add headscale

Reviewed-on: #423

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.55
+    newTag: v0.107.61
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.17.7"
+    newTag: "2.20.0"

apps/code-server/deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: code-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: code-server
+  template:
+    metadata:
+      labels:
+        app: code-server
+    spec:
+      containers:
+        - name: code-server
+          image: code-server
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          - name: CONFIG_PATH
+            value: /data/config
+          - name: METADATA_PATH
+            value: /data/metadata
+          volumeMounts:
+            - name: data
+              mountPath: /home/coder
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "6"
+              memory: "16Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: code-server-data
+

apps/code-server/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: audiobookshelf-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`code.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: code-server-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/code-server/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: code-server
+
+images:
+  - name: code-server
+    newName: ghcr.io/coder/code-server
+    newTag: 4.99.3-fedora

apps/code-server/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/code-server/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: code-server-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/code-server/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: code-server-web
+spec:
+  selector:
+    app: code-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+  type: LoadBalancer

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.0.0"
+    newTag: "7.1.2"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.1.0
+    newTag: 25.4.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.8.2
+    version: 8.12.1
     valuesFile: grafana.values.yaml

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2025.1"
+    newTag: "2025.4"

apps/immich/kustomization.yaml

@@ -15,20 +15,20 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.0
+    version: 0.9.2
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.124.2
+    newTag: v1.130.3
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.124.2
+    newTag: v1.130.3
 
 
 patches:
   - path: patch-redis-pvc.yaml
     target:
       kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master

apps/immich/values.yaml

@@ -37,10 +37,6 @@ immich:
       existingClaim: data
 
 # Dependencies
-
-postgresql:
-  enabled: false
-
 redis:
   enabled: true
   architecture: standalone

apps/kitchenowl/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: kitchenowl
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - configMapRef:
+                name: kitchenowl-config
+            - secretRef:
+                name: kitchenowl-oauth
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "100m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data
+

apps/kitchenowl/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kitchenowl-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kitchen.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: kitchenowl-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/kitchenowl/kitchenowl-config.configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kitchenowl-config
+data:
+  FRONT_URL: https://kitchen.kluster.moll.re
+  DISABLE_USERNAME_PASSWORD_LOGIN: "true"

apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: kitchenowl-oauth
+  namespace: kitchenowl
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
+    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
+    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
+    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: kitchenowl-oauth
+      namespace: kitchenowl
+    type: Opaque

apps/kitchenowl/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - kitchenowl-oauth.sealedsecret.yaml
+  - kitchenowl-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: kitchenowl
+
+images:
+  - name: kitchenowl
+    newName: tombursch/kitchenowl
+    newTag: v0.6.11

apps/kitchenowl/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/kitchenowl/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: kitchenowl-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/kitchenowl/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl-web
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+  - port: 8080
+    targetPort: 8080

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.36.0"
+    newTag: "1.39.1"

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.10.3
+    newTag: 10.10.7

apps/minecraft/curseforge.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: minecraft
 spec:
   encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
   template:
     metadata:
       creationTimestamp: null

apps/minecraft/job.yaml

@@ -4,6 +4,9 @@ metadata:
   name: start-server
 spec:
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
       restartPolicy: OnFailure
       containers:
@@ -11,7 +14,7 @@ spec:
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
             cpu: "5"
           requests:
             memory: "1500Mi"
@@ -29,13 +32,13 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -43,7 +46,7 @@ spec:
         - name: CREATE_CONSOLE_IN_PIPE
           value: "true"
         - name: ONLINE_MODE
-          value: "true"
+          value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
         

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.14.3"
+    newTag: "2.15.3"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.6.2
+    version: 20.13.0
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v2.4.2
+    newTag: v2.8.0
     newName: ghcr.io/mealie-recipes/mealie

infrastructure/authelia/README.md

@@ -0,0 +1,10 @@
+### Adding clients
+
+Generate a new secret + hash:
+```
+k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
+```
+
+give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
+
+}cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY

infrastructure/authelia/authelia-oidc.sealedsecret.yaml

@@ -7,13 +7,14 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    client.argocd: AgAO/s+1K/QyLFsj44qAsgj+qS0qE7Q1De6cjc8UpsXDTQ7Y1SrP+NP8K7mZwGgQ1ItJN7bsIo79CFi4wLVEUOmAhu9dFwot665F0iwA8aUrcohk9xfqxqcv0A80i6mbchd60/GTaOTiQ6IFbeKBsxdv37NhvExHia9zdPFBVZoor5gmfZi1l8Aujge0dHqN0Qtg6R73b+abiJZS/h24HmETPJnRARK9aX1HSO8syBv2cxOuX3oYpVT8qvw+J2pgF7pD7YF8ZXG5v8VkXLn9vZ/EznTRNPguGC7YZgEXB9dvSJMcQ7KXNqtreKtSJk9V6EuhHHteHAlrCMdJ/UILUx+S1MLdSlnmoXHLU4oXITI688ZiGxtp0MyhknKPk/rRHV8To/lbEswy16j39ES4+vV7UgBVIvl4Ds51C39VC5G3gKL4xuEWbSuXv3oNbIPQzNZXGPkn77f4A7NQy2Wnp9G8RKtJSQqoWaOCNoytngyIkEy/Z6tbNFmafRvEKSSNLMVeH8nChpbqCwVBTrk1jASYFPW8sIlVh9zia2uihiHzIxdKOQXsvWMSGLdFSSiG0vlC+yeBb5PhWBA+0nAsKGO88a916E9B011w9qK/92GOcYaU/Kgyo6CnseVyJgSjv6d2IHxKTHnQtWpEQEHO2VEVfuqiISDz8rSCFbM5U91Qly947bRMCXXY8GuFnmlNJpqq7QPp6HRZBt4ZfRmkI/E5y7Nb/L/SfXDJsjSd0z4U0vJi1tYxIs0XnprhxjkuS88ZuqdEZaHxG8PMrACSltKzZhwBnjImb2LuOF3mUitngF2YQ5L4q5S7AcOU4fVHwoK+wONNCEjI63RiGo7DTm1AwM9lA5gM0pQSU9T1JqWtYcPZVg==
-    client.gitea: AgAbX2GgysUuAg3TLLK7Puhtl+L8x4cQOGo+3TP60DPms42Tw6oihHQpSTzIEetdaqJ/QWrdB2FQfzhKQVM0hQji2uVH34SyzvP5TepJJSURUZAHGRiwhb/E7S8ag/ybBWQ9OIQzMZBiOOyDULrhmjbtr/CbozwmvdTIKiXIBLxQbXA9PjcM76UyYZAr69wP9a6xOzwOZgQ2/aJbWEFnItreUaqY76FHzKwkcPkzwPPryD7jvpVoLC2ZsbFLCptKbaCpRuHNQgHblWB2dj5wkFRGmNyHH7mglq9A2FbB9uiAD+2K2tgYgSc4yGaeGIvu/Qbnioc4F9nTT4ZceEtMu+sn1gVWy3kKkUDOvCcGUALo759/FuyTQ8JKKJ/zLYHhCJ8IAYXFhALe+aQMZbcycbD9KU8Iepq1DCTsyjpbM9K5w0D5ZnBf3V9IemjtMNaCllDq1Io5mPQaxlyjsWIDgvXIP2KEGekSlnh5O2yNCQl0gLAKM245B0lxyRgr22lTH9AJacbIVevwdBq0B+iSm/JGJvWjwLzfL5D41HY0Z6ZLOLUFKnTHQGiRp2+g9ysg+38aOQ1PUAXlloXM6UVnEHdahyvuPmAfo34f8vSaSrT1b3Xp0MzxUwxzl0bXO9wQ/As41qpI/DKC45CFDl1yQ3/+LOggAF///peSyzUNYUvbqB2u5KWNrLulXO11IKffHYeiwfeINxB0B3Rzxpl2ZBm4k8cauArTneYYcic+DbweY3WjcFQPCtfQiiS56S1wQeF9xgZfL2WNQA3qnnsB4mYyCLxH/oJ2JiiKrISPUmEcERnU8rdUelZ+idiT4s4PDpOo34QK756nzTtyWGjU0pIm6PIpz35i4djMkUoNpLq7bcVcKw==
-    client.grafana: AgAtsKa6TPkGYqT3BcmbKnOnKG4xNd4N7tv7Vt81rh10KupR5z9c12y78uyKQZMyWb7PDDi58nIeWzTmtVmoSl06D8NCOfYrlbZQEl+NJsePX/kiwmlOnOrLBQ89uHHdlU7MCBPVDZNPY88xzkZg0pPnWYlKuvtNpV0Uq03gUosM5kV6zF10LRM4Twhpw9su5mDkwzyrALB0eALkmcktDpbayr0b0ZnK1X1HYuG9/GRTfa4uE5Jqbl+h3wV8cqUHt5drCVu3yGEP8palqTWh3LZoVFddDZ6EjX98FNGorpgvXzQrSwR3DHEovhER77MFgJu5vvVecgygPMHpQETb7VPpCoiY8WwjcJMElcFbVFgeih3mMxe0vgkf4AmyNmHvV52QT01+a2UJfwb2l7J+BJQS2qRLWX22eUJ3jWthFZp1bHxrgrizaqLmuR0WCabiWClS6+w5ecuuEnjZKhnNgGViUTZEo9r4Y+Hq34DbpSbQCPD+KFwjSy38cu585wHnMJHbmP4tVH0+zAA4sNzlcO+Dt2bqNZ5bIl+pq1y8qP6sABiRIxvHOhnXSHFhRQzUqrO7D/0WEHzsHNR/FyuJJ8gsE/ZS3gmMq1qaYAdLWanNPtJtcZxk03ZTGRmx+TRnoeTdGniyROACL2e78MX6gszjCpjIQWJOh/gDmMtO/r/0wu+OFUlKm6ynpm9hwjTfVXIAxVGQZP0GNzhxWekkB31og/XUHDDSARhfqozor5Og9vznx6t0wtOOzMXt0M6P7w7+kIEfLHSroKgY0D8QlXNmBQf1Aub7j6NjyF8xdQtxMhGmwbQ6AC4H8jUdzRy+zPCck70dA3hSwS9aaxDy+xD4zWAmZAzjAQS2lRbbdxpxh8L97A==
-    client.linkding: AgCUlf4WAphijd9Oy2x+WRZv28o5alDpfF9hiro8y/99jZb79HbODkS+Z48mFRypMmu6nsAp4NJmaM5Tc0kOXCfoqAkcw6AQ+noalSCzGpH+laPYRnvD4ccVbJlePIeQlnQZTipSTcNgoCvocIfi/5sgKFv22VKEyYuOEmZ3VfQ96CIbyitbyApw0JHi5x1kanw2QFE3dmumnNG075zQ/aJYucM4lrpDY8P2YhAbLNaJx5dB7SCeGoVvviDtuZFHskLFIIzV0fjBIhX6b6vfRgT4IQpaBTpEZcQ+tLLrEcL4jAPWzooDmpgCU0l1wg0Xf3FmV8aBpzs9oicvQauLVgKF8ouBMoECjB82sLAuI1pBUbOKOjxCnFTnL6kGbOZm77maddJ837Bd5BOO2spAhUYfQCuPg98ZyiNFSCKzf1XX7mDY1xeV3S6KizpULc1fimKoQL4EImKYWLI7GVnKUGvS2V8WVTQu/ZuPCTfpg+OSO0YOc3eZPqQ5immSK0Azt/PvHcoxiNYHajI7Jy3OvF6Fhv7HN/prHZJZMARRnMTgpPjvp5ZE+xA+F2FURllLtmNF3c3i8s4pM6xi0GSBsYWc03WNIk7aY1oENg4aEufOHnknuX8GiGQqdnKPPUuhiTK4k5iyqk7Lo9ntdu+WJQllUoNe6s9kSRua78wyYb684nKNfAFbyYXUW6oiWD6eYCSgyCj8xAGdBv41/Lz1jpUgSetvoHcDPjh/mDjGWRAgg1hqaIr++DRuFW7mEaXthoGsu3pM6JxVzge/mEfs/DM/vn5GEIFvSGuC3Nn9IGcyqeVWcTtlRh5AfTe1tNlohkYkNr96Fe+j/7MJLWgc59th8FEH2F5ygbPg9ay6c1rGjSYD2Q==
-    client.paperless: AgBJXjDVqEubR+5He9KVfmfHV4cH5DLtiLmBil5srrUTTlJpjBtD0OBA0Rj4qpZjrOHal/p0nfGQkgtvOmj5NWbplktEjmX4z7uRT8zjatK6zTjDHW2x2x9T7V0LCBQwkPtboBuxQ6tSc9yQQr15Ru6rT0BgvgDd5rOubnQQjK9AjxUe0VKeW0nGnZI0Zh9zIOiW+Yt6AFzheYgAfF4dsbBe1hTq7N4L2JK147YLI50GqFCL+vGYpz7MxcU3AzDi4eEP1ZmLga79eGvMelUSR4d1l3k6fjFQ8mCPPQ+PkMoWuu8FZ8pT0F+qdb2jB7GCqPedBmuzJNT127mqWMJN929n5j/towZjI9IDd+q3YXlfMEWSY74r8x/GUGSq8mB0/kS+iLyC+p6Rmu/aaW7GNkwZNtcuQkI346JBOnUSa0bT/ElXDNnRxxHGPCNQshrv3wTVoKgN7wxkVVXbX/MdXPE9NqWNRQK42TdROXpjWa/FVklraQ30XPy/SHBENbhXvmqlzrbMWmK9/auBKDB1tmLASUcO4iObOSFPUdQrj+pJ4oQFN1nlyX06i/X8ECENov2jwfpf5tW0sWoYVSPWuZOIOk2wEF3HXnzCtv/f41vMixtqhpWPRvasJ4UejsuatHaYNRj7uD2FjbpYItvT4QA0xepIR97jVWqc6bsN23AFUJIHJ+twOYpNIQJqJ+mx/g6Yzt7YOTM7X2VJO6dKwBhuXx3cRigU4nadZoTELT+Wh8i6n1lA/kD0+A3OuMjwuTrvutDTOHH5RjDwRWRw3m6LohWfdQIVvEkAM0RwwvcC9Yu9W0PH5ZpUGw3zpiqzgydtxTXEwi1IGS2rUKkdhkoShKJ/ODMZjjRxRX0H4zkelPUDGg==
-    client.recipes: AgCK/GYJr88kUCQ00YtksasTKChbCvSxxaIAa+08Xzgn2eRLmw0quTgqHS5yQrdj6SHNsI+tZifmUkfHXjDSP7SShhg4fe6T+r/AzZmYb6xFwvZGHF5nSmX5Xy94Lla/x0rOOTuk42kV6g6KJYD91VTLOYGMD0IjdZkI2NMFwXN0UIqOZD6SGhKav4WwZRk0GxjFwwW32NZH3+O1aqTCdBYsMzNFAJyur/Wj7ZpeFXZ0fdBHF+gk/RYOhIzGuoUJN9qeh1m/miT032jcapF2/bYGakufAl6gGtA13ssYcXqRZxqrOTHzvIo+/TULlXL5KJxA8cyTj696YsIc2svugvyrvJmHghZ3y1uVU7V7OjxRLTni8pO4boq11TTkiWdkDdSWmXm9lyXrTrHYstHs/KfdOxgshOXNktME0HOFsXdCJCD/dBRd8+Csqb+Xo4hy+m5ROIP1QP0lJeMId+yWL15xEb0CiEBw6LVLhtO3aZ1mYxJBwcjvBTllLhU1y3z8Ah0fOvcOdBx8ncRIn+tmVCgjJXwm5eBIku/74ubvR1avAB/C0qX1zQnWRWvmaE6/k58RlUrQHFWFI9OvJUSNushlUus6roEux7suZ6uhXJFfB8hM8okbIMuNJA99HdA9BHRr0ieoZALbQ5HZf/zFbKhGYYX3HcyExUgv6lxvwxlYJJfXtMPic3p4iPq3f3aLMyco8pDECKvoVlyAgU6RoCp2RDZeJ/bwaL2farGTy3HXHpw0jy6/6dZuQCD457v6a3f+eLBDbubaGXJsGF1msRyChdcc0JU2niKwKd454WJoWBLn3LVIsthtCLT5ZBY3yfttdjLUmocyPcYFy03LA1ogOztKjvXf0FjcofdcpIrfWenV3w==
-    client.todos: AgBSbi/vsGzl/L2/BAWefZZNySo9TEHHUlf/ilCgcQcPm53wmd5gFJUyVhjOheN1AUdiLw5UpeITig/A8UID4B/4UOfDeSfwLYUvPgTP/5OxtxjoonWkrR2YGjPmtdBd9WZJVZcjb1YABuXew3SoVfuObw4F8uAn3iojxrScaO7J+vUZSNUE2fbd8kJ0064v/Huoan0PheFbRFqSVcDKVg62byh5LIGVtmcwdcWz1v3aYIRRB04TyyHAlmihv8/N3ppTrz5HR98Q8WHOrORIF4liS1c80swAUeFNFuDHjxbN9yphF3Z7taoBSwSdqNgEWjAr5tnFVRO7A3VmbuMsM5y9ryitbPqPijB1GIqqwLz1Ucn+KF7eK8kdhyZWidrBVWCQ8E2EEQELcJnotZd49M7y505LDsZgl8drqPoXoUW2HdPXcZzNqaGrc1DNhEK1aUHtuE4jBwPNVjEV8D2cQ1mm/rzF1YPyUPQ+TvqXgLvPQx0tZU7vSVBEQDAK+bj3hkgivPPM67iiSt3rrX8Egp53Hg11jzIE1al/Zlfja14broOL9yCc0dUVMpOXrT71t7RjYiPNg8CsK4GM2nopGN4IzMhP/sFzSSlwq5YoDxV/mysAGLRBzL615Gv3QRNAubQocnPj4iOCMvpIZdDuBTmCrUzPEzppwbb+JHnNoFOYQBdJEImLicnsGAiAW4Jzns0kElCpCl7wp9b+GCoqmGpzkg6Vk/LU8UGVDCnhuXmtNA7EbT04jb9SxRXIUl4/fmpzQWAC5HGfoSoO1M4LKp46sS7es2Ts+ggXrGJhAYiDnX/EJxkl4OWzhJ4SFiLVbeqcIIIYslQkz4KP+haPvbjY419zEDDp1P/lBPtJp6Dj81B7xw==
+    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
+    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
+    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
+    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
+    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
+    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
+    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
+    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -12,7 +12,7 @@ pod:
 ## Authelia Config Map Generator
 ##
 configMap:
-  key: 'configuration.yml'
+  key: 'configuration.yaml'
   # include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
     - /secrets/authelia-smtp/smtp.yml
@@ -78,10 +78,6 @@ configMap:
       file: /config/db.sqlite3
 
 
-  # notifier:
-  # notifier is configured via the smtp secret and merged by authelia upon startup
-
-
   identity_validation:
     reset_password:
       secret:
@@ -227,6 +223,25 @@ configMap:
           userinfo_signed_response_alg: 'none'
           token_endpoint_auth_method: 'client_secret_basic'
           consent_mode: 'implicit'
+        - client_id: 'kitchenowl'
+          client_name: 'KitchenOwl'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.kitchenowl'
+          public: false
+          token_endpoint_auth_method: 'client_secret_post'
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://kitchen.kluster.moll.re/signin/redirect'
+            - kitchenowl:///signin/redirect
+            # mobile app as well
+          scopes:
+            - openid
+            - email
+            - profile
+
+
+  # notifier
+  # is set through a secret
 
 
 persistence:

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.14
+    version: 0.10.4
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.09"
+    newTag: "2025.04"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.47.1"
+    newTag: "v2.47.2"

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.6.0
+    version: 11.0.1
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/headscale/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  headscale
+  labels:
+    app:  headscale
+spec:
+  selector:
+    matchLabels:
+      app: headscale
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: headscale
+    spec:
+      shareProcessNamespace: true
+      serviceAccountName: default
+      containers:
+      - name: headplane
+        image: headplane
+        env:
+        # Set these if the pod name for Headscale is not static
+        # We will use the downward API to get the pod name instead
+        - name: HEADPLANE_LOAD_ENV_OVERRIDES
+          value: 'true'
+        - name: 'HEADPLANE_INTEGRATION__KUBERNETES__POD_NAME'
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        ports:
+        - containerPort: 3000
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - name: headplane-config
+          mountPath: /etc/headplane/config.yaml
+          subPath: config.yaml
+        - name: headplane-data
+          mountPath: /var/lib/headplane
+
+      - name: headscale
+        image: headscale
+        args: ["serve"]
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        # env:
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - mountPath: /persistence
+          name: headscale-data
+
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: headscale-config
+        configMap:
+          name: headscale-config
+      - name: headscale-data
+        persistentVolumeClaim:
+          claimName: headscale-data
+
+      - name: headplane-config
+        configMap:
+          name: headplane-config
+      - name: headplane-data
+        persistentVolumeClaim:
+          claimName: headplane-data

infrastructure/headscale/headplane-config.configmap.yaml

@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headplane-config
+data:
+  config.yaml: |
+    # Configuration for the Headplane server and web application
+    server:
+      host: "0.0.0.0"
+      port: 3000
+
+      # The secret used to encode and decode web sessions
+      # Ensure that this is exactly 32 characters long
+      cookie_secret: "<change_me_to_something_secure!>"
+
+      # Should the cookies only work over HTTPS?
+      # Set to false if running via HTTP without a proxy
+      # (I recommend this is true in production)
+      cookie_secure: true
+
+    # Headscale specific settings to allow Headplane to talk
+    # to Headscale and access deep integration features
+    headscale:
+      # The URL to your Headscale instance
+      # (All API requests are routed through this URL)
+      # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
+      #
+      # IMPORTANT: If you are using TLS this MUST be set to `https://`
+      url: "http://0.0.0.0:8080"
+
+      # If you use the TLS configuration in Headscale, and you are not using
+      # Let's Encrypt for your certificate, pass in the path to the certificate.
+      # (This has no effect `url` does not start with `https://`)
+      # tls_cert_path: "/var/lib/headplane/tls.crt"
+
+      # Optional, public URL if they differ
+      # This affects certain parts of the web UI
+      # public_url: "https://headscale.example.com"
+
+      # Path to the Headscale configuration file
+      # This is optional, but HIGHLY recommended for the best experience
+      # If this is read only, Headplane will show your configuration settings
+      # in the Web UI, but they cannot be changed.
+      config_path: "/etc/headscale/config.yaml"
+
+      # Headplane internally validates the Headscale configuration
+      # to ensure that it changes the configuration in a safe way.
+      # If you want to disable this validation, set this to false.
+      config_strict: true
+
+    # Integration configurations for Headplane to interact with Headscale
+    # Only one of these should be enabled at a time or you will get errors
+    integration:
+      kubernetes:
+        enabled: true
+        # Validates the manifest for the Pod to ensure all of the criteria
+        # are set correctly. Turn this off if you are having issues with
+        # shareProcessNamespace not being validated correctly.
+        validate_manifest: true
+        # This should be the name of the Pod running Headscale and Headplane.
+        # If this isn't static you should be using the Kubernetes Downward API
+        # to set this value (refer to docs/Integrated-Mode.md for more info).
+        pod_name: "headscale"
+
+
+
+    # # OIDC Configuration for simpler authentication
+    # # (This is optional, but recommended for the best experience)
+    # oidc:
+    #   issuer: "https://accounts.google.com"
+    #   client_id: "your-client-id"
+
+    #   # The client secret for the OIDC client
+    #   # Either this or `client_secret_path` must be set for OIDC to work
+    #   client_secret: "<your-client-secret>"
+    #   # You can alternatively set `client_secret_path` to read the secret from disk.
+    #   # The path specified can resolve environment variables, making integration
+    #   # with systemd's `LoadCredential` straightforward:
+    #   # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+
+    #   disable_api_key_login: false
+    #   token_endpoint_auth_method: "client_secret_post"
+
+    #   # If you are using OIDC, you need to generate an API key
+    #   # that can be used to authenticate other sessions when signing in.
+    #   #
+    #   # This can be done with `headscale apikeys create --expiration 999d`
+    #   headscale_api_key: "<your-headscale-api-key>"
+
+    #   # Optional, but highly recommended otherwise Headplane
+    #   # will attempt to automatically guess this from the issuer
+    #   #
+    #   # This should point to your publicly accessibly URL
+    #   # for your Headplane instance with /admin/oidc/callback
+    #   redirect_uri: "http://localhost:3000/admin/oidc/callback"
+
+    #   # Stores the users and their permissions for Headplane
+    #   # This is a path to a JSON file, default is specified below.
+    #   user_storage_file: "/var/lib/headplane/users.json"

infrastructure/headscale/headscale-config.configmap.yaml

@@ -0,0 +1,376 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headscale-config
+data:
+  config.yaml: |
+    server_url: http://127.0.0.1:8080
+
+    # Address to listen to / bind to on the server
+    #
+    # For production:
+    listen_addr: 0.0.0.0:8080
+
+    # Address to listen to /metrics and /debug, you may want
+    # to keep this endpoint private to your internal network
+    metrics_listen_addr: 127.0.0.1:9090
+
+    # Address to listen for gRPC.
+    # gRPC is used for controlling a headscale server
+    # remotely with the CLI
+    # Note: Remote access _only_ works if you have
+    # valid certificates.
+    #
+    # For production:
+    # grpc_listen_addr: 0.0.0.0:50443
+    grpc_listen_addr: 127.0.0.1:50443
+
+    # Allow the gRPC admin interface to run in INSECURE
+    # mode. This is not recommended as the traffic will
+    # be unencrypted. Only enable if you know what you
+    # are doing.
+    grpc_allow_insecure: false
+
+    # The Noise section includes specific configuration for the
+    # TS2021 Noise protocol
+    noise:
+      # The Noise private key is used to encrypt the traffic between headscale and
+      # Tailscale clients when using the new Noise-based protocol. A missing key
+      # will be automatically generated.
+      private_key_path: /var/lib/headscale/noise_private.key
+
+    # List of IP prefixes to allocate tailaddresses from.
+    # Each prefix consists of either an IPv4 or IPv6 address,
+    # and the associated prefix length, delimited by a slash.
+    # It must be within IP ranges supported by the Tailscale
+    # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+    # See below:
+    # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+    # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+    # Any other range is NOT supported, and it will cause unexpected issues.
+    prefixes:
+      v4: 100.64.0.0/10
+      v6: fd7a:115c:a1e0::/48
+
+      # Strategy used for allocation of IPs to nodes, available options:
+      # - sequential (default): assigns the next free IP from the previous given IP.
+      # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+      allocation: sequential
+
+    # DERP is a relay system that Tailscale uses when a direct
+    # connection cannot be established.
+    # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+    #
+    # headscale needs a list of DERP servers that can be presented
+    # to the clients.
+    derp:
+      server:
+        # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+        # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+        enabled: false
+
+        # Region ID to use for the embedded DERP server.
+        # The local DERP prevails if the region ID collides with other region ID coming from
+        # the regular DERP config.
+        region_id: 999
+
+        # Region code and name are displayed in the Tailscale UI to identify a DERP region
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+
+        # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+        # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+        #
+        # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+        stun_listen_addr: "0.0.0.0:3478"
+
+        # Private key used to encrypt the traffic between headscale DERP and
+        # Tailscale clients. A missing key will be automatically generated.
+        private_key_path: /var/lib/headscale/derp_server_private.key
+
+        # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+        # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+        # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+        automatically_add_embedded_derp_region: true
+
+        # For better connection stability (especially when using an Exit-Node and DNS is not working),
+        # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+        ipv4: 1.2.3.4
+        ipv6: 2001:db8::1
+
+      # List of externally available DERP maps encoded in JSON
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+
+      # Locally available DERP map files encoded in YAML
+      #
+      # This option is mostly interesting for people hosting
+      # their own DERP servers:
+      # https://tailscale.com/kb/1118/custom-derp-servers/
+      #
+      # paths:
+      #   - /etc/headscale/derp-example.yaml
+      paths: []
+
+      # If enabled, a worker will be set up to periodically
+      # refresh the given sources and update the derpmap
+      # will be set up.
+      auto_update_enabled: true
+
+      # How often should we check for DERP updates?
+      update_frequency: 24h
+
+    # Disables the automatic check for headscale updates on startup
+    disable_check_updates: false
+
+    # Time before an inactive ephemeral node is deleted?
+    ephemeral_node_inactivity_timeout: 30m
+
+    database:
+      # Database type. Available options: sqlite, postgres
+      # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+      # All new development, testing and optimisations are done with SQLite in mind.
+      type: sqlite
+
+      # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+      debug: false
+
+      # GORM configuration settings.
+      gorm:
+        # Enable prepared statements.
+        prepare_stmt: true
+
+        # Enable parameterized queries.
+        parameterized_queries: true
+
+        # Skip logging "record not found" errors.
+        skip_err_record_not_found: true
+
+        # Threshold for slow queries in milliseconds.
+        slow_threshold: 1000
+
+      # SQLite config
+      sqlite:
+        path: /persistence/db.sqlite
+
+        # Enable WAL mode for SQLite. This is recommended for production environments.
+        # https://www.sqlite.org/wal.html
+        write_ahead_log: true
+
+        # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+        # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+        # Set to 0 to disable automatic checkpointing.
+        wal_autocheckpoint: 1000
+
+
+    ### TLS configuration
+    #
+    ## Let's encrypt / ACME
+    #
+    # headscale supports automatically requesting and setting up
+    # TLS for a domain with Let's Encrypt.
+    #
+    # URL to ACME directory
+    acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+    # Email to register with ACME provider
+    acme_email: ""
+
+    # Domain name to request a TLS certificate for:
+    tls_letsencrypt_hostname: ""
+
+    # Path to store certificates and metadata needed by
+    # letsencrypt
+    # For production:
+    tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+
+    # Type of ACME challenge to use, currently supported types:
+    # HTTP-01 or TLS-ALPN-01
+    # See: docs/ref/tls.md for more information
+    tls_letsencrypt_challenge_type: HTTP-01
+    # When HTTP-01 challenge is chosen, letsencrypt must set up a
+    # verification endpoint, and it will be listening on:
+    # :http = port 80
+    tls_letsencrypt_listen: ":http"
+
+    ## Use already defined certificates:
+    tls_cert_path: ""
+    tls_key_path: ""
+
+    log:
+      # Output formatting for logs: text or json
+      format: text
+      level: info
+
+    ## Policy
+    # headscale supports Tailscale's ACL policies.
+    # Please have a look to their KB to better
+    # understand the concepts: https://tailscale.com/kb/1018/acls/
+    policy:
+      # The mode can be "file" or "database" that defines
+      # where the ACL policies are stored and read from.
+      mode: file
+      # If the mode is set to "file", the path to a
+      # HuJSON file containing ACL policies.
+      path: ""
+
+    ## DNS
+    #
+    # headscale supports Tailscale's DNS configuration and MagicDNS.
+    # Please have a look to their KB to better understand the concepts:
+    #
+    # - https://tailscale.com/kb/1054/dns/
+    # - https://tailscale.com/kb/1081/magicdns/
+    # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+    #
+    # Please note that for the DNS configuration to have any effect,
+    # clients must have the `--accept-dns=true` option enabled. This is the
+    # default for the Tailscale client. This option is enabled by default
+    # in the Tailscale client.
+    #
+    # Setting _any_ of the configuration and `--accept-dns=true` on the
+    # clients will integrate with the DNS manager on the client or
+    # overwrite /etc/resolv.conf.
+    # https://tailscale.com/kb/1235/resolv-conf
+    #
+    # If you want stop Headscale from managing the DNS configuration
+    # all the fields under `dns` should be set to empty values.
+    dns:
+      # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+      magic_dns: true
+
+      # Defines the base domain to create the hostnames for MagicDNS.
+      # This domain _must_ be different from the server_url domain.
+      # `base_domain` must be a FQDN, without the trailing dot.
+      # The FQDN of the hosts will be
+      # `hostname.base_domain` (e.g., _myhost.example.com_).
+      base_domain: example.com
+
+      # List of DNS servers to expose to clients.
+      nameservers:
+        global:
+          - 1.1.1.1
+          - 1.0.0.1
+          - 2606:4700:4700::1111
+          - 2606:4700:4700::1001
+
+          # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+          # "abc123" is example NextDNS ID, replace with yours.
+          # - https://dns.nextdns.io/abc123
+
+        # Split DNS (see https://tailscale.com/kb/1054/dns/),
+        # a map of domains and which DNS server to use for each.
+        split:
+          {}
+          # foo.bar.com:
+          #   - 1.1.1.1
+          # darp.headscale.net:
+          #   - 1.1.1.1
+          #   - 8.8.8.8
+
+      # Set custom DNS search domains. With MagicDNS enabled,
+      # your tailnet base_domain is always the first search domain.
+      search_domains: []
+
+      # Extra DNS records
+      # so far only A and AAAA records are supported (on the tailscale side)
+      # See: docs/ref/dns.md
+      extra_records: []
+      #   - name: "grafana.myvpn.example.com"
+      #     type: "A"
+      #     value: "100.64.0.3"
+      #
+      #   # you can also put it in one line
+      #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+      #
+      # Alternatively, extra DNS records can be loaded from a JSON file.
+      # Headscale processes this file on each change.
+      # extra_records_path: /var/lib/headscale/extra-records.json
+
+    # Unix socket used for the CLI to connect without authentication
+    # Note: for production you will want to set this to something like:
+    unix_socket: /var/run/headscale/headscale.sock
+    unix_socket_permission: "0770"
+    #
+    # headscale supports experimental OpenID connect support,
+    # it is still being tested and might have some bugs, please
+    # help us test it.
+    # OpenID Connect
+    # oidc:
+    #   only_start_if_oidc_is_available: true
+    #   issuer: "https://your-oidc.issuer.com/path"
+    #   client_id: "your-oidc-client-id"
+    #   client_secret: "your-oidc-client-secret"
+    #   # Alternatively, set `client_secret_path` to read the secret from the file.
+    #   # It resolves environment variables, making integration to systemd's
+    #   # `LoadCredential` straightforward:
+    #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+    #   # client_secret and client_secret_path are mutually exclusive.
+    #
+    #   # The amount of time from a node is authenticated with OpenID until it
+    #   # expires and needs to reauthenticate.
+    #   # Setting the value to "0" will mean no expiry.
+    #   expiry: 180d
+    #
+    #   # Use the expiry from the token received from OpenID when the user logged
+    #   # in, this will typically lead to frequent need to reauthenticate and should
+    #   # only been enabled if you know what you are doing.
+    #   # Note: enabling this will cause `oidc.expiry` to be ignored.
+    #   use_expiry_from_token: false
+    #
+    #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+    #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+    #
+    #   scope: ["openid", "profile", "email", "custom"]
+    #   extra_params:
+    #     domain_hint: example.com
+    #
+    #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+    #   # authentication request will be rejected.
+    #
+    #   allowed_domains:
+    #     - example.com
+    #   # Note: Groups from keycloak have a leading '/'
+    #   allowed_groups:
+    #     - /headscale
+    #   allowed_users:
+    #     - alice@example.com
+    #
+    #   # Optional: PKCE (Proof Key for Code Exchange) configuration
+    #   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+    #   # by preventing authorization code interception attacks
+    #   # See https://datatracker.ietf.org/doc/html/rfc7636
+    #   pkce:
+    #     # Enable or disable PKCE support (default: false)
+    #     enabled: false
+    #     # PKCE method to use:
+    #     # - plain: Use plain code verifier
+    #     # - S256: Use SHA256 hashed code verifier (default, recommended)
+    #     method: S256
+    #
+    #   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+    #   # by taking the username from the legacy user and matching it with the username
+    #   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+    #   # to force them using the unique identifier from the OIDC and to give them a
+    #   # proper display name and picture if available.
+    #   # Note that this will only work if the username from the legacy user is the same
+    #   # and there is a possibility for account takeover should a username have changed
+    #   # with the provider.
+    #   # When this feature is disabled, it will cause all new logins to be created as new users.
+    #   # Note this option will be removed in the future and should be set to false
+    #   # on all new installations, or when all users have logged in with OIDC once.
+    #   map_legacy_users: false
+
+    # Logtail configuration
+    # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+    # to instruct tailscale nodes to log their activity to a remote server.
+    logtail:
+      # Enable logtail for this headscales clients.
+      # As there is currently no support for overriding the log server in headscale, this is
+      # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+      enabled: false
+
+    # Enabling this option makes devices prefer a random port for WireGuard traffic over the
+    # default static port 41641. This option is intended as a workaround for some buggy
+    # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+    randomize_client_port: false

infrastructure/headscale/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headscale-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`headscale.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: headscale-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

infrastructure/headscale/kustomization.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headscale
+
+resources:
+  - namespace.yaml
+  - headscale-config.configmap.yaml
+  - headplane-config.configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - serviceaccount.yaml
+  - service.yaml
+  - ingress.yaml
+
+images:
+  - name: headscale
+    newName: headscale/headscale # has all plugins
+    newTag: v0.25.1
+  - name: headplane
+    newName: ghcr.io/tale/headplane
+    newTag: "0.5.10"

infrastructure/headscale/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/headscale/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headscale-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headplane-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/headscale/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale-web
+spec:
+  selector:
+    app: headscale
+  ports:
+  - port: 8080
+    targetPort: 8080

infrastructure/headscale/serviceaccount.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+rules:
+- apiGroups: ['']
+  resources: ['pods']
+  verbs: ['get', 'list']
+- apiGroups: ['apps']
+  resources: ['deployments']
+  verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: headplane-agent
+subjects:
+- kind: ServiceAccount
+  name: default # If you use a different service account, change this
+  # namespace: default # Adjust namespace as needed

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.79.2
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.0
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.37.2
+    newTag: v0.38.0
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.24.0
+    version: 6.29.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.43.1
+    version: 4.45.2
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.23.0
+    version: 0.23.2
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.27.3
+    newTag: 0.29.0

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 33.2.1
+    version: 35.0.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

kluster-deployments/kitchenowl/application.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kitchenowl-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/kitchenowl/
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kitchenowl
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/kitchenowl/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml

kluster-deployments/kustomization.yaml

@@ -29,16 +29,17 @@ resources:
   - eth-physics/
   - files/
   - finance/
+  - grafana/
   - homeassistant/
   - immich/
   - journal/
+  - kitchenowl/
   - linkding/
   - media/
   - minecraft/application.yaml
-  - grafana/
   - ntfy/
   - paperless/
   - recipes/
   - rss/
-  - whoami/
   - todos/
+  - whoami/