trying some steam containers

Reviewed-on: #181

.gitmodules

@@ -1,6 +0,0 @@
-[submodule "infrastructure/external-dns/octodns"]
-	path = infrastructure/external-dns/octodns
-	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
-[submodule "apps/monitoring/dashboards"]
-	path = apps/monitoring/dashboards
-	url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.48
+    newTag: v0.107.52
 
 namespace: adguard
 

apps/audiobookshelf/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: audiobookshelf
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: audiobookshelf
+  template:
+    metadata:
+      labels:
+        app: audiobookshelf
+    spec:
+      containers:
+        - name: audiobookshelf
+          image: audiobookshelf
+          ports:
+            - containerPort: 80
+            
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          - name: CONFIG_PATH
+            value: /data/config
+          - name: METADATA_PATH
+            value: /data/metadata
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "2"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: audiobookshelf-data
+

apps/audiobookshelf/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: audiobookshelf-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`audiobookshelf.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: audiobookshelf-web
+      port: 80
+
+  tls:
+    certResolver: default-tls 

apps/audiobookshelf/kustomization.yaml

@@ -1,17 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
-namespace: homepage
-
 resources: 
   - namespace.yaml
+  - pvc.yaml
   - deployment.yaml
   - service.yaml
-  - configmap.yaml
   - ingress.yaml
 
+namespace: audiobookshelf
 
 images:
-  - name: homepage
-    newName: ghcr.io/gethomepage/homepage
-    newTag: v0.8.12
+  - name: audiobookshelf
+    newName: ghcr.io/advplyr/audiobookshelf
+    newTag: "2.13.4"

apps/audiobookshelf/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: audiobookshelf-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/audiobookshelf/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: audiobookshelf-web
+spec:
+  selector:
+    app: audiobookshelf
+  ports:
+  - port: 80
+    targetPort: 80

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "5.0.3"
+    newTag: "5.0.7"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.5.0
+    newTag: 24.9.0

apps/games/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: games
+
+resources: 
+  - namespace.yaml
+
+helmCharts:
+  - name: games-on-whales
+    releaseName: games-on-whales
+    version: 2.0.0
+    valuesFile: values.yaml
+    repo: https://angelnu.github.io/helm-charts
+

apps/games/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

apps/games/values.yaml

@@ -0,0 +1,143 @@
+#
+# IMPORTANT NOTE
+#
+# This chart inherits from our common library chart. You can check the default values/options here:
+# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
+#
+
+ingress:
+  # -- Enable and configure ingress settings for the chart under this key.
+  # @default -- See values.yaml
+  main:
+    enabled: false
+
+service:
+  # -- Enable and configure TCP service settings for the chart under this key.
+  # @default -- See values.yaml
+  main: {}
+  # type: LoadBalancer
+  # loadBalancerIP: 192.168.1.129
+
+  # -- Enable and configure UDP service settings for the chart under this key.
+  # @default -- See values.yaml
+  udp: {}
+  # type: LoadBalancer
+  # loadBalancerIP: 192.168.1.129
+
+# -- Configure persistence settings for the chart under this key.
+# @default -- See values.yaml
+persistence:
+  home:
+    enabled: true
+    type: emptyDir
+    mountPath: /home/retro
+
+# -- (object) Pass GPU resources to Xorg, steam and retroarch containers
+# See Custom configuration section in the Readme
+graphic_resources:
+
+sunshine:
+  image:
+    # -- sunshine image repository
+    repository: ghcr.io/games-on-whales/sunshine
+    # -- sunshine image tag
+    tag: 1.0.0
+    # -- sunshine image pull policy
+    pullPolicy: IfNotPresent
+  # -- sunshine web interface user
+  user: admin
+  # -- sunshine web interface pasword
+  password: admin
+  # -- sunshine log level
+  logLevel: info
+  # -- sunshine additional env settings
+  env: {}
+xorg:
+  image:
+    # -- xorg image repository
+    repository: ghcr.io/games-on-whales/xorg
+    # -- xorg image tag
+    tag: 1.0.0
+    # -- xorg image pull policy
+    pullPolicy: IfNotPresent
+  # -- xorg display ID
+  # display: :99
+  # -- xorg refresh rate
+  # refreshrate: 60
+  # -- xorg resolution
+  resolution: 1920x1080
+pulseaudio:
+  image:
+    # -- pulseaudio image repository
+    repository: ghcr.io/games-on-whales/pulseaudio
+    # -- pulseaudio image tag
+    tag: 1.0.0
+    # -- pulseaudio image pull policy
+    pullPolicy: IfNotPresent
+retroarch:
+  # -- enable/disable retroarch container
+  enabled: true
+  image:
+    # -- retroarch image repository
+    repository: ghcr.io/games-on-whales/retroarch
+    # -- retroarch image tag
+    tag: 1.0.0
+    # -- retroarch image pull policy
+    pullPolicy: IfNotPresent
+  # -- retroarch log level
+  logLevel: info
+  # -- retroarch extra volume mounts
+  volumeMounts: []
+steam:
+  # -- enable/disable steam container
+  enabled: true
+  image:
+    # -- steam image repository
+    repository: ghcr.io/games-on-whales/steam
+    # -- steam image tag
+    tag: 1.0.0
+    # -- steam image pull policy
+    pullPolicy: IfNotPresent
+  # -- enable proton log
+  protonLog: 1
+  # -- steam extra volume mounts
+  volumeMounts: []
+firefox:
+  # -- enable/disable firefox container
+  enabled: true
+  image:
+    # -- image repository
+    repository: andrewmackrodt/firefox-x11
+    # -- image tag
+    tag: 125.0.2-r1
+    # -- image pull policy
+    pullPolicy: IfNotPresent
+  # -- firefox log level
+  logLevel: info
+  # -- firefox extra volume mounts
+  volumeMounts: []
+mkhomeretrodirs:
+  image:
+    # -- image repository
+    repository: busybox
+    # -- image tag
+    tag: 1.36.1
+    # -- image pull policy
+    pullPolicy: IfNotPresent
+
+# -- Configure pulse audio settings
+# @default -- See values.yaml
+pulse:
+  config:
+    default.pa: |-
+      .fail
+          load-module module-null-sink sink_name=sunshine
+          set-default-sink sunshine
+          load-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse/pulse-socket
+    client.conf: |-
+      default-sink = sink-sunshine-stereo
+      autospawn = no
+      daemon-binary = /bin/true
+    daemon.conf: |-
+      exit-idle-time = -1
+      flat-volumes = yes

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant/home-assistant
     newName: homeassistant/home-assistant
-    newTag: "2024.5"
+    newTag: "2024.9"

apps/homeassistant/service.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: homeassistant-web
+  labels:
+    app: homeassistant
 spec:
   selector:
     app: homeassistant

apps/homepage/configmap.yaml

@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config
-  labels:
-    app.kubernetes.io/name: homepage
-data:
-  kubernetes.yaml: "" #|
-  #  mode: cluster
-  settings.yaml: |
-    title: "Homepage"
-    background: https://images.unsplash.com/photo-1547327132-5d20850c62b5?q=80&w=3870&auto=format&fit=crop
-    cardBlur: sm
-  #settings.yaml: |
-  #  providers:
-  #    longhorn:
-  #      url: https://longhorn.my.network
-  custom.css: ""
-  custom.js: ""
-  bookmarks.yaml: |
-    - Developer:
-        - Github:
-            - abbr: GH
-              href: https://github.com/moll-re
-  services.yaml: |
-    - Media:
-        - Jellyfin backend:
-            href: https://media-backend.kluster.moll.re
-            ping: media-backend.kluster.moll.re
-        - Jellyfin vue:
-            href: https://media.kluster.moll.re
-            ping: media.kluster.moll.re
-        - Immich:
-            href: https://immich.kluster.moll.re
-            ping: immich.kluster.moll.re
-
-    - Productivity:
-        - OwnCloud:
-            href: https://ocis.kluster.moll.re
-            ping: ocis.kluster.moll.re
-        - ToDo:
-            href: https://todos.kluster.moll.re
-            ping: todos.kluster.moll.re
-        - Finance:
-            href: https://finance.kluster.moll.re
-            ping: finance.kluster.moll.re
-
-    - Home:
-        - Home Assistant:
-            href: https://home.kluster.moll.re
-            ping: home.kluster.moll.re
-        - Grafana:
-            href: https://grafana.kluster.moll.re
-            ping: grafana.kluster.moll.re
-        - Recipes:
-            href: https://recipes.kluster.moll.re
-            ping: recipes.kluster.moll.re
-    
-    - Infra:
-        - Gitea:
-            href: https://git.kluster.moll.re
-            ping: git.kluster.moll.re
-        - ArgoCD:
-            href: https://argocd.kluster.moll.re
-            ping: argocd.kluster.moll.re
-
-  widgets.yaml: |
-    # - kubernetes:
-    #     cluster:
-    #       show: true
-    #       cpu: true
-    #       memory: true
-    #       showLabel: true
-    #       label: "cluster"
-    #     nodes:
-    #       show: true
-    #       cpu: true
-    #       memory: true
-    #       showLabel: true
-    - search:
-        provider: duckduckgo
-    - openmeteo:
-        label: Zürich # optional
-        latitude: 47.24236
-        longitude: 8.30439
-        units: metric # or imperial
-        cache: 30 # Time in minutes to cache API responses, to stay within limits
-        format: # optional, Intl.NumberFormat options
-            maximumFractionDigits: 1
-    - datetime:
-        locale: de
-        format:
-          dateStyle: long
-          timeStyle: short
-    - adguard:
-        url: http://adguard-home-web.adguard-home:3000
-
-  docker.yaml: ""

apps/homepage/deployment.yaml

@@ -1,64 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: homepage
-  labels:
-    app.kubernetes.io/name: homepage
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: RollingUpdate
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: homepage
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: homepage
-    spec:
-      # serviceAccountName: homepage
-      # automountServiceAccountToken: true
-      dnsPolicy: ClusterFirst
-      # enableServiceLinks: true
-      containers:
-        - name: homepage
-          image: homepage
-          imagePullPolicy: Always
-          ports:
-            - name: http
-              containerPort: 3000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /app/config/custom.js
-              name: config
-              subPath: custom.js
-            - mountPath: /app/config/custom.css
-              name: config
-              subPath: custom.css
-            - mountPath: /app/config/bookmarks.yaml
-              name: config
-              subPath: bookmarks.yaml
-            - mountPath: /app/config/docker.yaml
-              name: config
-              subPath: docker.yaml
-            - mountPath: /app/config/kubernetes.yaml
-              name: config
-              subPath: kubernetes.yaml
-            - mountPath: /app/config/services.yaml
-              name: config
-              subPath: services.yaml
-            - mountPath: /app/config/settings.yaml
-              name: config
-              subPath: settings.yaml
-            - mountPath: /app/config/widgets.yaml
-              name: config
-              subPath: widgets.yaml
-            - mountPath: /app/config/logs
-              name: logs
-      volumes:
-        - name: config
-          configMap:
-            name: config
-        - name: logs
-          emptyDir: {}

apps/homepage/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: homepage-ingressroute
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`start.kluster.moll.re`)
-      kind: Rule
-      services:
-        - name: homepage-web
-          port: 3000
-  tls:
-    certResolver: default-tls

apps/homepage/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: homepage-web
-  labels:
-    app.kubernetes.io/name: homepage
-spec:
-  type: ClusterIP
-  ports:
-    - port: 3000
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app.kubernetes.io/name: homepage

apps/immich/kustomization.yaml

@@ -7,18 +7,27 @@ resources:
   - postgres.yaml
   - postgres.sealedsecret.yaml
 
+
 namespace: immich
 
+
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.6.0
+    version: 0.7.2
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.103.1
+    newTag: v1.116.2
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.103.1
+    newTag: v1.116.2
+
+
+patches:
+  - path: patch-redis-pvc.yaml
+    target:
+      kind: StatefulSet
+      name: immich-redis-master

apps/immich/patch-redis-pvc.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-redis-master
+spec:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: redis-data
+    spec:
+      storageClassName: nfs-client
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 2Gi

apps/immich/postgres.yaml

@@ -1,4 +1,3 @@
-
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -13,18 +12,24 @@ spec:
       secret:
         name: postgres-password
 
+  # Enable the VECTORS extension
+      postInitSQL:
+        - CREATE EXTENSION IF NOT EXISTS "vectors";
+
   postgresql:
     shared_preload_libraries:
       - "vectors.so"
 
+  # Persistent storage configuration
   storage:
-    size: 1Gi
+    size: 2Gi
     pvcTemplate:
-      storageClassName: ""
+      accessModes:
+        - ReadWriteOnce
       resources:
         requests:
-          storage: "1Gi"
-      volumeName: immich-postgres
-
+          storage: 2Gi
+      storageClassName: nfs-client
+      volumeMode: Filesystem
   monitoring:
     enablePodMonitor: true

apps/immich/pvc.yaml

@@ -1,40 +1,11 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: immich-nfs
-spec:
-  capacity:
-    storage: "50Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /kluster/immich
-    server: 192.168.1.157
----
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: immich-nfs
+  name: data
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "50Gi"
-  volumeName: immich-nfs
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: immich-postgres
-spec:
-  capacity:
-    storage: "1Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /kluster/immich-postgres
-    server: 192.168.1.157
-# later used by cnpg
+      storage: "100Gi"

apps/immich/values.yaml

@@ -22,16 +22,19 @@ env:
       secretKeyRef:
         name: postgres-password
         key: password
-  IMMICH_WEB_URL: '{{ printf "http://%s-web:3000" .Release.Name }}'
   IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+  IMMICH_METRICS: true
 
 immich:
+  metrics:
+    # Enabling this will create the service monitors needed to monitor immich with the prometheus operator
+    enabled: true
   persistence:
     # Main data store for all photos shared between different components.
     library:
       # Automatically creating the library volume is not supported by this chart
       # You have to specify an existing PVC to use
-      existingClaim: immich-nfs
+      existingClaim: data
 
 # Dependencies
 
@@ -52,16 +55,6 @@ server:
     main:
       enabled: false
 
-microservices:
-  enabled: true
-  persistence:
-    geodata-cache:
-      enabled: true
-      size: 1Gi
-      # Optional: Set this to pvc to avoid downloading the geodata every start.
-      type: emptyDir
-      accessMode: ReadWriteMany
-
 machine-learning:
   enabled: true
   persistence:

apps/media/deployment.yaml

@@ -18,6 +18,9 @@ spec:
           limits:
             memory: "2Gi"
             cpu: "2"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
         ports:
         - containerPort: 8096
           name: jellyfin

apps/media/ingress.yaml

@@ -1,24 +1,5 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
-metadata:
-  name: jellyfin-vue-ingress
-  namespace: media
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`media.kluster.moll.re`)
-      middlewares:
-        - name: jellyfin-websocket
-      kind: Rule
-      services:
-        - name: jellyfin-web
-          port: 80
-  tls:
-    certResolver: default-tls
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
 metadata:
   name: jellyfin-backend-ingress
   namespace: media
@@ -26,7 +7,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`media-backend.kluster.moll.re`) && !Path(`/metrics`)
+    - match: Host(`media.kluster.moll.re`) && !Path(`/metrics`)
       middlewares:
         - name: jellyfin-websocket
         - name: jellyfin-server-headers

apps/media/jellyfin.servicemonitor.yaml

@@ -1,17 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: jellyfin
-  labels:
-    metrics: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: jellyfin-server-service
-  endpoints:
-  - path: /metrics
-    targetPort: jellyfin
-
-# this exposes metrics on port 8096 as enabled in the jellyfin config
-# https://jellyfin.org/docs/general/networking/monitoring/
-# the metrics are available at /metrics but blocked by the ingress

apps/media/kustomization.yaml

@@ -5,16 +5,11 @@ namespace: media
 resources: 
   - namespace.yaml
   - pvc.yaml
-  - server.deployment.yaml
-  - server.service.yaml
-  - web.deployment.yaml
-  - web.service.yaml
+  - deployment.yaml
+  - service.yaml
   - ingress.yaml
 
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.8.13
-  - name: ghcr.io/jellyfin/jellyfin-vue
-    newName: ghcr.io/jellyfin/jellyfin-vue
-    newTag: stable-rc.0.3.1
+    newTag: 10.9.11

apps/media/web.deployment.yaml

@@ -1,27 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: jellyfin-web
-spec:
-  selector:
-    matchLabels:
-      app: jellyfin-web
-  template:
-    metadata:
-      labels:
-        app: jellyfin-web
-    spec:
-      containers:
-      - name: jellyfin-web
-        image: ghcr.io/jellyfin/jellyfin-vue
-        resources:
-          limits:
-            memory: "128Mi"
-            cpu: "30m"
-        ports:
-        - containerPort: 80
-        env:
-        - name: TZ
-          value: Europe/Berlin
-        - name: DEFAULT_SERVERS
-          value: "https://media-backend.kluster.moll.re"

apps/media/web.service.yaml

@@ -1,12 +0,0 @@
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: jellyfin-web
-spec:
-  selector:
-    app: jellyfin-web
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 80

apps/minecraft/README.md

@@ -0,0 +1,7 @@
+## Sending a command
+```
+kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash
+mc-send-to-console /help
+# or directly
+kubectl exec -it -n minecraft deploy/minecraft-server -- mc-send-to-console /help
+```

apps/minecraft/curseforge.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: curseforge-api
+  namespace: minecraft
+spec:
+  encryptedData:
+    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: curseforge-api
+      namespace: minecraft
+    type: Opaque

apps/minecraft/job.yaml

@@ -0,0 +1,57 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: start-server
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: minecraft-server
+        image: minecraft
+        resources:
+          limits:
+            memory: "10000Mi"
+            cpu: "5"
+          requests:
+            memory: "1500Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 25565
+        env:
+        - name: EULA
+          value: "TRUE"
+        - name: TYPE
+          value: "AUTO_CURSEFORGE"
+        - name: CF_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: curseforge-api
+              key: key
+        - name: CF_PAGE_URL
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+        - name: VERSION
+          value: "1.18.2"
+        - name: INIT_MEMORY
+          value: "1G"
+        - name: MAX_MEMORY
+          value: "8G"
+        - name: MOTD
+          value: "VaultHunters baby!"
+        - name: ENABLE_RCON
+          value: "false"
+        - name: CREATE_CONSOLE_IN_PIPE
+          value: "true"
+        - name: ONLINE_MODE
+          value: "true"
+        - name: ENABLE_AUTOSTOP
+          value: "true"
+        
+        volumeMounts:
+        - name: minecraft-data
+          mountPath: /data
+
+      volumes:
+      - name: minecraft-data
+        persistentVolumeClaim:
+          claimName: minecraft-data

apps/minecraft/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: minecraft
+
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - job.yaml
+  - service.yaml
+  - curseforge.sealedsecret.yaml
+
+
+images:
+  - name: minecraft
+    newName: itzg/minecraft-server
+    newTag: java21

apps/minecraft/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/minecraft/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: minecraft-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/minecraft/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minecraft-server
+spec:
+  selector:
+    app: minecraft-server
+  ports:
+  - port: 25565
+    targetPort: 25565
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.4

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -7,8 +7,8 @@ metadata:
   namespace: monitoring
 spec:
   encryptedData:
-    password: AgBe8isrCWd5MuaQq5CpA+P3fDizCCDo23BVauaBJLuMRIYbVwpfahaJW7Ocj3LTXwdeVVPBrOk2D6vESUXu6I0EWc3y/NFN4ZezScxMcjmeaAb+z1zWwdH0FynTPJYOxv1fis1FDTkXDmGy3FXo5NDK9ET899TtulKFkh7UqSxdrRWbD3pegJgqKGPIqDCTAxZN/ssiccfWGS4lHqQBJkXn8DeampcKwjOCvgaBdilF03GoSfpgsqa2Iw2SfTDEobWBWVMMK/RB3/Oi/YJkGwMW3ECUxvTDam8gb0RFA1xjWXoYTLVVP5fK7q7x63ns51HebloxAP1GBrt138N/iDrfbGfjNP8Lx0NFl5y5bTgYN/z8DVTOFf90xxWe+YYERdwllg0Ci1JLNbA+NszXTD4L/HC7a8XuBfjRzxMTeymNjR76jzfPkH6v1EvesOduTfSrahPgS0qS+eGOier1rHxj3EBRhOScY1ut5Bq4oJMNId9nMVbVa6xyq2HyxuJHXV+j6h5FGHmEXn9gIR7wGp8RhtPhKgVGLrHcbHZ5Th2E7eomz1T2NK/ezNP8ZhcwOj/lyGywlW0vhU798zpWhMf57k2OPeuMlfs8Y8y74epBdyBjsrMR4EDctF8RZR3vraxENiMJ6kk1gqKj04ir6HwL7blqwiybIFFnJrp2j7MzgjS4SQ687qMX5Zf5XT03aEE+9W9Epy73tT7zVQKdENCQlcm5
-    user: AgAdiOivMn0d+nYjYycMZz9QSiS/9QqwHPJQMHkE7/IOou+CJtBknlETNtdv84KZgBQTucufYqu3LR3djOBpdnQsYbIXDxPFgRZQ11pwu/sO2EGifDk218yyzzfZMvx1FL7JL4LI1rKoiHycZowCwsAjEtlICVOOYv1/Plki+6MHXiAGG4r/yUhugGx3VLLX+Poq8oaTeHndgSsFXJege8SfgYR4TsC7pQgsM1UQEFncGIhJYTD2ashmUxFJ+7CJjHqPR0lFRrZXmFvPwTYTCMT+tnSHnCFWtTht8cEi1NxA4kD/eKEX0rOol15EUZnFUws2WqWI634TbyGwZ7km/Yw4XoDxiQR4ar6ulkqb/djcc3cWDYE7PF1m1c+r3iog85S5CSfZ5EvdCHHrbPN9uO2gmoRQWiR5qI70YMxBSnkeLZWN05O1vUuopdXFDTafY7YskxLEdIGHGqFUpUrJZOvBB0zNBdHGgYxFzb5pNmMCC5LPlOuoKjV4yskh9Tgovz06aAvsPxn2WWx6NOJambeziKB5OmSKvPsFofViyGBekVAWSWtt9yJe6lu5OKpBEiA6xhGhQ4ZryTXu9wvVALuPSIwBFITv85sIxjJb80qhJ51wb12QgzLLcPby0HSanyBI1M4jfsXWpK8gIAbDNO+eD7z3PhD9Y/5hPqYKXZ37Geyq23xiyxG8XDj6cL+Ie6k8XipayI4=
+    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
+    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
   template:
     metadata:
       creationTimestamp: null

apps/monitoring/grafana.pvc.yaml

@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: grafana-nfs
-spec:
-  capacity:
-    storage: "1Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/grafana
-    server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: grafana-nfs
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "1Gi"
-  volumeName: grafana-nfs

apps/monitoring/grafana.values.yaml

@@ -31,7 +31,7 @@ datasources:
     datasources:
       - name: Thanos
         type: prometheus
-        url: http://thanos-querier.prometheus.svc:9090
+        url: http://thanos-querier.prometheus.svc:10902
         isDefault: true
       - name: Prometheus
         type: prometheus

apps/monitoring/influxdb.pvc.yaml

@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: influxdb-nfs
-spec:
-  capacity:
-    storage: "10Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/influxdb
-    server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: influxdb-nfs
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "10Gi"
-  volumeName: influxdb-nfs

apps/monitoring/influxdb.values.yaml

@@ -1,26 +0,0 @@
-## Create default user through docker entrypoint
-## Defaults indicated below
-##
-adminUser:
-  organization: "influxdata"
-  bucket: "default"
-  user: "admin"
-  retention_policy: "0s"
-  ## Leave empty to generate a random password and token.
-  ## Or fill any of these values to use fixed values.
-  password: ""
-  token: ""
-
-
-## Persist data to a persistent volume
-##
-persistence:
-  enabled: true
-  ## If true will use an existing PVC instead of creating one
-  useExisting: true
-  ## Name of existing PVC to be used in the influx deployment
-  name: influxdb-nfs
-
-
-ingress:
-  enabled: false

apps/monitoring/kustomization.yaml

@@ -5,16 +5,16 @@ namespace: monitoring
 
 resources: 
   - namespace.yaml
-  - grafana.pvc.yaml
-  # - influxdb.pvc.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
-  - dashboards/
+  # grafana dashboards are provisioned from a git repository
+  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
+  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
 
 
 helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 7.3.9
+    version: 8.5.1
     valuesFile: grafana.values.yaml

apps/monitoring/telegraf-speedtest.values.yaml

@@ -1,52 +0,0 @@
-env:
-  - name: HOSTNAME
-    value: "telegraf-speedtest"
-
-service:
-  enabled: false
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: false
-
-serviceAccount:
-  # Specifies whether a ServiceAccount should be created
-  create: false
-
-
-## Exposed telegraf configuration
-## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
-## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
-config:
-  agent:
-    interval: "2h"
-    round_interval: true
-    metric_batch_size: 1000
-    metric_buffer_limit: 10000
-    collection_jitter: "0s"
-    flush_interval: "10s"
-    flush_jitter: "0s"
-    precision: ""
-    debug: false
-    quiet: false
-    logfile: ""
-    hostname: "$HOSTNAME"
-    omit_hostname: false
-  processors:
-    - enum:
-        mapping:
-          field: "status"
-          dest: "status_code"
-          value_mappings:
-            healthy: 1
-            problem: 2
-            critical: 3
-  outputs:
-    - influxdb_v2:
-        urls:
-          - "http://influxdb-influxdb2.monitoring:80"
-        token: We64mk4L4bqYCL77x3fAUSYfOse9Kktyf2eBLyrryG9c3-y8PQFiKPIh9EvSWuq78QSQz6hUcsm7XSFR2Zj1MA==
-        organization: "influxdata"
-        bucket: "homeassistant"
-  inputs:
-    - internet_speed:
-        enable_file_download: false

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.10.0
+    newTag: v2.11.0

apps/recipes/kustomization.yaml

@@ -12,5 +12,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v1.6.0
+    newTag: v1.12.0
     newName: ghcr.io/mealie-recipes/mealie

apps/steam/deployment.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: steam-headless
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: steam-headless
+  template:
+    metadata:
+      labels:
+        app: steam-headless
+    spec:
+      hostNetwork: true
+      securityContext:
+        fsGroup: 1000
+      nodeSelector:
+        gpu: full
+      containers:
+      - name: steam-headless
+        securityContext:
+          privileged: true
+        image: josh5/steam-headless:latest
+        resources: #Change CPU and Memory below
+          requests:
+            memory: "4G"
+            cpu: "1"
+          limits:
+            memory: "12G"
+            cpu: "4"
+        # set nodeSelector to the node label that matches the node you want to run the pod on
+        volumeMounts:
+        - name: home-dir
+          mountPath: /home/default/
+        - name: games-dir
+          mountPath: /mnt/games/
+        - name: input-devices
+          mountPath: /dev/input/
+        - name: dshm
+          mountPath: /dev/shm
+        - name: dri
+          mountPath: /dev/dri/
+        env: #Environmental Vars
+        - name: NAME
+          value: 'SteamHeadless'
+        - name: TZ
+          value: 'Europe/Zurich'
+        - name: USER_LOCALES
+          value: 'en_US.UTF-8 UTF-8'
+        - name: DISPLAY
+          value: ':55'
+        - name: SHM_SIZE
+          value: '2G'
+        - name: PUID
+          value: '1000'
+        - name: PGID
+          value: '1000'
+        - name: UMASK
+          value: '000'
+        - name: USER_PASSWORD
+          value: 'password' #changeme
+        - name: MODE
+          value: 'primary'
+        - name: WEB_UI_MODE
+          value: 'vnc'
+        - name: ENABLE_VNC_AUDIO
+          value: 'false'
+        - name: PORT_NOVNC_WEB
+          value: '8083'
+        - name: ENABLE_SUNSHINE
+          value: 'true'
+        - name: SUNSHINE_USER
+          value: 'sam'
+        - name: SUNSHINE_PASS
+          value: 'password'
+        - name: ENABLE_EVDEV_INPUTS
+          value: 'false'
+        ports:
+        # novnc
+        - containerPort: 8083
+        # moonlight webui
+        - containerPort: 47990
+        # moonlight stream
+        - containerPort: 47989
+        - containerPort: 47984
+        - containerPort: 48010
+        - containerPort: 47998
+        - containerPort: 47999
+        - containerPort: 47800
+      volumes:
+      - name: home-dir
+        persistentVolumeClaim:
+          claimName: home
+      - name: games-dir
+        persistentVolumeClaim:
+          claimName: games
+      - name: input-devices
+        hostPath:
+          path: /dev/input/
+      - name: dri
+        hostPath:
+          path: /dev/dri/
+      - name: dshm
+        emptyDir:
+          medium: Memory

apps/steam/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: steam
+
+resources: 
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - pvc.yaml
+
+

apps/steam/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

apps/steam/pvc.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: games
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "25Gi"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: home
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "5Gi"

apps/steam/service.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: steam-vnc
+spec:
+  selector:
+    app: steam-headless
+  ports:
+  - port: 8083
+    targetPort: 8083
+    name: novnc
+  - port: 47990
+    targetPort: 47990
+    name: moonlight-web
+  - port: 47989
+    targetPort: 47989
+    name: moonlight0
+  - port: 47984
+    targetPort: 47984
+    name: moonlight1
+  - port: 48010
+    targetPort: 48010
+    name: moonlight2
+    protocol: UDP
+  - port: 47998
+    targetPort: 47998
+    name: moonlight3
+    protocol: UDP
+  - port: 47999
+    targetPort: 47999
+    name: moonlight4
+    protocol: UDP
+  - port: 47800
+    targetPort: 47800
+    name: moonlight5
+    protocol: UDP
+  type: LoadBalancer
+  loadBalancerIP: 192.168.3.5

infrastructure/backup/backblaze-credentials.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: backblaze-credentials
+  namespace: backup
+spec:
+  encryptedData:
+    bucket-id: AgBwwjlkGjskxMXXpXrnfcT9fJGgDXtbOO/6WcpqsX0exoADw31dADjLTHztiddsGYipiGFf2DBWge69UEnL04NXIzh/xTwWtWaqlz6yOJm/89FMQE1mfbrrLc7tk98TO3oS8i+IDAnkUiYyvDXJexgJg56QLY595PXkpplYit2bAk43mAB02yUZAK0gMs3KRDIvhHFsMq8Uiqx78En5KGGXwEg6KbVDyNvI2k8suEyy+C0yNO/M6dlczoUQiIJbllQzbqIzuxbOp609PfvGFAYHuPlz1kwsg+feZJ3kNsHYi4hWvpd64BWb30iO9J3dAYfW6d7C61t3S5uabmnd9E7bMYZA/OppD8SCknBFalXF91BUiJao9qBVd/BB7TCZOzhdzhxTW+FhgARcA+GIfg+nIzgBqHfAfQQmAOO2RZnsWrvMysyZaUpODvU8kSsLWZJ3CESVRVU3BHmJZpyxjX/s6QEXShQXZaLq54zoFJULZU/kbom5yFNNDWW5sKbURPvbKJcf/J9QabY5toO4yOwDk96Sr/FI+CHHvMh8/amigva0Upq6naiTHXMf4BR6+w3VKP5ALn5cbD5jG7EpUA/j1roMoLn68GMAtTJDLvSq2BGeJENWrUpOmjWZHDKZy8DEKorJk/Wbp46ksteSALE8eXpi4DRKXYDPvDb57EhzoJGQ9NMXgAvU9+1vw2nyTZE4gAWKpg0JkiHglu4Om79HfuGuewzJXlY=
+    key-id: AgBe4Iytjw9CkT7CqqNLHWyG4F8F+R6m8W1fnQZdGJvLy7D81+nB2ZDMCUZgUQV/mppGnXCkSxHyelcyTYCswQ9bD8hZsAIiQACq39v2UFxdORFEgNMj4bTWPo65fwhSK2giozPqN/4lzPopP91uyq1Z0gQaiqn/HDtbfNjq+Nu9kPmV06O1NUj1f7QqvfsMK+Xadv0G+DAA+ClGaq1q3fZPDkl2MSDdbEPGq+fLPK2DSdYu9fr1bc9TPyaU5JDFvGrCg8Nyigugi4wVGjQFtVwR1QsHAADmnoDAdXoj1Sz65QO5F+zNaDZWvnLnVFxAFrXJHihilc4ilAc8hSpE6YHQm7dGO5gGejLRNaaCspb/fPJD1g2XlnkckhFCSwd9sHNrXb07BZk8gFTHfndEC0t2UyUNloYpXsfap6fvehPK91ey35jbxDk9zYdgKZ7bz/tY0450CkofSbhisf2DwS3prt5YCEDaXasrpUqlk4dSbmLaGm6aee8lM5VpO8qYE56nvXY7qr0yB6z/NGWuLX3oH3fV+C8hH1P4mxDjvVEFdtewlF50Bf9WFoE7KpboSvmChZhBfjOkbtsGmQE41ZuNoYVupetXn6IfvYo6MzGoG6dTRVpJ5S2KLQDtsUljQfXJDFCSYwo87DD2dGBEn/z9GFCIPAYNO2ewzU4RUgcXPuDD4I2tdNIC+xdEBZq7BaWn/46Yfc1+FAWUA9VWEL/9kz5tK6hFD3Ww
+    key-secret: AgBcKSHdXHeNBzkZRtbaOEZra7AAWVlzmubaQoklECr14gKNL7rTReqX87qQObjQjmGKXtnJlKXIVHGDuiuHGkqfxQ9PCxccvpA3/7LdbFZnZtlFDWpAv+VB6Tp7H7Quho/GeAo8u6de0BXz85lz7+RyDCssBpuuzpchMgOlcEmhhfgQM5E6ye7bD6LpAZWcay3PV6FW2xTrJvLobpCcJordye6iTdSySPKdk6zflkon9h1KuQT+njmW4cfTQg/u7iS/NDQYcHdCpDHRLCor4GkVmi7NW8q+WuYhUSGWBy55SGvcUobhUL7GEHFJZpKmyrBOwSbwiWUDoN+NjI2TR5xvG0Ldjd/Hj32Vk29I+xSnj/O7pZj5ho35qExlZ/WCe42i0VHjzHFbOoU1MkqB+Skm24L1cLufhyNBtA8NNN3GWZhkcozpe164gpx4H/Vfe0UyzxUn4VJIws/IXYiLb4DgDkGrV+wzigN2QfSgTgs6syQkSs4UJ4gUZeN0jsyq0YHIhq1VZ8qPtLH310d8LZLxpTjZdO0obBwJfnHkg3blwSABEt5756C5DvjKmvO1pjG+JX/PJ0yAINL9Sc+FsY7TnGlItVzD830NcZ3Gg9C4Tg4xBEHybUWCSl1rJjwMvmUvVKNcIzLBHPAOyle1VLTZ37zb13MnhwNwdUtBu7+RZTy9wVO26iqemXTtFVj13kgZkJsyLjM6bo2y2wvFmjBCV9EKQtm87ROStM7iKB46
+    repository-string: AgAEYSqT6VR4OKW9/ZDgjYV+rm4tK3uucZsQG2u7W+8rRO0Rowkuba1AbybjgTE+G3q8si/GtlgsB1J8suvztHcVLNxg0y0Olb40pn2sZjKd85Q8AzsM0pFMkzme1lvnwu1Bcgd6Ck+FCr4CuUnh+UvJM5iWhAoSHJtdBb/EKw2F1BhewAqMXSX4oWM7V/T8RTtW2wBUk4wgX4ia+gCBPMpTo6i00ZtSpRB3Ub9VfGJfRmiXZA7oh5j3yN9nJlXonbJYBp4DNWod76CF7s35HBnSzS7YfIV80R4lH4xAPgRbZ0tvPWkTLMhSBX8rJCEnxT7DjL2lS7WfyboLdL4Uy8WmP7n2difZSr7p2iic6SCP44YgQ8JY5UgXh2QZENQ6oLvjK/PpFTjQ4bfw3E1/dakg1EdCYc/6DPyK3YekccUe/pXvVBrazpgObxXWeKKT6RMDeYWLUXTBHWhJ5OaJHHePD5t9IM65FlFTtkuUFbxExTi/u+RczBlWWcy10Yow3I3LGrDPJ/PfBy4RPfHCeQDQ+WoLJkNT20nu5mBXEYYKgNvgdn4yogifSiNG8vsNpo4dO89aHppbnHdmdp7F9asfbn27btEoFoHzIFku/mEnY5srs+Smrhhzy0+iPKge9LOuW33Gi4oJban1UYFvLAjq8YsZGkbIO82r2p+v15UjwU3girWPl1KBUc8WzLJtnqBvRPWS1ul6/X9JIdmmrHJjC0KlcGiVMU/Ls9ljnQj7dgLXuDW7JzuK3MhTWV3Y2kS39ze3TskCKcbL
+  template:
+    metadata:
+      creationTimestamp: null
+      name: backblaze-credentials
+      namespace: backup
+    type: Opaque

infrastructure/backup/cronjobs-base/cronjob.yaml

@@ -46,14 +46,27 @@ spec:
                 name: backup-nfs-access
 
             env:
-              - name: RESTIC_REPOSITORY
-                value: rest:http://rclone-gcloud:8000/kluster
-                # lives in the same namespace
+              # secrets live in the same namespace as per kustomization.yaml
               - name: RESTIC_PASSWORD
                 valueFrom:
                   secretKeyRef:
                     name: restic-gdrive-credentials
                     key: restic-password
+              - name: RESTIC_REPOSITORY
+                valueFrom:
+                  secretKeyRef:
+                    name: backblaze-credentials
+                    key: repository-string
+              - name: AWS_ACCESS_KEY_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: backblaze-credentials
+                    key: key-id
+              - name: AWS_ACCESS_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: backblaze-credentials
+                    key: key-secret
           volumes:
             - name: backup-nfs-access
               persistentVolumeClaim:

infrastructure/backup/cronjobs-overlays/prune/restic-commands.yaml

@@ -17,10 +17,12 @@ spec:
             # RESTIC_ARGS Can be for instance: --verbose --dry-run
             # RESTIC_REPOSITORY is set in the secret
               - >-
+                  restic unlock
+                  &&
                   restic forget
                   -r $(RESTIC_REPOSITORY)
                   --verbose=2
-                  --keep-daily 7 --keep-weekly 5
+                  --keep-daily 7 --keep-weekly 10
                   --prune
           containers:
           - name: ntfy-command-send

infrastructure/backup/kustomization.yaml

@@ -8,7 +8,6 @@ resources:
   - namespace.yaml
   - pvc.yaml
   - restic-password.sealedsecret.yaml
-  - rclone-config.sealedsecret.yaml
-  - rclone-gcloud.deployment.yaml
+  - backblaze-credentials.sealedsecret.yaml
   - cronjobs-overlays/prune/
   - cronjobs-overlays/backup/

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.04"
+    newTag: "2024.08"
 
   - name: git
     newName: alpine/git
-    newTag: "2.43.0"
+    newTag: "v2.45.2"

infrastructure/gitea/README.md

@@ -0,0 +1,31 @@
+# Using gitea actions
+The actions deployment allows to use gitea actions from repositories within this instance.
+
+### Building docker images
+Docker builds use the kubernetes runner to build the images. For this to work, the pipeline needs to be able to access the kube-api. A service-account is created for this purpose.
+
+To use the correct docker builder use the following action
+```yaml
+    ...
+
+    - name: Create Kubeconfig
+      run: |
+        mkdir $HOME/.kube
+        echo "${{ secrets.BUILDX_KUBECONFIG }}" > $HOME/.kube/config
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        driver: kubernetes
+        driver-opts: |
+          namespace=act-runner
+          qemu.install=true
+
+    ...
+
+    - name: Build and push
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        <other config>
+```

infrastructure/gitea/actions.deployment.yaml

@@ -1,24 +1,23 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: actions-runner
+  labels:
+    app: act-runner
+  name: act-runner
 spec:
+  replicas: 1
   selector:
     matchLabels:
-      app: actions-runner
+      app: act-runner
   template:
     metadata:
       labels:
-        app: actions-runner
+        app: act-runner
     spec:
-      hostname: kube-runner
+      restartPolicy: Always
       containers:
-      - name: actions-runner
-        image: actions-runner
-        resources:
-          requests:
-            memory: "128Mi"
-            cpu: "500m"
+      - name: runner
+        image: vegardit/gitea-act-runner:dind-latest
         env:
         - name: GITEA_INSTANCE_URL
           value: "https://git.kluster.moll.re"
@@ -27,5 +26,35 @@ spec:
             secretKeyRef:
               name: actions-runner-secret
               key: runner-token
-        - name: GITEA_RUNNER_LABELS
-          value: k8s
+        - name: ACTIONS_RUNNER_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: GITEA_RUNNER_UID
+          value: '1000'
+        - name: GITEA_RUNNER_GID
+          value: '1000'
+        - name: GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED
+          value: 'true'
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+      volumes:
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: runner-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: runner-data
+spec:
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: "nfs-client"
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany

infrastructure/gitea/actions.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: gitea
 spec:
   encryptedData:
-    runner-token: AgBHwek/Aj/0oOnI/bnZ4FgtRoeJw4tIKvcDzBhaPdQ7bMVHyHUKYUNP7lkPgZrIN+7rhMY7C/j13iGWx4iTdhTgipLiJvyZ70pXKLSix4IpcypJTElggWkW0JW79x1HyJfBtn9iJiHnEZXPi7sEnyKhA0asAOR0ae8NS6mxxei0TIImaPaC2RHL6MOi40xsXpHz2ZaVhDQaTSRWjv0U6+WkCGcueqM2HLYfF1gqqkzGCjjhdOTK1CKvIvApZ5n8x6x94IiywCXJraDCwLz+acF2c2vA/Jb/3p7TwyyRZ5uIF5LZufhTJ6+5sFJSReHYxO4CpPA8KvM880vtiEjN7LxVo/Jruj2459OvjviKZS03ZwLHHrjanom1+HA9Sx2ffRLiR5ayGkfj/6kvpIRt5x1F7BbPp+a0LXuxJX+1nGDyEa1D1WzVKvZASav6/v7cXcom/nKGO91Zb8qHlOv7ZTs5guGQ9G9VCOHOG8szwpW3ZmQwWfFoWsShzqbDqszBYOGeIjIiDllLzTZ8A9dv9J2ELngZ1IPGIkfpQNEW8hsbNXTYhdVIrkh7BIFkRWfYDNWxqZd4iE6XllQcT1rqndusgiNEJX2r+P4nT8dPewATXQ79wzvZU3kB+VHzM8cLymlVGADi7v/qTY9RcrhuE0oMLzHRShr6JU05VfLGbMsttrYKmW7smvBp3lRJitO5A8+r8cRniS1+Xr8mIx87vCvnoWSH6BKkl9pCdDeCGylAWfkJN9UpkaKg
+    runner-token: AgAUU0jMe3bhoaOdqRZjRzvuQyRMagahDQtX2eqoJ78xihMPkL2yK5MZoCbcps2+xq2zSBgtdwA8xAMyVC4aKkeqYaPSlvBcvuGbcEsnGYJB1Fmjqn2CbvF4nbfaio+XMBmhZXW+GiPWmeiID6LhMwZghzVmcLEuqSmBJ0uB203j0wqsz/k9haL5zZ3vZRE0ofNFceDiVE55TrvTBiLQf1H6R9kFSaRRvcuCH8desX3OmkcSZ0PktULM7KElF9pX1gndrbwiEL5XK60KzE9URl2qpTK/mRrN88ZBa6IuX7u7M579yD3d7yS/JgYi2TL8s3Z69v8JF/nF1ha19xJFhEp1iiyS40xo8cuGHbfVzDSExbJ9fQMpG+1w8ZmyiARXT0EMjuz7tBSruKlr21R6lvwyri71Zg6cUKoVcmQlcmEW7Y6TkH4dsOGlpBX2KsLai7ObGgsQePZ7BHaMTEl54omtdsNsQaquElKhhhBVLEGGQgbP/YZ0wT244mgQkjuMLjVxAM1IWsu4THUY16F+bphzw4xYesZTYYCJUpNO3FDvcsyqlMgPlLMnO3CZyt+Y1avrfz/id5eJUxlVFx9y5htzXA1GaBgrnoRkrpv2OVRFIxatASGbbQgqcDIWx3VXfjVF32fnzVUNtiTZ+pvC/UcyAvFZmaZIrdbK42cA85O1FaOThHJg+8rpc4RXWOOiVg8+8BAQUd/c9bdPJeYLavDefaI5O9DZT4UqiQioBCET2yZPIhwm9JBT
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/drone-kube-runner.deployment.yaml

@@ -1,84 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: drone-runner
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: drone-runner
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/log
-  verbs:
-  - get
-  - create
-  - delete
-  - list
-  - watch
-  - update
-
----
-
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: drone-runner
-subjects:
-- kind: ServiceAccount
-  name: drone-runner
-roleRef:
-  kind: Role
-  name: drone-runner
-  apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-runner
-  labels:
-    app.kubernetes.io/name: drone-runner
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: drone-runner
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: drone-runner
-    spec:
-      serviceAccountName: drone-runner
-      containers:
-      - name: runner
-        image: drone/drone-runner-kube:latest
-        ports:
-        - containerPort: 3000
-        env:
-        - name: DRONE_RPC_HOST
-          value: drone-server:80
-        - name: DRONE_RPC_PROTO
-          value: http
-        - name: DRONE_RPC_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: drone-server-secret
-              key: rpc_secret
-        - name: DRONE_NAMESPACE_DEFAULT
-          value: gitea
-        # - name: DRONE_NAMESPACE_RULES
-        #   value: "drone-runner:*"
-        - name: DRONE_SERVICE_ACCOUNT_DEFAULT
-          value: drone-runner

infrastructure/gitea/drone-server.deployment.yaml

@@ -1,117 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-server
-  labels:
-    app: drone-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: drone-server
-  template:
-    metadata:
-      labels:
-        app: drone-server
-    spec:
-      containers:
-      - name: drone
-        image: drone/drone:latest
-        env:
-          - name: DRONE_SERVER_PORT # because the deployment is called drone-server, override this var again!
-            value: ":80"
-          - name: DRONE_GITEA_SERVER
-            value: https://git.kluster.moll.re
-          - name: DRONE_USER_CREATE
-            value: username:remoll,admin:true
-          - name: DRONE_GITEA_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: client_id
-          - name: DRONE_GITEA_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: client_secret
-          - name: DRONE_RPC_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: rpc_secret
-          - name: DRONE_SERVER_HOST
-            value: drone.kluster.moll.re
-          - name: DRONE_SERVER_PROTO
-            value: https
-        resources:
-          requests:
-            memory: "1Gi"
-            cpu: 1.5
-        volumeMounts:
-        - mountPath: /data
-          name: drone-data-nfs
-      volumes:
-      - name: drone-data-nfs
-        persistentVolumeClaim:
-          claimName: drone-data-nfs
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-server
-  labels:
-    app: drone-server
-
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    name: http
-  selector:
-    app: drone-server
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: drone-server-ingress
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`drone.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: drone-server
-      port: 80
-  tls:
-    certResolver: default-tls
-
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: drone-data-nfs
-spec:
-  capacity:
-    storage: "1Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/drone
-    server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: drone-data-nfs
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "1Gi"
-  volumeName: drone-data-nfs

infrastructure/gitea/drone-server.sealedsecret.yaml

@@ -1,23 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "drone-server-secret",
-    "namespace": "gitea",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "drone-server-secret",
-        "namespace": "gitea",
-        "creationTimestamp": null
-      }
-    },
-    "encryptedData": {
-      "client_id": "AgA53a7kGJ6zZcx2ooTvTNwxaW2FvfzHJnxg6co54+HXinTJKsc4+GJ1PtdIbsZ7Dgu/sLi/4X90fT+PT2sgEx9jIilmHPdJeRtwV1UID3Y46A7cJlfcAKwNOFzp2PWvBvizbNp7tbJwxeAYnVX8GfN6fi700QxBGqAI3u8qQvLpU6UGW2RM96gCXI7s1QhE1Le6TgoESy5HX95pB7csDRNSwVE02OWfDHKEjH8QD8UvBB9xct6uwDfu7KrsJiNJvWMP6arvpfhy/X+UtCTFmj5wmFYL7oc6vSiCkq+QyHgQTEHTmGpEjEGKcQxPQaus3KhbhcxQBYLMEMYRlLPH0AEAA4dzbSpoVXM3LuIe9FppgrTCknK1uRB8wyrHUeInWO8mG7UraV6m5PUS+UYODMvfjwY3PyiGhTSf6LgMlhMl8e+2rb+OsWphT8Pbeom33PucrYaRFr9RpQkJSwE6HU3JEh25YLfIJ7caqRND8C/p8kD679C8UMcNpBN8WS4Cswn5jzmwbeJNM5DGp9yQVZNx7Bv3dHzx9i3ShjJ6QQnR/zWJZ/dWLy6weGYmdZMMXRAO8CCdruvcX5YyeieXZfchSIlZ/GqqBHptdcLpwLiZsfmyTWeBvk5pMAsZaKJ1tfWpQ84s4epzMoieTfhTueGXmeRKX+DJBBcriU+5YoqNxpU1lPL+LoInorJSKN7c3ouFx78N3GDOCq7mlWI94lY0bIs5zhrfUN137ITCcED62AJ7vks=",
-      "client_secret": "AgDQXU7x6RLhE9Hc+goeR2+3rW316SLLLA8tfqx3tsykL+vxhRkY5UCEaak3Rgei0k14jB/Rmme+/O/D1/5tc/i885+sGn0yjU7Jo4L5nkIssUOHlmRSGkRJDb9ABPauFXAjap9KLix9bd8ewI7R0lS3tOK9ZhThYhcfDUqV9qkkbSHzwNptkH7gYWt9qzG/rqqqpFP+PCtjzKVve4LCBgaxetcnh1t+d5oh7VAFnSI9Bt1G/DRzi+K3YZ+YG5+XKevBp06GMiLUMiv/eUvmOfAB/KO79LnNVbOcRsAHfnqLbXgNjFzspr5xDiGMC/ma1245LavywqXDp0S9jjNEe48i51PPQMwHWV8XEovsM6LHcteluNogt+VkL4mOnmP+sba/V3NO51rt1WXl+ca+U4kBq4dLMsdpWUKemz9BlIRC4etEXjwKJ5DznT7u6GUTrXx2RCm1j0OYWM++P10SdyD6tGjKnZf88a33Wrwm8Y7c47JrPTlP4PqLq9gzvD310uVfs1vGYGULaToGy+D/th8qiWWlu7BIfwqlIj8lruVnOhQ4GeEZmUAsqYf8JfsBwuDc0Y+8qbwjFrr2z+5x+2XBL8KGZVopyme45SHijlBZs7YsJqTBsg5oW09grM8/oO731GtzSYmpat2VZlaILuTjALqo/cu//kxwmqh7UX+jnTJ/2N3bKKSAfHWbHDeHeS2XJ+eKaI4onNYW9J70EfAP3vOpU+zmQ8rOzJuJjRt0HarLwzc5CXb1Xhlgsaoj7zKXPQMnqIDngg==",
-      "rpc_secret": "AgAcJNCFtOhK28vnLredkTgsVpnMPwaXss5NT5ysc0IbVid2vWRk2CTjBZc5DzjxxLwI1Ok88MFXHP08ZGCYy4rIbwoi7Ei1OEevGWfaI4n5CvAxr4ZamQHSfIX9dVAm9BSSx2M/mDtCKqVEGJEzyHCedrxf6LXM/YTNgjD43BuCZZMu35mRsHItpYFZQSttlHiUvR8y2YKrhV2P7fiWRD3cCVao8ldzKfGuvRfal8ByGoxpsYLj2D9CdtPvRF/TQsWUJJWwzbI9DmbW1MMI4/b26Jfa5TBvHxS1MQxFJpSXuMIengO+b0bi7WaR36y/FrKSNxIrQDHI7XCb00yYaSfj3RkSBVoAD0a2p8vNupHCqsKBoaWd8tMv/wGP8wbBk4DgGeQiTIvfhbQZU/Q2/LVDDficjXVn3IuKP/cqgGVf6lUh5YsUSs8qwpMil7XySiHvaZn+iFAnsXoejd4S2e/pbRvyaxP1aa7TCxnINjpU7IrnUEUiI4glQmAte3MqZWLXcc0Uk3Qz9PP0cD+V8qCOryrPMP2kTAI8LT/K4DgcEMAEGes4Vx1l0oBMF0xJvhM2kZXcEcf0NzuQJvYTgZpQF5xp0TchezLshmEUSIkII9NvAvn+iEYJeHsJUDijjmBloSYe4+QTgdYh6FakVUwYI5U4ztDNrvgqhWjExfbn8HxaFzsNTsuzGoYs+jwXH8Wk2z1Q1oQjDdO5YTjmdqvkSTdin/5CiuCDHaQX6a4gNQ=="
-    }
-  }
-}

infrastructure/gitea/gitea.values.yaml

@@ -119,7 +119,7 @@ gitea:
       TYPE: level
     indexer:
       ISSUE_INDEXER_TYPE: bleve
-      REPO_INDEXER_ENABLED: true
+      REPO_INDEXER_ENABLED: false
 
 
 

infrastructure/gitea/kustomization.yaml

@@ -5,24 +5,18 @@ resources:
   - gitea.pvc.yaml
   - gitea.ingress.yaml
   - gitea.servicemonitor.yaml
-  - drone-kube-runner.deployment.yaml
-  - drone-server.deployment.yaml
-  - drone-server.sealedsecret.yaml
   - actions.deployment.yaml
   - actions.sealedsecret.yaml
+  # - actions.rbac.yaml
+
 
 namespace: gitea
 
-images:
-  - name: actions-runner
-    newName: ghcr.io/christopherhx/gitea-actions-runner
-    newTag: v0.0.11
-
 
 helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.1.4
+    version: 10.4.1
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/gitea/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/gitea/postgres.yaml

@@ -0,0 +1,28 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-postgres
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.2
+  bootstrap:
+    initdb:
+      import:
+        type: monolith
+        databases:
+          
+
+    # Persistent storage configuration
+  storage:
+    size: 10Gi
+    pvcTemplate:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+      storageClassName: nfs-client
+      volumeMode: Filesystem
+  
+  monitoring:
+    enablePodMonitor: true

infrastructure/metallb-system/kustomization.yaml

@@ -10,6 +10,6 @@ namespace: metallb-system
 helmCharts:
   - name: metallb
     repo: https://metallb.github.io/metallb
-    version: 0.14.5
+    version: 0.14.8
     releaseName: metallb
     valuesFile: values.yaml

infrastructure/metallb-system/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.21.0
+    version: 0.22.0
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/prometheus/kustomization.yaml

@@ -17,4 +17,4 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.34.1
+    newTag: v0.36.1

infrastructure/prometheus/prometheus.yaml

@@ -4,7 +4,7 @@ metadata:
   name: prometheus
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-knd: ClusterRole
+kind: ClusterRole
 metadata:
   name: prometheus
 rules:
@@ -52,26 +52,17 @@ spec:
     requests:
       memory: 400Mi
   retention: 730d
-  retentionSize: 50Gi
+  retentionSize: 3GiB
   serviceAccountName: prometheus
   enableAdminAPI: false
   serviceMonitorNamespaceSelector: {}
   serviceMonitorSelector: {}
   thanos:
-    version: v0.33.0
+    version: v0.34.1
     objectStorageConfig:
       # loads the config from a secret named thanos-objstore-config in the same namespace
       key: thanos.yaml
       name: thanos-objstore-config
-  volumeClaimTemplate:
-    metadata:
-      name: prometheus-data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 50Gi
 ---
 apiVersion: v1
 kind: Service

infrastructure/prometheus/thanos-objstore-config.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: prometheus
 spec:
   encryptedData:
-    thanos.yaml: AgAvZbqz5bYVzhbpfYXKoVHt+wKKuOI2C8pBCkBxuBcORoEf2f6eGVYS+aaojipQk8LaYP2yw/ffRmucKuAH0mVmZllRkVoZTOP7L1ciDmrOpbfrfPtoMJagFY90HKd1FZcI45C64MUYvqHCvF40Jk6rEii9aSmOPj9WyGqh5GrqCO24tt1Prk3o+ZS6Z2tlPRF1PdBpyZcQYYMnSuTgA4aCVuXQF/H5rR1luP85jzJAESp1VEV+xEOUY98ZLaA071fySndFZEn6YflfpixqNWFkloYENMfGL+x9jc/zbvbLyG4Q4FG5etz331GQe29OW7uIibXXGwdKO+a6Wd7a6I9ygA5+V8UdeT9mvB2AZRV6aY3aHifOgTTDDg/9YkXfUnmEwowhzsx7mtumxHOmHssFsWmRCX04wHz596/8/RyqmQrShCdGjtVkhVcEuJPPacC6awj9AZOQcW86uatZgnvnNJPlHjgSYFGxnHS89AWRgY68IF6h4Xhs8CpIcVoujK8Oi05vL3Ypi3g/r0iJ65tbYVo3LfyTnSk4pUgERJHGCPpBmiSo4DG+K9pA+cYyqjgZZGXaGKzLNCUDrBEWg5nY5gNMCyjTEeoQUurz2uPLD07Jme9KUd0a1TpoEsUOvfyyiM1DKW30XTKvIfm5m3voBatV+3oX1XfqyZEqkS7+VtWzqRqYAr0y5MEnBTpIMXQBa8M5SlVvcpaovKk1A6ZzNZExfF77o71v650axcLT3U+sxV8IIRS7y+BDRJGYiXaX0EFOIlIe+YDGFbf2k1kUi1kbhHBQEPCQkTgt79yTLEyXNAGrpNUsNYivWIQ+8GPM6+wDY9NjS2QLFKBt5sPe0VjqxzCeSoUY6rDgmR8rEtWpqOHWfuD5IuyCerzxmh0kMr9vVKjEjfJoSjES2MQRM5wOdVLHJSc=
+    thanos.yaml: AgByW/LKzPh0QeNsHR8Us4bJ/0chIQErhfh5plY1tjqiZyNLlxZ+NygYYzVggW02k4gAsKs68trbLBbeTTEhpKYP8hUphNb13lrgp07wYpOQjUF57i6RjPM2QNJpO0qLSk/nOPIOtR3XKn+nXxdJDmh3j5y0zxVz5O7MLh7adwOaHlyWTLMJjI1cda8YljDp2FYs24lHHMw4gXAYUecGDJNQqw5Xy9IiGh8kBbcKe3j6bVCj1yxPbHszmvZ2s+Q+mnndXnoeLMhwjZhMF8/PETxmSZ2bs41k3lHm/2rcPQCJsl9CuJEGKhu6ndKrVhtury4/US/FheEOoGF0YZk/AQMHII/mxy8haPNxtQTDs4rfYz/BA8cMMZll44wxOY9gAOmhm3sG6GI9wcB1Z65p98xSuDaInknO80l07vwMAAvmrZbT53Fmefrxl+jE1pImcGEsL0MfP621nTXlOBW9keF+6aUOubrwjPKKSXdqZU21acNbaIeRQSJyaOBStAKLfnPFmaryGisgNu0hCk/WmszZ0/s/ilvdMdAD6kKoiKL/NWfXtHATh/fnd76bKfSzNQk6e+WWfomToYVU0HRgAaWnIzjB9Q4tjxkbRwteEodU+K1BvD4xQ0sfQB2vHlDjQGC3pjIUFCWG0SzQGb7oe6+X2CJpcNIBHwF661iELJpJkg8dLsPtwb+8Rj6BL+ZtyVKYv18nDNON0WVpwJb/IHHSmxfYD5b/q6fATCFj55IXK5Nr4VO65a2Sv5Iv0/TTUVkwb8dkMmwfs5qcQiZ4oKWx8Ol6GkjDZrFARUtHQ/9KiZ9xDj3tPic2TeQfKr27sgc4lEL8RSxaRKHkkxIAioea3YgFfBm7ZfoxMlzJnQ1vI2vDvJcRXhWKSGdXiKOddwLSVMZFsSRRi9AxH87Sjt7j1wvsA7xgBqc=
   template:
     metadata:
       creationTimestamp: null

infrastructure/prometheus/thanos-query.deployment.yaml

@@ -53,15 +53,3 @@ spec:
       protocol: TCP
       port: 10901
       targetPort: grpc
-metadata:
-  labels:
-    app: thanos-querier
-  name: thanos-querier
-spec:
-  ports:
-  - port: 9090
-    protocol: TCP
-    targetPort: http
-    name: http
-  selector:
-    app: thanos-querier

infrastructure/prometheus/thanos-store.statefulset.yaml

@@ -1,33 +1,32 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
-  name: thanos-store-gateway
+  name: thanos-store
   labels:
-    app: thanos-store-gateway
+    app: thanos-store
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: thanos-store-gateway
-  serviceName: thanos-store-gateway
+      app: thanos-store
   template:
     metadata:
       labels:
-        app: thanos-store-gateway
+        app: thanos-store
         thanos-store-api: "true"
     spec:
       containers:
         - name: thanos
           image: thanos
           args:
-          - "store"
-          - "--log.level=debug"
-          - "--data-dir=/data"
-          - "--grpc-address=0.0.0.0:10901"
-          - "--http-address=0.0.0.0:10902"
-          - "--objstore.config-file=/etc/secret/thanos.yaml"
-          - "--index-cache-size=500MB"
-          - "--chunk-pool-size=500MB"
+          - store
+          - --log.level=debug
+          - --data-dir=/data
+          - --grpc-address=0.0.0.0:10901
+          - --http-address=0.0.0.0:10902
+          - --objstore.config-file=/etc/secret/thanos.yaml
+          - --index-cache-size=500MB
+          - --chunk-pool-size=500MB
           ports:
           - name: http
             containerPort: 10902
@@ -61,7 +60,6 @@ metadata:
     app.kubernetes.io/name: thanos-store
   name: thanos-store
 spec:
-  clusterIP: None
   ports:
   - name: grpc
     port: 10901
@@ -70,4 +68,4 @@ spec:
     port: 10902
     targetPort: 10902
   selector:
-    app: thanos-store-gateway
+    app: thanos-store

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "37"
+    newTag: "38"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.26.2
+    newTag: 0.27.1

infrastructure/traefik-system/configmap.yaml

@@ -74,11 +74,13 @@ data:
         address = ":9000"
       
       [entryPoints.dnsovertls]
-        address = ":853"
+        address = ":8853"
         # route dns over https to other pods but provide own certificate
 
+
     [metrics]
       [metrics.prometheus]
+      # metrics are enabled and scraping is ensured through a servicemonitor
       entryPoint = "metrics"
       addEntryPointsLabels = true
       addServicesLabels = true

infrastructure/traefik-system/kustomization.yaml

@@ -5,14 +5,14 @@ resources:
   - pvc.yaml
   - configmap.yaml
   - servicemonitor.yaml
-  - https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-  - https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+  - https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+  - https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 
 namespace: traefik-system
 
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 27.0.2
+    version: 31.1.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/traefik-system/pvc.yaml

@@ -1,25 +1,11 @@
 apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: traefik-certificate
-spec:
-  capacity:
-    storage: "10Mi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/traefik/certs
-    server: 192.168.1.157
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: traefik-certificate
+  name: certs
 spec:
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "10Mi"
-  volumeName: traefik-certificate
-  storageClassName: ""
+      storage: "50Mi"

infrastructure/traefik-system/telegraf.values.yaml

@@ -1,151 +0,0 @@
-## Default values.yaml for Telegraf
-## This is a YAML-formatted file.
-## ref: https://hub.docker.com/r/library/telegraf/tags/
-
-replicaCount: 1
-image:
-  repo: "telegraf"
-  tag: "1.24"
-  pullPolicy: IfNotPresent
-podAnnotations: {}
-podLabels: {}
-imagePullSecrets: []
-## Configure args passed to Telegraf containers
-args: []
-# The name of a secret in the same kubernetes namespace which contains values to
-# be added to the environment (must be manually created)
-# This can be useful for auth tokens, etc.
-
-# envFromSecret: "telegraf-tokens"
-env:
-  - name: HOSTNAME
-    value: "telegraf-polling-service"
-# An older "volumeMounts" key was previously added which will likely
-# NOT WORK as you expect. Please use this newer configuration.
-
-volumes:
-- name: traefik-logs
-  persistentVolumeClaim:
-    claimName: traefik-logs
-mountPoints:
-- name: traefik-logs
-  mountPath: /traefik_logs
-
-
-## Node labels for pod assignment
-## ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-## Affinity for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-##
-affinity: # to read the traefik logs the pod must be on the same node as traefik
-  podAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
-    - labelSelector:
-        matchExpressions: # matches labels: app.kubernetes.io/name=traefik
-        - key: app.kubernetes.io/name
-          operator: In
-          values:
-          - traefik
-      topologyKey: "kubernetes.io/hostname"
-
-## Tolerations for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-##
-tolerations: []
-# - key: "key"
-#   operator: "Equal|Exists"
-#   value: "value"
-#   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-service:
-  enabled: false
-  type: ClusterIP
-  annotations: {}
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: true
-  # Create only for the release namespace or cluster wide (Role vs ClusterRole)
-  clusterWide: false
-  # Rules for the created rule
-  rules: []
-# When using the prometheus input to scrape all pods you need extra rules set to the ClusterRole to be
-# able to scan the pods for scraping labels. The following rules have been taken from:
-# https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46
-#    - apiGroups:
-#        - ""
-#      resources:
-#        - nodes
-#        - nodes/proxy
-#        - nodes/metrics
-#        - services
-#        - endpoints
-#        - pods
-#        - ingresses
-#        - configmaps
-#      verbs:
-#        - get
-#        - list
-#        - watch
-#    - apiGroups:
-#        - "extensions"
-#      resources:
-#        - ingresses/status
-#        - ingresses
-#      verbs:
-#        - get
-#        - list
-#        - watch
-#    - nonResourceURLs:
-#        - "/metrics"
-#      verbs:
-#        - get
-
-serviceAccount:
-  # Specifies whether a ServiceAccount should be created
-  create: true
-  # The name of the ServiceAccount to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
-  # Annotations for the ServiceAccount
-  annotations: {}
-## Exposed telegraf configuration
-## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
-## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
-config:
-  agent:
-    interval: "10s"
-    round_interval: true
-    metric_batch_size: 1000
-    metric_buffer_limit: 10000
-    collection_jitter: "0s"
-    flush_interval: "10s"
-    flush_jitter: "0s"
-    precision: ""
-    debug: false
-    quiet: false
-    logfile: ""
-    hostname: "$HOSTNAME"
-    omit_hostname: true
-  # processors:
-  #   - enum:
-  #       mapping:
-  #         field: "status"
-  #         dest: "status_code"-+
-  #         value_mappings:
-  #           healthy: 1
-  #           problem: 2
-  #           critical: 3
-  outputs:
-    - influxdb_v2:
-        urls:
-          - "http://influxdb-influxdb2.monitoring:80"
-        token: N_jNm1hZTfyhJneTJj2G357mQ7EJdNzdvebjSJX6JkbyaXNup_IAqeYowblMgV8EjLypNvauTl27ewJvI_rbqQ==
-        organization: "influxdata"
-        bucket: "kluster"
-        # retention_policy: "2w"
-  inputs:
-    - docker_log:
-        endpoint: "unix:///var/run/docker.sock"
-        from_beginning: false
-        container_name_include: ["traefik"]

infrastructure/traefik-system/values.yaml

@@ -7,60 +7,15 @@ deployment:
   kind: Deployment
   # Number of pods of the deployment (only applies when kind == Deployment)
   replicas: 1
-  # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
-  # revisionHistoryLimit: 1
-  # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
-  terminationGracePeriodSeconds: 60
-  # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
-  minReadySeconds: 0
-  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
-  annotations: {}
-  # Additional deployment labels (e.g. for filtering deployment by custom labels)
-  labels: {}
-  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
-  podAnnotations: {}
-  # Additional Pod labels (e.g. for filtering Pod by custom labels)
-  podLabels: {}
-  # Additional containers (e.g. for metric offloading sidecars)
-  additionalContainers: []
-    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
-    # - name: socat-proxy
-    # image: alpine/socat:1.0.5
-    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
-    # volumeMounts:
-    #   - name: dsdsocket
-    #     mountPath: /socket
+
   # Additional volumes available for use with initContainers and additionalContainers
   additionalVolumes:
-    # - name: traefik-logs
-    #   persistentVolumeClaim:
-    #     claimName: traefik-logs
-    - name: traefik-certificate
+    - name: certs
       persistentVolumeClaim:
-        claimName: traefik-certificate
+        claimName: certs
     - name: traefik-config
       configMap:
         name: traefik-config
-    # - name: dsdsocket
-    #   hostPath:
-    #     path: /var/run/statsd-exporter
-  # Additional initContainers (e.g. for setting file permission as shown below)
-  initContainers: []
-    # The "volume-permissions" init container is required if you run into permission issues.
-    # Related issue: https://github.com/traefik/traefik/issues/6972
-    # - name: volume-permissions
-    #   image: busybox:1.31.1
-    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
-    #   volumeMounts:
-    #     - name: data
-    #       mountPath: /data
-  # Use process namespace sharing
-  shareProcessNamespace: false
-  # Custom pod DNS policy. Apply if `hostNetwork: true`
-  # dnsPolicy: ClusterFirstWithHostNet
-  # Additional imagePullSecrets
-  imagePullSecrets: []
-    # - name: myRegistryKeySecretName
 
 
 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
@@ -78,7 +33,7 @@ pilot:
   # Toggle Pilot Dashboard
   # dashboard: false
 
-# Enable experimental features
+# Enable experimental featureskdes+
 experimental:
   http3:
     enabled: false
@@ -99,11 +54,6 @@ experimental:
 ingressRoute:
   dashboard:
     enabled: false
-    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
-    annotations: {}
-    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
-    labels: {}
-
 
 
 #
@@ -114,65 +64,26 @@ providers:
     enabled: true
     allowCrossNamespace: false
     allowExternalNameServices: true
-    allowEmptyServices: false
-    # ingressClass: traefik-internal
-    # labelSelector: environment=production,method=traefik
-    namespaces: []
-      # - "default"
-
   kubernetesIngress:
     enabled: true
     allowExternalNameServices: true
-    allowEmptyServices: false
     ingressClass: traefik
     # labelSelector: environment=production,method=traefik
-    namespaces: []
-      # - "default"
-    # IP used for Kubernetes Ingress endpoints
-    publishedService:
-      enabled: false
-      # Published Kubernetes Service to copy status from. Format: namespace/servicename
-      # By default this Traefik service
-      # pathOverride: ""
-
-
-# Add volumes to the traefik pod. The volume name will be passed to tpl.
-# This can be used to mount a cert pair or a configmap that holds a config.toml file.
-# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
-# additionalArguments:
-# - "--providers.file.filename=/config/dynamic.toml"
-# - "--ping"
-# - "--ping.entrypoint=web"
-volumes: []
-  # - name: traefik-config
-  #   mountPath: /config
-  #   configMap:
-  #     name: traefik-config
 
   
 
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts:
-#   - name: traefik-logs
-#     mountPath: /var/log/traefik
-#     nfs:
-#       server: 192.168.1.157
-#       path: /kluster/traefik
-#   # For instance when using a logshipper for access logs
-  # - name: traefik-logs
-  #   # claimName: traefik-logs
-  #   mountPath: /var/log/traefik
-  - name: traefik-certificate
+  - name: certs
     # claimName: traefik-certificate
     mountPath: /certs
   - name: traefik-config
     mountPath: /config
 
 
-globalArguments:
+additionalArguments:
   - "--configfile=/config/traefik.toml"
 
-additionalArguments: []
 
 # Environment variables to be passed to Traefik's binary
 env:
@@ -185,18 +96,13 @@ env:
 ports:
   # add a new one, the other ones are kept the same.
   dnsovertls:
-    port: 853
-    expose: true
+    port: 8853
+    expose:
+      default: true
     exposedPort: 853
     protocol: TCP
 
 
-envFrom: []
-# - configMapRef:
-#     name: config-map-name
-# - secretRef:
-#     name: secret-name
-
 
 tlsOptions: {}
 
@@ -218,3 +124,4 @@ service:
   spec:
     # externalTrafficPolicy: Local
     loadBalancerIP: 192.168.3.1
+

kluster-deployments/audiobookshelf/application.yaml

@@ -1,18 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homepage-application
+  name: audiobookshelf-application
   namespace: argocd
-
 spec:
   project: apps
   source:
     repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: apps/homepage
+    path: apps/audiobookshelf
   destination:
     server: https://kubernetes.default.svc
-    namespace: homepage
+    namespace: audiobookshelf
   syncPolicy:
     automated:
       prune: true

kluster-deployments/audiobookshelf/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

kluster-deployments/kustomization.yaml

@@ -24,14 +24,15 @@ resources:
 
   # simple apps
   - adguard/
+  - audiobookshelf/
   - eth-physics/
   - files/
   - finance/
   - homeassistant/
-  - homepage/application.yaml
   - immich/
   - journal/
   - media/
+  - minecraft/application.yaml
   - monitoring/
   - ntfy/
   - recipes/

kluster-deployments/minecraft/application.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minecraft-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/minecraft
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: minecraft
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false