEYYsmd3iB+RT3L1pQlGIGpieswcI6LETb2HuS/lelL9pC3yA8zBYq1jVW43LF/E99affv3VBdVZckHn9Ad5juKICXqxphp8Op2ynOzW0QNMdMjVahWPbNAAn27cTP5RZDodTmQGbPrK49R00IjzKKU4bDxtAwOpZKVJq3ArIh3j2ETycn/FhMIpLGEAGpMl+ZO077aznJl77nOAkjSXioOkNiPh32gKg5b3jVwry//8g4vTS6AEkNQkMrRey12p42MnT+CHDwgqAu0pDVAM0QvE8g+hhX8tENNN6IalRar/mNAa/lFcm1mXPVEv0ST+7YfQPm5vMY/BNixlpPTN3qd3KJje/Ahv7xHhNWnkez/+G++/l/mUjgVUsoD9cJ+p/87JZOKLiPEbxINFNcoJfO4XJrua6BwtwiGhsdVv61myC408AiBJ7akir2IMe/b/O54xZ+H0SHKlXc1lqRyQS83awcZj9tBAQut2B4IY9yNaudQyce82qMuH/X8pEWrNxfcxgnBCbAMJ24ZU1yWNFO3wqRaWO1MxOny8iefUosZI1wjYuDyzTcMqnq4rEoKEF/Q6NV/N+Rr2NNOiXR1/NjAfsk0CKIdSrERMazzM58omAxULlCgZGTw6i29Xulj4ToLXNhKAJqw==
+    client.actualbudget: AgCfKgV0f3oEB+04Xk7qg3bE4omsXQQxTga/5O38714RNSSeYtcBTcVGbfu7jfOmuVOX8OXQPIWhcHRVnHdOyd75mEpAmYyHw5M9RfqoRHWRPgzu2lBIMHxrFXoy6Vr5b7UXAfpdKPcQddERFqSy+uklO1npwbPHh1YMdDxLGA7l+HQo+rVnShiUbFUJeuhUoZAsluO4awBWmG1jyiwVRjlc1MiQFnvy/lZHnJJ7PAGgZxtoKfG2zATuFaJXHLPuqhV/fPclegKCbY6FdaQUmiQqZqH2tQlsTNOykozY1/VToLJNQw4RZwhS1mA3giM+zPOzdwWtxZg9LLWzm9oZjNbJU0LZX6E2tmQ6vZl9UBRfVx5Vx1ermNTLmWkvFybX870uRRRTF79N83v5q2QbM4hVgSkKZwwplzodoveoQYtpPL6oJZFxiPBR8VoBtIG4gUHUiMmdKJg4Fs+IsvECOE87JmZHsHVgRhNcCi6uZrobk1D9CFCsyIJog0h/U5zxlMHc8GcTR+p+zvkawooD12n4TB/2lOm+yL3/VPx0j8Y1H2xuYk7EorMGsYiQ+Q//HNZkpGsTRlVYTQp3napvsbvBK+Ekh8tPHsIWGSQueK8k6T1wTAUQaBhWdorwKre8oeBpdG4BgX17MRmeYs+vkJx/sKGhBMHIx2wFROXZIWBzo37nHHRIfjSFkIcxZGwPLoQ9YSVn44XCRQh7zE2ZRzQKV+d5Hs70GHiaFwzZs+sd7wDd211p027AYdLIiDpBwO/f0bgQzvBMBNWZ83InGa9s+r2LruxVj+wD0dnw73SgEiZR2TvFdBpj2T+YMCcMnIVwulpm94cWhEIFgRQwIKmwdfTWB7HdN84Jf+bi4SgRcvpRVw==
-    client.argocd: AgAMeMuApKfbUmJ7qxTVuiFCoQvQnVY9e914jZJzZVoD7NNghd+GoI/kl9JuaTGd8FXC9Snp+Pdduvw88PNlR+ZLDQChh9z04BbYm0jOhu+6mxMl9klVc5kbEUILC8nA2Oad0KshnFuRt8PucbM3Adk5P8WwsH0+R0QCQqze36d5pZrNT3XsVHFzkEO69TVNmNDtde04UnlGKlXhtsZHVF0QXU+O0knNPK8Gav4NEAP0GiPSA4Hx49rpu3PzyISi0vUnW4jZQYP2hnD8arR4pAjehuHzkjt8A4sP635KaQ3kEE/6VL6eBLxzFeht31p7/owMAqvjA3Z2TwHc0Eo8zqzQdYIejDvBcm3p/iIECBJUffRRKT6ijlJnzmL8dFVRDkWGN3D2eg7xELQyoQfQLo8m8v3o5rRLDMxGin/dP/7DqL4GLRRIJMIcg3VMNqdSbi7ESlZ0zWZaFQ/3GQKy6y7ooqQS/nn+2stVo6RRuwAlPkpyTa29wOu4fjIsuQ4O9CQrBXowk+4xO1FqWVMUcPGfrLx32IcIC9iZ+QAb1goh1eADnl9D5eKJjWouStvA/i+YlRayHrIBn6XwRgcLaz3ydlZUtwt/HhheeB/N0jRRFD7Tf7SWMdOtyEnngglOmOoiytU0F8B+jNW2OPfPU3CP2AkKvLQ0El9kbLQHYpnpNfbjq6Fjj7b6l8LPo58WBua8uQBwghKL0d6NnjdRymLylJdMUJvGF/9F8rW+1VRndyVyuNRPUXFJv9wqklLQYu7+dtAphsnhO17LdGomjCkP51VtFloWNH49aBWj0p6scsMVahzU2lhzwWOSLh7iK3lm5Pyhkwl2GPR3ayQG8adSE6BaswtmdEpKYEbvi5kWy4In/Q==
+    client.argocd: AgDArHcXxQMBvhBY0hwOYqal31JlFna7GQg6s41+XAUTsb1ahFeCCFfLv/WI993y5NMvH3CpnJtPFiunc1JT4yxLTZROKVrSrwjjrDKRuVt57lb8lz6gtNR3ucvpTXjqEO6FXTNL6w+j+ZIWybrdBUheQCj41aYvQ7TP3lTyLcxQSL/UpWLKnXW+jkibqsDqVVaGG26gNniOBg2GoI1bWHvZ+ZUBy/eZflOH9lgLo1vMNw9M+fP9EeuU3CDj717zS00n8X/vDAxGJF7AIVbllqNRX0NilgKwYCfoS79fuUYhzYSI1jYMPCQvdlTLa4bA88wfkomZstVgVtWxel0IaulDOnDgKYonkRqlCDYw+oMC/d4k3xKTEugfV9Ihx9isYZYv4+31v6QTkXFFj5VQlWSDDPllmV1XWfAdRDwT6CVhg5tKWOPWb/YHZJz+idDPEGn5qiklJ7Ar9YEJfuzkfAjCaq4XBjDFKyTfZGeTuLjbq6HnigKlQFdSNOG64QzBbQu6tmR5otipQDbquxhzGRDdCP3uPFy/CXNOn1J2UrGZamWdQzrO6lQQBypFHGAV4ltRrQcp72krPIeL4hPLr8WbUwbUFtESSN2aOYWqs+hnAmcxqy3hqEcouky1K+drgqsAgTp4EkRRwnQXHGrAi3bEeoPqoS8Ec0xfgs529322acKyjOLEObqtNuC/3hg5kNL2fu58MJeoJ1Q2U9pvbAsCrpHJHd9DmHbVwC6orBfL1P50USvTsFm+UikdJpfesLxEGDiUKSU2Al6ntHzswcB304J2Zdb8zrIZaFXs+bmSUoT1Ml+/PqySZc04Fgt7uNBh48nKsl2OlmdGKiKXafxTVBewYWJd6uDkji375i+Ji/5rEg==
-    client.gitea: AgAhsbmgb1LaYsCtd85vEu6dkwdzlIt9rfliyrjFxAmLwstrlhY1IXXrtd1f25sjWmxpiRnUmPgSaaeBpd2YEOFI2tDh3rwUW84q77ynmcIOGKEHpfQicVurvOuj2YNFE91hBf4A18QYRSLDZyCg4yJ/Ult5vS88mNSfaSrDkknjnNfV4+PZzM1JAfILQtWEMmG89vyIr75Ix+i6IkHdKu5YZK/2aOS+vX5LYiOGp7qVXkkKDCvbk8KNe/2gqvaSDCSoRCdtzEP9SdqOY+Zvw1A6dMTP8EZQmXW3qsNn6m9J+bFw8C0SJ+ptG3teuzKKvfkuyUVRSoO2aXREmwzkENG7jQBy4y3BBDU+U4iF73e1LCFczXsXy590rHZ66Jx6OseKFoGn1Jw/ir12soNCU2dnkUfgdiqN8yvkRJ3O/h2BYC5r7IJqIxNiqY2R1EhTgiG4/DhAvTcy+iZlgk/YMqSGVFLJtOQiy41+Vej79f7kw3A2u8HGksTkL5zkGxYIY8EyM+/VR4wHtUsjJTiP8+VHFWw/v5sxnTWAAAIdRn10371F8FNqdD1dCs5U8Xop0/WwFYaix0/dLkI+tJxQvopObAY1G4RKmTy0GTgE4sBGgqjI+KKdVdh6gO26WxtF07MlL57IjfQMlMFYXyapnDRplZkTfDBioF7+8eOd1hajgKUFv3OqkEJnk4ifZzfjXlAAdXRzic6ppfb4w+0YkSluZUTdTFr/SWt9eUnLYz/dkZ8ZV5mV4KZHlvPvfCwBWR3F2JfT0WUKlvC8l8AJKwyBokZJZODKDxaaGvoMvKgj/e11YncDpY/vLP/QbE2onVQKaA25ukUZNFL3WTZR1igi2huRns+/066HdUOLzncGceyDKg==
+    client.gitea: AgAs4pl1bs8nqBsenxhMHhq9mtCcbjMZpNeTNyUrWSRzUkJx9uoiQJ+plJgQ/xHl7vDbslLxDPF8Rx6rEns+tDdbaIp9LU8YADHqMbctV2PB+pp4wTkWSUamquA6Khrrgr4xQxCbzthL9/2QQJOBBNJsIFcJDfyFZZm5lzsrzVZ+lCpWmnSH5YUpdVAHbjyOZw+Oi+tnO6Zg/8lxjKEf20SFVCAKDly/VK6j8SvT9jzisBHL+uoxZ58fyKd7C3KWVJegBIuT9pIvxXc0jg+t5ltcXQcHyZfmk4mH8nWN96KWDTe42IRA6EGyxiruppAzQoKuNKisUj7grqsE3YbCmq3g4/Mp43FUlz0gqOmI4pwaV8BckVbyMNEyMxKGar6ymz5nWit5hX86U1jmvMrUcKsROJlm7DsyC258PgLwFspnbBhTEN7fJ7iEsTR4PdGPUTQ9rH3F42t3aYe3kCXXNz1wovwKmSt5Ex5S7UenVKfuZ2HvsAuZ+nZYW7zgVW9kf1PLz5jE5NYoieatmdk2O7gBUcXQBNqVwgvCmuiJbyv6jIz+Cyn753tOSZRqgrGH1i8B7EUzKsaQJcTTc+SZY7HVw9ohilirC4vrgSx9amYMCGxkOKhBEPVYSRN4N+Yt1A+ZsmiToAsotiQ4uzYY+UXQ3hAuiPzP7vJXDHAdPQZASwI4UdiMa26d3f/FqJJthnFnkg9GFvD4T2dqduepYsnxqN9t3IDYgQYba0vAIzmdmZW8UlyBise9yb5RfsJRmwvxG7yykRAoM+j2Fs070kBCF+ohTg9pWOEmry7HNu+fvMyUMKja7Bjm3gE+MAjgXquoILIW+ZeZud15yb0NkV4LQ78K/8YuYiGXC3aD+hv5IJmJjQ==
-    client.grafana: AgB2SV+f10heiF3WsurC2+cFZP4d+IvjVE++cDzVRacTcatR2eI7dn23bDYZv8ThLtByI76VWgIIgC3443WeyA1cXFfwUU/yL0sVTUmWqkMLjNosCbW0m6MzIN4nfTwG2QgkeNG9bTpO4KXhteTnNOZ8YYBIfKLeBiePUF22B/SrDu3l9AgBi0myjC2uoYVnXY723x6URbrapS6E5tbQTO9NfEIL1fsNIKOEskepLNfVSo0Np6jhkn4FA8FKkKNbbHr+im2zZkuo4xgfdUY4NEHpe/SYpsng8v2dhhy2/S7FOFZfJLyunCfrz1Y5UFvhNiosLgfcbPaF/+2Z9heYLEnW07suklQAwyhmFhHwukkeO3zdbJNDJMd1KnNfCSU//OQjsAuwwmXmh9Dqz89A/cimtpk4AjbRw9Zj1whrJJCx3WcisLrEJr9KrxNSY8LAzFTTq5k1bipOCpXnov0ZOrOpzgBsrmOToVuqfExD1cPAlm6L11a2H+SGs0271LIzcekhCnCE11mOK88/z6nLSmyYZH4f8TVt9RU8YmNZzfEJr9JCLISsznIILdtroPbCj3ovp2Q4brT5FdsvhAHSiHL8XHvDwbPJF71p0P6u/P/2oAGmbHdr6nltYi7zKiHLe2ATxEm0dozh/0usayTOvl4jyJKsn3HQQrBrGt/fNPRRm3L/vtvBSfhlP6slwRl9NUcrW1Q4QhBPsQWAEf1xBUYGMephez/4wpOUgxpmLnMZlWa2IKKWUP9R6BuP095ts/YKVT6otScXHs7h6sarQEgMELPyISDTmqBFQvX4Hm/M3uLSuyKsC7g+MBbgIYZX+/2IeR5jLN7zIdv9FVFOmwi5ChFD1Gk+QrQz0qLIScwPN61xHQ==
+    client.grafana: AgBemPXmz04WdYAS9DerbbkoriqYiFwvvZfNYdfXo9eMwMGBnO17jTwlsKx5Vq+dB0UVqm16HutV41bB3BAtp8cSeFw0kivMdzVC2I0ZZ+bDWNzEKhCSdcH01THvvuoaeNWYusPuS8/cjbk/I551Im3EMSkryVjrErgvV5barf7Ox8+z5pSob+LfGGs0JJL5kOawGYEdjj3PGrYo/X0zA6EculcVyFiUJGf8ueQMshoTfUEUc0sR0LA+/ZN6LHG1ZjQ/Q6H8firrogf7luJ7Hp3S7vc/WFI3L1aE5E+u/tlDo6AelIgha+3lWtQXwwTiiiWRoxRDxU5pfJ5lUwHY9dxWefRNpQaNDZdthykLV2MZp9RW4Vfq8sZ7AnnSVQVH0wtsZLQG/m5EDb/mbBAnxLVZOFntyVtKQZ5UnMPbs0G/7tD0alkVBBR8iE4S+QMyUq9QVkGU6Tso3W1VrUdz8UfKIXGaf2eyeOzqNqXM81uYpRw4Tmv0XrDPrQ2QZ5ASd1VAnHxu9NoNOj4FEGvIJb9PaZAOHwYV8VW00uoqWYuabbo1T4uSAKijsf4ekdCvCfkBzcJsF3r8FWHbsCKcCLYp1mm7bQS5YUfa3FRWGQGbZvHI1SYrCTJzB2eZvTieIRts25CsQrBu4OOQGEpaUBLLOSaKi9Aa4yN01vOpxCcBtDdz9MdcNFFpt5hvHBTOef/lBvXOtLF1NGuFqczhpptfAM0zKqqdoYNs0d15vErdTaaUYliaW1xj01XJYwB6L4JM+YQZaOIfMv0APGzylcM+h9jCfQa2k5Kkgmz6RJoupdknddiji7LfZsmSSegE5a1DGrME7QDXa5hJ5OjSw7+5FIByaTcRBwpusr4mY0Q4q0DAdw==
-    client.kitchenowl: AgDDhHuXHy1bEVjoJkEJsqKGUmoVDT1cMYxB02J+pxQ3BrN2YfZDK4CDMCdG9srzSBD7tG9BsZ9Oja/8imV3cjsXGc90hW/L3doSqe583N9TcDayMNX/lYPgZUfA/7rva02fHyO5dKRSUtRHaR2MjqZdmxhG9EgQX0tIrgwoFIjnU3Jj5co0cWwnd68G8CMZn72DRX3rRRmYv2I9KW/FUva2tIViPVtnJ6DcpFt3eMUhBmW/XOJWsea1QtJ1Ab9d1P+Zi47O9X5eNkkQrlIYMAt52VlbfhLDnI/67WA88yI7OTlsvucFYlvakAbZSk4CFfO7X/cg3v8Yxb9cD8S4vMB+sx7r5g6JfL+psaifAmJDQl4CLmzohaxegiHGWj5k+rWJgO6z4wl7jmiEKQkRcqlE724U9/3tF288AItlZcDUX9UifexeP8bJFua7vm9/wZqLg6eF02BNo+oWzFLjNSWBaEkSAjYCqUkqayfIgbYdutB83tB1gR/LKmF1fEIje0q0dap/b0Jrtq6LRSyPDMXiNeZSiRB+/GpoqkHz05I0H6887dEMwOZMhu9v4YLRyhH7FjtjwOSOiw3CaNCTW97IC0Z6EnFoiOJ9gl7TXg9CbpiaRN3Ds3RonL9scspOnMnZ6zez3khQwZCoeDeXOsE5YBYCRJkTkbZzMFoFBpOEhb83IfsLYlTQBF/LHD6FbwwaNHZscZSueMqK/6iq4R9SLeSgaz+/KKTpQ+KZVmGUttv0feNxC37/1jqbQZ7xH8Ykt6/Hvba7JvDRHrxNzgsMYWcZXL9oLDfheHXPpuFYE5KfZzMNDqvdje4+C0aFlEI/Zj+ESCNRobqAFg3UFuUrgtMjbzfpgoMhnPYL9/Xqz2Xh4Q==
+    client.kitchenowl: AgA9v0zIBn//VmvUgu4yLhALCWP7Wiu0Q4lPgrqXOIoLYdAX1jh+7cpI4oIKak+MBtCfxnd+os5xFEG0Mvg8qs6/RxgoCFcEyzjHfU65sNol0/x8ZTXQSHLpyZxy85fK4oKaHyvolDW3nnpoy2nrw+NJvwQTPquqVzCMswAE37MoNiU64OXyJU1VJFDo9VNwzzxhz02xczEk5Gh/LeVDPk+EPKzXupct0BM4GN3PZnbsvO/46i8alem7D9JIPvB7+tWzmXnXKoQ+3os6Xbwqu4wDH1cJZYFd/VOXQWk3badO3QYlewF0qEbSLLxXnvdJbR3JaA6IMiZJQUDTypZ5Z84phdAzG9v+e7DGlr4bHPEGV3DZPWCg2rWHjleDuCNJlIQP+9Di/piiTRe6rsz9lI1oncYCVPwjxtS2tpKZO6HJ7mMiENivsRLpAq1xiclCbQ6UERpBb+fmTv8a6GCIer6GzhaioN/MLthaMRuIGTjKlwaeC5EPswY5Cj5pYWXB6xhGRjTtvMyKEtWt8VbOtgESkgq0ES0yYuP37ZcKWWJjTiVii4JR1JVW8hdmXxzw8iQ6eq27fi7fyEJhIDoozwvorohqktlzqGCnIXiUN/gUgFQiMdOSHYVh8BrFCq6MbXDq1AxnoKov2h5YBlj2FqrubVpLWIJWBp+xbTDNIFkIpmzOE8uKigeCAyMxeqEd/SLylDl/2wD4XiaMVXpUucGkWW3asNvYjXTUbxHHL610ricaaYS/0adK4YLUpgr+1jE5gNKwA5j3DliDuVZSNpppzdCvWD3vr2kTOvnJhH8IyGNAs5CZmsYNtd2VKoHHhPFXnO8iU2XT3DP6qez9vN4SCPkwhlyH7NaqMhxiYnYkcLXBIw==
-    client.linkding: AgC3GAgek9/3PvUSx3IEoqrf/kp7o8tMIZvf4cjv/mDOYKkwW5qvLbAHSdOfa+ZgpNNtZLC0jP9qYLJ1ULwZwTqQbq0PdNURag055u7w/dhIc5x/dGlu5p3mNGHWBFdwgZ8z4d1SEl05j1RfaM3OgtNwVBK9uqDLAwB6k3dry8MVLxq42+LeuhqaW3gqrecLDJsMlQtOlcuaz0IsVFPZvpFCVjGpLrw5wp5sEeInw9P6BJov5zNEi3YotoiOGuWmbrcGAcuw+wkql+lAVppQ0qx21XQqzwROu4TT2UmSIGkPC4tTykDR9tVUiikEIdnh9JuFXtDcMBmNMJUHoPVyiB7rMyCGRlkA5DkNp6zAccdJl1/E52TolbpXZC9qygZRCqavkDedEdJaGZVzV01Tv/UZrX8BBl0wljfZ/stweJG4QEuAp7oH4zyty22P21V7nd0EI4NUnVOFkZm0OY5DHF2EJx3fOpUzy4jr/Eys3Qr3mOeqlVAxGFI/kKdmWgZWkiGkQhGboJYshfdxgwZWwZ3csinfVMQqQKUt84OimGTbWhKd01LeeD6tPsB9KYdZt9S70JSY3bh1vRcvuR+hrq4ZBU1GfhGHMJOfs6kqijVHdScGqSFcTvOi3cVq1U3leppDCo8Iq3skJlGXQnrAqlzAf7RiV3vUob/fCe+IWPXppqZHk6ktuAjVp3e9kDigq0MJNsufXELTgTHVpLXxfh5yH9vxVOxPBg5iunRNM+mMm7BGzaJ2WNno+TA3I6v8HUK7LJ36I4ncKY/pYSBPIZ/AgKYHZwnS9fzMuDBV0jMnFkrw0O+2Wsh/Vfaptx4TCaQCYzoY28RbXepnieUrOOQjTevaJVp9/exHnqHRU14easU8Ng==
+    client.linkding: AgCeuXqdo0hFi0fsV+Lu6D5nPwOj4CuqrwIEZwlIubWi9/IOsXIOgJlMAH69yLymd0yXnA36hJU2/s7sXVj7bwpahNZXqAVFhfUCjP2ab95VXpawPFg7PpnjEPlODCkDnFffOf6DqYHQ5XRWfq0fTah+I18BkZWAbhCYD9qeYMRu/juluqiExP2yi63D2l5uDJpnM9QxxzH66toqPCqvFQ1tVWGEpNh4O6k4qB+t/1vj6DBcawbjVLINoiUahHgaHmkOzidZEo2shrBrLMZu/pUcR1sSjXCMHpcbSZC6zQUFkiDQ+K+cOrz7XE/vam6oYdwf/ks+kowWDKGDAyT6k0rRU3E0tW+PDRa61ffF7c9lWQDtqNUFJL5GhB2QcG58w1lWS97vdPdHNqOIrgBM8SUGaevshwl2HLsV7q5xRidgI9m3Z+OKwCaszC0HDQD7rRCwOhutvh9IP/FR1G2NhsWscjXocM9Sf2vMLiZU2RDVx281jc/EqgeMZ958O7LLR2ZfhDOBra+N0UZlhQfFdwCMSgyPpJ5HjAPia2ecON1LHi4XPqxMEEpMxtirSNSwrcvoM8OgxcOeYpdEX96TuZxtPiKjboy8h1WBMS3QD6b5F7C7LTrHu/BlluZigA4dfDEtn95XsHS7w4lGgWy9ukCRhXdjDQo/FAekFsGSuDDyBp7ecK1bpkvXaZBiaRVjq6eV7293rZdNzsk1kzhoIg67KFzBrDx1wofvJWTN6+pQOCD+f4LEvo0cL6YqWmDSW6SnfZV9/NaBq6B61YUwOACXVhAkZ9VVAN76RPl+KHth3FNTXvStjxnHfj0SMuPByemwG1MZ2SrZ6phcIQz8TJb8TS5l/fmaDH/QfLSFvvHv5gKi1Q==
-    client.paperless: AgAnr9ea5mnC5CyAUoyfdzThsMq+djYbaknoGS50haZOP9KkE3tj8+IU1fIBF+RM5IssgrDTTJlt1O0dbSEQeFZYeVmx70v3sfV89suc9mHAmTaMSMpLfA0T6Q5dzZVjkxuRj6Qc2d8qCdX04rXBBWQDmdAo+29kvdoSiBtYeFg5z3MwhjxqKCPm+Ep6u+6xdYbcxIZgSz+/C2o/Op5vstWUEqBT4RATHouqAOK4He8fgnbeMjM9MzXmR2Jb4X+rovpwsOlH4eyoYBexeSry7eYkOhe3o9S43Hr2QxyRK6lwAF12gU4r86fCq+wKk07TlY4/yf0L90R1xPRTCO5JtAO/jTDxhU7SpzYgdG2DSAXlCT/LIBOfLuUXi7XY+EfRveKpdmPYIVNWF6OM0MjtfQLn9Kgt2onFxwOvb0v0i8P6Ivs4hoy9CnZMsIG3avbNB/8WZ7gaf4WdrtLK0HNfNjSDmfTKsuggkdA8ZuJa+QQfjfPj0ozLz60PAdz8aXV/W84NC0isaJc+KYXcx+FkmNJNyv/Usvo8RvDb6XfzfDjf5LiZ+Ylk6E3gvBGrWstVDi3WJ5dUwIAcfrmFz70Uffkme/w+zxwsaZH4tqayhPxjGALzf6Y9XAa+EkuyfJKfLU5JuHm7jHSsO0fWyflsF7LrjytyFm9CUlVAdbIZmjsoYPlHy/M6QHVGAwtKTUB/QOTT/PphCc2ZOetGZ8kQx13lHBBfMGCO6ihyflUEzGRrTVo3Rd3FqvFRnS/2Vf9S6u03/9qRPS7hK62VtuNxKcGZLka6odoxOKxHk34+mMC1qO0uGLVbM5wYPxBw0Av5L+F13Q4SBa04RJd8OWkspd/T6Yv1PTRGDEUmLZXT0Jv/e2YKPw==
+    client.paperless: AgDVOPvaQwEd8qrzFj3NTcGW6luSiSwGLmQOGiKps7DNZYiIn4FBdII1I+J78h+B4wmZ3LnLrju8YAZ3s7G3aTvV+YJHxMhlAc7rO0wkq/IUeDzGb/AM4POusm58T2o0a8zD3z4C+iHYuE/gjT+lquUKxgKP4IYPXM6Ni7lhmewJ5PCyoznoTeYnRVwjsZomip37M8/h4hOID19HZpPWMGMXtMTWrNzgmbeiVFRTqIgqqKMnASuMfeauxfCl2u+C3OvaYxgIRyP4BNzmU7itFTcOgmaFd40V0RkaALFBiU82ot1L46FZSMeqIEjprvTIdCSlNITFweYvoYhNSA0+/kUAy21uyJFqnoFW6COT9RfHFgGvi13lk++ZrPJKIMGhK29z3dC5HsEf3Rb0W+BQ6yNFEc+LTL2/ejxZwTtymzkXftVj6U9xa+BjDjgXk45H3ZAy0uWfQnm2RGBTYN7+MEccRpYp3aMh73jH1aBQIPt0lQTwmbc5rh9pTdqu1/c3NDS6OO3H2cx/AIbyPTq0pdX9w61UHVbR+E9I25wrjqJeZIRe66MerlngFxiPJKygEnuN1Nz+1feECQoq59P4FbykI51NZO64gK647QhEsbMN1nCmKFOLcT96Rjf1JQruhgoO0ljhAB8JRK3oEBIfjJtJIC+gtFaPzgldr0spr7Q7+rmgkNJIggwMSlr+/UXycB5a58cIhS0cuAUm/UOLKCIQ3xjE9OuUdQA5J2eaO/54GSLCnSdOYuiXzEQuV2VRWST+RhRmVnSqugF6d/xWfkC/ahsXo1o8ZIWFabNaHQzYmofRybK0LNc/rN0t6z2Lv0aWdGlm32eyAcUfUIMsuSKK+rDozgAmXQdz4QEghWQm5Sz3Jw==
-    client.recipes: AgBuQOpnlwK9qgNWTmpO2c9V8IehsbpHUN6UrwWjZrixE2If4/9z5KhdOsV509HMKFzphZLvso0R19HVtU4eKjhtXE62guzRS6aClQzxtgYDUSSdC3nTuBkTn6TL/dZeJjU6G6t9jPZG1nAACSPLlrbSgfcMvtEat4rEssDO6gNw+lS87cJTDzbqxVWsmQ2xDcCqWtuHH6E4nfJa6BvIrJ/1pd0sEij2iWJgciIwg7y/g9yziFtJudfag0EBRpPSxNtdorYxRSYTxKF5VkHuZKenfiRgU1wxz0KcvSjqE/ZPpB4UpSiNQlQnvpI3GUz2XIbaRGdQl0Ak1NEhKs89BXzcE+7tC3A/qY0tJkJRg6ePImKn6NxxJ9MQHpsRk2mW6r317BGLkabsIhqpn5Sw4Xm5MBmvmWVReDyy8rAiCpSXO5tVUrBHT0TX3pxq+TuX5j70G7kJxVyUBsVK6FsjTIOtGsrNEGbv3FhMG8bxRmBt/4XH8OIc0H98acWhor/kEQIHlmnW6tQNuvKT9ukv9H+e9RnPW7D/r+kqf/ZghbssF/Xjo2mbkdpz5aFNuFQwM0SUbVplIwXJqgaYZOznatwH3m37NYe3bcKPIr4b35NnQM9RI4UeLCs3WYRfm8260n7bvKlv98MRTr0P37O4gZ3uf/Dff9UryVaO42VvMF4n68eixOYmSeZ0CrafXYaAmd4eTnKQkBR/KxLb+Gp3PMZm0pZJ8hS5+Rew24EMtxBkT0KvaKBlTePOQtU8WloaWuyCYtgJTCogBn0QZ5nvxFTtICDDSJQ0p2yKbw5Lf3QZhjYqbF/e1uir20+a2Ic0FVU/gjfzW4FI3+wawqKDBpxsa2bAkg/4Au9INGTYV0YMLX0gWg==
+    client.recipes: AgBn5K5p5Nq5D9ishKI04kDR5uCvKuy4DN3vHuFwP2j3tWqrfJ9YfWGUBL4oE1Mod4071habqZaoP7nIHCWv8eoMwke9G2qFfJ7VZi0ezXeY1aTXDxn2qnPNf4MXYIVfbD5ZSU0nVPOETuJ2vsHg1R/pnfjMU1Ha9L/67ZnDsqona4259zCF5AfCV/kVsZWslAV8YrxDSlCobm2Vw202Me6CV6rFon6HmkZlO7on7LYfBL2tCHr4N1A1EOvVvF0Ua6vDexOJ0sGVjQWADEXy31H1a3c9lDizb1xqvCIcKXAYNKKGxiNrLh7TlWsK6dUX7OLUw/uDTryKwtwOl/GYfYJEX2wy3pK9PNWjjOUrpv4VoaGOKmObXQ/pIafI27r8WPTvPvm71YgUcsi1D+71a/iMWy7tXbHpvEB13qwn6/2zUSGcuGlaC8P91jRVi6xtnTg2XcvcgjeT4bTnpAEOYUZKBLqIP9qmLvxxsuVrvQoMisylYIyJzAAE+JJSYj019dP6JKgBKV6u6rPW7AkoT3Wsxkr8bwcvNSigW3c+PtbU8fvws8VY1HHTviNOflEwZePfGw+CfroS9y7hEQH2stNHaZ+5zXwjQ9+FLH4BlzbggavfL+AYY7zE5eOrL2WrD7c/1qMcDD4rxwrNwsz3mqZ9GXpe6PCxxU/W0RtLqMERx54b17ILC4Jq++XxzDyGZdUAzA8vYLhxQo/wgeWn7df6CVOM3acWbHeLAmPBM5FWKmEC1OShpzI/LmYFbLkosaAeLOWACeyl67GIwR573juRcr/6ITuUOgGXSdR5jMiqVT9Gu7x7pDkNJN+8Q4oAXITtfEaqb23M5KhtZuaZAWZgsdRpDTgPQNB2u4sBSYQluXsR3w==
-    client.todos: AgCbiUqRaoP7jTPPmJvqrzPgOJKY2ffG6MPH64xiZXF7gw3Is0PHFYU2XNxBf0dm9zjnKNIF+pe8tE9/IVyO2cwJdxFrp/fJng/sTXBW+gGKc4I1CEexQYFQyEUFNGKs7jn+3diWs+tXmUyN5SmU8hwuriYg6UxqQmjZCBBEHpCkXAGF3nXGUemmS7EOud/PhnWT8wUhaUTyPt1qDTPpfRx9I2GUpQ+KJUPK5h75m0BGYsCdG9suzC5PjpFoySaUPdh+PbzxPhpV92QEZW43MmUkA/bEMcYQnyUO96SpgsM+JSLOXhvQN5rStmXqxxuW2b6WRiDHdd2RHuMwn3pExwEK8FPoMt58Wo8do6SAasz6icskhdzAE44FhNpMUxUhJRqU0M/ZKIygfq5/oYDYTfimlwD2w9jEhQ7PZSjOAdfhC/u4ISJzsqGpkbwRORfnPuYDR8FJ/W7euF9V904fH/YGrRgd1IQm6pILxAJ8ebeYqmF2DXuxcJKS9ba0t8kl/W2j987/36DZ+jvfolrldgeMOvQBr3WCoeDBhTL1ujiTkPaWVI6w2PcHK57+C97FiAxkDHQnpTs7Nk7/B/aI9/XN333zHWVD+DIYflbfF16wbt4tJ/o3DH5t0NNvg/e9n3YLinvup6LVpeDZXY8E6imKAdDMHJ1EiLFhb1Qe605XPqWKwlGK4EKLmHcsP1/F2C6h3IZruoYpatqa6rwzgbKTtjlCgHSpPd0ndieAEi2RtGTtAqc9kSNzxUK0aMn2rubCZ2YMPsN7rbNGY1v+ow9zLiiVOLkHHXsf35BFP9v+kjA3SsT8xX1Qgx51pAiWdxgmuj/z5Y/nhGAZEc8T7gkhECbrXB4c+MiNRNXh6jR6qPK4Hw==
+    client.todos: AgDYtDtvcP0MXbzE60kLauD8piAsfJwSDNWexsFQyezMc9vEtq8UGza198mE59eNGeUgm8crZBqlfBbKCY2luB1dq+GrkTkZHCXztR2nKTxt0X0B7LJV4DVYwlNuji7HMJ/XR/ynfjVbGi4rtoZ7MXJYOhxoLPDCt7umwG2jIMhbmuBMf8q1EpUmgFtUxTNY7i5JQAvmlCp8rgdwdAePSHCeTS4KdPTyvaj3zN/EJSX7lnc1m1D11Xld8klBsde+zrdPjm+UJQFqKu2pHXMdM19G8tqSijNcCuCGkhjQkOrMv8VhudPs6kR2whPOXtSmr9X6gNXgZ024o79fz4hBlx47MrriVW4Th2f43Q5ISJ1KoXYgjXHMF5Dt0+C1ej/0x5DBokUapNAjBZsKEe1fBI2h52G+IFpvxMAHh6T2nIHPRaYGCznxuPeqWErachhQT5QXOI/7DBCO1h/GJo9KJ5UfkMTT6Qzis1RjU/t6cbXO2PoKrFPOjqYRcTIAQFUp7ylJ4Ep85gRidd0NONfc82y+LUZAwbzYTZ3ipckirsihFBW2IMjRD46+3LT9CzdJscr/kYPA7zbTrxxMPqPiDSKAyK3LPRm25u6cKQD8vM3+n6S5gYI2svlogR0zCcJiW8+8rIPk0kUzITioSYFUP6jXvuYNfdmq2VJPk5SNK9grMG/RM3Y4XDnWuMR8lUl3oA9/HMCviVzbJwgjSQNO4n1qsLIvuDr40KWSfaKH/UCm5zaf9jIDXzXRsXeHtSHsPfr+cN3WgsP35Do1CgHPzB0tihCfesFPAk5Jt0keg77G0O76rJsq0c4u0a4vtcSk4i40wVnb1wr+GUKXweR53LdJ7j6X/MFUs4KB4s1M4A9a0J0t9A==
+    client.vaultwarden: AgC5Gimoj3+qhKQuDijPFX1niOpCx6b4MUHgRttOPKFYz19HgFzsbkuPiCcA0AsnaGSwS2wwOTv29ywpGeFzjGRk0vBUGYX6aCbGIkjs7GRvmIovLs5uHcgPsoRp1OOAH7eDdFGGSpQN+4312pLoKKmjp9cwFIAHaAs5IavCXIv8/Fk6h2sLslHqoO0LVP24qkilqV22IxRSV5mKxg1A5FW2mDUxWwSkditJYoQ89Bze6GbI6xIHHo6NZD5uaBzf7kGZyUPz77zFPTfBatmjJpVkqdvvBnCQF65qrZAXy5Rw1trYyEgGMM0vFaBm2R9YWrLfv7w1nhNNP/Gq0/XwDrz/KywMXujjp8jbOKUJmN02RJrinYYSV8Z3AXZ80V3pgVsCjPLnaY7LHa+l+f45RW3A7B1e58qUEeb/wCPXRP0ng72gIcbX7rTl926XrzK6d2Bkw0scKIIXoYYAtJ+AbzfKJCx4FsoUxTlXslhO+HAT3aM5ofwR/dgUnbQKRnTjGa9R7FwpUOLizxfZYcjUTDT3+Bgjx1eiShxveVD+v6JjjPvmWn370J/1t8CnxL4l7ylXj9YsL+4z2j/s9xNsN1HiuETBYQcZXw9kgcXaEhLRnIsbwpsa5Hw4PODujPUkwkc+VN34V1BNq891h1JvxHq57SAKf36cLosybHTIWaIRaLktgAdntj7/5vmQGtjnEvekXk6f82CEzEaOJvqE8jV62Q1KYiOjKi1r5dXmZ3xqwsh9nuluC+YBVhbI3fxKJ/xkKiMhpkF7S9JHIOCFuyAAqf/IS08fC+Rm51U2ImECeoTiyhKAm5q+Vco81IjzRnwiBHj02Zug4FIX7n8qgWLEr/f5643y3fkCpo5uY9TSQ/HK3Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -264,6 +264,28 @@ configMap:
           access_token_signed_response_alg: 'none'
           userinfo_signed_response_alg: 'none'
           token_endpoint_auth_method: 'client_secret_basic'
+        - client_id: 'vaultwarden'
+          client_name: 'VaultWarden'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.vaultwarden'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
 
   # notifier
   # is set through a secret

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.46
+    version: 0.10.47
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/cronjob.yaml

@@ -9,55 +9,15 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-
       template:
         spec:
-          initContainers:
-            - name: git
-              image: git
-              command: ["git"]
-              args:
-                - clone
-                - https://git.kluster.moll.re/remoll/dns.git
-                - /etc/octodns
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
           containers:
-            - name: octodns
+            - name: dns
-              image: octodns
+              image: dns
               env:
-                # - name: CLOUDFLARE_ACCOUNT_ID
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_ACCOUNT_ID
                 - name: CLOUDFLARE_TOKEN
                   valueFrom:
                     secretKeyRef:
                       name: cloudflare-api
                       key: CLOUDFLARE_TOKEN
-                # - name: CLOUDFLARE_EMAIL
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_EMAIL
-
-              command: ["/bin/sh", "-c"]
-              args:
-                - >-
-                  cd /etc/octodns
-                  &&
-                  pip install -r ./requirements.txt
-                  &&
-                  octodns-sync --config-file ./config.yaml --doit
-                  &&
-                  echo "done..."
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
-
-          volumes:
-          - name: octodns-config
-            emptyDir: {}
           restartPolicy: Never

infrastructure/external-dns/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: octodns
+  - name: dns
-    newName: octodns/octodns # has all plugins
+    newName: git.kluster.moll.re/remoll/dns
-    newTag: "2025.08"
+    newTag: 0.0.2-build.100
-
-  - name: git
-    newName: alpine/git
-    newTag: "v2.49.1"

infrastructure/external-dns/renovate.json

@@ -0,0 +1,14 @@
+{
+  "hostRules": [
+    {
+      "hostType": "docker",
+      "matchHost": "git.kluster.moll.re"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
+    }
+  ]
+}

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 12.3.0
+    version: 12.4.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/monitoring/kustomization.yaml

@@ -24,7 +24,7 @@ helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.41.1
+    version: 6.45.2
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter

infrastructure/passwords/configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+data:
+  DOMAIN: "https://passwords.kluster.moll.re"
+  SIGNUPS_ALLOWED: "false"
+  INVITATIONS_ALLOWED: "true" # not sure about that?
+  ADMIN_TOKEN: null # not set in order to disable the admin interface
+  SHOW_PASSWORD_HINT: "false"
+
+  SSO_ENABLED: "true"
+  SSO_ONLY: "true" # disable email+Master password authentication
+  SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
+  # remaining SSO_ variables are set in a secret

infrastructure/passwords/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passwords
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: passwords
+  template:
+    metadata:
+      labels:
+        app: passwords
+    spec:
+      containers:
+        - name: passwords
+          image: vaultwarden
+          ports:
+            - containerPort: 80
+          envFrom:
+            - configMapRef:
+                name: config
+            - secretRef:
+                name: oidc-client-secret
+            - secretRef:
+                name: smtp-secret
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "2"
+              memory: "4Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: vaultwarden-data

infrastructure/passwords/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: passwords-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`passwords.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: passwords-web
+      port: 80
+
+  tls:
+    certResolver: default-tls

infrastructure/passwords/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - oidc.sealedsecret.yaml
+  - smtp.sealedsecret.yaml
+
+namespace: passwords
+
+images:
+  - name: vaultwarden
+    newName: vaultwarden/server
+    newTag: testing # required for SSO support

infrastructure/passwords/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/passwords/oidc.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oidc-client-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SSO_AUTHORITY: AgCuaACGgTZhrOv5FDVbPIzVusjzvbwgrogCt1kZJsX7K3G1vCWZDRzPMJ06k0Ofb5Yvby/AcKx0UyPJwWDmhlk7geuYzG1G1pBk97fNTOzac7ZheCZ68LFshalT5F6dMJBSMTRz+uG3N+MztCyvCcKUxYUIkGbopf7is12FJhEIKNbrQe4C5H2SVHSIZ8udE4Nv2HqertLVKE9Z7CNmq4KV3UBAGqJEqBkITsN/qhgpHOjY1dQKK5myL89BYERQGBdoqKSUYJOZiEoINwj161QtG/H2Y9n6xlAVO4irsva/6m1BjA/7wfWAK8RJGX8N1e9axlxgIUH7HAA/bh+riLKvQea23NRqT9bsIOy+FRNEqTWXM4FiNxtmufi9gRHnLyQhrSQAB4Zuyzelsqn+aKDlCFGkE3NLuquychWly24pLtNa+9UPPOm0BZhbOzXOObXJOzbFIoBqxcKkwen3ca1YjyqOK1DryJevjczLVuWY+NprnjlH6BgdTyqPnI+FyXhLRa3nJCafkVfNaIJW8n1+P0hKiEwGVXiyU0fR40DaueBR8F8jr5MKlEFvdwJ8/IvkfMZUsccPVYIYw08Ama+vFrJidPvicM8gNpkqoU2TnSEEjBk0eX9jd6ahiwffE9s01uQFjcr6rNL+SiYXJCpp/Ti8v0iJ4C5ID9h0GS7v4IBOUYCGRYfWrYUlp3LFMB6Saq4a4DhTlxC3cORn0ini8dUPJLq0x8n1rzGt
+    SSO_CLIENT_ID: AgB1oES4V0P53fkAch+aDkCHd6seVExYMGCU72H8Slky0j4FZ5LjtBpzGxro8sxxr/Ri2wEc1f+TC2hHWbdtUNwE3SwA0McPODS0nmmxPkSj1ZRHlVQtG9TkFdEHEeWJnECHX0y6hp/qbdYxF+2Pgz9YQtbdi8r49H2iwqfD/8/ojMzlvpdOJRdE+K/aYQ8Q08GBZCusLm8vCW+bDn6U9+aj72SCH0i91xoPWI6P9v96mcWOipK0COhYl32ypz5GLaNpyIhDccJvrAzVKZ0tGX01t6+JT2f0lZc2jjVosTk0nPhLTQdLYJC1TboPtqwzaRWwV/lm+St07cSaaxMT0CHqmoxwiqazNNgkgPzddOaduTpbid2I1rH/2jYKD8uY5UKTZYa+wxXF8KQBMCyRw2k1bdebvc20z53T0UtmRkquKXVq1WyOTZEH4bhqVapuMjyAF9vzR7Juga6lF9P68Er8lYr5MGeimslyRUVfrqdA4VTFO6sALHyrpkuYdHIwEi5ZlNb2pRzqaBFeQaaJYgiXPZMhcIRIfEOU8JQ5FWu++OzM75RF2YA1Ww70SZxHANn/K/ksyAqhZNgNFRm++6YQKfBI6z+N6ObjJPJE3J/WCHGCmVCQRa7lg73THqPXeqvfoSDgH8nTHamg8AshAKWxJuTD9mPXN4TqbxBuXuQBa9UGu/HNBMpYo2hHEHYIr42XZwScpo5qvo4RUQ==
+    SSO_CLIENT_SECRET: AgBzGmskaj/eliwfsOzdRb1PdiSJC9vLr7CyCAqQ4QmxVXOSVbiJu39ud2alH+Rx8UZ51l5Wd9CkyizyVpD8AgREk8fpE8V0cRlDplj/OmGSJ5VtNyLLJko13PkPAB2scexapZ/PxZpJEkH5ONPvzvVKC8liUoz1XoEQEWAgDkSiRqgt1aVm4v1Fvl0Ift3eJtkWkU6xGrL7OwTnV/nCaNt6w7Fd/37uWYgosGvQivcy11/QoppgVARCWrFl9ZjjsimV5i2hfoRXvd+saUuMvRfD95+POB6+hRK0fvbnARXW0ePj7W9oWG9fAhSA7S/J0cnx3zFjpJ8QBvaHYXJ+rsDHsxlqRSFUVXgMGZ5cISTzIjPWaVRv5cU3WK0vEeT2gPHsebTX6JgguzT728rZA2r7BuMZF20f89GeV21iYksABWMC1MYwGfScBPHfyDqxhgc39wxZTdH5gz9/DhuHd5+0iLjwIwqsStqVu6W1SqpuFd0psfyVNFY0DkDS28gcliRPSNF0bJEA7QIsDl5NVAl1fXEG4QrJMQx6i5BTrfI6HDYW0nq3fT/fPlSipmbUf4OWQVTrEmot5UvFDowBemZNG2Z2+vgAE0bbnQKeqAifUr7KMUGf9bmj42r8x1TLiDAyI9h5iSU/y4WHLpzxg2GNgkLQ0mKcAJ/xHnaWNti/dr2pwzCSx2Apmvps8/AVuYP+unRxmlstYl1ko+esv4agfbg/43H2/dkNeA+5iQw=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oidc-client-secret
+      namespace: passwords
+    type: Opaque

infrastructure/passwords/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: vaultwarden-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/passwords/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwords-web
+spec:
+  selector:
+    app: passwords
+  ports:
+  - port: 80
+    targetPort: 80

infrastructure/passwords/smtp.sealedsecret.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: smtp-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SMTP_FROM: AgAbhbyTdArio1wEn4/zj+AK4YaLyMtMkaPFqtVOU8UWAtEg8ko/tIXHj7nn/NVQt6sS2O9x02ShoVJC1HXqzG8reMLkzZg5cb0wtCSNpzHnLH2voH1p4KrgnHo1AznIkXoajcOHjWSYQ2/rAeCmuuEfPZ7jOWNMN2c5GWqm0mXsfqAUVxznC8sHCmIVdeHUcSaLRpwnvr2fjSrOqh+AI6df3tzCpQjfu+zf4Z2JSgvAPLCyCzj9NDDFqawpRRHinhbXk34ZYO00CrjCMqnxaBev7qXmPeDx4eTPR8WNyMzdO2Yx5vmmXNay+QhoO3eP6leQQyaGtYkQSep35wMyA46MmM+A4nQCMIFPFzBGAqle32L+u6KP5D9GWtmiGXWmdM8LOf2qt1wKiEfEZXldtc3hoKjM4NTb+0wgUXE+ZpVOQiorGta6jhAwJYhTDPO0rP6lC31G9EQ9bI5N+OpZpRK+EELNPrjEfTIfPUMg40B9DG3WK5yXTmC3DvHsCj25dnKokNvxcaZ3EhG6+k/5Z5zTESAMWuGepr34ROE5a0+zRLcOfVD9S5QwpqIxi8GJJuJvI/SAjUEPLY7pPsBLYKMl3zAGgAcI8yjAWhurgVS1DKhufTmp+hh+JypyLnCc4hUJIXaRwSJrBhezsajkxMmORboHM/d19SmUorzczo2i54LtTTTIRfAWui/EWc3QCSbfoPF6asESXD45M/yblI++EVfc
+    SMTP_HOST: AgA2KfKxxUvzHrkbL4ZDUU/TuylhnhRSm3OGVSVGt54OFJqBuh4fCA2PSPzw84Kh46zJjX8vh5fjzN00gfHfqtm0K4W1D+i+UAz/JAIcQVAjPyjgVNPZUSNSrZrV2CDRMJ8HhbVYx8xiRb2kHV+HTjtINccdxjxR+OpfMn1lb+aA3zoI8yv9s2pkVrt1+T1GepXm9KMCd+rS3XSx2w9ujkPTaT3MwY66l/1i6agpY3MtNVXt+Y8pK9yx5mhjNRAnyfbCZfHzaswKGfDetOzkfmSy3ddP22uHOjbEKp99yQPxgY0bNwGhA137oUAgzmWu0Yn9z3KFz0G2as/tKTQT5240aJlHzFSsWfbW4Y4DQahQzbF45aS61SlKAsSXzPc/kyEE/Tizuh3eACY6yfw6Zs+R1y5Y27oS5/GNyAYdk/acM/C0nO3da5qBL0ItzMKYy3kufbOvDwt9na0uWV32JusYAeP81e9LRcxO7+a/oFlmwBtFMLExXWQEHwIIwWFC6RGlF0OOfZN9mXsqr1IDlRvDWN4b/YXkFQJBpySByxQ0xYUeHOAFSacGC8rPq68Scc7djyq8mTh87plBQzo4FL/rAch61Mmlp4VVsN6hyJ50CC1qfzsZ0bcFd+lh45T+lSg5OSGrw14F/01dhS5EoH5DVv6Ug9UY+0q0w1iST+6KH4/nxTJe/lBF9eAQEU+FHvyUfVZksHua0jdCQKSxXzLp
+    SMTP_PASSWORD: AgBf3JVFUU16IVhPBcYkzZY4Qn5tNRahtsGygd8E6WGAxw90MY9/gmm+LWAEAYWc4ZNonCZiGR+JegkN4nmmxpiseYShW2Dp3rH33BOmVSAvnQttTCq4zV8jEk52Y49hmpIvEVh9nO6UVP4KujnEqz7rnL6I6dIsdkyXdDjZTnSgZlkn7FaAkfEdmpRtYH31qYOa8TyL0Q7PIzr/sJGn0YKvSH7a6w0FJ9RV0+t4pNuqLpiPltMX9B7RLLNm+TgzO37oA3cePAAtUR0PXFW8GnCB0KcAeoqZFc4UAzhwp9FX6oa7KUfvoWAq0RHzJfdAa8laVJtZcWP1lLOgyW6z7PeoUahjFscfDisp2aRl4jAIV5ZaOe3ZAYGOMFR0VyIt1vCaYKtdplSzlNVlGj8jvLY1rg5VVnXHNheaqmL1xAhB8uCCIcRKquCSU0wvd6YBKrUIDJX9d9IXkLvVfvAhdBnTLSkMHJErxWvu2dRm5HqiiGrvRjJewIz4n8rwUapykKX8ujlu9mf6sGxGuVbaOU+gZrNSIffz5GUewf38ZHcidAiPVsA6WnX93ZDVfZk0xObrzUQ+s4dmlZMrQFgvhv9Q2zJP0cEtMnGPsTy8klC4FeYVEWJyAXCyt3+2MbUZYf2H+yCOnHeRkzOejrrfvEep3BF8dzKmYnrmNClP2skZEPr2afttUo8a5CTs6gX6mckplUqHz2R4oi8/kispJf8Y
+    SMTP_PORT: AgCYfANfQLW15FIgRb0AQoBXJ7mOBh8vb59eelZdm1aX66GlXMQOIi9yAIm/2fe1xOsYui+6do4JV7xlvYBOkC8JJ3MNZLdTrepRf6ejuM8QI7V7L2lXsRrPIqLEJOfO/rn3tHnuWbfXOw7UdSvt7x2BoB1XWGZuigsa66FGkTSCMlqKhJJngeSu5VeFGpSc4LANL/XGnXNc4tQdpZN9AjpPdSUTpexgY10Zd4ppvBR174XidRabe4WDs9H6uZj92Bpht3axq0fEYRwkDiNPQLFx8kkOKCU98xV7RVyqT8UnRE/Q+eng26lGNMa+c3bbN/6MYUmSe2RU2Ymaz2AJqMOBn72Y4blDMgOdrZEz/ITiOE3zzZG890qFq/lfLueIEwd7LmBpAZMDzsKYWs+7UI1EKAfavWIO9BUoH9JbVkUgAQ7YtPXLCxUeBvMTci5YlZKmNyhMP2fWnqYvhZXJNZYJqHEbtTQGAoLuD/5xupVhB0ouguwkjRvGwLHpQncbFfybhWIflcVjAgHH3AelKyhWNDLNZatIVqWIfmEcZpj1CbNbO3Pzb/kSa57cNZc0S/N/rrYQKR8vK6vpXxrmC5MouhdH0x45ONA2GqXHehqgdNayN8T6y3xfY7UqSUbksM2smWFY0gxqBoFdEkosSyvFPpqQnAzbiJWlsQDmSTmj0dodENotHQhRdrZSEuhFGkI7MVaW
+    SMTP_SECURITY: AgApP3Kzb1qAZCassr3Q2YPCcc4zi0Py0ezXnixHF0GXVjbyEjjw+5EZ6LmtE4In+hu7HXhYKqwVi50VXmtb1sI17wK3hF8EXa+4jSZtAo/PKKKh4CkVVFqwIjyvtdnokXIJUkSHDMnIWLFG9Lblr5qib8tUyeyJH6vzbC7ai/nXZ7amGTJOx2HLKPal7QM1y7TAdeee1IFdlg05vJ/Dp2+EY13DLWwNvTr5+DgBVDGKALwHu54KnuKJCuXtptZvS1PuVL+55sEByUikU00u8ZZ0GVSNIJFHfYjtYMHWbw1gUiKvUb0GngEQ58/v8QPTsZNTDWcUjONy1ncGGQT7mrsarCZvY5EzJmWQgkzrLcEKOtQfSEJZvUAaxTa3WgvfUchhMAkLYN4Bml+wajQfnjmyKpPsMc11n4yQ0O+5pu17lIImtLiMA2+g1dSDs0mr6+AQIjOw6TDwU7u/7qM1xTUUvWBiOHaT4xnDi6TYOEHiQmGLXVz1TYCX1RX7Y0RtHkZHPTPACs+zY6VfWEaxFgK0r8+aykgRGMZLSsw+MVwzgxWt96iLQLpcO1qVhLpbOKFFdtxbava3FiSRlLdGHRX12WVcFmn2gun0SsxF2HAg5fT2Kt7aC9qSVoxH5ExtDg2uVFVpeltFPZ3UyyOLhXhwGF1VJR4tCts/MJKD0pWOpKCe92LMm4FGjt4ytWlMErbcfIbtCy1oqQ==
+    SMTP_USERNAME: AgAWUwitsOQ1MGS4mJ4UzNsLvL8sgtVuMlua6sTdukpFPfZEcZaHBgWzw+Rv0HKCn8ebjp4dfGzmr/cIiMRGRe/ZbA8f6FMQg4lIlmHIJ1EbpGmfRL9m2bJRfl/aNifxTZD6Qgk4JBzlZIlwI6d9xB51sjFAPnEJmTM4AhC7bAhtTGHWLLdn33bXW/+aBWEz465cQdksTrketrHbz6O/Z77bL6Zh+zNwS7AwoQ2bUg/g9ORjRBirYJcojEYdQeDeBNWN3VUrbWENF/ouISvgSJFKeka/G2a9lMNbraSSLlru2xZOLdM5OTald+mi+VgdTDARiJFPL5tyhdUMe+8ZpIG1t2dUEasZZernXpoHyOckijufN92zyxfdXJu0RPIkC1w9zH5ArpoYjCxIzHz6e/wMvjqfEPbE7FtMfGHlzZZCikjt2+8+sDJ/mApgqYKNo68v6773ou6P0HTrti9fM8e2jlZ/nfe3xnzQL2XNjIC5wBc+f825y0U37QduoEeDCE+R3Uihxjq7dAg0omeNeKXChUJkPaX7QvDr1TnXaqSZZgoXZ3U0WujF9Z6A34CwAjJY0ao55ggwai0w0FyFOdUDv5P/bQU+1ex5l5m94MG3KwLmy9Pb3xyDXzpB9oWIskaBzN+v1XdWSRoRzzoZHV/KFJ1HYn1m4yww/JgAxTqiq4pNPKdxDGX+pL4e7U0SmuEPIRw85PpA
+  template:
+    metadata:
+      creationTimestamp: null
+      name: smtp-secret
+      namespace: passwords
+    type: Opaque

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.26.0
+    version: 0.26.1
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 37.1.2
+    version: 37.2.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

kluster-deployments/argocd/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/argocd
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false
+      # since other argo projects are added to this namespace (but not managed in this repo), they should not be deleted even though they are not referenced in this manifest
+      selfHeal: true

kluster-deployments/argocd/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

kluster-deployments/homeassistant/application.yaml

@@ -1,18 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-application
+  name: homeassistant-flat-application
   namespace: argocd
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/homeassistant
+    path: apps/homeassistant/overlays/flat
   destination:
     server: https://kubernetes.default.svc
     namespace: homeassistant
   syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: true

kluster-deployments/homeassistant/house.application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homeassistant-house-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/homeassistant/overlays/house
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homeassistant
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/homeassistant/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- application.yaml
+- application.yaml
+- house.application.yaml

kluster-deployments/kustomization.yaml

@@ -9,6 +9,9 @@ resources:
   # - bootstrap-repo.sealedsecret.yaml already set for app of apps
   - gitea-repo.sealedsecret.yaml
 
+  # let argocd manage its own namespace
+  - argocd/
+
   # infrastructure apps
   - projects.yaml
   - nfs-provisioner/
@@ -22,6 +25,7 @@ resources:
   - external-services/
   - monitoring/application.yaml
   - authelia/
+  - passwords/
 
   # simple apps
   - adguard/

kluster-deployments/passwords/application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: passwords-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/passwords
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: passwords
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+  ignoreDifferences:
+    - group: apps/v1
+      kind: Deployment
+      jsonPointers:
+        - /metadata/annotations

kluster-deployments/passwords/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

renovate.json

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
   "extends": [
-    "local>remoll/k3s-infra//apps/immich/renovate.json"
+    "local>remoll/k3s-infra//apps/immich/renovate.json",
+    "local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
   ],
   "packageRules": [
     {