Update quay.io/thanos/thanos Docker tag to v0.40.1

Reviewed-on: #661

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.67
+    newTag: v0.107.69
 
 namespace: adguard
 

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 10.0.0
+    version: 10.1.4
     valuesFile: grafana.values.yaml

apps/homeassistant/base/deployment.yaml

@@ -34,4 +34,3 @@ spec:
         - name: config-dir
           persistentVolumeClaim:
             claimName: config
-

apps/homeassistant/base/ingress.yaml

@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant-ingress
+  name: homeassistant
 spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
+    - match: Host(`homeassistant.kluster.moll.re`)
       middlewares:
-        - name: homeassistant-websocket
+        - name: homeassistant
       kind: Rule
       services:
-        - name: homeassistant-web
+        - name: homeassistant
           port: 8123
   tls:
     certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant-websocket
+  name: homeassistant
 spec:
   headers:
     customRequestHeaders:

apps/homeassistant/base/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
+  - ingress.yaml
+  - pvc.yaml
+  - service.yaml
+  - deployment.yaml
+  - servicemonitor.yaml
+
+
+images:
+  - name: homeassistant
+    newName: homeassistant/home-assistant
+    newTag: "2025.10"
+
+configurations:
+  # allow nameReference to work with different mentions of the same resource as well
+  - name_reference.yaml

apps/homeassistant/base/name_reference.yaml

@@ -0,0 +1,32 @@
+nameReference:
+  # Tie target Service metadata.name to other ingressroute fields
+  - kind: Service
+    fieldSpecs:
+      # rewrite the backend service name
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/services/name
+
+      # adapt the ingress url
+      # DOES NOT WORK
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: /spec/routes/match
+        create: false
+
+      # adapt any middleware names
+      - kind: IngressRoute
+        group: traefik.io
+        version: v1alpha1
+        path: spec/routes/middlewares/name
+
+  # Update deployment volume mounts according to name changes in the sealedsecret
+  - kind: SealedSecret
+    fieldSpecs:
+      # volume mounts:
+      - kind: Deployment
+        group: apps
+        version: v1
+        path: spec/template/spec/volumes/secret/secretName

apps/homeassistant/base/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant-web
+  name: homeassistant
   labels:
     app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
   ports:
   - port: 8123
     targetPort: 8123
-    name: http
+    name: http

apps/homeassistant/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: homeassistant
-
-resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - service.yaml
-  - deployment.yaml
-  - servicemonitor.yaml
-
-
-images:
-  - name: homeassistant
-    newName: homeassistant/home-assistant
-    newTag: "2025.10"

apps/homeassistant/overlays/flat/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home.kluster.moll.re`)

apps/homeassistant/overlays/flat/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+namespace: homeassistant
+nameSuffix: -flat
+labels:
+  - includeSelectors: true
+    pairs:
+      env: flat
+
+patches:
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/ingress.patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/routes/0/match
+  value: Host(`home-house.kluster.moll.re`)

apps/homeassistant/overlays/house/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - wireguard-config.sealedsecret.yaml
+
+
+namespace: homeassistant
+nameSuffix: -house
+labels:
+  - includeSelectors: true
+    pairs:
+      env: house
+
+images:
+  - name: wireguard
+    newName: ghcr.io/linuxserver/wireguard
+    newTag: "1.0.20250521"
+
+patches:
+  - path: wireguard.deployment.yaml
+    target:
+      kind: Deployment
+      name: homeassistant
+  - path: ingress.patch.yaml
+    target:
+      kind: IngressRoute

apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
+  name: wireguard-config
+  namespace: homeassistant
+spec:
+  encryptedData:
+    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: wireguard-config-house
+      namespace: homeassistant
+    type: Opaque

apps/homeassistant/overlays/house/wireguard.deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homeassistant
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard-sidecar
+        image: wireguard
+        securityContext:
+          privileged: true
+
+
+        volumeMounts:
+        - name: wireguard-config
+          mountPath: /config/wg_confs/
+
+      volumes:
+      - name: wireguard-config
+        secret:
+          secretName: wireguard-config
+
+

apps/immich/immich.postgres.yaml

@@ -32,8 +32,8 @@ spec:
 
   resources:
     limits:
-      cpu: 2
+      cpu: '2'
-      memory: 1024Mi
+      memory: 1Gi
     requests:
       cpu: 50m
       memory: 512Mi

apps/immich/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - pvc.yaml
   - immich.postgres.yaml
   - postgres.sealedsecret.yaml
-  - servicemonitor.yaml
+  # - servicemonitor.yaml
 
 
 namespace: immich
@@ -15,20 +15,13 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.3
+    version: 0.10.1
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.143.1
+    newTag: v2.1.0
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.143.1
+    newTag: v2.1.0
-
-
-patches:
-  - path: patch-redis-pvc.yaml
-    target:
-      kind: StatefulSet
-      name: immich-redis-master

apps/immich/patch-redis-pvc.yaml

@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: immich-redis-master
-spec:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: redis-data
-    spec:
-      storageClassName: nfs-client
-      accessModes:
-        - ReadWriteMany
-      resources:
-        requests:
-          storage: 2Gi

apps/immich/renovate.json

@@ -1,10 +1,10 @@
 {
-    "packageRules": [
+  "packageRules": [
-      {
+    {
-        "matchDatasources": ["docker"],
+      "matchDatasources": ["docker"],
-        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
+      "matchPackagePrefixes": ["ghcr.io/immich-app/"],
-        "groupName": "Immich containers",
+      "groupName": "Immich containers",
-        "groupSlug": "immich-app-images"
+      "groupSlug": "immich-app-images"
-      }
+    }
-    ]
+  ]
-  }
+}

apps/immich/values.yaml

@@ -4,26 +4,30 @@
 
 # These entries are shared between all the Immich components
 
-env:
+
-  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
+controllers:
-  DB_HOSTNAME: "immich-postgresql-rw"
+  main:
-  DB_USERNAME:
+    containers:
-    valueFrom:
+      main:
-      secretKeyRef:
+        env:
-        name: postgres-password
+          # some non-default vars
-        key: username
+          DB_HOSTNAME: "immich-postgresql-rw"
-  DB_DATABASE_NAME:
+          DB_USERNAME:
-    valueFrom:
+            valueFrom:
-      secretKeyRef:
+              secretKeyRef:
-        name: postgres-password
+                name: postgres-password
-        key: database
+                key: username
-  DB_PASSWORD:
+          DB_DATABASE_NAME:
-    valueFrom:
+            valueFrom:
-      secretKeyRef:
+              secretKeyRef:
-        name: postgres-password
+                name: postgres-password
-        key: password
+                key: database
-  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+          DB_PASSWORD:
-  IMMICH_METRICS: true
+            valueFrom:
+              secretKeyRef:
+                name: postgres-password
+                key: password
+          IMMICH_METRICS: true
 
 immich:
   metrics:
@@ -37,13 +41,15 @@ immich:
       existingClaim: data
 
 # Dependencies
-redis:
+valkey:
   enabled: true
-  architecture: standalone
+  persistence:
-  auth:
+    data:
-    enabled: false
+      enabled: true
-
+      size: 1Gi
-# Immich components
+      # Optional: Set this to persistentVolumeClaim to keep job queues persistent
+      type: emptyDir
+      accessMode: ReadWriteOnce
 
 server:
   enabled: true
@@ -56,7 +62,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 200Gi
+      size: 10Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/paperless/kustomization.yaml

@@ -21,7 +21,7 @@ helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 22.0.7
+    version: 23.2.3
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v3.3.2
+    newTag: v3.4.0
     newName: ghcr.io/mealie-recipes/mealie

default.nix

@@ -7,6 +7,7 @@ pkgs.mkShell {
     kubeseal
     yq
     jq
+    kubernetes-helm-wrapped
   ];
 
   env = {

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.8
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.46
+    version: 0.10.47
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/cronjob.yaml

@@ -9,55 +9,15 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-
       template:
         spec:
-          initContainers:
-            - name: git
-              image: git
-              command: ["git"]
-              args:
-                - clone
-                - https://git.kluster.moll.re/remoll/dns.git
-                - /etc/octodns
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
           containers:
-            - name: octodns
+            - name: dns
-              image: octodns
+              image: dns
               env:
-                # - name: CLOUDFLARE_ACCOUNT_ID
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_ACCOUNT_ID
                 - name: CLOUDFLARE_TOKEN
                   valueFrom:
                     secretKeyRef:
                       name: cloudflare-api
                       key: CLOUDFLARE_TOKEN
-                # - name: CLOUDFLARE_EMAIL
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_EMAIL
-
-              command: ["/bin/sh", "-c"]
-              args:
-                - >-
-                  cd /etc/octodns
-                  &&
-                  pip install -r ./requirements.txt
-                  &&
-                  octodns-sync --config-file ./config.yaml --doit
-                  &&
-                  echo "done..."
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
-
-          volumes:
-          - name: octodns-config
-            emptyDir: {}
           restartPolicy: Never

infrastructure/external-dns/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: octodns
+  - name: dns
-    newName: octodns/octodns # has all plugins
+    newName: git.kluster.moll.re/remoll/dns
-    newTag: "2025.08"
+    newTag: 0.0.2-build.100
-
-  - name: git
-    newName: alpine/git
-    newTag: "v2.49.1"

infrastructure/external-dns/renovate.json

@@ -0,0 +1,15 @@
+{
+  "hostRules": [
+    {
+      "hostType": "docker",
+      "matchHost": "git.kluster.moll.re"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["git.kluster.moll.re/remoll/dns"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
+    }
+  ]
+}

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 12.3.0
+    version: 12.4.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.85.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.86.1
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.39.2
+    newTag: v0.40.1
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.42.0
+    version: 6.45.2
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.48.0
+    version: 4.49.1
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.26.0
+    version: 0.26.1
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 37.1.2
+    version: 37.2.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/servicemonitor.yaml

@@ -1,29 +1,13 @@
-# apiVersion: monitoring.coreos.com/v1
-# kind: ServiceMonitor
-# metadata:
-#   name: traefik-servicemonitor
-#   labels:
-#     app: traefik
-# spec:
-#   selector:
-#     matchLabels:
-#       app.kubernetes.io/name: traefik
-#   endpoints:
-#     - port: metrics
-#       path: /metrics
 apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
+kind: ServiceMonitor
 metadata:
-  name: traefik-podmonitor
+  name: traefik-servicemonitor
   labels:
     app: traefik
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: traefik
-  namespaceSelector:
+  endpoints:
-    matchNames:
-      - traefik-system
-  podMetricsEndpoints:
     - port: metrics
       path: /metrics

infrastructure/traefik-system/values.yaml

@@ -101,6 +101,12 @@ ports:
       default: true
     exposedPort: 853
     protocol: TCP
+  metrics:
+    port: 9100
+    expose:
+      default: true
+    exposedPort: 9100
+
 
 
 
@@ -122,6 +128,5 @@ service:
   # Additional entries here will be added to the service spec.
   # Cannot contain type, selector or ports entries.
   spec:
-    # externalTrafficPolicy: Local
     loadBalancerIP: 192.168.3.1
-
+    externalTrafficPolicy: Local

kluster-deployments/homeassistant/application.yaml

@@ -1,18 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-application
+  name: homeassistant-flat-application
   namespace: argocd
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/homeassistant
+    path: apps/homeassistant/overlays/flat
   destination:
     server: https://kubernetes.default.svc
     namespace: homeassistant
   syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: true

kluster-deployments/homeassistant/house.application.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homeassistant-house-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/homeassistant/overlays/house
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homeassistant
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/homeassistant/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- application.yaml
+- application.yaml
+- house.application.yaml

renovate.json

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
   "extends": [
-    "local>remoll/k3s-infra//apps/immich/renovate.json"
+    "local>remoll/k3s-infra//apps/immich/renovate.json",
+    "local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
   ],
   "packageRules": [
     {