fix sealed secret

.gitignore

@@ -1 +1,2 @@
-*.secret.yaml
+*.secret.yaml
+charts/

README.md

@@ -8,16 +8,15 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+4SlRIV9wOKYZbBrPuW18K6GGjnDEviCYQvGQuKOm0
 ```
 
 ### Initial setup
-On a running (but otherwise bare) k3s instance run:
+On a running (and sealed-secrets installed) k3s instance run:
 ```
 kubectl apply -k infrastructure/argocd
 ```
 This will install argocd and CRDs in a dedicated namespace along with the app-of-apps configured under `kluster-deployments/`.
 
 The app-of-apps will bootstrap a fully featured cluster with the following components
-- postgres instance
+- postgres instance with backups
 - backup of all nfs PVCs using restic
-- traefik along with metallb as a publicly accessible reverse proxy
+- traefik (along with metallb as a publicly accessible reverse proxy)
 - an nfs-provisioner creating PVCs on-demand
-- the bitnami sealedsecrets-operator
-- a range of selfhosted apps
+- a range of selfhosted apps

apps/adguard/deployment.yaml

@@ -28,7 +28,7 @@ spec:
         env:
         - name: TZ
           value: Europe/Berlin
-        image: adguard/adguardhome:v0.107.7
+        image: adguard/adguardhome:v0.107.41
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

apps/adguard/ingress.yaml

@@ -1,42 +1,15 @@
-# apiVersion: traefik.containo.us/v1alpha1
-# kind: Middleware
-# metadata:
-#   name: authentik-auth
-#   namespace: adguard
-# spec:
-#   forwardAuth:
-#     address: https://adguard.kluster.moll.re/outpost.goauthentik.io/auth/traefik
-#     trustForwardHeader: true
-#     authResponseHeaders:
-#       - X-authentik-username
-#       - X-authentik-groups
-#       - X-authentik-email
-#       - X-authentik-name
-#       - X-authentik-uid
-#       - X-authentik-jwt
-#       - X-authentik-meta-jwks
-#       - X-authentik-meta-outpost
-#       - X-authentik-meta-provider
-#       - X-authentik-meta-app
-#       - X-authentik-meta-version
-
-# ---
-
 apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
+kind: IngressRouteTCP
 metadata:
-  name: adguard-ingress
+  name: adguard-tls-ingress
   namespace: adguard
 spec:
   entryPoints:
-    - websecure
+    - dnsovertls
   routes:
-    - match: Host(`adguard.kluster.moll.re`)
-      kind: Rule
-      # middlewares:
-      #   - name: authentik-auth
+    - match: HostSNI(`adguard.kluster.moll.re`)
       services:
-        - name: adguard-home
-          port: 3000
+        - name: adguard-adguard-home-dns-tcp
+          port: 53
   tls:
     certResolver: default-tls

infrastructure/backup/base/cronjob.yaml

@@ -18,12 +18,15 @@ spec:
           # run after completion of initContainers
           - name: ntfy-command-send
             image: curlimages/curl
-            command: ["curl"]
+            command:
+              - /bin/sh
+              - -c
             args:
               - >-
+                curl
+                https://ntfy.kluster.moll.re/backup
                 -H "Title: ${OPERATION}"
                 -d "Finished successfully"
-                https://ntfy.kluster.moll.re/backup
             env:
               - name: OPERATION
                 value: "PLACEHOLDER"

infrastructure/backup/postgres/postgres.sealedsecret.yaml

@@ -15,7 +15,7 @@
       }
     },
     "encryptedData": {
-      "password": "AgBKXybtQWxHVX0UeQ9z5VOSJp9dadp+j+8VxBzyh37BdfLA9l5YppOWgK2RpmQmFmcrrxr7u2SgyJ4rP60n0r8LHLcmPTXAUJe5b07HTVOLn8Q4C9ObEkWVXBycmI5Kc8vHZ+OW8T3s/QqrnLIlQPOq56mjsWjO24O/72aUl4IzlrSq3NYPAMpQOwfgoam/4ZaHed6+Im40eQalkEWRlk5KOkSayWsrNJNccAhnZ8JapCP25pVVfz5xJc9286jNqTCgGt1Ez3xTXbd3LPI2QgeonIPU9zqlXeQgjS/UuAIuKyEW7ypD2/7lLoU1Yk4XMzIreVSrYgfy7ylnC++FPZBI+32/ocbEgpXPX9O/gb2tQLANVEn9BwVyPe3MW/vB63ryyfhtrPQbNJCJNnwKlsoS+HcVYBGAAtjdUYD4/2fKabH7Th2SlMIJvGBwhxpJo1bnblHoTUQ/Ao5gaUIcZC0qCnd9ZKVRKwtFsJrgqnEAapd9dNdDu9RBxVKAUa0TS+ahnXBaC87lvydb/9PxLz+J7E27oInt9coFEHpaZFNdt0QJXUqs3DF0JO7ll3wC+R1iDUWRY3NKf/bpiGgkwk3VtUkIXcW5biaD7lF8inrLVzktvQGET/CbYre5ws9qj5xF4NUYUivYexiP8isScnbrys671GizUjxFoPQpWotEHmZ9DNsIYOF3OvewKjDllpo1izKmY1Y="
+      "password": "AgBZViaCuD8Zm/nkDe95xVZXgeRVJ0zE64e8efigBrkM+XUT9ber034QY5USZWalJ8nC930FB5t4N96D+LyWWXiLrYQvnYHpsi+wxJd3H/EimQo1IJ7XKNHxRC226NGX8ugb9Lez71IZaldyK3tAX0yoQ5/j304+mzetP/535EKYjZ7NucYE7KMUDsb5JsAaswd2H5fIl61PK/lEVN9AJLIo9MKL0zbGDOJCh1WNG6bUn0oi825R9AT80QulXFl/qxBHQT8R/u1AIqJDnrhLf8CiMBCs60K4D/A/F3uFwzsfGF4t2tDrowbPnGL7abAfe+DeHW8WSQoiMQWe/rTb4mnaErRNWSWmSwOcFNtUt9QQG4LvH44RTLaXKxbNfZphsNtBYk+F8SPngOok8FxoyycwUwDbA5clCt/Kh9bMOfUQpXrPc/rfXR5FO23kxM8h2pfC7QYNej0k3LexcikdQrpqRj9yMAVMSI7xF35Tfc5buqasIDlgRxTSi2Pn/fAFIK3QqY7YQWZOYzuD3w6aTUx0trmHNTycmotKV/kbni/ZOMmf6NMGbZs5R3VbmA1vFtdp9YVD5dJ0t0aTXTdNuWjeC0+vQF0lnXPWonRYf65e8KOwcuDjTYU6ghDfQPngJ01FFoTgiF+X/1iZ+7uvIeIULak8dMIQz6CqfrCkahkimz5u2c+b3ZPlNnXRyPmZE/1JscLXaKuXvg=="
     }
   }
 }

infrastructure/renovate/cronjob.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: renovate
+              # Update this to the latest available and then enable Renovate on
+              # the manifest
+              image: renovate/renovate:35
+              args:
+                - user/repo
+              # Environment Variables
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - secretRef:
+                    name: renovate-env
+          restartPolicy: Never

infrastructure/renovate/env.sealedsecret.yaml

@@ -0,0 +1,28 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "renovate-env",
+    "namespace": "renovate",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "renovate-env",
+        "namespace": "renovate",
+        "creationTimestamp": null
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "RENOVATE_AUTODISCOVER": "AgCi+SttRaCTLc7WgBxUiYS56TFgY67zBsMDtRSYbCSXs1XpoTyzOiT0X1gRki8VkGUiI4KQSu/Tph5qbgLnmqrGi7SvzMYzz+vuvPNH9vTPHNnuu92deG1MOxzogybmu3utJyybImWCiv1r7huZuKOLnBhs+r3qC+tImQ6ZcBSvSvVzTQsX5MIed68Xhkx/ZJkoDMAI7MkqZsNsWZbbuQ2HSBpnAkcgUTey3nbO3168aV4Pa/fQhomyTp62v71lVmoYtPmElCrhJUCOlMSSqKxv8zNSCiZImJRTszb1+VeJF2OrfGh8PK6qVWBlY0COiy/VXuVPgJLzPmUJD5yv0qTWITh0c23N4KahNrTfx6l96ctQWY6pU9dJo8fnMLBR4RLxVnQiq8vVDrwFytzQkLtj1E1SP/DCKhk84b2ZfPji+y4teQN0L68VQeZJCvzsxzgkksqDfatOxMyAmx1prkuNM1AlUmYuba8mDvLeViSWxk1pS+qYiaZTAl5GSVHDWSCU02HmoQkmUsSfvEgHUna4Jp86io0GXAyTXjidJf+RpbQ+dTNXAL+m1/3HxhlSDG48idclJJ0oIedF/FzVD53B6QvkqGqAypYrHm4A61DZLSZrvTYE4GuHXKbF75rbvktnC07sTMm/a1tr4zym9Q7ngG3NtDA+WrCe4P/e8m+tO1GwRuC2OW2owWrhpAelAQEu0Ten",
+      "RENOVATE_ENDPOINT": "AgAZuBCJeukXw54Na4CR8hJT/OW4KnO7ztLk2IGFGknkwFv7olxfE8X/j9IDps+EKL5Sq0I27jq5ZYaAg8i7mmrF6IxeC25Ri2nhl9/vIzFs6h+UtbBe7Yqel7ysnQ/wZ9+cOfedOr0vO7s4edYAKwmmHNDwKFG/YwXs4XyfS/f5lMQ3W3Ecu0ML9z0wfzzzjbixaE4jPHEkTD6FegiP3tPN1xoU3hQO91Sv46hZ5eh7dDwXwH8BU6GUUb/nKeIGrKekQVrBxDt867A+sRiRtcSvhMxg7w9fFV+CyY4z9cehOUwh/Mf6BTANIoGXCFdWZcWP8RvnpkcDTaolhlKkBZ3CHbyGUPdtENVK/0mPyWC8lss2BXIl5bV7SGoTIlCxWLOdfP/RIGL+1FcpDg+n/H46jeDI+4vSWZapu8jGAaDTlDtwMvq3XbKHcpjBmIr8aKG++LU8gNrGf+lhulbFjn+VZC26+M/aGVrY1U7rOt7HTF/L1Q40k1J6IDbpsX08UiacQwvIpcgs6RZ0bdng2xY+3kEfdFVxwKGwHkL3LJrxb09P3WfSEDpV7aTh/dhXwVCfRJpiTeOopiZMRH4etXNmLPoZi2E+NZSAnYVV8BuQAS0ETopTu8WKK41+yr2r0PXbiYBLElji8ckfnMaA5//ocgwUqtaBTNs4duKRfUI6f1tunZWvlkwzzU++ib5pn81D35dYFrN9cM7I/+P6fCaUt2yYaJHzQtcNvrn0N/P6zYHI",
+      "RENOVATE_GIT_AUTHOR": "AgCtYOZW5mAfiMqhx4CZfPFCtT/MSMmnYOWG210yrac88zx1epHgMlaVoZ1eD9l5kIjOw86QoYLHCOXFm/aE88BbEmuCWG3fh+/sHiXgztBHwOaHBd9EkS48/aVRx/CeapNfjtqB9HpvdV4uD9/zxfRz9+f1kQiibW4cy5Jmbd69L1i4k1h4NW/9LdznBZGIaw4XM8At5sXYNfetQH/IG7OJCwZ+nG/ESfHayF2p0s44R+lkDVHNcy7193iznfFHZjgZ13dr3Sy14JNPmrRba0ySRkcsXW8+oiUckKqaW6SMFNxev5o0ys1S8dothyxDJIPeKfRLVnqkO7aWsQqpVQVFnXBCs1bA1A90gkpMow1qm2WDAa80qI79GZWbNWOyHUzt0Y7UcjPcVyiJjd2DhWBVA8vn9UGhj7FN2vU2L0zrB3DDTYP6dKmVCo61Z2P3RGP7+BFk7+bIb65cE+LZvDhM3ED94aTuZ+ol2pQWzp/Kxle6zGznS7NZ1Lb04997UKW8isrebmYsALh3ljXmcgB4X/jH8F29wqeAMsY0ystotzeRZ/rtB06qa7qmlBkYXBY5sV8GqohAxRotr6I+CKeFIf9wm4DBQaVMc7lJqstvuCA5G94Rh30QRGMInfRW0vaXukhLMpuOYtBSXLNjlYFRLxTT7tjUJdhyQqbdTNRHNIA4noABoXIXPCscpAGPhgNipoiOfadmsNZEhf/rBlAZtDTSOg19LV82RwfJ3lhB0eDp",
+      "RENOVATE_GIT_URL": "AgBzTC6keBSA+o7Ppfj/af7D+ebwpbDkIH7Vv8oRePPWvnbamtzcTmsamjW11Xn0w6eRGYZm6cnbP9GnGnjn6/VyCFpl+jTUm/pZNQjthpm4VEi3stvQtt9TdSnguWZILWbb60JwFQcBVNdyOlj+ow/yD39LgK28McOfSHg5zw93IX8OkqqHyI2VIZ53u5xtARTL04Hni6/KF8qY6rjukncV7pwn5y+zWvcfMICmBiazI1FJjuj6O3jznDffYmvOUOOaxCQK82OipY5zGg3sznjdJnXt6emAznO+i0NIc9xYl5qWWm9onXdjLxDzoLjxdQQNwQ2JNvROCeWs7E7LZzcUYhjfhNUBTRZb3Y1mqH4OcVKauEZcKhp5kFKM2gwI1SutGmZltMjCvbnEav7Hjp0ZQN4ybIP+yJVNNTpUtSw7sdu3Ectoe7rsSBOPgT8fQvLeWyqLL/cBxkOnmsVBmt7tTfgBmrodhYM/p2Fl1MFpxNQQsXDB7PdArs3s6ZQrgWmvvuZAk73knUxWL9vGZRJU6EbXb6clPrLNJlNz8xJjCvub4o2U8rykhTV6n/g/IgcO0GKm/vDijWgaktFS9zzQLWdpdyV2ptAbPm2o0CWW04WBxthhY8NOG7C2HcRWB9IvZByED2ghLDXA9Rzcn7VfP7Qo9ed7ZoJRlChwmY8kcFS2lccPvqKzV+oQq1cQkWpIyMzv+TZK0w==",
+      "RENOVATE_GIT_USERNAME": "AgBfBA0vZhMRs7SU2zMaVzYzCQ01q4wVBfU0YkYbs8WrWAPVl+1DWt+c7q5XaBU5QG3hXCZKiyXTq8nldTT06zXswd41DuYN473c3de2PJwuLpyC3Kxp40od7flcMiUOGznm8MlPtn/SteN4GDIifud7y0sawbvNsm5Mfqu6aqMRQamzhxnJw/hUXXd07O5G1A1QXYmSiWLKAGykjdOphad/OScW+gJ+gNjnh2RsFhrUxZqP7Lwa7echhTkMcVmfFX0BQFK7pRbAKqQwxFBWWRbFQvfdYTqOqkkYa4abEUzNz8rcVbsDTIGVJHUGxMWcy2CkqjeeAYFO96NIr34LQ92gF+in6EQVZhKmbdOWDFhV7mrV84Wew7qJLnzWVNOAacm+E1cSh1pWBX71SIJ9oTHm64Lz8T6+YLR/WxbETMKs+HoYBZRnyISOTMtnQFOyiC9rPhBpUFtC8Q7UuQlntiXubz/JtXxu1mbT1Rq69y9QDRObIE0597XxOrxMCuwCOWU27SrbQd3ne923d1UmSWpaN8O5DYuu5GTJQuG6C669uBzO6L9f2iL7ykLZTcs37i7rAzLqBjWKwCm6zyz2MdztXhllJNgblYB943Whx8Rw9GbAZnmapQ8DAd5fzPaR6FjhUuZ/C4XnmhsQ8h81iCssWiI/sXW1Jl68mP48/aMVXDJCar+9avMls+p7pYjt7g+/RHQ6SehqmA==",
+      "RENOVATE_PLATFORM": "AgAWNczM1n5N2YtAFClfIRRJ3l1iP34fSP/dx+ffbtDsfQJvp8EqJmAOIyrSXbcY9aqST6jGQvTaHpUMBbtaUXyakAn5sGC7CtAJYo5pJ6wKUygJ36q5uhpfj4ocyqNZuipBEVMbPcE3Jt+s0bnS1bmQRCQOSSm89nWf669gZGCfgVEvEYmHXGmXLgYbPTCBhjLLPyx5ZzeVoF+D+RG945a/GtOxChRAkm4eTFMJ6gzzSThbi3/9rFWohpXM6VJynpv8/X1sYEbaUuGh4sYSxYK9X9YGYR9vn+U5uPBvpBtsctvHY3JoLL/9pNKw9fu6JltBm8ynItV+I2nkssP4UROkVamu8Q8YzXuXYS+H5D5q74qy+J21QgKIKzxhQ08gvCbYH+1C2x0NSjZtjqKHutzhp6rLAEXQrMUS+1HwHxYzsxLJZzI2xwPNc829EwSWq/VkeS8jS7sUU1oKOikfbxpatvvMUX6t0VNDlsFoAbcTVrOwipTs6Cosu5ttiwr213KkuZ6eTWUnOxyZgLyNYBimuwhcvfEazmn/VG74qWTCRM2b7EtBcj/q997K7euMIEPAYfMZ1L3tr58szJ/ZSUYoe3x5W5DOAwv7Ut9gmtf4GlmajLkUmgP/bIInae8D/LweWXnPRb7PrQE46za7aNVcMBN6xLVeuIStA+g9dSsYpVfflhbGsuTAKo8g7oveaHOuPxKARg==",
+      "RENOVATE_TOKEN": "AgB2UWMGLKcFyG0PTMrykaZaUqFJmM5JEPYAMRxzMWR00JfAXjnArCkWFZtyQ/oc7YKmHUGE1D2ChFYJrxZzCyRwgukLf2w0vUh+lfS8Iv9bpZv6PHhGLSXw1IaBan7Bm1f1GN5ig1S4jrZNqCJI4Lc8w/Wb8Mtw8Zsk+toBMZjaa7bfhceoFKhFbaKRc8LDMCwatV0gGM8m8TPji5rpCAJJ2xd9HQdDkoAFu75aYV0qbXsE7MOm5cjjqrxKQWtevOWYi5tcbUvwQFm+1mAkpe/52a61j4Iu1hIqjTb8f6ONu8ut88UfpbYoiZNgtjASrbCYAiEK49qY3HAHcoYhnuWHdREQbxjOk2f/vx12QXEvs/1QzdK3CF67qctZ9QEWn6xI8MRKw/KiUWCXjh8WEQvdAhQ9MGLH1kWMLq/km+TQm6N6gDjbCo3kov/qhLl4iqMJYR0A4mqJGN9yJHG4kC3YcYmOElw0K8/P4zKR6HBJNCQU47+pvhOnaiiMyH9uOOek3Sad52mRdhFa9f7o/Suojlep0W17GETvyz5Z5W4YqxBk0qPcVc2dK8YkpQnAoZ8pJoJSX7N+mI3jsHyTT3swu6PR1sAL9owpV2lVcs3GWDN4I8IAmQ4ZuBXhfkRDnLq7EYhD0HyZ2w1ySfHc8P43PfTBrUFllkDuxpwv6LuimTuR6kgVAaSAvuIrOkfq53OhWtYWRJzt5JPxu+V40QpeSZXetLb/iqEY1lgVEYeKAEHc5SfPwtTN"
+    }
+  }
+}

infrastructure/renovate/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+- namespace.yaml
+- env.sealedsecret.yaml
+- cronjob.yaml
+
+namespace: renovate

infrastructure/renovate/namespace.yaml

@@ -0,0 +1,5 @@
+# namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/traefik-system/config.values.yaml

@@ -1,2 +0,0 @@
-name: traefik
-chart: traefik/traefik

infrastructure/traefik-system/configmap.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: traefik-config
-  namespace: traefik-system
 data:
   traefik.toml: |
     [ping]
@@ -69,6 +68,8 @@ data:
         address = ":9100"
       [entryPoints.traefik]
         address = ":9000"
+      [entryPoints.dnsovertls] # route dns over https to other pods but provide own certificate
+        address = ":853"
 
     [metrics]
       [metrics.influxDB2]

infrastructure/traefik-system/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - configmap.yaml
+
+namespace: traefik-system
+
+helmCharts:
+  - name: traefik
+    releaseName: traefik
+    version: 26.0.0
+    valuesFile: values.yaml
+    repo: https://helm.traefik.io/traefik
+  # - name: telegraf
+  #   releaseName: telegraf?
+  #   version: "?"
+  #   valuesFile: telegraf.values.yaml
+  #   repo: https://helm.influxdata.com/

infrastructure/traefik-system/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/traefik-system/pvc.yaml

@@ -1,13 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  namespace: traefik-system
   name: traefik-certificate
 spec:
-  # storageClassName: fast
   capacity:
     storage: "10Mi"
-  # volumeMode: Filesystem
   accessModes:
     - ReadWriteOnce
   nfs:
@@ -17,13 +14,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  namespace: traefik-system
   name: traefik-certificate
 spec:
-  # storageClassName: fast
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: "10Mi"
   volumeName: traefik-certificate
+  storageClassName: ""

infrastructure/traefik-system/telegraf.config.values.yaml

@@ -1,2 +0,0 @@
-name: telegraf-traefik
-chart: influxdata/telegraf

infrastructure/traefik-system/values.yaml

@@ -1,11 +1,3 @@
-# Default values for Traefik
-image:
-  name: traefik
-  # defaults to appVersion
-  tag: ""
-  pullPolicy: IfNotPresent
-
-
 #
 # Configure the deployment
 #
@@ -90,8 +82,8 @@ pilot:
 experimental:
   http3:
     enabled: false
-  plugins:
-    enabled: false
+  # plugins:
+  #   enabled: false
 
   kubernetesGateway:
     enabled: false
@@ -158,12 +150,6 @@ volumes: []
   #     name: traefik-config
 
   
-# - name: public-cert
-#   mountPath: "/certs"
-#   type: secret
-# - name: '{{ printf "%s-configs" .Release.Name }}'
-#   mountPath: "/config"
-#   type: configMap
 
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts:
@@ -192,24 +178,17 @@ additionalArguments: []
 env:
   - name: TZ
     value: "Europe/Berlin"
-# - name: SOME_VAR
-#   value: some-var-value
-# - name: SOME_VAR_FROM_CONFIG_MAP
-#   valueFrom:
-#     configMapRef:
-#       name: configmap-name
-#       key: config-key
-# - name: SOME_SECRET
-#   valueFrom:
-#     secretKeyRef:
-#       name: secret-name
-#       key: secret-key
-
 
 
 
 # Configure ports
-ports: {} # leave unconfigured to use the values from the toml file
+ports:
+  # add a new one, the other ones are kept the same.
+  dnsovertls:
+    port: 853
+    expose: true
+    exposedPort: 853
+    protocol: TCP
 
 
 envFrom: []

kluster-deployments/kustomization.yaml

@@ -5,10 +5,15 @@ namespace: argocd
 
 
 resources:
+  # infrastructure
   - projects.yaml
   - nfs/
   - backup/
-  - argocd-imageupdate/
+  # - argocd-imageupdate/
+  - renovate/
+  - traefik/
+
+  # simple apps
   - whoami/
   - journal/
   - immich/

kluster-deployments/renovate/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate-application
+  namespace: argocd
+
+spec:
+  project: infrastructure
+  source:
+    repoURL: https://github.com/moll-re/k3s-infra.git
+    targetRevision: main
+    path: infrastructure/renovate
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/renovate/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml

kluster-deployments/traefik/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-application
+  namespace: argocd
+
+spec:
+  project: infrastructure
+  source:
+    repoURL: https://github.com/moll-re/k3s-infra.git
+    targetRevision: main
+    path: infrastructure/traefik-system
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: traefik-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/traefik/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml