add headscale

Reviewed-on: #423

apps/adguard/configmap.yaml

@@ -27,7 +27,10 @@ data:
       ratelimit_whitelist: []
       refuse_any: true
       upstream_dns:
-        - https://dns10.quad9.net/dns-query
+        - tls://1.1.1.1
+        - tls://dns.google
+        - tls://p0.freedns.controld.com
+        - tls://dns.quad9.net
       upstream_dns_file: ""
       bootstrap_dns:
         - 9.9.9.10
@@ -35,8 +38,7 @@ data:
         - 2620:fe::10
         - 2620:fe::fe:10
       fallback_dns: []
-      all_servers: false
+      upstream_mode: load_balance
-      fastest_addr: false
       fastest_timeout: 1s
       allowed_clients: []
       disallowed_clients: []
@@ -72,6 +74,8 @@ data:
       dns64_prefixes: []
       serve_http3: false
       use_http3_upstreams: false
+      serve_plain_dns: true
+      hostsfile_enabled: true
     tls:
       enabled: false
       server_name: ""
@@ -88,12 +92,14 @@ data:
       private_key_path: ""
       strict_sni_check: false
     querylog:
+      dir_path: ""
       ignored: []
       interval: 2160h
       size_memory: 1000
       enabled: true
       file_enabled: true
     statistics:
+      dir_path: ""
       ignored: []
       interval: 24h
       enabled: true
@@ -110,6 +116,10 @@ data:
         url: https://someonewhocares.org/hosts/zero/hosts
         name: Dan Pollock's List
         id: 1684963532
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
+        name: Peter Lowe's Blocklist
+        id: 1735824753
     whitelist_filters: []
     user_rules: []
     dhcp:
@@ -134,13 +144,36 @@ data:
       blocking_ipv6: ""
       blocked_services:
         schedule:
-          time_zone: UTC
+          time_zone: Europe/Berlin
-        ids: []
+          sun:
+            start: 18h
+            end: 23h59m
+          mon:
+            start: 18h
+            end: 23h59m
+          tue:
+            start: 18h
+            end: 23h59m
+          wed:
+            start: 18h
+            end: 23h59m
+          thu:
+            start: 18h
+            end: 23h59m
+          fri:
+            start: 18h
+            end: 23h59m
+          sat:
+            start: 18h
+            end: 23h59m
+        ids:
+          - reddit
       protection_disabled_until: null
       safe_search:
         enabled: false
         bing: true
         duckduckgo: true
+        ecosia: true
         google: true
         pixabay: true
         yandex: true
@@ -149,11 +182,13 @@ data:
       parental_block_host: family-block.dns.adguard.com
       safebrowsing_block_host: standard-block.dns.adguard.com
       rewrites: []
+      safe_fs_patterns:
+        - /opt/adguardhome/data/userfilters/*
       safebrowsing_cache_size: 1048576
       safesearch_cache_size: 1048576
       parental_cache_size: 1048576
       cache_time: 30
-      filters_update_interval: 24
+      filters_update_interval: 168
       blocked_response_ttl: 10
       filtering_enabled: true
       parental_enabled: true
@@ -168,6 +203,7 @@ data:
         hosts: true
       persistent: []
     log:
+      enabled: true
       file: ""
       max_backups: 0
       max_size: 100
@@ -179,4 +215,4 @@ data:
       group: ""
       user: ""
       rlimit_nofile: 0
-    schema_version: 27
+    schema_version: 29

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.53
+    newTag: v0.107.61
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.16.2"
+    newTag: "2.20.0"

apps/code-server/deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: code-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: code-server
+  template:
+    metadata:
+      labels:
+        app: code-server
+    spec:
+      containers:
+        - name: code-server
+          image: code-server
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          - name: CONFIG_PATH
+            value: /data/config
+          - name: METADATA_PATH
+            value: /data/metadata
+          volumeMounts:
+            - name: data
+              mountPath: /home/coder
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "6"
+              memory: "16Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: code-server-data
+

apps/code-server/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: audiobookshelf-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`code.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: code-server-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/code-server/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: code-server
+
+images:
+  - name: code-server
+    newName: ghcr.io/coder/code-server
+    newTag: 4.99.3-fedora

apps/code-server/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: code-server-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/code-server/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: code-server-web
+spec:
+  selector:
+    app: code-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+  type: LoadBalancer

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "5.0.8"
+    newTag: "7.1.2"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.11.0
+    newTag: 25.4.0

apps/grafana/grafana-admin.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-admin-secret
+  namespace: grafana
+spec:
+  encryptedData:
+    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
+    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-admin-secret
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana-auth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: grafana
+spec:
+  encryptedData:
+    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana.values.yaml

@@ -35,13 +35,17 @@ datasources:
   datasources.yaml:
     apiVersion: 1
     datasources:
-      - name: Thanos
-        type: prometheus
-        url: http://thanos-querier.prometheus.svc:10902
-        isDefault: true
       - name: Prometheus
         type: prometheus
-        url: http://prometheus.prometheus.svc:9090
+        url: http://prometheus.monitoring.svc:9090
+        isDefault: true
+      - name: Thanos
+        type: prometheus
+        url: http://thanos-querier.monitoring.svc:10902
+        isDefault: false
+      - name: Loki
+        type: loki
+        url: http://loki.monitoring.svc:3100
         isDefault: false
 
 dashboardProviders:
@@ -90,4 +94,5 @@ grafana.ini:
     api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
     tls_skip_verify_insecure: true
     auto_login: true
-    use_pkce: true
+    use_pkce: true
+    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'

apps/grafana/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: monitoring
+namespace: grafana
 
 resources: 
   - namespace.yaml
@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.12
+    version: 8.12.1
     valuesFile: grafana.values.yaml

apps/homeassistant/deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: homeassistant
-          image: homeassistant/home-assistant
+          image: homeassistant
           ports:
             - containerPort: 8123
           env:

apps/homeassistant/kustomization.yaml

@@ -13,6 +13,6 @@ resources:
 
 
 images:
-  - name: homeassistant/home-assistant
+  - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2024.11"
+    newTag: "2025.4"

apps/immich/kustomization.yaml

@@ -6,6 +6,7 @@ resources:
   - pvc.yaml
   - postgres.yaml
   - postgres.sealedsecret.yaml
+  - servicemonitor.yaml
 
 
 namespace: immich
@@ -14,20 +15,20 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.8.4
+    version: 0.9.2
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.119.1
+    newTag: v1.130.3
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.119.1
+    newTag: v1.130.3
 
 
 patches:
   - path: patch-redis-pvc.yaml
     target:
       kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master

apps/immich/servicemonitor.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: immich-service-monitor
+spec:
+  endpoints:
+  - port: metrics-api
+    scheme: http
+  - port: metrics-ms
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: server
+      app.kubernetes.io/service: immich-server

apps/immich/values.yaml

@@ -37,10 +37,6 @@ immich:
       existingClaim: data
 
 # Dependencies
-
-postgresql:
-  enabled: false
-
 redis:
   enabled: true
   architecture: standalone

apps/kitchenowl/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: kitchenowl
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - configMapRef:
+                name: kitchenowl-config
+            - secretRef:
+                name: kitchenowl-oauth
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "100m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data
+

apps/kitchenowl/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kitchenowl-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kitchen.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: kitchenowl-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/kitchenowl/kitchenowl-config.configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kitchenowl-config
+data:
+  FRONT_URL: https://kitchen.kluster.moll.re
+  DISABLE_USERNAME_PASSWORD_LOGIN: "true"

apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: kitchenowl-oauth
+  namespace: kitchenowl
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
+    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
+    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
+    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: kitchenowl-oauth
+      namespace: kitchenowl
+    type: Opaque

apps/kitchenowl/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - kitchenowl-oauth.sealedsecret.yaml
+  - kitchenowl-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: kitchenowl
+
+images:
+  - name: kitchenowl
+    newName: tombursch/kitchenowl
+    newTag: v0.6.11

apps/kitchenowl/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/kitchenowl/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: kitchenowl-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/kitchenowl/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl-web
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+  - port: 8080
+    targetPort: 8080

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.36.0"
+    newTag: "1.39.1"

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.10.1
+    newTag: 10.10.7

apps/minecraft/curseforge.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: minecraft
 spec:
   encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
   template:
     metadata:
       creationTimestamp: null

apps/minecraft/job.yaml

@@ -4,6 +4,9 @@ metadata:
   name: start-server
 spec:
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
       restartPolicy: OnFailure
       containers:
@@ -11,7 +14,7 @@ spec:
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
             cpu: "5"
           requests:
             memory: "1500Mi"
@@ -29,13 +32,13 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -43,7 +46,7 @@ spec:
         - name: CREATE_CONSOLE_IN_PIPE
           value: "true"
         - name: ONLINE_MODE
-          value: "true"
+          value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
         

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: grafana-admin-secret
-  namespace: monitoring
-spec:
-  encryptedData:
-    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
-    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: grafana-admin-secret
-      namespace: monitoring
-    type: Opaque

apps/monitoring/grafana-auth.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: grafana-auth
-  namespace: monitoring
-spec:
-  encryptedData:
-    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
-  template:
-    metadata:
-      creationTimestamp: null
-      name: grafana-auth
-      namespace: monitoring
-    type: Opaque

apps/paperless/deployment.yaml

@@ -55,7 +55,7 @@ spec:
               memory: "200Mi"
             limits:
               cpu: "2"
-              memory: "1Gi"
+              memory: "4Gi"
       volumes:
         - name: data
           persistentVolumeClaim:

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.13.4"
+    newTag: "2.15.3"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.1.5
+    version: 20.13.0
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: nightly
+    newTag: v2.8.0
     newName: ghcr.io/mealie-recipes/mealie

apps/todos/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todos
+  labels:
+    app: todos
+spec:
+  selector:
+    matchLabels:
+      app: todos
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: todos
+    spec:
+      containers:
+      - name: todos
+        image: todos
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 200m
+            memory: 200Mi
+
+        ports:
+        - containerPort: 3456
+          name: web
+        volumeMounts:
+        - name: data
+          mountPath: /db
+        - name: config
+          mountPath: /app/vikunja/config.yml
+          subPath: config.yml
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      - name: config
+        secret:
+          secretName: todos-config

apps/todos/ingress.yaml

@@ -7,15 +7,11 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
+
+    - match: Host(`todos.kluster.moll.re`)
       kind: Rule
       services:
-        - name: todos-api
+        - name: todos-web
           port: 3456
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
-      kind: Rule
-      services:
-        - name: todos-frontend
-          port: 80
   tls:
     certResolver: default-tls

apps/todos/kustomization.yaml

@@ -6,13 +6,13 @@ namespace: todos
 resources:
   - namespace.yaml
   - pvc.yaml
+  - todos-config.sealedsecret.yaml
+  - deployment.yaml
+  - service.yaml
   - ingress.yaml
 
 
-# helmCharts:
+images:
-#   - name: vikunja
+  - name: todos
-#     version: 0.1.5
+    newName: vikunja/vikunja
-#     repo: https://charts.oecis.io
+    newTag: 0.24.6
-#     valuesFile: values.yaml
-#     releaseName: todos
-# managed by argocd directly

apps/todos/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todos-web
+spec:
+  selector:
+    app: todos
+  ports:
+  - name: todos
+    port: 3456
+    targetPort: 3456

apps/todos/todos-config.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: todos-config
+  namespace: todos
+spec:
+  encryptedData:
+    config.yml: AgBRKmf5GSn6EcCH4r+I/lJkNiwZp0Pa/TFloYlPzqJ1aQWrTRDCLiljHYs1n/PTBWWv5SdWj+3Uvx4M+tzTXpRTp1dWomJ1C8pUDpf4N7SSZeAMoJxz5/mSUpA1YsYwiy/jhOzSsaeC80JX9WTXhCE5cnox/OUjcDf62vVg/7kgy8tHYpCSRmTGMah82642gP0/rlLpp+ctb29oYttmL0fWafHMRHgZYwkO1Ol7tmfbVOfr/bQljTQD3h/f0+ef2s3kDNtAkXSBAwHo6TfukB5bZi+pj3q3TLHAWU/belC38RZtIYW7trJf20WzbxxWKcS7rnQ8GHJqpbNgoWdnBQgP5OGHzySnQrdIAWLvOxw3JdJ8S1ZMbZfWASGpeIdfTI1p99Bhu1MGE3nnAzUCM93sLySE/mjjGDPdA9+Q7orgLGX3ct+w4deu1ABLR/HWxFYvPah11xs+MyzBFVh2rRj+MMzSWwQmbo+widmHWnzx6fjTiLd8eyGmvz1M9hBwFjqUTjbAR70S4xx2ALlYqAtbmJUk07PmTdTMhvokvaY5NX7Ylahx2oFE2q/FxMBwvPZVyI9tSbrZHEK9a67QaXnnwyfSqj3nErNkpdAa/zSJ9M6SG5cJrJvZCBn5cFg6pxtY65wZoj0GWMZ5kF2oqxDuekdjitWGMTp5q6ROJYSs/o3Lc/Abga9pSZYEtNrHr68tJuSeO61s9TjUftbkxkJ97/dwTfVQOd7aJui2EDp8NVcZg0CkEOgI7tt0nOEsll30RWS46QJwUbJM34FD646bpEk50K/GsIvFovKjZjtoCjeKczGdMpYS2XFwEMb8UjgSATxcVYjSWwvx+7prEChvoyVcg8Bi8ZEGcBVxSAD9fJu8PtyPBeijs7ZVwVyGGxiSafd3gAPU8spSuvbEDl/VZAKy9k2vrI2c/gtTqwaIasnBHudIbbNqDHlTlH8dk0z+kuNg/AzqheZWireMvBvgQ3TlHan0RN6+vVpZCY5XbzWkj/DEmoor8UfeuYt3GD7/JHniAorMPj61n2od7TLXmLunPG/B/zNpJCgJ8LgtUriDDZno99IDCXaZ/MO2+jppMaKizl83axxrv9HUTYDDgtX4RqLLdutd4i/AsOe0GgayFrOjUtDVOL6MKhX7dRJfbNsL5IcGEVZ1cdzcjjazoDpSlDdMC6E1XNS1NWprqUpmfjFPtFk1FWW3oRF3iEYUimngYvy6oTx3d70EZ+eOdEvp6A+aHbmG6fyEQb3AKYhMIOsn4AbKpDLjTsHiqWNGwT9ummS5kOLhnWBBB4ohDpCl4UMCtP61+1lhtx//Jne8QFAoq31MMFcCO2X3b2JfD6egLDc8Vwju6NHNy7jrmkponKqKxQPSs0w9Aj2biUBuFkMCiAik0Cf1fPk59bjJqs2ypwURDPAs1ShPoSU=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: todos-config
+      namespace: todos
+    type: Opaque

apps/todos/values.yaml

@@ -1,51 +0,0 @@
-######################
-# VIKUNJA COMPONENTS #
-######################
-# You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
-api:
-  enabled: true
-  image:
-    tag: 0.22.1
-  persistence:
-    # This is your Vikunja data will live, you can either let
-    # the chart create a new PVC for you or provide an existing one.
-    data:
-      enabled: true
-      existingClaim: data
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      mountPath: /app/vikunja/files
-
-  ingress:
-    main:
-      enabled: false
-
-  configMaps:
-    # The configuration for Vikunja's api.
-    # https://vikunja.io/docs/config-options/
-    config:
-      enabled: true
-      data:
-        config.yml: |
-          service:
-              frontendUrl: https://todos.kluster.moll.re
-          database:
-            type: sqlite
-            path: /app/vikunja/files/vikunja.db
-          registration: false
-  env:
-
-frontend:
-  enabled: true
-  image:
-    tag: 0.22.1
-  ingress:
-    main:
-      enabled: false
-
-postgresql:
-  enabled: false
-redis:
-  enabled: false
-typesense:
-  enabled: false

infrastructure/argocd/argocd-cmd-params.configmap.yaml

@@ -3,4 +3,6 @@ kind: ConfigMap
 metadata:
   name: argocd-cmd-params-cm
 data:
-  server.insecure: "true"
+  # server.insecure: "true"
+  # DID NOT FIX RELOAD LOOPS
+  # application.namespaces: "*"

infrastructure/argocd/argocd-oauth.configmap.yaml

@@ -12,13 +12,11 @@ data:
     # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
     clientSecret: $argocd-oauth:client-secret
 
-    skipAudienceCheckWhenTokenHasNoAudience: true
 
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email", "groups"]
 
     # Optional set of OIDC claims to request on the ID token.
     requestedIDTokenClaims: {"groups": {"essential": true}}
-    allowedAudiences:
+
-    - argocd
   

infrastructure/argocd/argocd-rbac.configmap.yaml

@@ -6,4 +6,6 @@ data:
   policy.csv: |
     # use oidc group apps_admin as admin group in argocd
     g, apps_admin, role:admin
-  policy.default: role:readonly
+    g, argocd, role:readonly
+  # all other user that might have entered via oidc, are blocked: deny everything
+  policy.default: deny

infrastructure/argocd/argocd.configmap.yaml

@@ -7,3 +7,4 @@ data:
   # switch to annotation based resource tracking as per
   # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
   application.resourceTrackingMethod: annotation+label
+  admin.enabled: "false"

infrastructure/argocd/ingress.yaml

@@ -10,8 +10,8 @@ spec:
     - kind: Rule
       match: Host(`argocd.kluster.moll.re`)
       services:
-      - name: argocd-server
+        - name: argocd-server
-        port: 80
+          port: 443
-
+          scheme: https
   tls:
-    certResolver: default-tls
+    certResolver: default-tls

infrastructure/argocd/kustomization.yaml

@@ -4,14 +4,15 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.12.6/manifests/install.yaml
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
   - argocd-oauth.sealedsecret.yaml
+  - servicemonitor.yaml
+  # DID NOT FIX RELOAD LOOPS
+  # - github.com/argoproj/argo-cd/examples/k8s-rbac/argocd-server-applications?ref=master
 
-components:
-  - https://github.com/argoproj-labs/argocd-extensions/manifests
 
 patches:
   - path: argocd.configmap.yaml

infrastructure/argocd/servicemonitor.yaml

@@ -0,0 +1,77 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-repo-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-applicationset-controller-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-applicationset-controller
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-dex-server
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  endpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-redis-haproxy-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  endpoints:
+  - port: http-exporter-port

infrastructure/authelia/README.md

@@ -0,0 +1,10 @@
+### Adding clients
+
+Generate a new secret + hash:
+```
+k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
+```
+
+give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
+
+}cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY

infrastructure/authelia/authelia-internal.sealedsecret.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-internal
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
+    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
+    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
+    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
+    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-internal
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-smtp.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    smtp.yml: AgAHiNwse+aFYVoun500VoUTUKg22yDSn+cD9pLO4HKG26nqmOxkiTSi5BELpzWouqHXiHNwYLEKPv13ZFJX6AFfFskspBfe+svLvLSzEvtH8kNCSJar0G5jcACEk27xcCxTN0nhmjc6L9lmZF8UUth7l5Mrsl0EG+79pCNYhUtjy16g7HdbmYgmgrY6d7VWCen2R4HZK4A9zPx+8HEsoMzUD0mG+uKKKfmqYaxJ563Gzp7trDcQRXd4tmea9MM8t+bk9TYCDvBj9JbsNuIdzFk8MArlvlesDYqiJj/8wny49NoVyX8vvGVDF3Y5s+OmKA9+MoBIYNc4oT4FLcc14wpnMnk5WgbKtTYfExcGTdTWuTTVWPsF18dvbKTU3C6dnf2kh9T8CydIdu27jwrBbChWffxNbh5nlLlQT3Xvogai8o6qhMn+EqTnw/u93OIxNzPEooVP349VVW/mlhGX3od/IlVzXiIlQIxL5EP2pRCXL2T1KONvkpbClJ/BTuwfjRZTXz3ZaRhaTPdBAZ+bpkRkt+kEAecjqaf9EF+pHy+dOaR4tIrwBWBbrAy47iV4e/Q60B97bRHzgo9N1uaYonGmyzmyVc9TXIkhf7PIlu/cSyDaHKdobVx0AA0p2usi5D1QYMcS9fngXyM1U9imO6QiYopysxQ9gJL8rfuySRJ/YQ6JJ71fLdMxsiQ0r21D7v7LEdJK5SKLovpnmPgk4PBoL9E4ZPE6g5zRXZFj1IxpKkOqRMpyBzBvas9Q1OFFs0Y79kGtyWIXb7Z2HGYmMU1us9Pm95xVF/V34sAtMIEz7qi+SaXQHFvyqbaiJ48U8qHhHL5y+lt9e8PGmQo0tRWfHMejs5BCcFAEZKDiif6zUEsjV/WC9WKO9NUjvRiu0CYCq5z9QzKaZQqWo0LPeM6DMY8pT3w4OqpJ/OLyMfbdoWT/uQ1JW5npApGifL0lhWRIkQHCG7oZA/BkJfbiexV8jwtToS+UX/s9HkbkuQ/O4zDte8qg/Xzh5TOj5AxlAPN6wGCwd6t1RTSITSKVMnTpFabkEvPYnGeiyWU8TrckvaKmhRUNoj2ZWQCCffHKp/bimEHxRqFnW6B+cu35reTjFc2dqp12EhCBR727G0EARx3Gt/LSdPh8OYt+Bs0rLaHiUrCJh4HRBJPmg0PARVwDL7OWx6pwtclnrALmfELKKaopy6yFctDogOtkvxHbL8DNhJqNuQJo6ttzlHhz4bnQcWb2K92HIw==
+    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -1,4 +1,3 @@
-
 ingress:
   enabled: false
 
@@ -6,45 +5,59 @@ ingress:
 pod:
   kind: 'Deployment'
   replicas: 1
-  extraVolumes:
-    - name: config-ldap
-      secret:
-        secretName: authelia-ldap
-    - name: config-oidc
-      secret:
-        secretName: authelia-oidc
-    - name: config-smtp
-      secret:
-        secretName: authelia-smtp
 
-  extraVolumeMounts:
+
-    - name: config-ldap
-      mountPath: /extra-config/ldap.yml
-      readOnly: true
-    - name: config-oidc
-      mountPath: /extra-config/oidc.yml
-      readOnly: true
-    - name: config-smtp
-      mountPath: /extra-config/smtp.yml
-      readOnly: true
-      
 
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
-
+  key: 'configuration.yaml'
-  # Enable the configMap source for the Authelia config.
+  # include sub-maps wich OVERRIDE the values generated by the helm chart
-  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
-  disabled: false
-  key: 'configuration.yml'
-  # do not use a pre-existing configMap
-  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
-    - /extra-config/ldap.yml
+    - /secrets/authelia-smtp/smtp.yml
-    - /extra-config/oidc.yml
+
-    - /extra-config/smtp.yml
+
-  
+  # many of the values remain default from the helm chart
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'custom'
+      address: 'ldap://lldap:3890'
+      base_dn: 'DC=moll,DC=re'
+      additional_users_dn: 'OU=people'
+      users_filter: "(&({username_attribute}={input})(objectClass=person))"
+      additional_groups_dn: 'OU=groups'
+      groups_filter: "(member={dn})"
+
+      ## The username of the admin user.
+      user: 'uid=authelia,ou=people,dc=moll,dc=re'
+      password:
+        # ## Disables this secret and leaves configuring it entirely up to you.
+        # disabled: false
+
+        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
+        # ## secret_value option below.
+        # secret_name: ~
+
+        # ## The value of a generated secret when using the ~ secret_name.
+        # value: ''
+
+        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
+        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
+        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
+        path: 'authentication.ldap.password.txt'
+        secret_name: authelia-ldap
+
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+    file:
+      enabled: false
+
+
   session:
     inactivity: '2d'
     expiration: '7d'
@@ -52,37 +65,195 @@ configMap:
     cookies:
       - name: authelia_session
         domain: auth.kluster.moll.re
+    encryption_key:
+      secret_name: authelia-internal
+
+
   storage:
     encryption_key:
-      value: 'authelia-encryption-key'
+      secret_name: authelia-internal
+
     local:
       enabled: true
       file: /config/db.sqlite3
 
 
-##
+  identity_validation:
-## Authelia Secret Configuration.
+    reset_password:
-##
+      secret:
-secret:
+        secret_name: authelia-internal
-
+        path: 'identity_validation.reset_password.jwt.hmac.key'
-  disabled: false
-
-  existingSecret: ''
 
 
-certificates:
+  identity_providers:
-  # don't use the pre-existing secret
+    oidc:
-  existingSecret: ''
+      enabled: true
+      hmac_secret:
+        secret_name: authelia-internal
+        path: 'identity_providers.oidc.hmac.key'
+
+      # lifespans:
+      #   access_token: '1 hour'
+      #   authorize_code: '1 minute'
+      #   id_token: '1 hour'
+      #   refresh_token: '1 hour and 30 minutes'
+
+      jwks:
+        - algorithm: 'RS256'
+          key:
+            path: '/secrets/authelia-internal/oidc.jwks.key'
+
+      cors:
+        allowed_origins_from_client_redirect_uris: true
+      
+      clients:
+        - client_id: 'grafana'
+          client_name: 'Grafana'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.grafana'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://grafana.kluster.moll.re/login/generic_oauth'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'recipes'
+          client_name: 'Recipes'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.recipes'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://recipes.kluster.moll.re/login'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'gitea'
+          client_name: 'Gitea'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.gitea'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'argocd'
+          client_name: 'Argo CD'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.argocd'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.kluster.moll.re/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'paperless'
+          client_name: 'Paperless'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.paperless'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'email'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'linkding'
+          client_name: 'LinkDing'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.linkding'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://linkding.kluster.moll.re/oidc/callback/'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'todos'
+          client_name: 'Todos'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.todos'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://todos.kluster.moll.re/auth/openid/authelia'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'kitchenowl'
+          client_name: 'KitchenOwl'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.kitchenowl'
+          public: false
+          token_endpoint_auth_method: 'client_secret_post'
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://kitchen.kluster.moll.re/signin/redirect'
+            - kitchenowl:///signin/redirect
+            # mobile app as well
+          scopes:
+            - openid
+            - email
+            - profile
+
+
+  # notifier
+  # is set through a secret
+
 
-##
-## Authelia Persistence Configuration.
-##
-## Useful in scenarios where you need persistent storage.
-## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
-## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
-## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
-##
 persistence:
   enabled: true
   storageClass: 'nfs-client'
 
+
+secret:
+  mountPath: '/secrets'
+  additionalSecrets:
+    # the oidc client secrets referenced in the oidc config
+    authelia-oidc: {}
+    authelia-internal: {}
+    authelia-ldap: {}
+    authelia-smtp: {}

infrastructure/authelia/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
   - authelia-ldap.sealedsecret.yaml
   - authelia-oidc.sealedsecret.yaml
   - authelia-smtp.sealedsecret.yaml
+  - authelia-internal.sealedsecret.yaml
   - ingress.yaml
 
 
@@ -26,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.9
+    version: 0.10.4
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.09"
+    newTag: "2025.04"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.45.2"
+    newTag: "v2.47.2"

infrastructure/gitea/gitea.values.yaml

@@ -1,3 +1,6 @@
+strategy:
+  type: Recreate
+
 
 ## @section Service
 service:
@@ -56,7 +59,8 @@ ingress:
 resources:
   limits:
     cpu: 1
-    memory: 1Gi
+    memory: 5Gi
+    # high memory should be allowed to handle package uploads
   requests:
     cpu: 100m
     memory: 128Mi
@@ -96,6 +100,7 @@ gitea:
     email: "gitea@delete.me"
   
   metrics:
+    # service monitor is configured manually
     enabled: true
 
   ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
@@ -116,6 +121,10 @@ gitea:
     indexer:
       ISSUE_INDEXER_TYPE: bleve
       REPO_INDEXER_ENABLED: false
+    service:
+      DISABLE_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
 
   oauth:
     - name: authelia
@@ -125,7 +134,9 @@ gitea:
       existingSecret: gitea-oauth
       required-claim-name: groups
       required-claim-value: gitea
+      group-claim-name: groups
       admin-group: apps_admin
+  
 
   
   # since we want to reuse the postgres secret, we cannot directly use it in

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.5.0
+    version: 11.0.1
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/gitea/postgres-password.sealedsecret.yaml

@@ -7,9 +7,9 @@ metadata:
   namespace: gitea
 spec:
   encryptedData:
-    database: AgB8FeAX7Dx/SO/deoqeIRNPMe7DwgKtwFznjntm9TNnEJQDLVVu+D80eolcrTTOhlZJZgtKvpM9xgw7DLtKG+ARACaPYgaMW2m4V/B87Z3xAU0DCF16sv9LVIfNA8KyQZWYthEcWLpqoB0zVFBrb2PxI8QIV22QkNG4oITMCv/Xjf7P+pTa6iWWSLdPcR2tQVfkHsdWWJvtLcrLkI7i+sWjQOW8tgV8QAcQr5JcxEjSgb3X1J3R1EEVHsPAqQcdpUB7eQ7T9SbIaIpTXw05Tant42GMgALVx2J5TAzqLPdaVaUlKVRoN26eVthYhY9qKbskXkXZp/0Sa/RxXoVHt1jMyZFicMzp5w5yC3DZd9gTtsZOrn21NS1QAVh6twB2bxtf7EHjpS5AyvhaF9qbbGkZtUh4IhFSOpd6bMGZLZqQMcH+Ih9b+jv0j3cLBLY0Bzsj4u5yLvoqhOBcxLoVnW3N3x248y3ZUWkO7hPwP+Lo5FOX/cmK9VHvn5ZhNWNNO9xv0LYSzhqnAvVyTgvAGLDTrZbnp36Q+JkqlhrhFQoQkXRQ2HHNU5CC+o59OL0RnshJg4UUed1ETmOPCJmcPZdKNvfUiW1PUB2AwDeWhRyN6wjwzreioSN6qHrxctXpEQohTwzGeG+rgG0tj9V3yHn1Er1j0pR6S9VJBkaQ0qnaInSthxSC5MkXTKXFmW8YfHQqXKmQcQ==
+    database: AgDONZUiFyHQLH3lq7vBovX5fqIDdxViQr8PFAh3hnHM8PqJpZ5MCkBL65hVuKmQ6EgrMj+0smPbfk9Rfwq42wFw+i2cgTgN69G9iMwp47+ng5GADPiQ2tIJQNFfqz9VQP0mmu9VXnckoBU0HXQmV21jkK2AKk5YHVLmIhu++1g8LjjYSBMP8iYiritOuyHbOn8OP26FmqBvnTCGg4pFzd/WIhsj7Zz9BeP+AOP/BTA+VZCOqBJJDzztHp9xYamcWslDX2snQG1Iw/rs4zyBVx+sWWPJgkiLmY1aRDnVYmwkh9RC81usrtrC9FZ6VYoxsufGj+Ie25hbbUukqKFuwk3V0dbZTRGa+4xHr7535fDYSxFm8/dkAyh8yM03VUy/2dhrtv9qWM1Yu50tcEoe/YoBdwItyNk/AELjfCvfXzwDttzsl85QVtSil+V6WRhpiQlH5EGhqSMzH9eduAddMrIEMQiSqn9J/vME5j7fJhgFs0bP7kqB9UKT6yTIU8QchRRUUYZwEFevLox01dRtJDoa8DVuO1G2LDZVUEoHrfEvFwzRGhuBH9B2yXAZLXgXbOreoiPi76xI0fw9VNXJ90KYcpwuMv8MykdNWQLsyCraf/WJIXMpm+UEVMqArJnscky0K1YHX6eQeQx0BU5hEeIAZucOwimSv2jJLqlBK/heiMgfp0pWu2lIu+tQ4AarkFsWNdbiBA==
-    password: AgB+i/mSHnQJnBpRu1cGwKzqrqoSzKfbGkxWTv57ozmiVkEendzudwKu+3MJQh9fHrBwUa0Cu2OqIzGqMQIwDKC5+LDiYAnDOfacu/VBX6mWVABIeg8fqU/PRqym/sGxJtcmwPdo8H8zJm+/vyPpLv4dkYYjHFkAhF3QShq1qMhfeaB/vd6ZNjQEfvCWX14V2F/RTq8skuwQkVQJoz9OsaF+KiTmKC7R1aeZaTUUCFIWGGIq9V2k3O7VAITGJanAT5IYo+epQf2HLsC2xyIUs9prk1rF0yUishgc2bsb4joPULl/G2VUgafH9SKQ37TFqZi2z20gVutrkLyuCMk25tW7m+z4+YCC/dJ9aW/31sFUwSnVhdYh6gwsnNP5GzSguAoOq+6izVD8hV2QzfdIYPrIZyADI7HY9o4LK8YuRS5KgJdaCU3kWYY+tVTSvkGFCWu5q/pBihBG2bN83asTHZcnkocMEvCaTsbPq2CN8/WCRZJs84M6CEzCioNmuGAmUU+fEF/MVEZtTI+6yCrJkOEHdVywtdLufNPGFut97XF+YvJZ1UZ6AW546JGmlmEMFukNHi1XDBm/mWL8e1H6xwLe6I9rwL6YTDrji3IixdERS+a6tq2vcksU5EjW9x9WYt6ctZD/cfhEFAvpssJLCs2vmjNgMhmilPoTppvXyUYnE4bCZuVFRrO/a+ogjXUU2nkqnyKQsA==
+    password: AgAp0473gvkk/8OFkxg59+LArAD7v8rRryOuYnScxkhJxSngXnnLXYr2iaeOMgjWryOPtWEWa0F6+hDaTtsp+vhg0X8rtdvyonV/I/I/K5rV70N/bao+kIf5LfcntZ6RjGaQtaeHjh15tY3LxmJ3PdJpDcLJXn1+iBsfTnEEsBFDKolD2RcXwH+74feX+Q8bG7KkAo4r0OfEaO/KC2FCC8vg/AHgzNUFL08mnK7DPgNjgNc3MYk/+Ey91LfvMD9NfuO1xrlsV6gy12gVwZV14kfAqHL4DvifmaHY14hScJC3tK6HqmSitKmNRcJZ3Ad2y7rS63X6DeaXmKFpDDYk69ubfVWBT5CWaBHfYHCWJqJITtoJq4PdLp7xRchRrZblqLUKnTrs8Dmry4qapa/uAma4k84ZSnFl6XeM8n8ZYpx3Tx91fwsYLCWiGX7AblFsEmzsT7jf0wTri7HYyNcF1s5YhL59ZO7iGzruAJRDA4BMrXWFrNjsDQrCR4FTYDIr4cR05mi9nPd2C5dAzZtARpBQZgr/lruE3GKgalYF0oxIJGYKcDbCO5pntAPpL/7rbhdjVtvpUg2d+wJYkVIn6zTaOmr0TCnMOzFPzwwbxrr7U8opfYcjep2XeVOfHKfitrgKwFCwO/CsbP+ao0b6PT7K9KGqrI5lVrEAO+pOU6s3Omgm3AJGzGEIzIXCnkeD2dYsRrfyHM0zQ23+iUyUk8x3XIItFe7cq34X935y+bbViqAQ
-    username: AgCS0tZPssPP8LFwMdTWrXd64oYKb/vmEH8ir+fnc7MgnPkW9kop+hF2X7/KIWTVNe1MAkreW40DxZ6/T4UO7gGTGv52BItcQp87Rr+RMZ5Y720bhivBC33zmDXlWR7TQDMqo733cdcWRnMDvCSvzKV1Mn18iF0VqhOlDZITcyConmKIWcuzzElt90iYtC9o3UIYw6crBD6l9ikrFwU1wH9mL+FdvM8fWG83qkbJGoaqjxj5FEgMXwXFUWVzUqC8dEe8wiHcyq7eeFpyXrF7/WtAiZOwPBy6EG4zFQoRSihR+qme+pZdXP+fHVzGrcBsMxjW4l16R1MmyS9PLpA3r+LdX81K7XHPEctNihrV4U1Dmb2fkANcP2SV95Moftb160WRkfR1cElHxOJs0kaKbZ0P4k74U2UFaZSVIEw85fYm1TE0C5qnpFKktOhOhSKcia+XGG58TQLuosQCYH+P1OZ1LbFfj9O/NBmqWnH2dBIRCC5Ba6b+nNpOQaSztMeEOCSCdYmglS9MmP34zzFjusZ8hAj7ebe25gCo1UCSxYR/xEjrGQsyXY9VB9IPjVO8F7Ms9ex3KITYoib5HcMFCvDUOKl3SOmsJmzf/ahufHXRr/NdPFAoqLU6sehcNAx8LKp/795h3N3PBqol/y9Kv4xbAquz8/qY0giHJfaWcKP/LuVZ81s6MvQlnqn/UWXWzQgNo/RbZw==
+    username: AgBInyjzij13Ea3HB2CPXENjd6g5dJ3j3p3hgbO7oT5ld/GFgcwgjkduq5D8edouDzKEcoPMrAAS0XX46d9l618ZMxxKGdNq+Yw8intpziaI5AB9xDPesP5+mjXw08Clf5GfTMQW9SqYbNVm+GGwIKo05P3Z+cLtv8l8jqqJbMmEMQ9Ir/gRgPVbpPKFC4zX4BTuIKpaRrPiyraD2hmGXrvDaFBIt8lSmLyEh3UclW5cTBJQIRnstBv8mbIRDf4zS/bJtQPknncVASBVVHynEauMTqd4+sPdG/8y7KYsrH3rfrXWLEecmiu9E7mgxw7M6qur8qoi88KX3Ydjngy56mj3nQQ8k1knc8I50cg6yT42Z6vaKeAoqtDzkxEvOlIzXZVwikPAuIf7B7VPZSE6qz7Xgo4QQ5FGONE5JnFGLosqSqEMnBtOXEZgHCrOerJo2f3Mw1fkaJ2OLnd93w97IODIM3LU8bVsRFbjiRYPbZiM2H5f6Rnsw3M7/qlkdmXyda4xnOeSp3i39UfSrtIAJO8HPo9lk+ANOBO7Q8SBAkFXH8V2Hva4NSKtPwmBZjtOGeUDB7Nfv2KT4jvQRBdlpfLtDMDzBmq2sL7ua2Uq5u6FDy0tAmWeU4m3GGSNlheVQZSfAW3+icvs/WlqotAloTy12Dq/H6DgcRI0W2V0bRxoIQ3z6N+cAHbL892g8wdPUFu9mSBZhA==
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/postgres.yaml

@@ -4,7 +4,7 @@ metadata:
   name: gitea-postgres
 spec:
   instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:11
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
   bootstrap:
     initdb:
       owner: gitea

infrastructure/headscale/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  headscale
+  labels:
+    app:  headscale
+spec:
+  selector:
+    matchLabels:
+      app: headscale
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: headscale
+    spec:
+      shareProcessNamespace: true
+      serviceAccountName: default
+      containers:
+      - name: headplane
+        image: headplane
+        env:
+        # Set these if the pod name for Headscale is not static
+        # We will use the downward API to get the pod name instead
+        - name: HEADPLANE_LOAD_ENV_OVERRIDES
+          value: 'true'
+        - name: 'HEADPLANE_INTEGRATION__KUBERNETES__POD_NAME'
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        ports:
+        - containerPort: 3000
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - name: headplane-config
+          mountPath: /etc/headplane/config.yaml
+          subPath: config.yaml
+        - name: headplane-data
+          mountPath: /var/lib/headplane
+
+      - name: headscale
+        image: headscale
+        args: ["serve"]
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        # env:
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - mountPath: /persistence
+          name: headscale-data
+
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: headscale-config
+        configMap:
+          name: headscale-config
+      - name: headscale-data
+        persistentVolumeClaim:
+          claimName: headscale-data
+
+      - name: headplane-config
+        configMap:
+          name: headplane-config
+      - name: headplane-data
+        persistentVolumeClaim:
+          claimName: headplane-data

infrastructure/headscale/headplane-config.configmap.yaml

@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headplane-config
+data:
+  config.yaml: |
+    # Configuration for the Headplane server and web application
+    server:
+      host: "0.0.0.0"
+      port: 3000
+
+      # The secret used to encode and decode web sessions
+      # Ensure that this is exactly 32 characters long
+      cookie_secret: "<change_me_to_something_secure!>"
+
+      # Should the cookies only work over HTTPS?
+      # Set to false if running via HTTP without a proxy
+      # (I recommend this is true in production)
+      cookie_secure: true
+
+    # Headscale specific settings to allow Headplane to talk
+    # to Headscale and access deep integration features
+    headscale:
+      # The URL to your Headscale instance
+      # (All API requests are routed through this URL)
+      # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
+      #
+      # IMPORTANT: If you are using TLS this MUST be set to `https://`
+      url: "http://0.0.0.0:8080"
+
+      # If you use the TLS configuration in Headscale, and you are not using
+      # Let's Encrypt for your certificate, pass in the path to the certificate.
+      # (This has no effect `url` does not start with `https://`)
+      # tls_cert_path: "/var/lib/headplane/tls.crt"
+
+      # Optional, public URL if they differ
+      # This affects certain parts of the web UI
+      # public_url: "https://headscale.example.com"
+
+      # Path to the Headscale configuration file
+      # This is optional, but HIGHLY recommended for the best experience
+      # If this is read only, Headplane will show your configuration settings
+      # in the Web UI, but they cannot be changed.
+      config_path: "/etc/headscale/config.yaml"
+
+      # Headplane internally validates the Headscale configuration
+      # to ensure that it changes the configuration in a safe way.
+      # If you want to disable this validation, set this to false.
+      config_strict: true
+
+    # Integration configurations for Headplane to interact with Headscale
+    # Only one of these should be enabled at a time or you will get errors
+    integration:
+      kubernetes:
+        enabled: true
+        # Validates the manifest for the Pod to ensure all of the criteria
+        # are set correctly. Turn this off if you are having issues with
+        # shareProcessNamespace not being validated correctly.
+        validate_manifest: true
+        # This should be the name of the Pod running Headscale and Headplane.
+        # If this isn't static you should be using the Kubernetes Downward API
+        # to set this value (refer to docs/Integrated-Mode.md for more info).
+        pod_name: "headscale"
+
+
+
+    # # OIDC Configuration for simpler authentication
+    # # (This is optional, but recommended for the best experience)
+    # oidc:
+    #   issuer: "https://accounts.google.com"
+    #   client_id: "your-client-id"
+
+    #   # The client secret for the OIDC client
+    #   # Either this or `client_secret_path` must be set for OIDC to work
+    #   client_secret: "<your-client-secret>"
+    #   # You can alternatively set `client_secret_path` to read the secret from disk.
+    #   # The path specified can resolve environment variables, making integration
+    #   # with systemd's `LoadCredential` straightforward:
+    #   # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+
+    #   disable_api_key_login: false
+    #   token_endpoint_auth_method: "client_secret_post"
+
+    #   # If you are using OIDC, you need to generate an API key
+    #   # that can be used to authenticate other sessions when signing in.
+    #   #
+    #   # This can be done with `headscale apikeys create --expiration 999d`
+    #   headscale_api_key: "<your-headscale-api-key>"
+
+    #   # Optional, but highly recommended otherwise Headplane
+    #   # will attempt to automatically guess this from the issuer
+    #   #
+    #   # This should point to your publicly accessibly URL
+    #   # for your Headplane instance with /admin/oidc/callback
+    #   redirect_uri: "http://localhost:3000/admin/oidc/callback"
+
+    #   # Stores the users and their permissions for Headplane
+    #   # This is a path to a JSON file, default is specified below.
+    #   user_storage_file: "/var/lib/headplane/users.json"

infrastructure/headscale/headscale-config.configmap.yaml

@@ -0,0 +1,376 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headscale-config
+data:
+  config.yaml: |
+    server_url: http://127.0.0.1:8080
+
+    # Address to listen to / bind to on the server
+    #
+    # For production:
+    listen_addr: 0.0.0.0:8080
+
+    # Address to listen to /metrics and /debug, you may want
+    # to keep this endpoint private to your internal network
+    metrics_listen_addr: 127.0.0.1:9090
+
+    # Address to listen for gRPC.
+    # gRPC is used for controlling a headscale server
+    # remotely with the CLI
+    # Note: Remote access _only_ works if you have
+    # valid certificates.
+    #
+    # For production:
+    # grpc_listen_addr: 0.0.0.0:50443
+    grpc_listen_addr: 127.0.0.1:50443
+
+    # Allow the gRPC admin interface to run in INSECURE
+    # mode. This is not recommended as the traffic will
+    # be unencrypted. Only enable if you know what you
+    # are doing.
+    grpc_allow_insecure: false
+
+    # The Noise section includes specific configuration for the
+    # TS2021 Noise protocol
+    noise:
+      # The Noise private key is used to encrypt the traffic between headscale and
+      # Tailscale clients when using the new Noise-based protocol. A missing key
+      # will be automatically generated.
+      private_key_path: /var/lib/headscale/noise_private.key
+
+    # List of IP prefixes to allocate tailaddresses from.
+    # Each prefix consists of either an IPv4 or IPv6 address,
+    # and the associated prefix length, delimited by a slash.
+    # It must be within IP ranges supported by the Tailscale
+    # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+    # See below:
+    # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+    # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+    # Any other range is NOT supported, and it will cause unexpected issues.
+    prefixes:
+      v4: 100.64.0.0/10
+      v6: fd7a:115c:a1e0::/48
+
+      # Strategy used for allocation of IPs to nodes, available options:
+      # - sequential (default): assigns the next free IP from the previous given IP.
+      # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+      allocation: sequential
+
+    # DERP is a relay system that Tailscale uses when a direct
+    # connection cannot be established.
+    # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+    #
+    # headscale needs a list of DERP servers that can be presented
+    # to the clients.
+    derp:
+      server:
+        # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+        # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+        enabled: false
+
+        # Region ID to use for the embedded DERP server.
+        # The local DERP prevails if the region ID collides with other region ID coming from
+        # the regular DERP config.
+        region_id: 999
+
+        # Region code and name are displayed in the Tailscale UI to identify a DERP region
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+
+        # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+        # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+        #
+        # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+        stun_listen_addr: "0.0.0.0:3478"
+
+        # Private key used to encrypt the traffic between headscale DERP and
+        # Tailscale clients. A missing key will be automatically generated.
+        private_key_path: /var/lib/headscale/derp_server_private.key
+
+        # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+        # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+        # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+        automatically_add_embedded_derp_region: true
+
+        # For better connection stability (especially when using an Exit-Node and DNS is not working),
+        # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+        ipv4: 1.2.3.4
+        ipv6: 2001:db8::1
+
+      # List of externally available DERP maps encoded in JSON
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+
+      # Locally available DERP map files encoded in YAML
+      #
+      # This option is mostly interesting for people hosting
+      # their own DERP servers:
+      # https://tailscale.com/kb/1118/custom-derp-servers/
+      #
+      # paths:
+      #   - /etc/headscale/derp-example.yaml
+      paths: []
+
+      # If enabled, a worker will be set up to periodically
+      # refresh the given sources and update the derpmap
+      # will be set up.
+      auto_update_enabled: true
+
+      # How often should we check for DERP updates?
+      update_frequency: 24h
+
+    # Disables the automatic check for headscale updates on startup
+    disable_check_updates: false
+
+    # Time before an inactive ephemeral node is deleted?
+    ephemeral_node_inactivity_timeout: 30m
+
+    database:
+      # Database type. Available options: sqlite, postgres
+      # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+      # All new development, testing and optimisations are done with SQLite in mind.
+      type: sqlite
+
+      # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+      debug: false
+
+      # GORM configuration settings.
+      gorm:
+        # Enable prepared statements.
+        prepare_stmt: true
+
+        # Enable parameterized queries.
+        parameterized_queries: true
+
+        # Skip logging "record not found" errors.
+        skip_err_record_not_found: true
+
+        # Threshold for slow queries in milliseconds.
+        slow_threshold: 1000
+
+      # SQLite config
+      sqlite:
+        path: /persistence/db.sqlite
+
+        # Enable WAL mode for SQLite. This is recommended for production environments.
+        # https://www.sqlite.org/wal.html
+        write_ahead_log: true
+
+        # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+        # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+        # Set to 0 to disable automatic checkpointing.
+        wal_autocheckpoint: 1000
+
+
+    ### TLS configuration
+    #
+    ## Let's encrypt / ACME
+    #
+    # headscale supports automatically requesting and setting up
+    # TLS for a domain with Let's Encrypt.
+    #
+    # URL to ACME directory
+    acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+    # Email to register with ACME provider
+    acme_email: ""
+
+    # Domain name to request a TLS certificate for:
+    tls_letsencrypt_hostname: ""
+
+    # Path to store certificates and metadata needed by
+    # letsencrypt
+    # For production:
+    tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+
+    # Type of ACME challenge to use, currently supported types:
+    # HTTP-01 or TLS-ALPN-01
+    # See: docs/ref/tls.md for more information
+    tls_letsencrypt_challenge_type: HTTP-01
+    # When HTTP-01 challenge is chosen, letsencrypt must set up a
+    # verification endpoint, and it will be listening on:
+    # :http = port 80
+    tls_letsencrypt_listen: ":http"
+
+    ## Use already defined certificates:
+    tls_cert_path: ""
+    tls_key_path: ""
+
+    log:
+      # Output formatting for logs: text or json
+      format: text
+      level: info
+
+    ## Policy
+    # headscale supports Tailscale's ACL policies.
+    # Please have a look to their KB to better
+    # understand the concepts: https://tailscale.com/kb/1018/acls/
+    policy:
+      # The mode can be "file" or "database" that defines
+      # where the ACL policies are stored and read from.
+      mode: file
+      # If the mode is set to "file", the path to a
+      # HuJSON file containing ACL policies.
+      path: ""
+
+    ## DNS
+    #
+    # headscale supports Tailscale's DNS configuration and MagicDNS.
+    # Please have a look to their KB to better understand the concepts:
+    #
+    # - https://tailscale.com/kb/1054/dns/
+    # - https://tailscale.com/kb/1081/magicdns/
+    # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+    #
+    # Please note that for the DNS configuration to have any effect,
+    # clients must have the `--accept-dns=true` option enabled. This is the
+    # default for the Tailscale client. This option is enabled by default
+    # in the Tailscale client.
+    #
+    # Setting _any_ of the configuration and `--accept-dns=true` on the
+    # clients will integrate with the DNS manager on the client or
+    # overwrite /etc/resolv.conf.
+    # https://tailscale.com/kb/1235/resolv-conf
+    #
+    # If you want stop Headscale from managing the DNS configuration
+    # all the fields under `dns` should be set to empty values.
+    dns:
+      # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+      magic_dns: true
+
+      # Defines the base domain to create the hostnames for MagicDNS.
+      # This domain _must_ be different from the server_url domain.
+      # `base_domain` must be a FQDN, without the trailing dot.
+      # The FQDN of the hosts will be
+      # `hostname.base_domain` (e.g., _myhost.example.com_).
+      base_domain: example.com
+
+      # List of DNS servers to expose to clients.
+      nameservers:
+        global:
+          - 1.1.1.1
+          - 1.0.0.1
+          - 2606:4700:4700::1111
+          - 2606:4700:4700::1001
+
+          # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+          # "abc123" is example NextDNS ID, replace with yours.
+          # - https://dns.nextdns.io/abc123
+
+        # Split DNS (see https://tailscale.com/kb/1054/dns/),
+        # a map of domains and which DNS server to use for each.
+        split:
+          {}
+          # foo.bar.com:
+          #   - 1.1.1.1
+          # darp.headscale.net:
+          #   - 1.1.1.1
+          #   - 8.8.8.8
+
+      # Set custom DNS search domains. With MagicDNS enabled,
+      # your tailnet base_domain is always the first search domain.
+      search_domains: []
+
+      # Extra DNS records
+      # so far only A and AAAA records are supported (on the tailscale side)
+      # See: docs/ref/dns.md
+      extra_records: []
+      #   - name: "grafana.myvpn.example.com"
+      #     type: "A"
+      #     value: "100.64.0.3"
+      #
+      #   # you can also put it in one line
+      #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+      #
+      # Alternatively, extra DNS records can be loaded from a JSON file.
+      # Headscale processes this file on each change.
+      # extra_records_path: /var/lib/headscale/extra-records.json
+
+    # Unix socket used for the CLI to connect without authentication
+    # Note: for production you will want to set this to something like:
+    unix_socket: /var/run/headscale/headscale.sock
+    unix_socket_permission: "0770"
+    #
+    # headscale supports experimental OpenID connect support,
+    # it is still being tested and might have some bugs, please
+    # help us test it.
+    # OpenID Connect
+    # oidc:
+    #   only_start_if_oidc_is_available: true
+    #   issuer: "https://your-oidc.issuer.com/path"
+    #   client_id: "your-oidc-client-id"
+    #   client_secret: "your-oidc-client-secret"
+    #   # Alternatively, set `client_secret_path` to read the secret from the file.
+    #   # It resolves environment variables, making integration to systemd's
+    #   # `LoadCredential` straightforward:
+    #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+    #   # client_secret and client_secret_path are mutually exclusive.
+    #
+    #   # The amount of time from a node is authenticated with OpenID until it
+    #   # expires and needs to reauthenticate.
+    #   # Setting the value to "0" will mean no expiry.
+    #   expiry: 180d
+    #
+    #   # Use the expiry from the token received from OpenID when the user logged
+    #   # in, this will typically lead to frequent need to reauthenticate and should
+    #   # only been enabled if you know what you are doing.
+    #   # Note: enabling this will cause `oidc.expiry` to be ignored.
+    #   use_expiry_from_token: false
+    #
+    #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+    #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+    #
+    #   scope: ["openid", "profile", "email", "custom"]
+    #   extra_params:
+    #     domain_hint: example.com
+    #
+    #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+    #   # authentication request will be rejected.
+    #
+    #   allowed_domains:
+    #     - example.com
+    #   # Note: Groups from keycloak have a leading '/'
+    #   allowed_groups:
+    #     - /headscale
+    #   allowed_users:
+    #     - alice@example.com
+    #
+    #   # Optional: PKCE (Proof Key for Code Exchange) configuration
+    #   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+    #   # by preventing authorization code interception attacks
+    #   # See https://datatracker.ietf.org/doc/html/rfc7636
+    #   pkce:
+    #     # Enable or disable PKCE support (default: false)
+    #     enabled: false
+    #     # PKCE method to use:
+    #     # - plain: Use plain code verifier
+    #     # - S256: Use SHA256 hashed code verifier (default, recommended)
+    #     method: S256
+    #
+    #   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+    #   # by taking the username from the legacy user and matching it with the username
+    #   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+    #   # to force them using the unique identifier from the OIDC and to give them a
+    #   # proper display name and picture if available.
+    #   # Note that this will only work if the username from the legacy user is the same
+    #   # and there is a possibility for account takeover should a username have changed
+    #   # with the provider.
+    #   # When this feature is disabled, it will cause all new logins to be created as new users.
+    #   # Note this option will be removed in the future and should be set to false
+    #   # on all new installations, or when all users have logged in with OIDC once.
+    #   map_legacy_users: false
+
+    # Logtail configuration
+    # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+    # to instruct tailscale nodes to log their activity to a remote server.
+    logtail:
+      # Enable logtail for this headscales clients.
+      # As there is currently no support for overriding the log server in headscale, this is
+      # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+      enabled: false
+
+    # Enabling this option makes devices prefer a random port for WireGuard traffic over the
+    # default static port 41641. This option is intended as a workaround for some buggy
+    # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+    randomize_client_port: false

infrastructure/headscale/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headscale-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`headscale.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: headscale-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

infrastructure/headscale/kustomization.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headscale
+
+resources:
+  - namespace.yaml
+  - headscale-config.configmap.yaml
+  - headplane-config.configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - serviceaccount.yaml
+  - service.yaml
+  - ingress.yaml
+
+images:
+  - name: headscale
+    newName: headscale/headscale # has all plugins
+    newTag: v0.25.1
+  - name: headplane
+    newName: ghcr.io/tale/headplane
+    newTag: "0.5.10"

infrastructure/headscale/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/headscale/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headscale-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headplane-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/headscale/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale-web
+spec:
+  selector:
+    app: headscale
+  ports:
+  - port: 8080
+    targetPort: 8080

infrastructure/headscale/serviceaccount.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+rules:
+- apiGroups: ['']
+  resources: ['pods']
+  verbs: ['get', 'list']
+- apiGroups: ['apps']
+  resources: ['deployments']
+  verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: headplane-agent
+subjects:
+- kind: ServiceAccount
+  name: default # If you use a different service account, change this
+  # namespace: default # Adjust namespace as needed

infrastructure/metallb-system/kustomization.yaml

@@ -10,6 +10,6 @@ namespace: metallb-system
 helmCharts:
   - name: metallb
     repo: https://metallb.github.io/metallb
-    version: 0.14.8
+    version: 0.14.9
     releaseName: metallb
     valuesFile: values.yaml

infrastructure/monitoring/kustomization.yaml

@@ -0,0 +1,33 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: monitoring
+
+resources: 
+  - namespace.yaml
+  # prometheus-operator crds
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.0
+  # single prometheus instance with a thanos sidecar
+  - prometheus.yaml
+  - thanos-store.statefulset.yaml
+  - thanos-query.deployment.yaml
+  - thanos-objstore-config.sealedsecret.yaml
+
+
+images:
+  - name: thanos
+    newName: quay.io/thanos/thanos
+    newTag: v0.38.0
+
+
+helmCharts:
+  - name: loki
+    releaseName: loki
+    repo: https://grafana.github.io/helm-charts
+    version: 6.29.0
+    valuesFile: loki.values.yaml
+  - name: prometheus-node-exporter
+    releaseName: prometheus-node-exporter
+    repo: https://prometheus-community.github.io/helm-charts
+    version: 4.45.2
+    valuesFile: prometheus-node-exporter.values.yaml

infrastructure/monitoring/loki.values.yaml

@@ -0,0 +1,86 @@
+loki:
+  commonConfig:
+    replication_factor: 1
+  schemaConfig:
+    configs:
+      - from: "2024-04-01"
+        store: tsdb
+        object_store: filesystem
+        schema: v13
+        index:
+          prefix: loki_index_
+          period: 24h
+  auth_enabled: false
+  pattern_ingester:
+    enabled: true
+  limits_config:
+    allow_structured_metadata: true
+    volume_enabled: true
+    retention_period: 672h # 28 days retention
+  ruler:
+    enable_api: true
+  storage:
+    bucketNames:
+      # don't care since we use the filesystem
+      chunks: NOTUSED
+      ruler: NOTUSED
+      admin: NOTUSED
+
+    type: filesystem
+    filesystem:
+      chunks_directory: /var/loki/chunks
+      rules_directory: /var/loki/rules
+      admin_api_directory: /var/loki/admin
+
+minio:
+  enabled: false
+      
+deploymentMode: SingleBinary
+
+singleBinary:
+  replicas: 1
+  persistence:
+    # -- Enable StatefulSetAutoDeletePVC feature
+    enableStatefulSetAutoDeletePVC: true
+    # -- Enable persistent disk
+    enabled: true
+    # -- Size of persistent disk
+    size: 10Gi
+    # -- Storage class to be used.
+    # If defined, storageClassName: <storageClass>.
+    # If set to "-", storageClassName: "", which disables dynamic provisioning.
+    # If empty or set to null, no storageClassName spec is
+    # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack).
+    storageClass: nfs-client
+
+
+# -- Section for configuring optional Helm test
+helm:
+  enabled: false
+
+
+# Zero out replica counts of other deployment modes
+backend:
+  replicas: 0
+read:
+  replicas: 0
+write:
+  replicas: 0
+ingester:
+  replicas: 0
+querier:
+  replicas: 0
+queryFrontend:
+  replicas: 0
+queryScheduler:
+  replicas: 0
+distributor:
+  replicas: 0
+compactor:
+  replicas: 0
+indexGateway:
+  replicas: 0
+bloomCompactor:
+  replicas: 0
+bloomGateway:
+  replicas: 0

infrastructure/monitoring/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/monitoring/prometheus-node-exporter.values.yaml

@@ -0,0 +1,18 @@
+prometheus:
+  monitor:
+    enabled: true
+
+    jobLabel: "node-exporter"
+    selectorOverride:
+      app.kubernetes.io/name: prometheus-node-exporter
+      app.kubernetes.io/part-of: prometheus-node-exporter
+
+
+  
+resources:
+  limits:
+    cpu: 200m
+    memory: 50Mi
+  requests:
+    cpu: 100m
+    memory: 30Mi

infrastructure/monitoring/prometheus.yaml

@@ -39,7 +39,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: prometheus
-  namespace: prometheus # needs to be the same as in the kustomization.yaml
+  namespace: monitoring # needs to be the same as in the kustomization.yaml
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: Prometheus

infrastructure/monitoring/thanos-objstore-config.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: thanos-objstore-config
+  namespace: monitoring
+spec:
+  encryptedData:
+    thanos.yaml: AgAqlul2V1idfgbWvq/0ljSFlxOOsQmwlGd+jRvDDyi1nlR8woHrp7lW6AxJ/8mBtb5htCuJzLgx+HVrN/EN+fRn5xG3D5+8xs4jWBOQ49MgLSAjJavFPcVY5xiBpGaw/N8aotlbfv6Wa2/+cmiAzVDPwnOj5zCS/EU58Tu2YFeVSbMUlu0NFAeyBW0DVT2enuVLToP4Ge4T0U9F99NHOh2zlVG82iI+4RxCu/WBkOU/urVleGwCYkcr/ItmXiwRXbwnWUtEUf28Q4ArpuZXFkKZUMoIwOjkXgOn/ySBLVvf0yy1+WOcYAIX9ouxu6i4T1GAZO9RnKeMJOIyebI3EOMA2dxQFpQg2/XhhHz2Ds2oDX/yr7vXbZJGyiCvTnnFUvFALKWIjRXXWphdqHDk6iP8tFIKVFsn7UxgMVFRcs6DmcMpBgFOcjpHr4HFZap5G9hI3cscmkNfwU+JOXkDEGRpZkkECza4wlQln8Wptq1qa+I+DSclqLOcvoEvNCJCIIgh5tINJ0KiZcrBvymUZZ9VduH4TFHR/UQK7M7It892TDNUlIp2UDWiuQ2DJysOJXmvSiNo8PGWSyDJwKJPhaWqXz9RUsb4D8gq/a+0qC7DOICrJEUj7WL8dwaKoQa32Cf+wopwrjFWSE7pAfiBJo+Dqa9jHIDv2hVsdU8NXqiFK35XHyUT4i0KWc+UZg4ObotGxYMvRtJuc3S7ZGTJ4YKDP5iThuNSuNd1pd1YjirpvVtL2o5BYh2i55F3DfVREofYpBCjK1e43mHOwEUYZ7Ff6p1+S0PXZnkL53xHMiiW3yr0v1g2ZYk7vzkENb9epzm24fNX/4ZiJdb0glEJmB674bgDSeh9PA5q8nJIKk6vsbrzfaAYWIn5Ai9MPbAVfg9pPkMyy9ydd+SqecujkWm++4dHqB1WJUg=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: thanos-objstore-config
+      namespace: monitoring
+    type: Opaque

infrastructure/pg-ha/README.md

@@ -1,3 +1,23 @@
 # Rebuilding the kluster
 
-When rebuilding the kluster from scratch, the CNPG containers 
+When rebuilding the kluster from scratch, the CNPG containers will be considered as new and will be set up according to their `initdb` config.
+
+Since most of the clusters here are formally defined as a fresh clusters, the following will happen:
+- in the relevant PVC the `pgdata` folder will be renamed to `pgdata-old`
+- a fresh `pgdata` folder will be created
+- a database with RBAC as defined in the `initdb` config will be created
+
+This is problematic since the PVC content is the actual state of the database in the present setup. In order to get back to a functional state, some manual intervention is therefore required.
+
+1. Bootstrap the kubernetes cluster
+2. Wait for the CNPG containers to be up and running - they will be setup fresh at this point
+3. follow the procedure from [https://cloudnative-pg.io/documentation/1.20/declarative_hibernation/](https://cloudnative-pg.io/documentation/1.20/declarative_hibernation/):
+    - hibernate the postgresql cluster
+    - wait for the pod to be shut down
+    - copy the `pgdata-old` content to the `pgdata` folder
+    - de-hibernate the postgresql cluster
+4. The database should now be in a functional state
+
+
+
+Also see https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Controlling-Resource-Modification/#preserving-changes-made-to-an-applications-annotations-and-labels

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.22.0
+    version: 0.23.2
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/prometheus/kustomization.yaml

@@ -1,20 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: prometheus
-
-resources: 
-  - namespace.yaml
-  # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.70.0/bundle.yaml
-  - prometheus.yaml
-  - thanos-objstore-config.sealedsecret.yaml
-  # thanos deployment from kube-thanos project
-  - thanos-store.statefulset.yaml
-  - thanos-query.deployment.yaml
-
-
-images:
-  - name: thanos
-    newName: quay.io/thanos/thanos
-    newTag: v0.36.1

infrastructure/prometheus/thanos-objstore-config.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: thanos-objstore-config
-  namespace: prometheus
-spec:
-  encryptedData:
-    thanos.yaml: AgByW/LKzPh0QeNsHR8Us4bJ/0chIQErhfh5plY1tjqiZyNLlxZ+NygYYzVggW02k4gAsKs68trbLBbeTTEhpKYP8hUphNb13lrgp07wYpOQjUF57i6RjPM2QNJpO0qLSk/nOPIOtR3XKn+nXxdJDmh3j5y0zxVz5O7MLh7adwOaHlyWTLMJjI1cda8YljDp2FYs24lHHMw4gXAYUecGDJNQqw5Xy9IiGh8kBbcKe3j6bVCj1yxPbHszmvZ2s+Q+mnndXnoeLMhwjZhMF8/PETxmSZ2bs41k3lHm/2rcPQCJsl9CuJEGKhu6ndKrVhtury4/US/FheEOoGF0YZk/AQMHII/mxy8haPNxtQTDs4rfYz/BA8cMMZll44wxOY9gAOmhm3sG6GI9wcB1Z65p98xSuDaInknO80l07vwMAAvmrZbT53Fmefrxl+jE1pImcGEsL0MfP621nTXlOBW9keF+6aUOubrwjPKKSXdqZU21acNbaIeRQSJyaOBStAKLfnPFmaryGisgNu0hCk/WmszZ0/s/ilvdMdAD6kKoiKL/NWfXtHATh/fnd76bKfSzNQk6e+WWfomToYVU0HRgAaWnIzjB9Q4tjxkbRwteEodU+K1BvD4xQ0sfQB2vHlDjQGC3pjIUFCWG0SzQGb7oe6+X2CJpcNIBHwF661iELJpJkg8dLsPtwb+8Rj6BL+ZtyVKYv18nDNON0WVpwJb/IHHSmxfYD5b/q6fATCFj55IXK5Nr4VO65a2Sv5Iv0/TTUVkwb8dkMmwfs5qcQiZ4oKWx8Ol6GkjDZrFARUtHQ/9KiZ9xDj3tPic2TeQfKr27sgc4lEL8RSxaRKHkkxIAioea3YgFfBm7ZfoxMlzJnQ1vI2vDvJcRXhWKSGdXiKOddwLSVMZFsSRRi9AxH87Sjt7j1wvsA7xgBqc=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: thanos-objstore-config
-      namespace: prometheus
-    type: Opaque

infrastructure/renovate/cronjob.yaml

@@ -3,7 +3,7 @@ kind: CronJob
 metadata:
   name: renovate
 spec:
-  schedule: '0,30 * * * *'
+  schedule: '0 */2 * * *'
   concurrencyPolicy: Forbid
   jobTemplate:
     spec:

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "38"
+    newTag: "39"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.27.1
+    newTag: 0.29.0

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 33.0.0
+    version: 35.0.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

kluster-deployments/authelia/application.yaml

@@ -16,3 +16,8 @@ spec:
     automated:
       prune: true
       selfHeal: true
+  ignoreDifferences:
+    - group: apps/v1
+      kind: Deployment
+      jsonPointers:
+        - /metadata/annotations

kluster-deployments/grafana/application.yaml

@@ -1,22 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: prometheus-application
+  name: grafana-application
   namespace: argocd
-
 spec:
-  project: infrastructure
+  project: apps
   source:
-    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
     targetRevision: main
-    path: infrastructure/prometheus
+    path: apps/grafana
   destination:
     server: https://kubernetes.default.svc
-    namespace: monitoring
+    namespace: grafana
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
     syncOptions:
-    - Replace=true
+      - Replace=true
-    # because the prom crds exceed the default 256Ki limit

kluster-deployments/kitchenowl/application.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kitchenowl-application
+  namespace: argocd
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/kitchenowl/
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kitchenowl
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/kitchenowl/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml

kluster-deployments/kustomization.yaml

@@ -20,7 +20,7 @@ resources:
   - traefik/
   - external-dns/
   - external-services/
-  - prometheus/application.yaml
+  - monitoring/application.yaml
   - authelia/
 
   # simple apps
@@ -29,16 +29,17 @@ resources:
   - eth-physics/
   - files/
   - finance/
+  - grafana/
   - homeassistant/
   - immich/
   - journal/
+  - kitchenowl/
   - linkding/
   - media/
   - minecraft/application.yaml
-  - monitoring/
   - ntfy/
   - paperless/
   - recipes/
   - rss/
-  - whoami/
   - todos/
+  - whoami/

kluster-deployments/monitoring/application.yaml

@@ -3,12 +3,13 @@ kind: Application
 metadata:
   name: monitoring-application
   namespace: argocd
+
 spec:
-  project: apps
+  project: infrastructure
   source:
-    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
     targetRevision: main
-    path: apps/monitoring
+    path: infrastructure/monitoring
   destination:
     server: https://kubernetes.default.svc
     namespace: monitoring
@@ -16,3 +17,6 @@ spec:
     automated:
       prune: true
       selfHeal: true
+    syncOptions:
+      - Replace=true
+      # because the prometheus-operator CRDs are too large

kluster-deployments/todos/application.yaml

@@ -13,20 +13,6 @@ spec:
       prune: true
       selfHeal: true
   sources:
-    - repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
-      targetRevision: main
-      # path: apps/todos
-      ref: values
-    - repoURL: kolaente.dev/vikunja
-      path: vikunja
-      chart: vikunja
-      # corresponds to oci://kolaente.dev/vikunja/vikunja
-      targetRevision: 0.4.3
-      helm:
-        releaseName: todos
-        valueFiles:
-          - $values/apps/todos/values.yaml
-    # creates the namespace etc.
     - repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
       targetRevision: main
       path: apps/todos