Update Helm release grafana to v9.4.4

Reviewed-on: #496

README.md

@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
 
 
-### Initial setup
+### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,21 +27,60 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
-#### Recap
-- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+## Setup instructions
+1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
     ```bash
     kubectl apply -k infrastructure/sealedsecrets
     kubectl apply -f infrastructure/sealedsecrets/main.key
     kubectl delete pod -n kube-system -l name=sealed-secrets-controller
     ```
-- install argocd
+1. install argocd and the app-of-apps bundled with it
     ```bash
     kubectl apply -k infrastructure/argocd
     ```
-- wait...
 
 
+> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
+
 ### Adding an application
 todo
 
 
+
+
+### Status
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
+
+
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
+

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.61
+    newTag: v0.107.65
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.20.0"
+    newTag: "2.26.3"

apps/code-server/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: code-server
 images:
   - name: code-server
     newName: ghcr.io/coder/code-server
-    newTag: 4.99.3-fedora
+    newTag: 4.101.2-fedora

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.1.2"
+    newTag: "7.2.0"

apps/finance/actualbudget.deployment.yaml

@@ -21,6 +21,9 @@ spec:
           env:
             - name: TZ
               value: Europe/Berlin
+          envFrom:
+            - secretRef:
+                name: actualbudget-oidc
           volumeMounts:
             - name: data
               mountPath: /data

apps/finance/kustomization.yaml

@@ -9,8 +9,9 @@ resources:
   - actualbudget.deployment.yaml
   - actualbudget.service.yaml
   - actualbudget.ingress.yaml
+  - oidc.sealedsecret.yaml
 
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.4.0
+    newTag: 25.7.1

apps/finance/oidc.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: actualbudget-oidc
+  namespace: finance
+spec:
+  encryptedData:
+    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
+    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
+    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
+    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
+    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: actualbudget-oidc
+      namespace: finance

apps/grafana/grafana.values.yaml

@@ -85,13 +85,14 @@ grafana.ini:
   auth.generic_oauth:
     name: Authelia
     enabled: true
-    allow_sign_up: true
+    icon: signin
     client_id: grafana
     client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
     scopes: openid profile email groups
+    empty_scopes: false
     auth_url: https://auth.kluster.moll.re/api/oidc/authorization
     token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
     tls_skip_verify_insecure: true
     auto_login: true
     use_pkce: true

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.12.1
+    version: 9.4.4
     valuesFile: grafana.values.yaml

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2025.4"
+    newTag: "2025.7"

apps/immich/immich.postgres.yaml

@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgresql
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
+
+  bootstrap:
+    initdb:
+      owner: immich
+      database: immich
+      secret:
+        name: postgres-password
+      dataChecksums: true
+      postInitApplicationSQL:
+        - ALTER USER immich WITH SUPERUSER;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS "cube";
+        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  storage:
+    size: 5Gi
+    storageClass: nfs-client
+
+  monitoring:
+    enablePodMonitor: true
+
+  resources:
+    limits:
+      cpu: 2
+      memory: 1024Mi
+    requests:
+      cpu: 50m
+      memory: 512Mi

apps/immich/kustomization.yaml

@@ -4,7 +4,7 @@ resources:
   - namespace.yaml
   - ingress.yaml
   - pvc.yaml
-  - postgres.yaml
+  - immich.postgres.yaml
   - postgres.sealedsecret.yaml
   - servicemonitor.yaml
 
@@ -15,16 +15,16 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.2
+    version: 0.9.3
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.130.3
+    newTag: v1.136.0
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.130.3
+    newTag: v1.136.0
 
 
 patches:

apps/immich/renovate.json

@@ -0,0 +1,10 @@
+{
+    "packageRules": [
+      {
+        "matchDatasources": ["docker"],
+        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
+        "groupName": "Immich containers",
+        "groupSlug": "immich-app-images"
+      }
+    ]
+  }

apps/immich/values.yaml

@@ -6,7 +6,7 @@
 
 env:
   REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgres-rw"
+  DB_HOSTNAME: "immich-postgresql-rw"
   DB_USERNAME:
     valueFrom:
       secretKeyRef:
@@ -56,7 +56,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 10Gi
+      size: 200Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/kitchenowl/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: kitchenowl
 images:
   - name: kitchenowl
     newName: tombursch/kitchenowl
-    newTag: v0.6.11
+    newTag: v0.7.3

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.39.1"
+    newTag: "1.41.0"

apps/minecraft/README.md

@@ -1,3 +1,11 @@
+## Setup
+Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
+
+We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
+
+This way, we can have the best of both worlds: fast local storage and persistent storage.
+
+
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash

apps/minecraft/job.yaml

@@ -9,6 +9,16 @@ spec:
         app: minecraft-server
     spec:
       restartPolicy: OnFailure
+      initContainers:
+      - name: copy-data-to-local
+        image: alpine
+        command: ["/bin/sh"]
+        args: ["-c", "cp -r /data/* /local-data/"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /data
       containers:
       - name: minecraft-server
         image: minecraft
@@ -32,7 +42,7 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
@@ -49,12 +59,34 @@ spec:
           value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
-        
+        - name: AUTOSTOP_TIMEOUT_EST
+          value: "1800" # stop 30 min after last disconnect
         volumeMounts:
-        - name: minecraft-data
+        - name: local-data
           mountPath: /data
 
+      - name: copy-data-to-persistent
+        image: rsync
+        command: ["/bin/sh"]
+        # args: ["-c", "sleep infinity"]
+        args: ["/run-rsync.sh"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /persistent-data
+        - name: rsync-config
+          mountPath: /run-rsync.sh
+          subPath: run-rsync.sh
+
+
       volumes:
       - name: minecraft-data
         persistentVolumeClaim:
           claimName: minecraft-data
+      - name: local-data
+        emptyDir: {}
+      - name: rsync-config
+        configMap:
+          name: rsync-config
+          defaultMode: 0777

apps/minecraft/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - pvc.yaml
   - job.yaml
   - service.yaml
+  - rsync.configmap.yaml
   - curseforge.sealedsecret.yaml
 
 
@@ -15,3 +16,9 @@ images:
   - name: minecraft
     newName: itzg/minecraft-server
     newTag: java21
+  - name: alpine
+    newName: alpine
+    newTag: "3.22"
+  - name: rsync
+    newName: eeacms/rsync
+    newTag: "2.7"

apps/minecraft/rsync.configmap.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rsync-config
+data:
+  run-rsync.sh: |-
+    #!/bin/sh
+    set -eu
+    echo "Starting rsync..."
+
+    no_change_count=0
+
+    while [ "$no_change_count" -lt 3 ]; do
+      # use the i flag to get per line output of each change
+      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
+      # echo "$rsync_output"
+
+      # in this format rsync outputs at least 4 lines:
+      # ---
+      # sending incremental file list
+      #
+      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
+      # total size is 708,682,765  speedup is 4,847.35
+      # ---
+      # even though a non-zero number of bytes is sent, no changes were made
+
+      line_count=$(echo "$rsync_output" | wc -l)
+
+      if [ "$line_count" -eq 4 ]; then
+        echo "Rsync output was: $rsync_output"
+        no_change_count=$((no_change_count + 1))
+        echo "No changes detected. Incrementing no_change_count to $no_change_count."
+      else
+        no_change_count=0
+        echo "Changes detected. Resetting no_change_count to 0."
+      fi
+
+      echo "Rsync completed. Sleeping for 10 minutes..."
+      sleep 600
+    done
+
+    echo "No changes detected for 3 consecutive runs. Exiting."

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.11.0
+    newTag: v2.13.0

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.15.3"
+    newTag: "2.17.1"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.13.0
+    version: 21.2.14
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v2.8.0
+    newTag: v3.0.2
     newName: ghcr.io/mealie-recipes/mealie

apps/stump/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stump
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: stump
+
+  template:
+    metadata:
+      labels:
+        app: stump
+
+    spec:
+      containers:
+      - name: stump
+        image: stump
+
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "250m"
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        
+        ports:
+        - containerPort: 10801
+
+        envFrom:
+        - configMapRef:
+            name: stump-config
+
+        volumeMounts:
+        - name: stump-data
+          mountPath: /data
+        - name: stump-config
+          mountPath: /config
+        
+      volumes:
+      - name: stump-config
+        persistentVolumeClaim:
+          claimName: stump-config
+      - name: stump-data
+        persistentVolumeClaim:
+          claimName: stump-data

apps/stump/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: stump-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`stump.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: stump-web
+      port: 10801
+
+  tls:
+    certResolver: default-tls 

apps/stump/kustomization.yaml

@@ -0,0 +1,17 @@
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - stump-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: stump
+
+images:
+  - name: stump
+    newName: aaronleopold/stump
+    newTag: "0.0.11"

apps/stump/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/stump/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-config
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/stump/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stump-web
+spec:
+  selector:
+    app: stump
+  ports:
+  - port: 10801
+    targetPort: 10801

apps/stump/stump-config.configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stump-config
+data:
+  STUMP_ENABLE_UPLOAD: "true"
+  STUMP_CONFIG_DIR: /config
+  ENABLE_KOREADER_SYNC: "true"

infrastructure/argocd/argocd.configmap.yaml

@@ -3,8 +3,9 @@ kind: ConfigMap
 metadata:
   name: argocd-cm
 data:
+  # enable helm when using kustomize
   kustomize.buildOptions: --enable-helm
-  # switch to annotation based resource tracking as per
-  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
-  application.resourceTrackingMethod: annotation+label
+  # disable admin user - use oidc
   admin.enabled: "false"
+  # show neat status badges in the UI or as embeds
+  statusbadge.enabled: "true"

infrastructure/argocd/kustomization.yaml

@@ -4,14 +4,12 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.0.12
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
   - argocd-oauth.sealedsecret.yaml
   - servicemonitor.yaml
-  # DID NOT FIX RELOAD LOOPS
-  # - github.com/argoproj/argo-cd/examples/k8s-rbac/argocd-server-applications?ref=master
 
 
 patches:

infrastructure/authelia/README.md

@@ -6,5 +6,3 @@ k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pb
 ```
 
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
-
-}cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY

infrastructure/authelia/authelia-oidc.sealedsecret.yaml

@@ -7,14 +7,15 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
-    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
-    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
-    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
-    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
-    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
-    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
-    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
+    client.actualbudget: AgBkqA3lAi7ofkC47b1OlqFGQQ7TG2xJ71uT33fvXCuibkOdvpGyk5eeY2YGh4gqH9zPt739Vcee+y2w+DW/rrqoIPZqO1tx2wgNVT8H/ll8eFe3+3gBIylYXe0JQ2+AhonAjJgUuOKlTfv3tOiNavZEiDM4bVqv+5QfIRAy//YNr9p+G4/grLzc3+yfvGR9DaFrldaPDsg49m0rR2KXGL417V47WL/d1/7tDdoPEYYsmd3iB+RT3L1pQlGIGpieswcI6LETb2HuS/lelL9pC3yA8zBYq1jVW43LF/E99affv3VBdVZckHn9Ad5juKICXqxphp8Op2ynOzW0QNMdMjVahWPbNAAn27cTP5RZDodTmQGbPrK49R00IjzKKU4bDxtAwOpZKVJq3ArIh3j2ETycn/FhMIpLGEAGpMl+ZO077aznJl77nOAkjSXioOkNiPh32gKg5b3jVwry//8g4vTS6AEkNQkMrRey12p42MnT+CHDwgqAu0pDVAM0QvE8g+hhX8tENNN6IalRar/mNAa/lFcm1mXPVEv0ST+7YfQPm5vMY/BNixlpPTN3qd3KJje/Ahv7xHhNWnkez/+G++/l/mUjgVUsoD9cJ+p/87JZOKLiPEbxINFNcoJfO4XJrua6BwtwiGhsdVv61myC408AiBJ7akir2IMe/b/O54xZ+H0SHKlXc1lqRyQS83awcZj9tBAQut2B4IY9yNaudQyce82qMuH/X8pEWrNxfcxgnBCbAMJ24ZU1yWNFO3wqRaWO1MxOny8iefUosZI1wjYuDyzTcMqnq4rEoKEF/Q6NV/N+Rr2NNOiXR1/NjAfsk0CKIdSrERMazzM58omAxULlCgZGTw6i29Xulj4ToLXNhKAJqw==
+    client.argocd: AgAMeMuApKfbUmJ7qxTVuiFCoQvQnVY9e914jZJzZVoD7NNghd+GoI/kl9JuaTGd8FXC9Snp+Pdduvw88PNlR+ZLDQChh9z04BbYm0jOhu+6mxMl9klVc5kbEUILC8nA2Oad0KshnFuRt8PucbM3Adk5P8WwsH0+R0QCQqze36d5pZrNT3XsVHFzkEO69TVNmNDtde04UnlGKlXhtsZHVF0QXU+O0knNPK8Gav4NEAP0GiPSA4Hx49rpu3PzyISi0vUnW4jZQYP2hnD8arR4pAjehuHzkjt8A4sP635KaQ3kEE/6VL6eBLxzFeht31p7/owMAqvjA3Z2TwHc0Eo8zqzQdYIejDvBcm3p/iIECBJUffRRKT6ijlJnzmL8dFVRDkWGN3D2eg7xELQyoQfQLo8m8v3o5rRLDMxGin/dP/7DqL4GLRRIJMIcg3VMNqdSbi7ESlZ0zWZaFQ/3GQKy6y7ooqQS/nn+2stVo6RRuwAlPkpyTa29wOu4fjIsuQ4O9CQrBXowk+4xO1FqWVMUcPGfrLx32IcIC9iZ+QAb1goh1eADnl9D5eKJjWouStvA/i+YlRayHrIBn6XwRgcLaz3ydlZUtwt/HhheeB/N0jRRFD7Tf7SWMdOtyEnngglOmOoiytU0F8B+jNW2OPfPU3CP2AkKvLQ0El9kbLQHYpnpNfbjq6Fjj7b6l8LPo58WBua8uQBwghKL0d6NnjdRymLylJdMUJvGF/9F8rW+1VRndyVyuNRPUXFJv9wqklLQYu7+dtAphsnhO17LdGomjCkP51VtFloWNH49aBWj0p6scsMVahzU2lhzwWOSLh7iK3lm5Pyhkwl2GPR3ayQG8adSE6BaswtmdEpKYEbvi5kWy4In/Q==
+    client.gitea: AgAhsbmgb1LaYsCtd85vEu6dkwdzlIt9rfliyrjFxAmLwstrlhY1IXXrtd1f25sjWmxpiRnUmPgSaaeBpd2YEOFI2tDh3rwUW84q77ynmcIOGKEHpfQicVurvOuj2YNFE91hBf4A18QYRSLDZyCg4yJ/Ult5vS88mNSfaSrDkknjnNfV4+PZzM1JAfILQtWEMmG89vyIr75Ix+i6IkHdKu5YZK/2aOS+vX5LYiOGp7qVXkkKDCvbk8KNe/2gqvaSDCSoRCdtzEP9SdqOY+Zvw1A6dMTP8EZQmXW3qsNn6m9J+bFw8C0SJ+ptG3teuzKKvfkuyUVRSoO2aXREmwzkENG7jQBy4y3BBDU+U4iF73e1LCFczXsXy590rHZ66Jx6OseKFoGn1Jw/ir12soNCU2dnkUfgdiqN8yvkRJ3O/h2BYC5r7IJqIxNiqY2R1EhTgiG4/DhAvTcy+iZlgk/YMqSGVFLJtOQiy41+Vej79f7kw3A2u8HGksTkL5zkGxYIY8EyM+/VR4wHtUsjJTiP8+VHFWw/v5sxnTWAAAIdRn10371F8FNqdD1dCs5U8Xop0/WwFYaix0/dLkI+tJxQvopObAY1G4RKmTy0GTgE4sBGgqjI+KKdVdh6gO26WxtF07MlL57IjfQMlMFYXyapnDRplZkTfDBioF7+8eOd1hajgKUFv3OqkEJnk4ifZzfjXlAAdXRzic6ppfb4w+0YkSluZUTdTFr/SWt9eUnLYz/dkZ8ZV5mV4KZHlvPvfCwBWR3F2JfT0WUKlvC8l8AJKwyBokZJZODKDxaaGvoMvKgj/e11YncDpY/vLP/QbE2onVQKaA25ukUZNFL3WTZR1igi2huRns+/066HdUOLzncGceyDKg==
+    client.grafana: AgB2SV+f10heiF3WsurC2+cFZP4d+IvjVE++cDzVRacTcatR2eI7dn23bDYZv8ThLtByI76VWgIIgC3443WeyA1cXFfwUU/yL0sVTUmWqkMLjNosCbW0m6MzIN4nfTwG2QgkeNG9bTpO4KXhteTnNOZ8YYBIfKLeBiePUF22B/SrDu3l9AgBi0myjC2uoYVnXY723x6URbrapS6E5tbQTO9NfEIL1fsNIKOEskepLNfVSo0Np6jhkn4FA8FKkKNbbHr+im2zZkuo4xgfdUY4NEHpe/SYpsng8v2dhhy2/S7FOFZfJLyunCfrz1Y5UFvhNiosLgfcbPaF/+2Z9heYLEnW07suklQAwyhmFhHwukkeO3zdbJNDJMd1KnNfCSU//OQjsAuwwmXmh9Dqz89A/cimtpk4AjbRw9Zj1whrJJCx3WcisLrEJr9KrxNSY8LAzFTTq5k1bipOCpXnov0ZOrOpzgBsrmOToVuqfExD1cPAlm6L11a2H+SGs0271LIzcekhCnCE11mOK88/z6nLSmyYZH4f8TVt9RU8YmNZzfEJr9JCLISsznIILdtroPbCj3ovp2Q4brT5FdsvhAHSiHL8XHvDwbPJF71p0P6u/P/2oAGmbHdr6nltYi7zKiHLe2ATxEm0dozh/0usayTOvl4jyJKsn3HQQrBrGt/fNPRRm3L/vtvBSfhlP6slwRl9NUcrW1Q4QhBPsQWAEf1xBUYGMephez/4wpOUgxpmLnMZlWa2IKKWUP9R6BuP095ts/YKVT6otScXHs7h6sarQEgMELPyISDTmqBFQvX4Hm/M3uLSuyKsC7g+MBbgIYZX+/2IeR5jLN7zIdv9FVFOmwi5ChFD1Gk+QrQz0qLIScwPN61xHQ==
+    client.kitchenowl: AgDDhHuXHy1bEVjoJkEJsqKGUmoVDT1cMYxB02J+pxQ3BrN2YfZDK4CDMCdG9srzSBD7tG9BsZ9Oja/8imV3cjsXGc90hW/L3doSqe583N9TcDayMNX/lYPgZUfA/7rva02fHyO5dKRSUtRHaR2MjqZdmxhG9EgQX0tIrgwoFIjnU3Jj5co0cWwnd68G8CMZn72DRX3rRRmYv2I9KW/FUva2tIViPVtnJ6DcpFt3eMUhBmW/XOJWsea1QtJ1Ab9d1P+Zi47O9X5eNkkQrlIYMAt52VlbfhLDnI/67WA88yI7OTlsvucFYlvakAbZSk4CFfO7X/cg3v8Yxb9cD8S4vMB+sx7r5g6JfL+psaifAmJDQl4CLmzohaxegiHGWj5k+rWJgO6z4wl7jmiEKQkRcqlE724U9/3tF288AItlZcDUX9UifexeP8bJFua7vm9/wZqLg6eF02BNo+oWzFLjNSWBaEkSAjYCqUkqayfIgbYdutB83tB1gR/LKmF1fEIje0q0dap/b0Jrtq6LRSyPDMXiNeZSiRB+/GpoqkHz05I0H6887dEMwOZMhu9v4YLRyhH7FjtjwOSOiw3CaNCTW97IC0Z6EnFoiOJ9gl7TXg9CbpiaRN3Ds3RonL9scspOnMnZ6zez3khQwZCoeDeXOsE5YBYCRJkTkbZzMFoFBpOEhb83IfsLYlTQBF/LHD6FbwwaNHZscZSueMqK/6iq4R9SLeSgaz+/KKTpQ+KZVmGUttv0feNxC37/1jqbQZ7xH8Ykt6/Hvba7JvDRHrxNzgsMYWcZXL9oLDfheHXPpuFYE5KfZzMNDqvdje4+C0aFlEI/Zj+ESCNRobqAFg3UFuUrgtMjbzfpgoMhnPYL9/Xqz2Xh4Q==
+    client.linkding: AgC3GAgek9/3PvUSx3IEoqrf/kp7o8tMIZvf4cjv/mDOYKkwW5qvLbAHSdOfa+ZgpNNtZLC0jP9qYLJ1ULwZwTqQbq0PdNURag055u7w/dhIc5x/dGlu5p3mNGHWBFdwgZ8z4d1SEl05j1RfaM3OgtNwVBK9uqDLAwB6k3dry8MVLxq42+LeuhqaW3gqrecLDJsMlQtOlcuaz0IsVFPZvpFCVjGpLrw5wp5sEeInw9P6BJov5zNEi3YotoiOGuWmbrcGAcuw+wkql+lAVppQ0qx21XQqzwROu4TT2UmSIGkPC4tTykDR9tVUiikEIdnh9JuFXtDcMBmNMJUHoPVyiB7rMyCGRlkA5DkNp6zAccdJl1/E52TolbpXZC9qygZRCqavkDedEdJaGZVzV01Tv/UZrX8BBl0wljfZ/stweJG4QEuAp7oH4zyty22P21V7nd0EI4NUnVOFkZm0OY5DHF2EJx3fOpUzy4jr/Eys3Qr3mOeqlVAxGFI/kKdmWgZWkiGkQhGboJYshfdxgwZWwZ3csinfVMQqQKUt84OimGTbWhKd01LeeD6tPsB9KYdZt9S70JSY3bh1vRcvuR+hrq4ZBU1GfhGHMJOfs6kqijVHdScGqSFcTvOi3cVq1U3leppDCo8Iq3skJlGXQnrAqlzAf7RiV3vUob/fCe+IWPXppqZHk6ktuAjVp3e9kDigq0MJNsufXELTgTHVpLXxfh5yH9vxVOxPBg5iunRNM+mMm7BGzaJ2WNno+TA3I6v8HUK7LJ36I4ncKY/pYSBPIZ/AgKYHZwnS9fzMuDBV0jMnFkrw0O+2Wsh/Vfaptx4TCaQCYzoY28RbXepnieUrOOQjTevaJVp9/exHnqHRU14easU8Ng==
+    client.paperless: AgAnr9ea5mnC5CyAUoyfdzThsMq+djYbaknoGS50haZOP9KkE3tj8+IU1fIBF+RM5IssgrDTTJlt1O0dbSEQeFZYeVmx70v3sfV89suc9mHAmTaMSMpLfA0T6Q5dzZVjkxuRj6Qc2d8qCdX04rXBBWQDmdAo+29kvdoSiBtYeFg5z3MwhjxqKCPm+Ep6u+6xdYbcxIZgSz+/C2o/Op5vstWUEqBT4RATHouqAOK4He8fgnbeMjM9MzXmR2Jb4X+rovpwsOlH4eyoYBexeSry7eYkOhe3o9S43Hr2QxyRK6lwAF12gU4r86fCq+wKk07TlY4/yf0L90R1xPRTCO5JtAO/jTDxhU7SpzYgdG2DSAXlCT/LIBOfLuUXi7XY+EfRveKpdmPYIVNWF6OM0MjtfQLn9Kgt2onFxwOvb0v0i8P6Ivs4hoy9CnZMsIG3avbNB/8WZ7gaf4WdrtLK0HNfNjSDmfTKsuggkdA8ZuJa+QQfjfPj0ozLz60PAdz8aXV/W84NC0isaJc+KYXcx+FkmNJNyv/Usvo8RvDb6XfzfDjf5LiZ+Ylk6E3gvBGrWstVDi3WJ5dUwIAcfrmFz70Uffkme/w+zxwsaZH4tqayhPxjGALzf6Y9XAa+EkuyfJKfLU5JuHm7jHSsO0fWyflsF7LrjytyFm9CUlVAdbIZmjsoYPlHy/M6QHVGAwtKTUB/QOTT/PphCc2ZOetGZ8kQx13lHBBfMGCO6ihyflUEzGRrTVo3Rd3FqvFRnS/2Vf9S6u03/9qRPS7hK62VtuNxKcGZLka6odoxOKxHk34+mMC1qO0uGLVbM5wYPxBw0Av5L+F13Q4SBa04RJd8OWkspd/T6Yv1PTRGDEUmLZXT0Jv/e2YKPw==
+    client.recipes: AgBuQOpnlwK9qgNWTmpO2c9V8IehsbpHUN6UrwWjZrixE2If4/9z5KhdOsV509HMKFzphZLvso0R19HVtU4eKjhtXE62guzRS6aClQzxtgYDUSSdC3nTuBkTn6TL/dZeJjU6G6t9jPZG1nAACSPLlrbSgfcMvtEat4rEssDO6gNw+lS87cJTDzbqxVWsmQ2xDcCqWtuHH6E4nfJa6BvIrJ/1pd0sEij2iWJgciIwg7y/g9yziFtJudfag0EBRpPSxNtdorYxRSYTxKF5VkHuZKenfiRgU1wxz0KcvSjqE/ZPpB4UpSiNQlQnvpI3GUz2XIbaRGdQl0Ak1NEhKs89BXzcE+7tC3A/qY0tJkJRg6ePImKn6NxxJ9MQHpsRk2mW6r317BGLkabsIhqpn5Sw4Xm5MBmvmWVReDyy8rAiCpSXO5tVUrBHT0TX3pxq+TuX5j70G7kJxVyUBsVK6FsjTIOtGsrNEGbv3FhMG8bxRmBt/4XH8OIc0H98acWhor/kEQIHlmnW6tQNuvKT9ukv9H+e9RnPW7D/r+kqf/ZghbssF/Xjo2mbkdpz5aFNuFQwM0SUbVplIwXJqgaYZOznatwH3m37NYe3bcKPIr4b35NnQM9RI4UeLCs3WYRfm8260n7bvKlv98MRTr0P37O4gZ3uf/Dff9UryVaO42VvMF4n68eixOYmSeZ0CrafXYaAmd4eTnKQkBR/KxLb+Gp3PMZm0pZJ8hS5+Rew24EMtxBkT0KvaKBlTePOQtU8WloaWuyCYtgJTCogBn0QZ5nvxFTtICDDSJQ0p2yKbw5Lf3QZhjYqbF/e1uir20+a2Ic0FVU/gjfzW4FI3+wawqKDBpxsa2bAkg/4Au9INGTYV0YMLX0gWg==
+    client.todos: AgCbiUqRaoP7jTPPmJvqrzPgOJKY2ffG6MPH64xiZXF7gw3Is0PHFYU2XNxBf0dm9zjnKNIF+pe8tE9/IVyO2cwJdxFrp/fJng/sTXBW+gGKc4I1CEexQYFQyEUFNGKs7jn+3diWs+tXmUyN5SmU8hwuriYg6UxqQmjZCBBEHpCkXAGF3nXGUemmS7EOud/PhnWT8wUhaUTyPt1qDTPpfRx9I2GUpQ+KJUPK5h75m0BGYsCdG9suzC5PjpFoySaUPdh+PbzxPhpV92QEZW43MmUkA/bEMcYQnyUO96SpgsM+JSLOXhvQN5rStmXqxxuW2b6WRiDHdd2RHuMwn3pExwEK8FPoMt58Wo8do6SAasz6icskhdzAE44FhNpMUxUhJRqU0M/ZKIygfq5/oYDYTfimlwD2w9jEhQ7PZSjOAdfhC/u4ISJzsqGpkbwRORfnPuYDR8FJ/W7euF9V904fH/YGrRgd1IQm6pILxAJ8ebeYqmF2DXuxcJKS9ba0t8kl/W2j987/36DZ+jvfolrldgeMOvQBr3WCoeDBhTL1ujiTkPaWVI6w2PcHK57+C97FiAxkDHQnpTs7Nk7/B/aI9/XN333zHWVD+DIYflbfF16wbt4tJ/o3DH5t0NNvg/e9n3YLinvup6LVpeDZXY8E6imKAdDMHJ1EiLFhb1Qe605XPqWKwlGK4EKLmHcsP1/F2C6h3IZruoYpatqa6rwzgbKTtjlCgHSpPd0ndieAEi2RtGTtAqc9kSNzxUK0aMn2rubCZ2YMPsN7rbNGY1v+ow9zLiiVOLkHHXsf35BFP9v+kjA3SsT8xX1Qgx51pAiWdxgmuj/z5Y/nhGAZEc8T7gkhECbrXB4c+MiNRNXh6jR6qPK4Hw==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -75,7 +75,7 @@ configMap:
 
     local:
       enabled: true
-      file: /config/db.sqlite3
+      path: /config/db.sqlite3
 
 
   identity_validation:
@@ -122,8 +122,12 @@ configMap:
             - 'profile'
             - 'groups'
             - 'email'
-          userinfo_signed_response_alg: 'none'
-          token_endpoint_auth_method: 'client_secret_post'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
           consent_mode: 'implicit'
         - client_id: 'recipes'
           client_name: 'Recipes'
@@ -232,13 +236,34 @@ configMap:
           authorization_policy: 'one_factor'
           redirect_uris:
             - 'https://kitchen.kluster.moll.re/signin/redirect'
-            - kitchenowl:///signin/redirect
+            - kitchenowl:/signin/redirect
             # mobile app as well
           scopes:
             - openid
             - email
             - profile
-
+        - client_id: 'actualbudget'
+          client_name: 'Actual Budget'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.actualbudget'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://actualbudget.kluster.moll.re/openid/callback'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
 
   # notifier
   # is set through a secret

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.4
+    version: 0.10.42
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2025.04"
+    newTag: "2025.07"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.47.2"
+    newTag: "v2.49.1"

infrastructure/gitea/gitea.values.yaml

@@ -170,5 +170,7 @@ postgresql:
   enabled: false
 postgresql-ha:
   enabled: false
-redis-cluster:
+valkey:
+  enabled: false
+valkey-cluster:
   enabled: false

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 11.0.1
+    version: 12.1.2
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/metallb-system/ipaddresspool.yaml

@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
   name: default
-  namespace: metallb-system
 spec:
   addresses:
     - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: empty
-  namespace: metallb-system
+  name: default
+# selector is left empty on purpose to match all IPAddressPools
+# spec:
+#   ipAddressPools:
+#   - default

infrastructure/metallb-system/kustomization.yaml

@@ -1,15 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
-  - namespace.yaml
-  - ipaddresspool.yaml
 
 namespace: metallb-system
 
+resources:
+  # - namespace.yaml
+  # namespace is already included in the remote kustomization
+  # - github.com/metallb/metallb/config/native?ref=v0.15.2
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
+  - ipaddresspool.yaml
 
-helmCharts:
-  - name: metallb
-    repo: https://metallb.github.io/metallb
-    version: 0.14.9
-    releaseName: metallb
-    valuesFile: values.yaml

infrastructure/metallb-system/namespace.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 
+  name: metallb-system
+  # labels:
+    # pod-security.kubernetes.io/enforce: privileged

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.84.0
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.38.0
+    newTag: v0.39.2
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.29.0
+    version: 6.31.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.45.2
+    version: 4.47.3
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.23.2
+    version: 0.24.0
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/renovate/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
   - name: renovate/renovate
     newName: renovate/renovate
-    newTag: "39"
+    newTag: "41"

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.29.0
+    newTag: 0.30.0

infrastructure/traefik-system/configmap.yaml

@@ -71,7 +71,7 @@ data:
         address = ":9100"
 
       [entryPoints.traefik]
-        address = ":9000"
+        address = ":8080"
 
       [entryPoints.dnsovertls]
         address = ":8853"

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 35.0.1
+    version: 36.3.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/values.yaml

@@ -23,8 +23,7 @@ ingressClass:
   # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
   enabled: true
   isDefaultClass: true
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
-  fallbackApiVersion: ""
+
 
 # Activate Pilot integration
 pilot:
@@ -67,7 +66,8 @@ providers:
   kubernetesIngress:
     enabled: true
     allowExternalNameServices: true
-    ingressClass: traefik
+    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
+    # ingressClass: traefik
     # labelSelector: environment=production,method=traefik
 
 

kluster-deployments/kustomization.yaml

@@ -41,5 +41,6 @@ resources:
   - paperless/
   - recipes/
   - rss/
+  - stump/
   - todos/
   - whoami/

kluster-deployments/stump/application.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: stump-application
+
+spec:
+  project: apps
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: stump
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+    - repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+      targetRevision: main
+      path: apps/stump

kluster-deployments/stump/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

renovate.json

@@ -1,4 +1,14 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "dependencyDashboard": true
+  "dependencyDashboard": true,
+  "extends": [
+    "local>remoll/k3s-infra//apps/immich/renovate.json"
+  ],
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["patch"],
+      "automerge": true,
+      "ignoreTests": true
+    }
+  ]
 }