refine snapcast deployment so piping between containers works

Reviewed-on: #700

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.67
+    newTag: v0.107.69
 
 namespace: adguard
 

apps/audiobookshelf/ingress.yaml

@@ -9,9 +9,20 @@ spec:
   routes:
   - match: Host(`audiobookshelf.kluster.moll.re`)
     kind: Rule
+    middlewares:
+    - name: buffering
     services:
     - name: audiobookshelf-web
       port: 80
 
   tls:
-    certResolver: default-tls 
+    certResolver: default-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: buffering
+spec:
+  buffering:
+    maxRequestBodyBytes: 10000000000 # approx 10gb
+    memRequestBodyBytes: 1048576

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.29.0"
+    newTag: "2.30.0"

apps/avahi-reflector/daemonset.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: avahi-reflector
+spec:
+  selector:
+    matchLabels:
+      app: avahi-reflector
+  template:
+    metadata:
+      labels:
+        app: avahi-reflector
+    spec:
+      hostNetwork: true
+      containers:
+        - name: avahi-reflector
+          image: avahi-reflector
+          securityContext:
+            privileged: true   # required for raw sockets
+          env:
+            - name: REFLECTOR_ENABLE_REFLECTOR
+              value: "yes"
+            - name: SERVER_ALLOW_INTERFACES
+              # use all interfaces
+              value: ""

apps/avahi-reflector/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: avahi
+
+resources:
+  - namespace.yaml
+  - daemonset.yaml
+  # - configmap.yaml
+
+images:
+  - name: avahi-reflector
+    newName: flungo/avahi
+    newTag: latest

apps/avahi-reflector/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.3.0"
+    newTag: "7.3.1"

apps/finance/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.10.0
+    newTag: 25.11.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 10.1.0
+    version: 10.2.0
     valuesFile: grafana.values.yaml

apps/homeassistant/base/deployment.yaml

@@ -34,4 +34,3 @@ spec:
         - name: config-dir
           persistentVolumeClaim:
             claimName: config
-

apps/homeassistant/base/ingress.yaml

@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant-ingress
+  name: homeassistant
 spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
+    - match: Host(`homeassistant.kluster.moll.re`)
       middlewares:
-        - name: homeassistant-websocket
+        - name: homeassistant
       kind: Rule
       services:
-        - name: homeassistant-web
+        - name: homeassistant
           port: 8123
   tls:
     certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant-websocket
+  name: homeassistant
 spec:
   headers:
     customRequestHeaders:

apps/homeassistant/base/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
+  - ingress.yaml
+  - pvc.yaml
+  - service.yaml
+  - deployment.yaml
+  - servicemonitor.yaml
+
+
+images:
+  - name: homeassistant
+    newName: homeassistant/home-assistant
+    newTag: "2025.11"
+
+configurations:
+  # allow nameReference to work with different mentions of the same resource as well
+  - name_reference.yaml

apps/homeassistant/base/name_reference.yaml

@@ -0,0 +1,32 @@
+nameReference:
+  # Tie target Service metadata.name to other ingressroute fields
+  - kind: Service
+    fieldSpecs:
+      # rewrite the backend service name
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/services/name
+
+      # adapt the ingress url
+      # DOES NOT WORK
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: /spec/routes/match
+        create: false
+
+      # adapt any middleware names
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/middlewares/name
+
+  # Update deployment volume mounts according to name changes in the sealedsecret
+  - kind: SealedSecret
+    fieldSpecs:
+      # volume mounts:
+      - kind: Deployment
+        group: apps
+        version: v1
+        path: spec/template/spec/volumes/secret/secretName

apps/homeassistant/base/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant-web
+  name: homeassistant
   labels:
     app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
   ports:
   - port: 8123
     targetPort: 8123
-    name: http
+    name: http

apps/homeassistant/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: homeassistant
-
-resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - service.yaml
-  - deployment.yaml
-  - servicemonitor.yaml
-
-
-images:
-  - name: homeassistant
-    newName: homeassistant/home-assistant
-    newTag: "2025.10"

apps/homeassistant/overlays/flat/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home.kluster.moll.re`)

apps/homeassistant/overlays/flat/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+namespace: homeassistant
+nameSuffix: -flat
+labels:
+  - includeSelectors: true
+    pairs:
+      env: flat
+
+patches:
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home-house.kluster.moll.re`)

apps/homeassistant/overlays/house/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - wireguard-config.sealedsecret.yaml
+
+
+namespace: homeassistant
+nameSuffix: -house
+labels:
+  - includeSelectors: true
+    pairs:
+      env: house
+
+images:
+  - name: wireguard
+    newName: ghcr.io/linuxserver/wireguard
+    newTag: "1.0.20250521"
+
+patches:
+  - path: wireguard.deployment.yaml
+    target:
+      kind: Deployment
+      name: homeassistant
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
+  name: wireguard-config
+  namespace: homeassistant
+spec:
+  encryptedData:
+    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: wireguard-config-house
+      namespace: homeassistant
+    type: Opaque

apps/homeassistant/overlays/house/wireguard.deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homeassistant
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard-sidecar
+        image: wireguard
+        securityContext:
+          privileged: true
+
+
+        volumeMounts:
+        - name: wireguard-config
+          mountPath: /config/wg_confs/
+
+      volumes:
+      - name: wireguard-config
+        secret:
+          secretName: wireguard-config
+
+

apps/immich/immich.postgres.yaml

@@ -32,8 +32,8 @@ spec:
 
   resources:
     limits:
-      cpu: 2
-      memory: 1024Mi
+      cpu: '2'
+      memory: 1Gi
     requests:
       cpu: 50m
       memory: 512Mi

apps/immich/ingress.yaml

@@ -18,7 +18,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`immich.kluster.moll.re`)
+    - match: Host(`immich.kluster.moll.re`) || Host(`photos.kluster.moll.re`)
       kind: Rule
       services:
         - name: immich-server

apps/immich/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - pvc.yaml
   - immich.postgres.yaml
   - postgres.sealedsecret.yaml
-  - servicemonitor.yaml
+  # - servicemonitor.yaml
 
 
 namespace: immich
@@ -15,20 +15,13 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.3
+    version: 0.10.3
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.143.1
+    newTag: v2.3.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.143.1
-
-
-patches:
-  - path: patch-redis-pvc.yaml
-    target:
-      kind: StatefulSet
-      name: immich-redis-master
+    newTag: v2.3.1

apps/immich/patch-redis-pvc.yaml

@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: immich-redis-master
-spec:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: redis-data
-    spec:
-      storageClassName: nfs-client
-      accessModes:
-        - ReadWriteMany
-      resources:
-        requests:
-          storage: 2Gi

apps/immich/renovate.json

@@ -1,10 +1,10 @@
 {
-    "packageRules": [
-      {
-        "matchDatasources": ["docker"],
-        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
-        "groupName": "Immich containers",
-        "groupSlug": "immich-app-images"
-      }
-    ]
-  }
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackagePrefixes": ["ghcr.io/immich-app/"],
+      "groupName": "Immich containers",
+      "groupSlug": "immich-app-images"
+    }
+  ]
+}

apps/immich/servicemonitor.yaml

@@ -6,9 +6,9 @@ spec:
   endpoints:
   - port: metrics-api
     scheme: http
-  - port: metrics-ms
-    scheme: http
+    path: /metrics
   selector:
     matchLabels:
-      app.kubernetes.io/name: server
+      # app.kubernetes.io/name: server
       app.kubernetes.io/service: immich-server
+      app.kubernetes.io/instance: immich

apps/immich/values.yaml

@@ -4,26 +4,30 @@
 
 # These entries are shared between all the Immich components
 
-env:
-  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgresql-rw"
-  DB_USERNAME:
-    valueFrom:
-      secretKeyRef:
-        name: postgres-password
-        key: username
-  DB_DATABASE_NAME:
-    valueFrom:
-      secretKeyRef:
-        name: postgres-password
-        key: database
-  DB_PASSWORD:
-    valueFrom:
-      secretKeyRef:
-        name: postgres-password
-        key: password
-  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
-  IMMICH_METRICS: true
+
+controllers:
+  main:
+    containers:
+      main:
+        env:
+          # some non-default vars
+          DB_HOSTNAME: "immich-postgresql-rw"
+          DB_USERNAME:
+            valueFrom:
+              secretKeyRef:
+                name: postgres-password
+                key: username
+          DB_DATABASE_NAME:
+            valueFrom:
+              secretKeyRef:
+                name: postgres-password
+                key: database
+          DB_PASSWORD:
+            valueFrom:
+              secretKeyRef:
+                name: postgres-password
+                key: password
+          IMMICH_METRICS: true
 
 immich:
   metrics:
@@ -37,13 +41,15 @@ immich:
       existingClaim: data
 
 # Dependencies
-redis:
+valkey:
   enabled: true
-  architecture: standalone
-  auth:
-    enabled: false
-
-# Immich components
+  persistence:
+    data:
+      enabled: true
+      size: 1Gi
+      # Optional: Set this to persistentVolumeClaim to keep job queues persistent
+      type: emptyDir
+      accessMode: ReadWriteOnce
 
 server:
   enabled: true
@@ -56,7 +62,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 200Gi
+      size: 10Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/kitchenowl/ingress.yaml

@@ -8,10 +8,22 @@ spec:
     - websecure
   routes:
   - match: Host(`kitchen.kluster.moll.re`)
+    middlewares:
+      - name: kitchenowl
     kind: Rule
     services:
     - name: kitchenowl-web
       port: 8080
 
   tls:
-    certResolver: default-tls 
+    certResolver: default-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: kitchenowl
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      Upgrade: "websocket"

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.10.7
+    newTag: 10.11.3

apps/musicassistant/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: musicassistant
+spec:
+  selector:
+    matchLabels:
+      app: musicassistant
+  template:
+    metadata:
+      labels:
+        app: musicassistant
+    spec:
+      containers:
+      - name: musicassistant
+        image: musicassistant
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        # ports required for musicassistant
+        - containerPort: 80
+        - containerPort: 443
+        - containerPort: 8097
+        - containerPort: 8095
+          # name: musicassistant-web
+        - containerPort: 1704
+        - containerPort: 1705
+
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data

apps/musicassistant/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: musicassistant-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`musicassistant.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: musicassistant-web
+      port: musicassistant-web
+
+  tls:
+    certResolver: default-tls

apps/musicassistant/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: musicassistant
+
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  # - ingress.yaml
+
+
+images:
+  - name: musicassistant
+    newName: ghcr.io/music-assistant/server
+    newTag: 2.6.0

apps/musicassistant/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/musicassistant/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/musicassistant/service.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: musicassistant
+spec:
+  selector:
+    app: musicassistant
+  ports:
+  - port: 80
+    targetPort: 80
+    name: required-first
+  - port: 443
+    targetPort: 443
+    name: required-second
+  - port: 8097
+    targetPort: 8097
+    name: required-third
+  - port: 8095
+    targetPort: 8095
+    name: required-fourth
+  - port: 1704
+    targetPort: 1704
+    name: required-fifth
+  - port: 1705
+    targetPort: 1705
+    name: required-sixth
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: musicassistant-web
+spec:
+  selector:
+    app: musicassistant
+  ports:
+  - port: 8095
+    targetPort: 8095
+    name: musicassistant-web
+  type: ClusterIP

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.14.0
+    newTag: v2.15.0

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.18.4"
+    newTag: "2.20.0"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 22.0.7
+    version: 24.0.0
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v3.3.2
+    newTag: v3.5.0
     newName: ghcr.io/mealie-recipes/mealie

apps/snapcast/README.md

@@ -0,0 +1,7 @@
+### Credentials
+Since this tries to run in an isolated network we can't rely on autodiscover and the spotify client needs to be tied to an account.
+
+This is achieved by registering the client on startup via oauth. The logs show an url which should be copied to a local browser. The successfull redirect needs to be forwarded back to the client, hence run:
+```
+k port-forward deployments/snapcast 5588:5588
+```

apps/snapcast/deployment.yaml

@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: snapcast
+spec:
+  selector:
+    matchLabels:
+      app: snapcast
+  template:
+    metadata:
+      labels:
+        app: snapcast
+    spec:
+      containers:
+      - name: snapcast
+        image: snapcast
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        # snapcast ports
+        - containerPort: 1704
+        - containerPort: 1705
+        # web interface
+        - containerPort: 1780
+        - containerPort: 1788
+        # avahi
+        - containerPort: 5353
+        # airplay
+        - containerPort: 3689
+        - containerPort: 5000
+        - containerPort: 6000
+        - containerPort: 6001
+        - containerPort: 6002
+        - containerPort: 6003
+        - containerPort: 6004
+        - containerPort: 6005
+        - containerPort: 6006
+        - containerPort: 6007
+        - containerPort: 6008
+        - containerPort: 6009
+        - containerPort: 7000
+        - containerPort: 319
+        - containerPort: 320
+
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        - name: AIRPLAY_CONFIG_ENABLED
+          value: "1"
+        - name: SPOTIFY_CONFIG_ENABLED
+          value: "0"
+        - name: PIPE_CONFIG_ENABLED
+          value: "1"
+        - name: PIPE_PATH
+          value: /mnt/pipe/spotipipe
+        - name: PIPE_SOURCE_NAME
+          value: "Librespot"
+        # - name: PIPE_MODE
+        #   value: "read"
+        - name: PIPE_EXTRA_ARGS
+          # see https://github.com/badaix/snapcast/issues/1248
+          value: "&sampleformat=44100:16:2"
+        volumeMounts:
+        - name: pipe
+          mountPath: /mnt/pipe
+
+
+      - name: librespot
+        image: librespot
+        resources:
+          limits:
+            memory: "2Gi"
+            cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        - containerPort: 5588 # default port for oauth callback
+        env:
+        - name: BACKEND
+          value: pipe
+        - name: DEVICE
+          value: /mnt/pipe/spotipipe
+        - name: DISABLE_DISCOVERY
+          value: Y
+        - name: AUTOPLAY
+          value: Y
+        # - name: VERBOSE
+        #   value: Y
+        # - name: PASSTHROUGH
+        #   value: Y
+        - name: ADDITIONAL_ARGUMENTS
+          value: "--enable-oauth --cache /cache"
+        volumeMounts:
+        - name: pipe
+          mountPath: /mnt/pipe
+        - name: credentials-cache
+          mountPath: /cache
+      volumes:
+      - name: pipe
+        emptyDir: {}
+      - name: credentials-cache
+        persistentVolumeClaim:
+          claimName: cache

apps/snapcast/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: snapcast
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - pvc.yaml
+  - snapcast-config.secret.yaml
+
+images:
+  - name: snapcast
+    newName: ghcr.io/firefrei/snapcast/server
+    newTag: latest
+  - name: librespot
+    newName: giof71/librespot
+    newTag: latest

apps/snapcast/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/snapcast/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: cache
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/snapcast/service.yaml

@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: snapcast
+spec:
+  selector:
+    app: snapcast
+  ports:
+  - name: snapcast
+    port: 1704
+    targetPort: 1704
+    protocol: TCP
+  - name: snapcast-ctl
+    port: 1705
+    targetPort: 1705
+    protocol: TCP
+  - name: web
+    port: 1780
+    targetPort: 1780
+    protocol: TCP
+  - name: web-alt
+    port: 1788
+    targetPort: 1788
+    protocol: TCP
+  # - name: airplay-3689
+  #   port: 3689
+  #   targetPort: 3689
+  #   protocol: TCP
+  # - name: airplay-5000
+  #   port: 5000
+  #   targetPort: 5000
+  #   protocol: TCP
+  # - name: airplay-6000
+  #   port: 6000
+  #   targetPort: 6000
+  #   protocol: TCP
+  # - name: airplay-6001
+  #   port: 6001
+  #   targetPort: 6001
+  #   protocol: TCP
+  # - name: airplay-6002
+  #   port: 6002
+  #   targetPort: 6002
+  #   protocol: TCP
+  # - name: airplay-6003
+  #   port: 6003
+  #   targetPort: 6003
+  #   protocol: TCP
+  # - name: airplay-6004
+  #   port: 6004
+  #   targetPort: 6004
+  #   protocol: TCP
+  # - name: airplay-6005
+  #   port: 6005
+  #   targetPort: 6005
+  #   protocol: TCP
+  # - name: airplay-6006
+  #   port: 6006
+  #   targetPort: 6006
+  #   protocol: TCP
+  # - name: airplay-6007
+  #   port: 6007
+  #   targetPort: 6007
+  #   protocol: TCP
+  # - name: airplay-6008
+  #   port: 6008
+  #   targetPort: 6008
+  #   protocol: TCP
+  # - name: airplay-6009
+  #   port: 6009
+  #   targetPort: 6009
+  #   protocol: TCP
+  # - name: airplay-7000
+  #   port: 7000
+  #   targetPort: 7000
+  #   protocol: TCP
+  # - name: airplay-319
+  #   port: 319
+  #   targetPort: 319
+  #   protocol: UDP
+  # - name: airplay-320
+  #   port: 320
+  #   targetPort: 320
+  #   protocol: UDP
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.5

default.nix

@@ -7,6 +7,7 @@ pkgs.mkShell {
     kubeseal
     yq
     jq
+    kubernetes-helm-wrapped
   ];
 
   env = {

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.8
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.2.0
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.46
+    version: 0.10.49
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/cronjob.yaml

@@ -9,55 +9,15 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-
       template:
         spec:
-          initContainers:
-            - name: git
-              image: git
-              command: ["git"]
-              args:
-                - clone
-                - https://git.kluster.moll.re/remoll/dns.git
-                - /etc/octodns
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
           containers:
-            - name: octodns
-              image: octodns
+            - name: dns
+              image: dns
               env:
-                # - name: CLOUDFLARE_ACCOUNT_ID
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_ACCOUNT_ID
                 - name: CLOUDFLARE_TOKEN
                   valueFrom:
                     secretKeyRef:
                       name: cloudflare-api
                       key: CLOUDFLARE_TOKEN
-                # - name: CLOUDFLARE_EMAIL
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_EMAIL
-
-              command: ["/bin/sh", "-c"]
-              args:
-                - >-
-                  cd /etc/octodns
-                  &&
-                  pip install -r ./requirements.txt
-                  &&
-                  octodns-sync --config-file ./config.yaml --doit
-                  &&
-                  echo "done..."
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
-
-          volumes:
-          - name: octodns-config
-            emptyDir: {}
           restartPolicy: Never

infrastructure/external-dns/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: octodns
-    newName: octodns/octodns # has all plugins
-    newTag: "2025.08"
-
-  - name: git
-    newName: alpine/git
-    newTag: "v2.49.1"
+  - name: dns
+    newName: git.kluster.moll.re/remoll/dns
+    newTag: 0.0.2-build.113

infrastructure/external-dns/renovate.json

@@ -0,0 +1,15 @@
+{
+  "hostRules": [
+    {
+      "hostType": "docker",
+      "matchHost": "git.kluster.moll.re"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["git.kluster.moll.re/remoll/dns"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
+    }
+  ]
+}

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 12.3.0
+    version: 12.4.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.85.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.86.2
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.39.2
+    newTag: v0.40.1
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.42.0
+    version: 6.46.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.48.0
+    version: 4.49.2
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.26.0
+    version: 0.26.1
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "41"
+    newTag: "42"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.32.2
+    newTag: 0.33.1

infrastructure/traefik-system/configmap.yaml

@@ -66,6 +66,11 @@ data:
         [entryPoints.websecure.forwardedHeaders]
           insecure = true
           # forward ip headers no matter where they come from
+        [entryPoints.websecure.transport.respondingTimeouts]
+          readTimeout  = "0"
+          # writeTimeout = "300s"
+          # idleTimeout  = "180s"
+
 
       [entryPoints.metrics]
         address = ":9100"

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 37.1.2
+    version: 37.3.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/servicemonitor.yaml

@@ -1,29 +1,13 @@
-# apiVersion: monitoring.coreos.com/v1
-# kind: ServiceMonitor
-# metadata:
-#   name: traefik-servicemonitor
-#   labels:
-#     app: traefik
-# spec:
-#   selector:
-#     matchLabels:
-#       app.kubernetes.io/name: traefik
-#   endpoints:
-#     - port: metrics
-#       path: /metrics
 apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
+kind: ServiceMonitor
 metadata:
-  name: traefik-podmonitor
+  name: traefik-servicemonitor
   labels:
     app: traefik
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: traefik
-  namespaceSelector:
-    matchNames:
-      - traefik-system
-  podMetricsEndpoints:
+  endpoints:
     - port: metrics
       path: /metrics

infrastructure/traefik-system/values.yaml

@@ -101,6 +101,12 @@ ports:
       default: true
     exposedPort: 853
     protocol: TCP
+  metrics:
+    port: 9100
+    expose:
+      default: true
+    exposedPort: 9100
+
 
 
 
@@ -122,6 +128,5 @@ service:
   # Additional entries here will be added to the service spec.
   # Cannot contain type, selector or ports entries.
   spec:
-    # externalTrafficPolicy: Local
     loadBalancerIP: 192.168.3.1
-
+    externalTrafficPolicy: Local

kluster-deployments/homeassistant/application.yaml

@@ -1,18 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-application
+  name: homeassistant-flat-application
   namespace: argocd
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/homeassistant
+    path: apps/homeassistant/overlays/flat
   destination:
     server: https://kubernetes.default.svc
     namespace: homeassistant
   syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: true

kluster-deployments/homeassistant/house.application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homeassistant-house-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/homeassistant/overlays/house
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homeassistant
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/homeassistant/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- application.yaml
+- application.yaml
+- house.application.yaml

renovate.json

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
   "extends": [
-    "local>remoll/k3s-infra//apps/immich/renovate.json"
+    "local>remoll/k3s-infra//apps/immich/renovate.json",
+    "local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
   ],
   "packageRules": [
     {