Merge pull request 'Update octodns/octodns Docker tag to v2025.05' (#440) from renovate/octodns-octodns-2025.x into main

Reviewed-on: #440

apps/adguard/configmap.yaml

@@ -27,7 +27,10 @@ data:
       ratelimit_whitelist: []
       refuse_any: true
       upstream_dns:
-        - https://dns10.quad9.net/dns-query
+        - tls://1.1.1.1
+        - tls://dns.google
+        - tls://p0.freedns.controld.com
+        - tls://dns.quad9.net
       upstream_dns_file: ""
       bootstrap_dns:
         - 9.9.9.10
@@ -35,8 +38,7 @@ data:
         - 2620:fe::10
         - 2620:fe::fe:10
       fallback_dns: []
-      all_servers: false
-      fastest_addr: false
+      upstream_mode: load_balance
       fastest_timeout: 1s
       allowed_clients: []
       disallowed_clients: []
@@ -72,6 +74,8 @@ data:
       dns64_prefixes: []
       serve_http3: false
       use_http3_upstreams: false
+      serve_plain_dns: true
+      hostsfile_enabled: true
     tls:
       enabled: false
       server_name: ""
@@ -88,12 +92,14 @@ data:
       private_key_path: ""
       strict_sni_check: false
     querylog:
+      dir_path: ""
       ignored: []
       interval: 2160h
       size_memory: 1000
       enabled: true
       file_enabled: true
     statistics:
+      dir_path: ""
       ignored: []
       interval: 24h
       enabled: true
@@ -110,6 +116,10 @@ data:
         url: https://someonewhocares.org/hosts/zero/hosts
         name: Dan Pollock's List
         id: 1684963532
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
+        name: Peter Lowe's Blocklist
+        id: 1735824753
     whitelist_filters: []
     user_rules: []
     dhcp:
@@ -134,13 +144,36 @@ data:
       blocking_ipv6: ""
       blocked_services:
         schedule:
-          time_zone: UTC
-        ids: []
+          time_zone: Europe/Berlin
+          sun:
+            start: 18h
+            end: 23h59m
+          mon:
+            start: 18h
+            end: 23h59m
+          tue:
+            start: 18h
+            end: 23h59m
+          wed:
+            start: 18h
+            end: 23h59m
+          thu:
+            start: 18h
+            end: 23h59m
+          fri:
+            start: 18h
+            end: 23h59m
+          sat:
+            start: 18h
+            end: 23h59m
+        ids:
+          - reddit
       protection_disabled_until: null
       safe_search:
         enabled: false
         bing: true
         duckduckgo: true
+        ecosia: true
         google: true
         pixabay: true
         yandex: true
@@ -149,11 +182,13 @@ data:
       parental_block_host: family-block.dns.adguard.com
       safebrowsing_block_host: standard-block.dns.adguard.com
       rewrites: []
+      safe_fs_patterns:
+        - /opt/adguardhome/data/userfilters/*
       safebrowsing_cache_size: 1048576
       safesearch_cache_size: 1048576
       parental_cache_size: 1048576
       cache_time: 30
-      filters_update_interval: 24
+      filters_update_interval: 168
       blocked_response_ttl: 10
       filtering_enabled: true
       parental_enabled: true
@@ -168,6 +203,7 @@ data:
         hosts: true
       persistent: []
     log:
+      enabled: true
       file: ""
       max_backups: 0
       max_size: 100
@@ -179,4 +215,4 @@ data:
       group: ""
       user: ""
       rlimit_nofile: 0
-    schema_version: 27
+    schema_version: 29

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.52
+    newTag: v0.107.61
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.13.4"
+    newTag: "2.21.0"

apps/code-server/deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: code-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: code-server
+  template:
+    metadata:
+      labels:
+        app: code-server
+    spec:
+      containers:
+        - name: code-server
+          image: code-server
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          - name: CONFIG_PATH
+            value: /data/config
+          - name: METADATA_PATH
+            value: /data/metadata
+          volumeMounts:
+            - name: data
+              mountPath: /home/coder
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "6"
+              memory: "16Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: code-server-data
+

apps/code-server/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: audiobookshelf-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`code.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: code-server-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/code-server/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: code-server
+
+images:
+  - name: code-server
+    newName: ghcr.io/coder/code-server
+    newTag: 4.99.3-fedora

apps/code-server/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: code-server-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/code-server/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: code-server-web
+spec:
+  selector:
+    app: code-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+  type: LoadBalancer

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "5.0.7"
+    newTag: "7.1.2"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.9.0
+    newTag: 25.4.0

apps/grafana/grafana-admin.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-admin-secret
+  namespace: grafana
+spec:
+  encryptedData:
+    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
+    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-admin-secret
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana-auth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: grafana
+spec:
+  encryptedData:
+    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana.values.yaml

@@ -16,6 +16,12 @@ serviceMonitor:
   ##
   enabled: false
 
+envValueFrom:
+  AUTH_GRAFANA_CLIENT_SECRET:
+    secretKeyRef:
+      name: grafana-auth
+      key: client_secret
+
 ingress:
   enabled: false
 
@@ -29,13 +35,17 @@ datasources:
   datasources.yaml:
     apiVersion: 1
     datasources:
-      - name: Thanos
-        type: prometheus
-        url: http://thanos-querier.prometheus.svc:10902
-        isDefault: true
       - name: Prometheus
         type: prometheus
-        url: http://prometheus.prometheus.svc:9090
+        url: http://prometheus.monitoring.svc:9090
+        isDefault: true
+      - name: Thanos
+        type: prometheus
+        url: http://thanos-querier.monitoring.svc:10902
+        isDefault: false
+      - name: Loki
+        type: loki
+        url: http://loki.monitoring.svc:3100
         isDefault: false
 
 dashboardProviders:
@@ -67,3 +77,22 @@ grafana.ini:
   default_theme: dark
   unified_alerting:
     enabled: false
+  analytics:
+    check_for_updates: false
+  server:
+    domain: grafana.kluster.moll.re
+    root_url: https://grafana.kluster.moll.re
+  auth.generic_oauth:
+    name: Authelia
+    enabled: true
+    allow_sign_up: true
+    client_id: grafana
+    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
+    scopes: openid profile email groups
+    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
+    token_url: https://auth.kluster.moll.re/api/oidc/token
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    tls_skip_verify_insecure: true
+    auto_login: true
+    use_pkce: true
+    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'

apps/grafana/kustomization.yaml

@@ -1,12 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: monitoring
+namespace: grafana
 
 resources: 
   - namespace.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
+  - grafana-auth.sealedsecret.yaml
   # grafana dashboards are provisioned from a git repository
   # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
   - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
@@ -16,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.1
+    version: 8.14.1
     valuesFile: grafana.values.yaml

apps/homeassistant/deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: homeassistant
-          image: homeassistant/home-assistant
+          image: homeassistant
           ports:
             - containerPort: 8123
           env:

apps/homeassistant/kustomization.yaml

@@ -13,6 +13,6 @@ resources:
 
 
 images:
-  - name: homeassistant/home-assistant
+  - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2024.9"
+    newTag: "2025.4"

apps/immich/ingress.yaml

@@ -1,14 +1,5 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
-metadata:
-  name: stripprefix
-spec:
-  stripPrefix:
-    prefixes:
-      - /api
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
 metadata:
   name: websocket
 spec:
@@ -21,19 +12,18 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: immich-ingressroute
+  name: immich-ingressroute
 
 spec:
-    entryPoints:
-        - websecure
-    routes:
-        - match: Host(`immich.kluster.moll.re`)
-          kind: Rule
-          services:
-              - name: immich-server
-                port: 3001
-                passHostHeader: true
-          middlewares:
-              - name: websocket
-    tls:
-        certResolver: default-tls
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`immich.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: immich-server
+          port: 2283
+      middlewares:
+        - name: websocket
+  tls:
+    certResolver: default-tls

apps/immich/kustomization.yaml

@@ -6,6 +6,7 @@ resources:
   - pvc.yaml
   - postgres.yaml
   - postgres.sealedsecret.yaml
+  - servicemonitor.yaml
 
 
 namespace: immich
@@ -14,16 +15,16 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.7.2
+    version: 0.9.2
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.116.2
+    newTag: v1.132.3
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.116.2
+    newTag: v1.132.3
 
 
 patches:

apps/immich/servicemonitor.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: immich-service-monitor
+spec:
+  endpoints:
+  - port: metrics-api
+    scheme: http
+  - port: metrics-ms
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: server
+      app.kubernetes.io/service: immich-server

apps/immich/values.yaml

@@ -37,10 +37,6 @@ immich:
       existingClaim: data
 
 # Dependencies
-
-postgresql:
-  enabled: false
-
 redis:
   enabled: true
   architecture: standalone

apps/kitchenowl/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: kitchenowl
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - configMapRef:
+                name: kitchenowl-config
+            - secretRef:
+                name: kitchenowl-oauth
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "100m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data
+

apps/kitchenowl/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kitchenowl-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kitchen.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: kitchenowl-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/kitchenowl/kitchenowl-config.configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kitchenowl-config
+data:
+  FRONT_URL: https://kitchen.kluster.moll.re
+  DISABLE_USERNAME_PASSWORD_LOGIN: "true"

apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: kitchenowl-oauth
+  namespace: kitchenowl
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
+    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
+    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
+    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: kitchenowl-oauth
+      namespace: kitchenowl
+    type: Opaque

apps/kitchenowl/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - kitchenowl-oauth.sealedsecret.yaml
+  - kitchenowl-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: kitchenowl
+
+images:
+  - name: kitchenowl
+    newName: tombursch/kitchenowl
+    newTag: v0.6.11

apps/kitchenowl/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/kitchenowl/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: kitchenowl-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/kitchenowl/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl-web
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+  - port: 8080
+    targetPort: 8080

apps/linkding/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: linkding
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: linkding
+  template:
+    metadata:
+      labels:
+        app: linkding
+    spec:
+      containers:
+        - name: linkding
+          image: linkding
+          ports:
+            - containerPort: 9090
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - secretRef:
+                name: oauth-config
+
+          volumeMounts:
+            - name: linkding-data
+              mountPath: /etc/linkding/data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "1"
+              memory: "1Gi"
+      volumes:
+        - name: linkding-data
+          persistentVolumeClaim:
+            claimName: data

apps/linkding/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: linkding-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`linkding.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: linkding-web
+      port: 9090
+
+  tls:
+    certResolver: default-tls 

apps/linkding/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - ingress.yaml
+  - service.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - oauth.sealedsecret.yaml
+
+namespace: linkding
+
+images:
+  - name: linkding
+    newName: sissbruecker/linkding
+    newTag: "1.39.1"

apps/linkding/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/linkding/oauth.sealedsecret.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oauth-config
+  namespace: linkding
+spec:
+  encryptedData:
+    LD_ENABLE_OIDC: AgBfiwAdh1RD8gpzzVnF6y3c8kn5NFbms0T74pmj1aaFD0uQd/dqIxrvZxiBMzgqdrrVUCxRlpG3tiJYMpDEVXQPwRj8uuAizYFEP4uuGFpCtErjb+Y+aOdXSPRCVPbIqROiE+qswNT5KkJm6rR3FPckWipiQdzfpoq+G00MARKqzo4sNrx8+JzgoBFbS/tVPej3VdmDy8iceeVCQ2dJs+roRw+jOfCxqiUjHH5SyoZPnCTlmTZcwr3F9gBGEWGyEl0FNVgL/ku7WEL2COeIIE/2r4RWPqZU4DkPtIv/J4Dosxuw7EQnC5kzTgJGB/TF9Mn/FcS7iYQZKATvWzjC/cTdwZ+aG1qZGz87wM4fxQ05GhgEUkVOlGgxlzxk9BUL3l9Xsaa1KTivaQ4dvB/jm3j12b9rPfO2CXB4jPK7Pk1vKbr5icPXa8dyFY4hiJ1PYh/295a7ZM02n3ao4uHw8KSaxK9GxsCFBxr59q+6ZpjOGnTHZvKGfJHn3jEcIT8k89J5gqrlWjLqR50TEJj3jPZ3QDPN/u1Bf0wAoIOGK7jpnwIXQpacudU2pxZNWC2KtdZbcF9QzuOqKVFABmabdCkBtLa34cyZdweBaCfLRg1Ic0yxrWGzctnwM0Rfd+OzsEpLB7GHKllV597znF5QiK3rQrl5TmgHf0jC1OmMsBkNYCRo2AhYsBN5nli0dgD1y028rsW6
+    OIDC_OP_AUTHORIZATION_ENDPOINT: AgBYHGF/D1tzWRy2issyi3oZjYK/m5cuwdlHuqboPBBHybfTwCkvSfWAL8FSGAgoLYWZEwwoGr5GDSCnAWfhoYwVgCxWw7y4IohCkUSrwbzTVwJxoRTeWIilzwAdH2zX3mZJVHTYCQiLTCjv+MPRsF5FZP4+STtgfecK5Fjgb3sIfZa/yazbN6jf7bdaR91yX2iddeZn7B80aQvu3jOkujPX9yCJz/H+1BN35CtC7KLhFrKgw6uvfQi3g90On5uBHwrC53ve4rEvcOgi575WBA3fDYW4RxNb8yxxocQOuqNRa3jUa/RIjOnX9tFoG/QIXY89DUSsgpAZFWIlV4np4KOe4V+xWT1khz2TPRDaakDumkNmE/sAjpYfGX13+88A0N/hO9o2aXJhEXOFZ5eulyAwDdIodMg6lQTG43OhdSZLFfR5TrnzkVR1pIzwPMutgf8jai4dyYK+SV+oyGeZosNpD484gzhjMGkz8Djs7/cADcvJVmGfWWYvjenlfvFC5lK7F+355o9L38fUeG2lhRw8NsPWuzsiH7m6GaSEfEPcdqj/AohArtUnf9cfF04tocPwCuNLeIgR42W+cfapD9g14sN9v4Z7g/5IQSqL2EhNR9xQMoIT9BkBEhI9JR518Yds/Z89Lg0HsMw6UCrkg6um1If80gjHyRa7JrfxzepKifWNn9/suHlhecaeXcSOKMCCFYDtHyvO4/gCe8/PXjyVc/SUZNBDJsDOikVvVJfKqDlEkimfl+BISzkMv5ALxGDHMRc=
+    OIDC_OP_JWKS_ENDPOINT: AgAg+6Ty8o++uc+UfaVNtJviu1A771rtazn9pj7KafqgIx1xNuPtUBwGEScfku8glUy0bS8r7MyMNlUe3sIYfnDKQmmHBVHFoiJ0IjLZP/pV51A4fT2DUrFv9pnIemqjFD2jew5ToXhuHwUc+Y3LvX8M8aPpB/J+DjIIvgKQe2faHyWt4c24jOZaH56xJhI114LIXD0A7Qvq4O7UfpIUNfYSMojTH7VURptL18Mh1YRKJmil1PmRIstX9Smr3ltAG9Rw032v9ISdDmV+OyuhPo1Wk3AU85RdOQ9hZGMSFXQXFEqQUp/N76n875KDUMT4W57//YGFRUrm8w4oB+PlkjGV2pG7DNYVxUZEmi5UXwY8fTI+KljAZHSk/YOSku+gc75hWYXX6s3g/R6/IWmr9sV5O5N0bc3guQ96nnRmjuzb3HebM0hPfPS+6/xn29erTDETs1bvfCQ9oWNMomDsH4FVz5gC+zwrUvUD3Af3TVsU5g+lfOE83+pmMMWcJFn8Z0uldud0jR27o/ftKgBDmUaGi3zCQWJrYxtXehBy9fo0K7QpbYnLHvNnXVX9fGQ0PZNMc8N0wYZUDuhOv114lqfbVR5dHYoger4iT0xC+SHcWGgvyjqb4YI7bfnY+bnh8TLfuI/ttw1l7/ev79/yvjrtgPuBwN9ygUxENLR2Ur1Cc/u72d+ST4NIg5esth+y9Z2JdP/3+nlYctnyakWhEkUyBPK+5Iyacv29t1bMXoesB6Ub5WsXaw==
+    OIDC_OP_TOKEN_ENDPOINT: AgBRpyDYbQlq7dcqJ2Gd+CfSRZRgvpuUsIngAXX85dt0dChYhQ/YvnFl9r3GqsXNBrWQBa0uE7t+uXxo+oobjgfSibq28kQBL92PM/s7OctINTJBN3q0Gdv43vnliS69/WR21kZkLuAmPne1nL+FZJXavIUF8N6CX3gKb4WMdv+Rl4AAmUo9vsB1C7mxDcS1CppUeJ8KdF5qkb8Xag28Lv2rDA7W9Ne+tNGFi4q/UWqdU76iUxrHu/Kfg6RD0rYlOaW+0b3A5Rvj5oU8ho1Z/eIsA9NaZNYBQjtGAk9fiD2EB9IcFi6kYv5zGZsRcPTzMv/35Wh+lV8I3mDRGcfkmzQsZ8Hcfx7c3zpemZqvY7LMgrvO5AatWKYZUFPsTcaT/mVFmAaVuq5PqeuCQhqekug3rdQxxf2n1cWMMnbptf4g19oTFKx3FtXImpPk97Iv9RbMATKHE/nnfin5/7PtQNn9VBBW785hzzB7cs+IiEzdjGu7MnFlKaGEoS94eZtgLSEmpIMeXFW6V0rXHQ6J+CUjBjiEpAh6LKsh4De+IrWFuzAYH0jwowuY2r4VX3jx+Yv8SFEJ5AfDYbvx8qX1zy1dGfsQvrAai298QCOTizLmeuJLMIC0qlNLZWrYhf8XzF2/N8/bC0R0Pyr+6Jxo8HrtHyFcnl8ckHycWosCOkQmQIbX+vOffOpQ6vYUkHM4MqIAiTl6G+bxjtxBZUTXvqX1sKCEO7pccL8gJZQ+ICN9nP785JAd4eW2JeGW
+    OIDC_OP_USER_ENDPOINT: AgBD4amxFPHYQR6JWjNTsPM63NNI+f9DgZ9+whv5f3bUo7KNtB05vAYYQtAdMYJR+5499S6t0BYwOi4cNxQVJyga1bKogqih3EI/QlJeLvoFvDFj2wEMmCkT5MS+qemtPJwXK7JTHzUFX74b+S/a30/mvWKkMRHzc+G+E678/RDIScFJFssfJVMJB4Kp9T4y+v9jJAKZRixkx2lOR48JR5umXwxm+xQGaexeJOv0MZY4Am4P/nJcWM+Gk1Ka/ih+VAJRLsu9dgvShytQ1OHaAPMRu6H7Wb2bLrzpz4rTcGbZA3aTgHfItjWQpBV3fhNvyNW8QRbRFSyxHBC4snqW5Bl77u4KdMicwL/0x1JhwP6cx+/TVEyZ2n+5Y5PyOW+E7LXtiZGZ/eRw3xVLxvrFDwY0EBMqAUWHyQjwlZLctjxgBud5XDtT4athaNq5hnCELMepRI05kF+o5ECxKWoFXN5rXrwrlcgftCV9PTZbP8pkxyau8O28C4YX07J65G9ntV3VIg9tAXww6X68YHIQEdAgjNOI1soWt15q582OlhXBTTKAf/QU7mrSCn5FH0Q4Z7VLIsJwMz0orGB69Qxo/lLF7z+pQEE4PArceoLi7cffQV/+VzUBOACDdfKFiN3LTDuoMm6lvkAOdmzXccmXlEGvNEwLR+8Ac26Ld4fAnEFSLIJpwQHheIQRY19qbN5+cOa+RmuOroxWWA2P/8uSlp4kXVvAmPJOt8PprI3h8iRG5zBv+J8kE8wpI1scJdDr
+    OIDC_RP_CLIENT_ID: AgCOGuVP8BVfAT5FRmmJLptdv+8vtppOgpzJ2LXU3vR3sjQE4MLKgWwoAyrnkAa2IMrsmkg5+pyHBDlp1AMba3OTVZmhyEVLrFe/vCiL45hEaW2l6kiwlIW3nZnoJlGG2Ugj4SX8YCQGlyr19vEFcPdieWlKpHfda/EP4xYhXMSzXCxFCtT7uGjgnBlrV0uXeFCezYGzvmA4SbDli7fvGv5H85cwgUlMdSn2ZIP3DAxQ8gP0ETF6KaOK5QVP0e/7kw9SK3oo4XHE2c8AjHLFFnmz/uf07+7LuOunSqunolbVy+Lm2mHHnzx+0PBmMYvl7FHY/TkBZaVjVaZtrELbFYaraop8iE6hFMvOYNa/1BFY1x0aeRfPb0jt5IPnuebllnEh4P7JUQxef4Bqbjp8u7P+uOBWnQbeMEp5F3rWE8qy09NnjsKPz87Jw9pb0aPgXWLKVHjJpArhcb6gTJLESCw9kgT+c0pYI0s3BYmwNkJ+6wxflvTLb5z3YyY5/+8/s3PgDz6Hj4tyA8tBru/KQwnBVMw0GhF5YwlZ4SYHPwVX+ZMj9UQc6swNsrxKLqs5Ci7KjvzEDUJ4/aW+rv8naoCiebIJrbmLB8iSqNGh90s1S9BJsQaWXbKYday3spt0eg+tH/iQgAnUAjd9RK3TxkkmWVjmeUc/rOltsbaIvy6/WdyKnF8/f9B03Pm5eal73yC7reFyGYiXvA==
+    OIDC_RP_CLIENT_SECRET: AgA+Q9osGcUgiGsyPfHph3vGiNBjmL7pK3JlaE4PoI+eGsvb+3Ozf9KnfHSMm2R0fq/eukFn6i25MZ/mKYliVSIcjWbnGDFSysiCAwirKTUXoFUo87zmguNUPr8Rr45m1AIaJb31T4MKeFQRHSg715rs/6fKlbejUWUBZuMTN1DXkWr+00atj0JmmZPScSfRmwKNsHnoZCUWFE/DaFChpoCU4fCp5vL9P2LcdzsY84vue8y7Trg0e/LpEi6+DzSoxurE9jwjoUauXmZnOSW3jFgy+u5c9Oa3RC+IB/UUsmHI8eUVOXGdQsSFufrAMd1uyPRa2g+aCX0zX5boZC9dTGqaT+D/6xXnMFsvw5K+K4Y/QZ+j9ZHx0232sPCFVi2HaYHV51c2Xi6tizy+/0J27/4gvaVREXw94pmsaI5rt9sNDHoKw6LwkPO8heqkYzfIWhAg5vKswDn/MWAVTIzIubdTvrDjVWxoJ2FM9sCUsai/X7rj6QUiVTgbWuYYO0hMrT2Q9y05n68hWOmpqmna4/JGIE+N48h0/wAHLsLeV4ZNLJdJhQovOSkYsB5FIYPTuihFASLhE+uf8VBwSfYlwcWORz7dssAYvCJAx3huYZCSHrT4WPtLt4Ok/IuplXvVbZ/d6NISqE/g+BiNmN7r4DZQ/QbN4TD9t6BQESKkTqPHYIiVtZHdalgPFFSS8JP2wv50mSh/imjlX51ruHGQbVbIfZnfJGwLEL0KN/Zn3BMrNtMgCqEs3itnGQQnBchQ
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oauth-config
+      namespace: linkding
+    type: Opaque

apps/linkding/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/linkding/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: linkding-web
+  labels:
+    app: linkding
+spec:
+  selector:
+    app: linkding
+  ports:
+  - port: 9090
+    targetPort: 9090
+    name: http

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.9.11
+    newTag: 10.10.7

apps/minecraft/README.md

@@ -1,3 +1,11 @@
+## Setup
+Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
+
+We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
+
+This way, we can have the best of both worlds: fast local storage and persistent storage.
+
+
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash

apps/minecraft/curseforge.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: minecraft
 spec:
   encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
   template:
     metadata:
       creationTimestamp: null

apps/minecraft/job.yaml

@@ -4,14 +4,27 @@ metadata:
   name: start-server
 spec:
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
       restartPolicy: OnFailure
+      initContainers:
+      - name: copy-data-to-local
+        image: alpine
+        command: ["/bin/sh"]
+        args: ["-c", "cp -r /data/* /local-data/"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /data
       containers:
       - name: minecraft-server
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
             cpu: "5"
           requests:
             memory: "1500Mi"
@@ -29,13 +42,13 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -43,15 +56,37 @@ spec:
         - name: CREATE_CONSOLE_IN_PIPE
           value: "true"
         - name: ONLINE_MODE
-          value: "true"
+          value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
-        
+        - name: AUTOSTOP_TIMEOUT_EST
+          value: "1800" # stop 30 min after last disconnect
         volumeMounts:
-        - name: minecraft-data
+        - name: local-data
           mountPath: /data
 
+      - name: copy-data-to-persistent
+        image: rsync
+        command: ["/bin/sh"]
+        # args: ["-c", "sleep infinity"]
+        args: ["/run-rsync.sh"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /persistent-data
+        - name: rsync-config
+          mountPath: /run-rsync.sh
+          subPath: run-rsync.sh
+
+
       volumes:
       - name: minecraft-data
         persistentVolumeClaim:
           claimName: minecraft-data
+      - name: local-data
+        emptyDir: {}
+      - name: rsync-config
+        configMap:
+          name: rsync-config
+          defaultMode: 0777

apps/minecraft/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - pvc.yaml
   - job.yaml
   - service.yaml
+  - rsync.configmap.yaml
   - curseforge.sealedsecret.yaml
 
 
@@ -15,3 +16,9 @@ images:
   - name: minecraft
     newName: itzg/minecraft-server
     newTag: java21
+  - name: alpine
+    newName: alpine
+    newTag: "3.21"
+  - name: rsync
+    newName: eeacms/rsync
+    newTag: "2.6"

apps/minecraft/rsync.configmap.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rsync-config
+data:
+  run-rsync.sh: |-
+    #!/bin/sh
+    set -eu
+    echo "Starting rsync..."
+
+    no_change_count=0
+
+    while [ "$no_change_count" -lt 3 ]; do
+      # use the i flag to get per line output of each change
+      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
+      # echo "$rsync_output"
+
+      # in this format rsync outputs at least 4 lines:
+      # ---
+      # sending incremental file list
+      #
+      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
+      # total size is 708,682,765  speedup is 4,847.35
+      # ---
+      # even though a non-zero number of bytes is sent, no changes were made
+
+      line_count=$(echo "$rsync_output" | wc -l)
+
+      if [ "$line_count" -eq 4 ]; then
+        echo "Rsync output was: $rsync_output"
+        no_change_count=$((no_change_count + 1))
+        echo "No changes detected. Incrementing no_change_count to $no_change_count."
+      else
+        no_change_count=0
+        echo "Changes detected. Resetting no_change_count to 0."
+      fi
+
+      echo "Rsync completed. Sleeping for 10 minutes..."
+      sleep 600
+    done
+
+    echo "No changes detected for 3 consecutive runs. Exiting."

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: grafana-admin-secret
-  namespace: monitoring
-spec:
-  encryptedData:
-    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
-    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: grafana-admin-secret
-      namespace: monitoring
-    type: Opaque

apps/paperless/deployment.yaml

@@ -26,6 +26,8 @@ spec:
             value: deu+eng+fra
           - name: PAPERLESS_URL
             value: https://paperless.kluster.moll.re
+          - name: PAPERLESS_OCR_USER_ARGS
+            value: '{"invalidate_digital_signatures": true}'
           - name: PAPERLESS_SECRET_KEY
             valueFrom:
               secretKeyRef:
@@ -35,6 +37,15 @@ spec:
             value: /data
           - name: PAPERLESS_MEDIA_ROOT
             value: /data
+          - name: PAPERLESS_APPS
+            value: allauth.socialaccount.providers.openid_connect
+          - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+            valueFrom:
+              secretKeyRef:
+                name: paperless-oauth
+                key: provider-config
+          # - name: PAPERLESS_DISABLE_REGULAR_LOGIN
+          #   value: "True"
           volumeMounts:
             - name: data
               mountPath: /data
@@ -44,7 +55,7 @@ spec:
               memory: "200Mi"
             limits:
               cpu: "2"
-              memory: "1Gi"
+              memory: "4Gi"
       volumes:
         - name: data
           persistentVolumeClaim:

apps/paperless/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: paperless-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`paperless.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: paperless-web
+      port: 8000
+
+  tls:
+    certResolver: default-tls 

apps/paperless/kustomization.yaml

@@ -7,20 +7,21 @@ resources:
   - service.yaml
   - ingress.yaml
   - paperless-secret-key.sealedsecret.yaml
+  - paperless-oauth.sealedsecret.yaml
 
 namespace: paperless
 
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.12.1"
+    newTag: "2.15.3"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.1.5
+    version: 20.13.4
     valuesInline:
       auth:
         enabled: false

apps/paperless/paperless-oauth.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: paperless-oauth
+  namespace: paperless
+spec:
+  encryptedData:
+    provider-config: AgBI9IcNOfBevjUtIMwNTd0MTnr1WGxMKJ0cPnHzAS3cddmI+LTrkxxdRBuz2PFKTrhJ6/vh/2tiI9FBWMVm/YqTB64drbF3v13GfZMk/9c7W4SFyMoMcoE4xe6gs4SOm1ggTVxWT6O8IQ0gt7+FRUFaiLmwa08dxTkzrT0/zfQfYg+0aV8qS0eCJIrQk/IA1N31RpUoNV5Jl6vF7oE+cKIVyZ6LVMdecmFnuUgU+1qTC7ncgxxhWQekDQXJQnfYpgsQTF5GaHkGV8kvqJOa2Ohnk7MIeQEz5WuiKaXzU1ZMCYq3D8q/kaf/itLLBlL5MQh/hkuksCVG13aWxvulA/zIw3rSDujjZcSrD8LWH6oCMCn8zVcZjYQQBcTKUYEyYNvHLsmm0fOFIkUmFfBOS4WdHhjsBudz+941Wuc2EX5i6eLind7dk6gOlCL1HEyvbQRV6W50T104DQSNHslRG9CIjPh0BueGJ5fiaFoQa/UuM/JI8R/7cv3y5VkCG6j4gax9FVFgZKxPMtOTxB3gKolT25JHPDOqbDo996T4lsmiYRrYShni4JFZ8ALhcr7pKwlg+gVbDVaqMrVaSz1xzTP0MNxPMsojXVLtG3/Zv0/iXSVW4DPY67pFITEbZBWB3bHLvL9MiwKbWNwsDwPUylWkXTTFHsNbuRUnAXhRxcLn43uIv98JFTQcMVl2J9qrYkHm7w0FVImUr3oC+Ny/Z6j89ARposNx27B4FBgW7H7+yWMKRsAObC8cAjBOkBdXue0x5bEl7Al2BRRG7/WUKHXZvTOlvlj7GFTpLOQbPYjnBo8V8h42uOjGbiMLaCeN5sWlMtWD+7mpHV3XGdcGtPAZlIzgpUs2si/XIRNun2oDoUmJhb7YcGmugodcAK9+aYBThIkNU3guXdrM6Vc7CO2RP8PFpKBpcI9pUHgYA8dyYY+TaBqfYGrKFlGgoVcgh6oVkeOuctTX90XkojVFfqkCqab93faMh2pGCGcH4IZ81sdTYeWwNIvz1RGoi9GhUhQU5NfDeUBn2eHdOpfdsf4FkWe0kgE6TBPlQx7GQy56FldIc0G4QA8H8utL3E/MXYrao70ek/GHIxuev1/hzljJDk+5HJz5itBtKiW4s/5j2ZMD7MMBu/voDQW14XEK5pM9EbwmC6kRg6ljXvTlnUVmw1s04iUvIzF/dO6bCgaOEwFPjZj8oZs0dt64Ov+ZPLwTrmezFgHtfh4dyiRgHt4cO/WYFmzzYwd532p2De3JqjHUzT0iQIpkaz4jrF7+fdtDxtj7XgkJIg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: paperless-oauth
+      namespace: paperless

apps/recipes/deployment.yaml

@@ -21,12 +21,15 @@ spec:
         ports:
         - containerPort: 9000
         env:
-          - name: ALLOW_SIGNUP
-            value: "true"
           - name: TZ
             value: Europe/Paris
           - name: BASE_URL
             value: https://recipes.kluster.moll.re
+          - name: ALLOW_SIGNUP
+            value: "true"
+        envFrom:
+          - secretRef:
+              name: mealie-oauth
         volumeMounts:
         - name: mealie-data
           mountPath: /app/data

apps/recipes/ingress.yaml

@@ -14,3 +14,4 @@ spec:
           port: 9000
   tls:
     certResolver: default-tls
+

apps/recipes/kustomization.yaml

@@ -6,11 +6,12 @@ namespace: recipes
 resources:
   - namespace.yaml
   - deployment.yaml
+  - mealie-oauth.sealedsecret.yaml
   - pvc.yaml
   - service.yaml
   - ingress.yaml
 
 images:
   - name: mealie
-    newTag: v1.12.0
+    newTag: v2.8.0
     newName: ghcr.io/mealie-recipes/mealie

apps/recipes/mealie-oauth.sealedsecret.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mealie-oauth
+  namespace: recipes
+spec:
+  encryptedData:
+    OIDC_ADMIN_GROUP: AgChDLTJLcQutEytCeipPcd9KOPQzh2LiObcGcqSBv54IojcwOSYrdKODrF3l8IR98L4PH7sAvS756vlZy+UxElgtwa951zqYGwf3SHoBMU8fl3QU7ZG44vGHKAZ8+gi1ybDaImUW6xH3TK24PSWH8bvwjLs2JAGCUQ1hPzOQ7yQQRPRTRk8jbhDkBefy718eSMqTSrxJqakIPgicZcIeMg16d7pFMkztEuo8iZCPTF8XgDbY0HVJ/pGxAf/rgerLCeOfdKF1tJRulUt1VzmX4A7Votyg521twa6RIN2NvgJHRYEmMPTosrBO/i70OwYcy8QI3PaWisoId0MFSSYk+n1iCU0EM3pXVal5rDoji4EVjazcuRjZ+TQ4SZh6jkRrHGyDNtrs1w7Hdw0GSwb8ONoGPiZF+qU34kDQH7tkNZ+iaG5in8kwSbZoLH2vrdUv/2yNXtHGFM4eJNwcfwMqs1wbS3zt2c73JQ0HgE2c4ocy4iTJbtd13fouNH+MPFl6BJXcMjvMdUaxerEFZQhhdvyx69ATMyLsUqgodr+vSFo+uA9gtv5JPyiA8HPJPJ05plSBAS/QxaV+F9NCbmI/XG2MM/i55dy5dX3lLaTehDtZ/TZK/mVHlkue+4lHisrtXFL2UGlqdX/QPNX+ccZ0qLKjnvobflBPqPr0y35KE+QNOVNlup2mVJjMr/dgNqi6Xm34UwX4GaW9y5Q
+    OIDC_AUTH_ENABLED: AgCC/9BtmP59y8keEx9z6f2ifXdatpR4BBSCpLlpELjSBPAk5QrZ5v50n8Raz6zUt7+HVL5CYsShGRPoVqTd+evEqDCbbY+0y8fu0Xrapcq2V0I+DBfOzob0V53HpIzHdcAEyGXEqhE9zTDoTlZszmUCQzB/ih7Jr8V0bq3AKh9n+y4REYsHoiecPPb1MeuJmp9mfuSU+dVqvW8GYwumLQmpH1+PrWeQvf94y48yMJ78wroR3MoUIrTPuVe0RCAK+A25ODrXSaT9et0qx4mzS+qW2Vjpyh7MiNQhJdaYrGHlcUcje9C/RRsqzFdwXQqONwAAQUfH21fxMjpyAD4O3pc5X31kZ216w4iTp5DlTYBH7Ci8sUySaweQT1XdCBTqZTd+Q1fkU9UJqkLFZZ0Vds6K0GSQlqxcL43t5jp96n5uCm4qgaEX7oBpz6CqYM0Zh1OsfFe3ju3IBaPLNpboY9BwXaOlnYIMS+BR7hZGWf45cyEjL5IyEQIfpCw9drTzwnQAkiHtWo/8gzgds9FcW0cVPNx8XQjlZYw/voYhFJZcpNkwk+wl4Vs6kHPwtYAhR7nHj7nyqyd72IEutd0LZSL2ICMFKQ3XbYKa7JZlKLeL0gy3YKm8D5I+BRDBR4AB8MrjzSkJR0C+FOHVMImxLIHblEtVoOla4xWbu9aa+fB5hUrJ9EpwSiBYJWQzKshHx6cvX7Zc
+    OIDC_AUTO_REDIRECT: AgB6K8H8eDmuaRhPeeKVtkPBzvtdEgNzBeqBLEPOW5tE0YiWT53mlQaW8eMtCUI/yvIKY8Tjcwg/CoiAgtboalS+HoJ5vUqfBBgeqYRE8xdRw6QJhLjKIViyg/wsTp0epmL50XX2qg6FINVWT6A8P3OXmVP+kxxr5dZDJ5jT7Af1j3XC0uGZWja9DWkfz7AXiUh89kekGqO4rkplQIBmPOUl9re1D5JFuL7mCmqBo4MNHV0baf451+XaOQF5jKT/luyHkvjs2V0+YZY7BvBqmqg3Dt+buAMyFnXAziVgcpSRzPQtGSCq9WJK5JsDfZltTVkzyJP83Vb3fPtOnBs+7ZWYshOh/1r84hbdEUOjTec9zcYQY/1MGc+4t6DsK0st03cNYWhKBBeN8nmUGMfca5kGWnRx5nJ6rjrF+Tw7yXJdjRiZ5Kom+VwcBtT7bXsxpoUYqAY1W4oUhpCrGGG6431DbUbjWMSaHPDiGdF6rIMD3OmbOaUxGTooCvesoRTdia9pO5Jk/c694N1MVKW+SNInuyZZ3BI8oxi74NV1zZYwTCADHSvWShuqCkZtnX1Rz1kNlI2e++HFnObvfbdXSyDymwJ0WX8rO8sXJYzEkJLv021Tdn64+1jBKviAi7m7FfS9/E07AR7OWyEjv2KYgxsZMC3KR8mEs9WZYYqkvCuKdWQofpLOTjkMVJ69X37EKUCGzUvr
+    OIDC_CLIENT_ID: AgBosCGO5L+/1WJIGaNA4Z6vbqJL57JtuRXQDEICAiTJns4YBqvpbiIg+LZ6b5DDwHi0uq/v1yd61TV0+A6U7t5LYjRsywryseP+vGycDQlPWIBAegs/gVzMspNOrJe+g00VEfbrkZl9U63WMKAVBJS4Qd+MHzgnSxZ0IFMP/vaSE7JQ25LqSMjWs/OOBF4EJbTf9RV35/6kk6VpYIOLlT9Y4FaFwilj1Fve7YROIms5RykrLeEhIw/XeKjviyZqbE+rRsM+3lo0FPwVTruTGNbqLBrYox2FSVK6y+xPp9IHREu+17gf7ROLSj8PIhG3Q0mWOSfdv2qbB7RxOfNf4eGwy1m4rL+DDwLU/g2rZNnIvxa2C+l927ADFj5fJCuBPV9o8PtJjD5zsE2wpdqJ/PJMpg0106LylewH662hvIYL3u5s3Pc3mW0jPElgygnZYihSRxzxvEYdfw7+gV4alhlU++X/C/qwbzw1g+ZqgbVYH/jZxixsAu7fOiFRW2G0qkvnKnwJstnjs/Q81R816dnRylETxtINTpyvSF5MAPE1g0HL2Ocs1rOqLsL68FpPnI9GgOD0bkStuYSq+6adMyPmJgyzOqa9sGjhQvrLI4AISx0YVDZLaG7UIp18UF9AFQhImkv6hh8jpOHR1sYmmWKBwbyBJHtEpDn4/RKGjb2v/AHvUtZcE9TAM7kQeP1fRWPXPcA3SfF7
+    OIDC_CLIENT_SECRET: AgAI7LDC9J+IQk6qPSxs5PSyr5fKAflxBxfCd2IcjQUKc4mCLzWdcQkyxXuOqLETCpT9yNFlRA+g0k3Bc+Sp+Y9rmF9nS9EyshezZOMT8/G5bacEBXgxxlqyTQUqXp7FpKK30lrBvxa56xDeatF5G6H68lLfJ86K2FH35f8IvRJv+GqFrOQ+PL1M9Kl+N6XpNihy70+jpDornbNpyr48yFawAone6zKg9qFxeJ4FHPL5wYrS0r++JoEoCGo4XZ34mPHQ1jiK3wPiiuGhf6dbAvh/wlCH2+ehiTnOQwKUY5C12gVwafOrA5BRI/TBjlTrAEG1qjxdff10fkkuFaa3Y07V+lz316H1+8xdzPVNDN5bG0hVVVWmj1jAuqUnOqPEfzPOc4jUFVom2wSXI1SS3n1oeDnTiO/5vkmTRcQZdGeuLM0+StTtXHmbtrfU6ZyfdtKoZ209jR997pYmNf8PrDbhKtcvJaxbT6RHqXpJwk4fKtQeLInY0Pl0HSg3f+OVLdikESgX8mJm/nGJxwN/y1cSjLawMoZhbvHP4aWKWokLxAvX4pfUfm9iv5fm2pwQ2eWWKAI0P9I1l9Dbbs0u2HC7QLI3EsJFQ/D1gkhall8cLPQmg9LnsXpnxnKXtIMLS8sNqE5TyXTX1AvFJz79dT7nezS20TLF2chZ1ch6tpM0n7JNYVaD5Rgxqc9XFpUvJrGHYjSR7twjXZd0XRVXCOBKWwe6aSdPi5OXtu1tBvvXTjoqMbQrGgk=
+    OIDC_CONFIGURATION_URL: AgCZnFFlMYEQgPBXanDrQRdfPad/xux4wIVXpPfOqsDGzWSYu0HYDuoO8cETdf0fI0dppwAb9167Iz+sz9t36b4jb5X4nXTVWa4Co90s3uDwRsvMcg1dNMK8EDABxlGS9XThwehs6qXyYSN06CF+SyrGZonDgVcXb0pEW5B/EHFc5TwRrvYvVe9z8v8JbNehQet3HxXZBepkuntI5CzCkCseTvOiKV6oohr9l1DaK8e0IHQdq7XZshdZ7/CmafVY87fGElC5J2nhAML10fXHwyJ8HA99mwLFIvBLnlAc4KnG3FS2uysvoKrUs+GPXRgXMBlsL67upV5jO2B7VKQRpy0VcO7oYiwMV7Lc9EkOOgVNghIKGkCVQqN3JOuaNg3vuJlutDjLlDk+oCBP0BvYkZ1U+1NmndKRG/7YNXJ+MOe3KZ2gWGZgQLzpbmQRq81FxTn2rSNhZyBsMHyviIZFqZJyXnln6xPRIi4uuxtRQY9PLVcwHd6Q9hi6n8QGBYNc+AEsGwy+9upkZ6hpyo4hcOCJi/e0aUH92+Y/feNGYAPFBHP1sTHP2sEbVFISQadDdsxQIvQvaJy0J9+UKghz/qAsipkBYc2mv/waJwlpnFqDoCTOIkIadutyBAehkXawNsDXcWPU52hGpQ6dQQKCIxsRKBO0JQsI5rFf4jc/PxfSUYu2Fps34mmMggAb00UBLDb2arNdI/OcSirZ04XSp6G7Eeqn6gfMfrrhnnqpg7zokXXNMcLPJcrV0jHflauahmft5+LnWHfYVa0uNAJP
+    OIDC_PROVIDER_NAME: AgBI3oFosMR5sPgr6JqFPJX8U8A2XNNYpZ7C4XIW9VPeczIU5NUNQaePowps509Y0ddHXPwASr0OeTgIVU2Z68Hg6Tpj8CehL+P+DaFMOqMOub0qmrakLBBaWcaXprQi2eys7mP9jqiC4iMx23w1Yen9lid9FSjLIEpfLE1VsPzAUcrvGMW8dbgwchrxKnb0HG0e/bsyaLubzEZWHfPaUo4cSWQf4KWAhYBlfZQAbNPkatOskzKw7nZ03X6RI5oub6hjcBclRjMh28MsExIRJDwWtB/inwLpWEAiPOU7xQmjQJdC2BqmKXHyTk6Z9rnwgUjG3pgH74mNH7/pF1ekOK220JYTbMa6Uga0r/v971AlC6RBEo8kuaJ/xptSdHp8lfg1spJ1sYobV782+zmJ0rc615BsYwef4lcFDBSXKnk42NhUNY6OORNbwD/tW/Mxac3o1OOoe3mSgRnFXJLqTh9i7D6kN7TiQ8HXNgkEfZKoqCloKo2TKW2gB++hXJTiZ1ItocaDPbPSIaq3LJsIw6YwwkXxBQeOmZhYLpaPI8dHjn1h8Jg2CPKNQJdAossrsHpBrEM+UXA1HxVmUCv/q5WIum+tO1d7sKeCuZ/g0JOcNK/tX2+tYY5fDT2G97GrXSGpgZgIfhYhWStYfkcOdB5ayqj0ncadZ0uJ3akFWBLHAr6sYemmVtW+BYbMLTTjlprGq8EIu3Kyqw==
+    OIDC_REMEMBER_ME: AgA0vxQG7k6gaMmviyTVccCkIl4r37YHX97gO8ZlFtZFhBNIXti7Ocn3R2paSf5J4A7xT5Ml5imfdn1jS6XXBM/z6oXA7kvyrh5V04vcueGXtOk6PSzdqMB+qsmZr8VuY+41CllUwXyXGDLMCzQ6tA9K1rdLEQoA8TYdDi3KI91vb4JgOTaAum+JHXI8N3ZguzXyF7nTR/nTtoqvKoD9b6/B69Gu7FDuef0AEAf/aFYQb6JSNeStKbYYyNjY30/MdECEf5Y5kl6mtAT54KwNiz/GF9JMKa3yAO4XVc0Pq3Fo4BoptW/8yyngnhrjB8c6/LydTbwQgrxXO6JJKOnLMMrNq+llBNFyBqUD3ZyVzY3CRAetL3loAdoA+zTQCAKMoRjL22m48yyxdBSC9Fwy9crb95DqJaEQa1M5UrDqt3uWsEoJhrT5dUUnC45N4Yk9/cTWLMf/xSqP9tRWVcw4wyU8b/ptuCTqq6WvMVeS+MCLCnQnZB6s/sdFQBm7x75P2llro7iwYp72YRAfV1jZavUXc6XxdVvvyFV8Q4bNRxLvXgjnuvD+6STTmqzlceVkxcv1KvDyvjxHtcy4qxr3dU0h+vmo7kkTFfcaJpmIP4CTVc+lkNvj6FvkXwtmiW/RMG7kW8ES7I+tHSD2hJle8FWciAwP9iZadszTVOSgyx+S7alOXGczUDAe0bpWqeNnIBkJYpX0
+    OIDC_SIGNUP_ENABLED: AgB/TkKgJ1GioaGCvyXVA+RRHJ64/KqBt19dNm3LUdxGrhQYOq0zDmNET26w8FneYXrP4zH3IY+ZvXkS3L5i9PNBXkUGhXaoNXPx2KYm6c6YeGkrW+sDlCVPFx2zypCIgXNpJHiTIb2vfZHTyVMvmpo1m9nlQVfdueFV5ToLwt4pWR04VYCzXoaSILqJAuX5IBkhac8hsr4yc6u+RuLhtDTmziB/3+/FWA+Gsv82U8CNDBCMAyLZ+439F9aiJv+scOzVzzmmIxfCz4GPzfiTmMcwlsAjqMs42C62x8m+yoPAs9/Ur7f0p7JYE8fjYQbWP2OliJic2Nm9KaS/o8akojIKlIN36Y1I/srimuH9LbuRJlwRQjTQ4qq3quiW7Z/7Tgsm71ISPqeLUHO2xR0714MnDMW+dOwRoQzBaNZepo2aEb2DhiVzT1OLsSeGCs6UOTau9sjd5ow+pCBZWUNPAzrcskw4cSfoHGfWiMf6wytCp6agiwnogM9wMAdjFXi9VnHxNmn4oViCmeg/y36z0RDyW1p8fU5fv68qWoqiPH5lbzJUcKDzW9HpfcuaGaAKJrr3RbEqdqxh6pc8hLwzzCo+FxiX/UAnMd+2BCFWzEQzWznyin2Z9vv4d7dYYiKRmoLxNQO5T6xSZvv0DYd9dhSxy8HB/viZuBh7AiprORuh26jCotcbKZq13/x5xC7qm7t4WQzO
+    OIDC_USER_CLAIM: AgA/FYOGrV1qHlvdlJd8HNOdG2VlAVTo6nEoAtJRn3G7z3OkexS3O51x3TsiIhpKliaFl2/ATZFk5okUnUSeoibqpxpLNVMpVF6VX6IrnjxdbtznGpyz7sIri9RvKZwTpuDT8wNrJ2q7t1xwvnK7QYxKzf+rIkQqcSzN9k0QF7XPE7ijeWSjqMpbjRya+vxjWR12L5BRmtUgjrm7J/8uRMkVQQtl3/Y0c99qMwj91v1F37RejoqOLC6OFdCOhVvwatq0C+y3F7BB6Zl2EQBYoinVuSfmlJ9rorSyAeNeeVb7s5vm+WflB4Dn+taJAFCuGiq7DK8n1XDvkW7kThlJckdXBfEiCOlzYCSdiJ33ToV2mWo0zSOZC5UrYslx5hhzwdb+Nw7/74c3g0TeV8doLWhczpd38eYEkYrFIZdQdBtwK+Lwlb7Bq2eT9X3l73uE2ho+u+o2o4RtQdCw00TouBJQBf/vhyEfk6eWuhHikIUVSQAOm8mCKaOseH+m0RMrpbDDRbl7pcrozSUJjP1eygTVPJwQF6uFjIbvNHsodP1ld83HTR3vMfwfwwngocEonnayUDeYfk2KOdWONUFmfh6k6miULhNr7QVnTit6b7EwsrLuu8UqJzih/pINELf/mA2oliD2TCQH6WwSu+G7W/BjECO2ANyJE/1UQxQxaw8NtmRtcuIU6cdHi7ow5ENYLnYb1GXQBH4TGGZgKBaBGUEz5gQ=
+    OIDC_USER_GROUP: AgBIMaa7sVROh0jXJQLrnKVKzCRg2Xg55d4Xp5sQFQ/hBlrFwSE+fj/Irx2hGx8TiuotN3wG0dIJgxLt2IGcXSZoO4iABz6tI88yJgP6InRjU83qxFusjxljOb7JI4Vz/OV4XpxMEibcv+TF2z2669p+6hBbdgGwWAO0luCYPKgwTZWDZr9J2KOqCK0rs2uVtR//UnfUNTM8IbEHDxKJ9aKmB3Xxpgo6xw5ydx2V5J6juXF7gZbthGapgerEMx0D+cdCQwyRmZZaA03IuZbNqgouYPpMJr15vCGsyZWM3mOJ1GOBSnZVTsubmd0WO199LDognEjKNTN+IPbTZUp53zMjcFf9bCfHNZe/+bTs3Jyb2IEH57OAjuMhiA8gU8oBPq9i+CI+NH76MTXrIKdiLtUAfQ0Br1bdR72AmWNpaIC2cGA60QVAtTvHtr/SZBkaQos+KpVXeHVG9WiK4ejfVkFX5r3EjVxPQFs7sGw4DCuytaNjSM66vWqsodC38bKqB5RACR2ApDJXGgQtA5L3jFHzV/Qb66S0I5WsX1+u3E8Sx53Q2/xI/MKnK0VrLy1Pnlrb7GWNyyOQJhB764D8UwA6ElTt29/IkJu6c378yOGsZSNMd689mfoPLeYhby9DMLgQOFMRx5euXIzojpuomtuclP80BzGUHBvLKLKZGLf8HiN8ko0X250MdAouFa3EhNvKjaQ6YYa5
+  template:
+    metadata:
+      creationTimestamp: null
+      name: mealie-oauth
+      namespace: recipes
+    type: Opaque

apps/stump/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stump
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: stump
+
+  template:
+    metadata:
+      labels:
+        app: stump
+
+    spec:
+      containers:
+      - name: stump
+        image: stump
+
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "250m"
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        
+        ports:
+        - containerPort: 10801
+
+        envFrom:
+        - configMapRef:
+            name: stump-config
+
+        volumeMounts:
+        - name: stump-data
+          mountPath: /data
+        - name: stump-config
+          mountPath: /config
+        
+      volumes:
+      - name: stump-config
+        persistentVolumeClaim:
+          claimName: stump-config
+      - name: stump-data
+        persistentVolumeClaim:
+          claimName: stump-data

apps/stump/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: stump-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`stump.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: stump-web
+      port: 10801
+
+  tls:
+    certResolver: default-tls 

apps/stump/kustomization.yaml

@@ -0,0 +1,17 @@
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - stump-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: stump
+
+images:
+  - name: stump
+    newName: aaronleopold/stump
+    newTag: "0.0.10"

apps/stump/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/stump/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-config
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/stump/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stump-web
+spec:
+  selector:
+    app: stump
+  ports:
+  - port: 10801
+    targetPort: 10801

apps/stump/stump-config.configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stump-config
+data:
+  STUMP_ENABLE_UPLOAD: "true"
+  STUMP_CONFIG_DIR: /config
+  ENABLE_KOREADER_SYNC: "true"

apps/todos/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todos
+  labels:
+    app: todos
+spec:
+  selector:
+    matchLabels:
+      app: todos
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: todos
+    spec:
+      containers:
+      - name: todos
+        image: todos
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 200m
+            memory: 200Mi
+
+        ports:
+        - containerPort: 3456
+          name: web
+        volumeMounts:
+        - name: data
+          mountPath: /db
+        - name: config
+          mountPath: /app/vikunja/config.yml
+          subPath: config.yml
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      - name: config
+        secret:
+          secretName: todos-config

apps/todos/ingress.yaml

@@ -7,15 +7,11 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
+
+    - match: Host(`todos.kluster.moll.re`)
       kind: Rule
       services:
-        - name: todos-api
+        - name: todos-web
           port: 3456
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
-      kind: Rule
-      services:
-        - name: todos-frontend
-          port: 80
   tls:
     certResolver: default-tls

apps/todos/kustomization.yaml

@@ -6,13 +6,13 @@ namespace: todos
 resources:
   - namespace.yaml
   - pvc.yaml
+  - todos-config.sealedsecret.yaml
+  - deployment.yaml
+  - service.yaml
   - ingress.yaml
 
 
-# helmCharts:
-#   - name: vikunja
-#     version: 0.1.5
-#     repo: https://charts.oecis.io
-#     valuesFile: values.yaml
-#     releaseName: todos
-# managed by argocd directly
+images:
+  - name: todos
+    newName: vikunja/vikunja
+    newTag: 0.24.6

apps/todos/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todos-web
+spec:
+  selector:
+    app: todos
+  ports:
+  - name: todos
+    port: 3456
+    targetPort: 3456

apps/todos/todos-config.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: todos-config
+  namespace: todos
+spec:
+  encryptedData:
+    config.yml: AgBRKmf5GSn6EcCH4r+I/lJkNiwZp0Pa/TFloYlPzqJ1aQWrTRDCLiljHYs1n/PTBWWv5SdWj+3Uvx4M+tzTXpRTp1dWomJ1C8pUDpf4N7SSZeAMoJxz5/mSUpA1YsYwiy/jhOzSsaeC80JX9WTXhCE5cnox/OUjcDf62vVg/7kgy8tHYpCSRmTGMah82642gP0/rlLpp+ctb29oYttmL0fWafHMRHgZYwkO1Ol7tmfbVOfr/bQljTQD3h/f0+ef2s3kDNtAkXSBAwHo6TfukB5bZi+pj3q3TLHAWU/belC38RZtIYW7trJf20WzbxxWKcS7rnQ8GHJqpbNgoWdnBQgP5OGHzySnQrdIAWLvOxw3JdJ8S1ZMbZfWASGpeIdfTI1p99Bhu1MGE3nnAzUCM93sLySE/mjjGDPdA9+Q7orgLGX3ct+w4deu1ABLR/HWxFYvPah11xs+MyzBFVh2rRj+MMzSWwQmbo+widmHWnzx6fjTiLd8eyGmvz1M9hBwFjqUTjbAR70S4xx2ALlYqAtbmJUk07PmTdTMhvokvaY5NX7Ylahx2oFE2q/FxMBwvPZVyI9tSbrZHEK9a67QaXnnwyfSqj3nErNkpdAa/zSJ9M6SG5cJrJvZCBn5cFg6pxtY65wZoj0GWMZ5kF2oqxDuekdjitWGMTp5q6ROJYSs/o3Lc/Abga9pSZYEtNrHr68tJuSeO61s9TjUftbkxkJ97/dwTfVQOd7aJui2EDp8NVcZg0CkEOgI7tt0nOEsll30RWS46QJwUbJM34FD646bpEk50K/GsIvFovKjZjtoCjeKczGdMpYS2XFwEMb8UjgSATxcVYjSWwvx+7prEChvoyVcg8Bi8ZEGcBVxSAD9fJu8PtyPBeijs7ZVwVyGGxiSafd3gAPU8spSuvbEDl/VZAKy9k2vrI2c/gtTqwaIasnBHudIbbNqDHlTlH8dk0z+kuNg/AzqheZWireMvBvgQ3TlHan0RN6+vVpZCY5XbzWkj/DEmoor8UfeuYt3GD7/JHniAorMPj61n2od7TLXmLunPG/B/zNpJCgJ8LgtUriDDZno99IDCXaZ/MO2+jppMaKizl83axxrv9HUTYDDgtX4RqLLdutd4i/AsOe0GgayFrOjUtDVOL6MKhX7dRJfbNsL5IcGEVZ1cdzcjjazoDpSlDdMC6E1XNS1NWprqUpmfjFPtFk1FWW3oRF3iEYUimngYvy6oTx3d70EZ+eOdEvp6A+aHbmG6fyEQb3AKYhMIOsn4AbKpDLjTsHiqWNGwT9ummS5kOLhnWBBB4ohDpCl4UMCtP61+1lhtx//Jne8QFAoq31MMFcCO2X3b2JfD6egLDc8Vwju6NHNy7jrmkponKqKxQPSs0w9Aj2biUBuFkMCiAik0Cf1fPk59bjJqs2ypwURDPAs1ShPoSU=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: todos-config
+      namespace: todos
+    type: Opaque

apps/todos/values.yaml

@@ -1,51 +0,0 @@
-######################
-# VIKUNJA COMPONENTS #
-######################
-# You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
-api:
-  enabled: true
-  image:
-    tag: 0.22.1
-  persistence:
-    # This is your Vikunja data will live, you can either let
-    # the chart create a new PVC for you or provide an existing one.
-    data:
-      enabled: true
-      existingClaim: data
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      mountPath: /app/vikunja/files
-
-  ingress:
-    main:
-      enabled: false
-
-  configMaps:
-    # The configuration for Vikunja's api.
-    # https://vikunja.io/docs/config-options/
-    config:
-      enabled: true
-      data:
-        config.yml: |
-          service:
-              frontendUrl: https://todos.kluster.moll.re
-          database:
-            type: sqlite
-            path: /app/vikunja/files/vikunja.db
-          registration: false
-  env:
-
-frontend:
-  enabled: true
-  image:
-    tag: 0.22.1
-  ingress:
-    main:
-      enabled: false
-
-postgresql:
-  enabled: false
-redis:
-  enabled: false
-typesense:
-  enabled: false

infrastructure/argocd/argocd-cmd-params.configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+data:
+  # server.insecure: "true"
+  # DID NOT FIX RELOAD LOOPS
+  # application.namespaces: "*"

infrastructure/argocd/argocd-oauth.configmap.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  url: https://argocd.kluster.moll.re
+
+  oidc.config: |
+    name: Authelia
+    issuer: https://auth.kluster.moll.re
+    clientID: argocd
+    # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
+    clientSecret: $argocd-oauth:client-secret
+
+
+    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
+    requestedScopes: ["openid", "profile", "email", "groups"]
+
+    # Optional set of OIDC claims to request on the ID token.
+    requestedIDTokenClaims: {"groups": {"essential": true}}
+
+  

infrastructure/argocd/argocd-oauth.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: argocd-oauth
+  namespace: argocd
+spec:
+  encryptedData:
+    client-secret: AgBmXMtAHgooKGgj3s/ndddVxxOXqUYyGev5BeUoAYL9IYYT3yB54cQp7v1suEwVGUJQQPOgc3YDUeS5kdOLcpYi7mOi7/aJYPmUHx1DU644JsebpeqJNMFt52SCynLjP9Vntlbkji9mPCQj0tHGhqleA+3y9mamuz3tZ+kaSY4+qUywXekMQz13YQgagQc+0BK2xzUzVedNj2AB0NmCIs8oOIL1ZL0iMi/+/a1VSh/pzm3Tv/ap3w5nqP6FUbZLcL0hU6+VTa6ZqoDcIIEm5x23tDXwgbHM7CJ5E/bHu+cNrvVO9XqI5x4KRIe/TDJGmO3oZ4bdeU2mtIxTXIHG3kKFCQzKPqteffctEusvdyqkpCqPsLUny8loOQKX8XjY6K6a7fMsYUsKkJ1Le3Zuif0AhzNvDCX69pz3uPEOf6ZR2pU0B0g3fc3gIwIuY97WiHzHg++pLJ6/yT32Ja9Ub6k72fJDA1HvvAOY0+fXoJdOwkJCfGFF/dXLp2M1/3xxDI05mJeFywE9NYBrb2yRNN9XAdwSJ5mpRnyiyBlMv/1W52yDBCavyMR+vLlyxaXGeVHvDSTdGCY8bCBEz2kbm3WEFxGR/LM3ls6d8WvvT5YJ+RxxEYSN/o0Zi233AK53toni+e2luBBIjUITa+QUIxpeWrz2aAe19PO+XiDHu8G2sErWxwE336USCnOiFIkqeJpBqtfOm0sWnxmQWhucMqTlGYdbus+DBkWWM23JLFuRsOI/VawqRg==
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/part-of: argocd
+      name: argocd-oauth
+      namespace: argocd
+    type: Opaque

infrastructure/argocd/argocd-rbac.configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.csv: |
+    # use oidc group apps_admin as admin group in argocd
+    g, apps_admin, role:admin
+    g, argocd, role:readonly
+  # all other user that might have entered via oidc, are blocked: deny everything
+  policy.default: deny

infrastructure/argocd/argocd.configmap.yaml

@@ -4,3 +4,7 @@ metadata:
   name: argocd-cm
 data:
   kustomize.buildOptions: --enable-helm
+  # switch to annotation based resource tracking as per
+  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
+  application.resourceTrackingMethod: annotation+label
+  admin.enabled: "false"

infrastructure/argocd/ingress.yaml

@@ -1,19 +1,17 @@
----
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: argocd-ingressroute
+  name: argocd-ingressroute
 
 spec:
-    entryPoints:
-        - websecure
-    routes:
-
-        - match: Host(`argocd.kluster.moll.re`)
-          kind: Rule
-          services:
-              - name: argocd-server
-                port: 443
-
-    tls:
-        certResolver: default-tls
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`argocd.kluster.moll.re`)
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    certResolver: default-tls

infrastructure/argocd/kustomization.yaml

@@ -3,13 +3,20 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
   - namespace.yaml
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
+  - argocd-oauth.sealedsecret.yaml
+  - servicemonitor.yaml
+  # DID NOT FIX RELOAD LOOPS
+  # - github.com/argoproj/argo-cd/examples/k8s-rbac/argocd-server-applications?ref=master
 
 
 patches:
-  - path: known-hosts.configmap.yaml
   - path: argocd.configmap.yaml
+  - path: known-hosts.configmap.yaml
+  - path: argocd-oauth.configmap.yaml
+  - path: argocd-rbac.configmap.yaml
+  - path: argocd-cmd-params.configmap.yaml

infrastructure/argocd/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: argocd
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/argocd/servicemonitor.yaml

@@ -0,0 +1,77 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-repo-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-applicationset-controller-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-applicationset-controller
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-dex-server
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  endpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-redis-haproxy-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  endpoints:
+  - port: http-exporter-port

infrastructure/authelia/README.md

@@ -0,0 +1,10 @@
+### Adding clients
+
+Generate a new secret + hash:
+```
+k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
+```
+
+give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
+
+}cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY

infrastructure/authelia/authelia-internal.sealedsecret.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-internal
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
+    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
+    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
+    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
+    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-internal
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-ldap.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-ldap
+  namespace: authelia
+spec:
+  encryptedData:
+    authentication.ldap.password.txt: AgA+MKR3OQQyrnroueYPamFH16HxlenRWc4ysREC6bsQYPq3FwjW1sJbz1yPxVywpi7BkClS/8i6oMxPBcl3amefYQd4aK9FeXFCy+oknhM6ml4r7lk8gIVNiUKIbt8XluGwg5SRc+I1x+5TBsinAsfwVZDpz1TYEvTbfpi5xrijlC0KY1UW9tkkt5Cp7sr0NDdk1hzwQWW+7JlpOYlVqvs2o02xT+C+wncV/3RYtKqT/OCC5SKbR+DVjDxG97CHahF6DC4o5rzFlPl5JD0yUPenbXCzuGmfQmfuqRSekJBZJ99fykwRf82eeOao/hPJ5MzCf4otorPh3/UZk57D5nnWe1cWGsLz5RIp3lmZfEn4vKICauuJK8mFIbnZMeR0lsP5prbNU+gwF1N+VHcUl39Ob1y83XowQzIynMQuJhcnP1e02/HwIl6uqNG0XsWWw57K/z289yCid8woeStvteFL9vL1i1JiaQsVuriOjIh7nZVFgUvHXfGaMQp58O5qlLQ0EDApMjuBDsZ31acFHqoR4RSw14up6GMpw7lXbOANFi9KmiDe6ugZ2TXzm1GU6lcqUMX4SXIVwAsbf8BhRZb28sJ3z2e7rfRGoAqOdxFKLYaX4+ENnN/tk971Es8IE/lM2Ylqj1oBCceEC+YSkRNBe2B+n9rpe10T/F7sq3K+8wH0axMvesRkCY1coUoKVkx7cw5bEZ9Z/oHnTuw=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-ldap
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-oidc.sealedsecret.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-oidc
+  namespace: authelia
+spec:
+  encryptedData:
+    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
+    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
+    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
+    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
+    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
+    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
+    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
+    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-oidc
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-smtp.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-smtp
+  namespace: authelia
+spec:
+  encryptedData:
+    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-smtp
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia.values.yaml

@@ -0,0 +1,259 @@
+ingress:
+  enabled: false
+
+
+pod:
+  kind: 'Deployment'
+  replicas: 1
+
+
+
+##
+## Authelia Config Map Generator
+##
+configMap:
+  key: 'configuration.yaml'
+  # include sub-maps wich OVERRIDE the values generated by the helm chart
+  extraConfigs:
+    - /secrets/authelia-smtp/smtp.yml
+
+
+  # many of the values remain default from the helm chart
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'custom'
+      address: 'ldap://lldap:3890'
+      base_dn: 'DC=moll,DC=re'
+      additional_users_dn: 'OU=people'
+      users_filter: "(&({username_attribute}={input})(objectClass=person))"
+      additional_groups_dn: 'OU=groups'
+      groups_filter: "(member={dn})"
+
+      ## The username of the admin user.
+      user: 'uid=authelia,ou=people,dc=moll,dc=re'
+      password:
+        # ## Disables this secret and leaves configuring it entirely up to you.
+        # disabled: false
+
+        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
+        # ## secret_value option below.
+        # secret_name: ~
+
+        # ## The value of a generated secret when using the ~ secret_name.
+        # value: ''
+
+        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
+        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
+        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
+        path: 'authentication.ldap.password.txt'
+        secret_name: authelia-ldap
+
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+    file:
+      enabled: false
+
+
+  session:
+    inactivity: '2d'
+    expiration: '7d'
+    remember_me: '1M'
+    cookies:
+      - name: authelia_session
+        domain: auth.kluster.moll.re
+    encryption_key:
+      secret_name: authelia-internal
+
+
+  storage:
+    encryption_key:
+      secret_name: authelia-internal
+
+    local:
+      enabled: true
+      file: /config/db.sqlite3
+
+
+  identity_validation:
+    reset_password:
+      secret:
+        secret_name: authelia-internal
+        path: 'identity_validation.reset_password.jwt.hmac.key'
+
+
+  identity_providers:
+    oidc:
+      enabled: true
+      hmac_secret:
+        secret_name: authelia-internal
+        path: 'identity_providers.oidc.hmac.key'
+
+      # lifespans:
+      #   access_token: '1 hour'
+      #   authorize_code: '1 minute'
+      #   id_token: '1 hour'
+      #   refresh_token: '1 hour and 30 minutes'
+
+      jwks:
+        - algorithm: 'RS256'
+          key:
+            path: '/secrets/authelia-internal/oidc.jwks.key'
+
+      cors:
+        allowed_origins_from_client_redirect_uris: true
+      
+      clients:
+        - client_id: 'grafana'
+          client_name: 'Grafana'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.grafana'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://grafana.kluster.moll.re/login/generic_oauth'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'recipes'
+          client_name: 'Recipes'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.recipes'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://recipes.kluster.moll.re/login'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'gitea'
+          client_name: 'Gitea'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.gitea'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'argocd'
+          client_name: 'Argo CD'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.argocd'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.kluster.moll.re/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'paperless'
+          client_name: 'Paperless'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.paperless'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'email'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'linkding'
+          client_name: 'LinkDing'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.linkding'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://linkding.kluster.moll.re/oidc/callback/'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'todos'
+          client_name: 'Todos'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.todos'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://todos.kluster.moll.re/auth/openid/authelia'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'kitchenowl'
+          client_name: 'KitchenOwl'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.kitchenowl'
+          public: false
+          token_endpoint_auth_method: 'client_secret_post'
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://kitchen.kluster.moll.re/signin/redirect'
+            - kitchenowl:///signin/redirect
+            # mobile app as well
+          scopes:
+            - openid
+            - email
+            - profile
+
+
+  # notifier
+  # is set through a secret
+
+
+persistence:
+  enabled: true
+  storageClass: 'nfs-client'
+
+
+secret:
+  mountPath: '/secrets'
+  additionalSecrets:
+    # the oidc client secrets referenced in the oidc config
+    authelia-oidc: {}
+    authelia-internal: {}
+    authelia-ldap: {}
+    authelia-smtp: {}

infrastructure/authelia/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: authelia
+          port: 80
+
+  tls:
+    certResolver: default-tls

infrastructure/authelia/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: authelia
+
+resources:
+  - namespace.yaml
+  # # As a user management tool, we use LDAP, more specifically, ligh ldap
+  - lldap-credentials.sealedsecret.yaml
+  - lldap.pvc.yaml
+  - lldap.deployment.yaml
+  - lldap.service.yaml
+  # Authelia itself is installed as a helm chart
+  - authelia-ldap.sealedsecret.yaml
+  - authelia-oidc.sealedsecret.yaml
+  - authelia-smtp.sealedsecret.yaml
+  - authelia-internal.sealedsecret.yaml
+  - ingress.yaml
+
+
+images:
+  - name: lldap
+    newName: nitnelave/lldap
+    newTag: latest
+
+
+helmCharts:
+  - name: authelia
+    releaseName: authelia
+    version: 0.10.6
+    repo: https://charts.authelia.com
+    valuesFile: authelia.values.yaml

infrastructure/authelia/lldap-credentials.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: lldap-credentials
+  namespace: authelia
+spec:
+  encryptedData:
+    base-dn: AgBC27VFLsDFHQ6qMN3kbyilhgRwa++hJ5uDsBOqtemO4mOj3nw3/79SJRrO4201zeFq54WJaG5tRHS4SaB5+hYMjdZKqtgTE5Cl9amKIXsfZOzHQ8bKj//WJZYgfmfPxDm5tVdElvF0CGJQMf4SbN52F4V5ujnl2x/j2Qu6gyoJdTaa8lRRIOewXrgOc16lGuAmgVIFB3KR9SEOiSQb2sJxi4tbBPvu0qcLnnfq8/roWouqlfNycanf+Smgc23P112U4ZcirF/oSoeYjUxSy/yxRMrfSzrcxjLPMeb0hyHgsKpFc17YghBt6Ofqx/JOeb4rCZUAGe2PJYoNg6EvGNlgiL02h5TqPF0GfZ02QLiEVK+jUkrEZGMEqEl97iw8juVW3fFJQpcZxyA4eZWAN2ocH7LjDg/UaPvjaZzXbkkva92X1g9LXFCukbMXYoR6QrRI4AyjLWdAHRlBm1M/7w0x5SH3uh05MR3Su0uhRgwreKxJGndd02SsWYs3I9+xM4RjzIs//aNYvhoUgeMzvhIjda8Jut4HzCTqcycIwxkE9aIUlSAgcS+0HrLuvMb236F5OROz2kwx187KlZn6FlK5vDO3m1pWQwmq2E2q0oRhg2mOJDSexzKwzaTkvOdtNiEOWgitYkML93L9I+9scDd3RbIfA5ejOKu5+JR+8cxpwvO5puURvyzI4BTZcTSj+Jnm6MK0pl6tJgfHtgt/
+    jwt-secret: AgCI0LA/Y2ZTUl1VZax9Wqd5DxC9OFDe3NfWH9Mr85N5xbF6X5oe49fjW0GTjBE2cytN4aCUy+Gu5kAuo2qgfF1p5XyFY42Tg8q8fyF+LMN0Uu3JlgyA1D3ql0ePc5kNKxD8TRsfcWZOX/KtIWiZxceQ4YJi+OY/7llso3ZiGRCwzV1pXPoFd7A9dSA0qbUklpFI/58VkAUJ1HSel5oCx0JUfxZZAHQaCo72ZPqhbAskOZ4ofH1hzq66NJG5VbOhtBWkPDi4e82OOgT1VqiOiVOUC3w0GAvt6S1SD5P3N2FRqUbRag02rETnja/uahRKDHvLJG82zHXDVGxt5aZQ7bKRYe93gizCaZ4mTfAgrEaz9ys3ywRNr8UL7Cda18YWghvyOqDJSNePn6tUsntc2wA5rRhkPV3NKEhi0Tskqalc8zKXTf4MrX1WJSKw2D8i2l1B6Z7/UhjncAZKaAz7pky33QlitaDtp4Jg4k/ERcqcODB8jG+7oW17At96tXpiqCu6LUki4gkMrtsojRyaVHhl12w4XjVUHW9DyyzELlUT3CluF42wN9zyqDuyhPsuuIr4JrrhNrjvhFU6dcWppvjOvaZMIBvHH5A77F7LDVoCcLwYlrqmpnpxmateeIQHC8IId2JcFlg5CbD3abN9CjtUpoK8ZDRiEt3ULNkyOZ7z1hSfwa9TpJ//HkpWoXsO1b16+ZcNUdM=
+    ldap-user-pass: AgBX8ryuZX2fr6CZDaYOR54I445RNY123jp5LpyYLtB4QQljzmD6CC9BIOP5eju46cu5q/GoMSRdz5OthSLXfUB+I0iRrq+yI4bWpckpcrecNa0eJn0PAbWoI+T4gfAbkOxLLz1+yfG8J2PKqwZGVmpBqSBaqw1PQnkj8HggP05YtU8kfmH8W+Gi6c5mOBOL6RtIOgWW0pHgz1OZRKLKgyb70D+suvK1Xw9cKehkNoWtbmS9YvB+2lXZpWPW96Bw1mYnilEWr5WgMRz5aYYShe7/yf9OaFHfHpORgH42dpt+nvMSb5fY8nYVjEm6cYyS/mRm7H5cuBYwj5XnghAAoSIhX1B2KxIhbLh+yvFo+y1tdZB+q7sbJHFTegqRXi/eVvM3qkqTxksxhw9kGvCT/v7vRlS6jXHNTk1wS/Ka40Sv2AHaKlg/cMLQGZZur2LJcCZW6UVZwc2uqpJuszm1RwNX7hiTe+Pj1nCE+Iu/nHJrsk4SVEVcsRGOCAQjXwCXqbkuCz8dqZvCHVYBa2qIZTEd4gTXPjabaabudUzAXRiBg1SHLTVwz4HszUY3yfKASNdpYSxZwHTDt/BTENC8NJyT0Y48Daw26uS3U+87Ntsoe0gruccamhoKPdZlzA9Pl1hoD/GEryhVCLbuUhHC02qGo7WhjPaDZ/Cguu906e6qR4bq78PqBMiz6XllZgrZ0QMshT8/ubo9Bh7HxUD0aw==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: lldap-credentials
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/lldap.deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: lldap
+  name: lldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: lldap
+    spec:
+      containers:
+        - env:
+            - name: GID
+              value: "1001"
+            - name: LLDAP_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: jwt-secret
+            - name: LLDAP_LDAP_BASE_DN
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: base-dn
+            - name: LLDAP_LDAP_USER_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: ldap-user-pass
+            - name: TZ
+              value: Europe/Berlin
+            - name: UID
+              value: "1001"
+          image: lldap
+          name: lldap
+          ports:
+            - containerPort: 3890
+            - containerPort: 17170
+          volumeMounts:
+            - mountPath: /data
+              name: lldap-data
+      restartPolicy: Always
+      volumes:
+        - name: lldap-data
+          persistentVolumeClaim:
+            claimName: lldap-data

infrastructure/authelia/lldap.pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: lldap-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/authelia/lldap.service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lldap
+spec:
+  selector:
+    app: lldap
+  ports:
+  - port: 3890
+    targetPort: 3890

infrastructure/authelia/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/backup/README.md

@@ -1,15 +1,8 @@
-# How to restore
+# How to initialize a new target
+I used multiple targets for backup. Each target needs to be initialized with a repository.
 
-1.  Port forward the rest api for gcloud
-    ```bash
-    kubectl port-forward -n backup service/rclone-gcloud 8000
-    ```
-
-2. Load the snapshots locally
-    ```bash
-    restic -r rest:http://127.0.0.1:8000/kluster mount /mnt/restic
-    ```
-    (The password is in a secret)
-
-3. Copy relevant files to the correct location on the NAS
+After the target (bucket or other) is created, run the following command **locally** to initialize the target:
 
+```bash
+restic -r <target> init
+```

infrastructure/backup/backblaze-credentials.sealedsecret.yaml

@@ -7,10 +7,10 @@ metadata:
   namespace: backup
 spec:
   encryptedData:
-    bucket-id: AgBwwjlkGjskxMXXpXrnfcT9fJGgDXtbOO/6WcpqsX0exoADw31dADjLTHztiddsGYipiGFf2DBWge69UEnL04NXIzh/xTwWtWaqlz6yOJm/89FMQE1mfbrrLc7tk98TO3oS8i+IDAnkUiYyvDXJexgJg56QLY595PXkpplYit2bAk43mAB02yUZAK0gMs3KRDIvhHFsMq8Uiqx78En5KGGXwEg6KbVDyNvI2k8suEyy+C0yNO/M6dlczoUQiIJbllQzbqIzuxbOp609PfvGFAYHuPlz1kwsg+feZJ3kNsHYi4hWvpd64BWb30iO9J3dAYfW6d7C61t3S5uabmnd9E7bMYZA/OppD8SCknBFalXF91BUiJao9qBVd/BB7TCZOzhdzhxTW+FhgARcA+GIfg+nIzgBqHfAfQQmAOO2RZnsWrvMysyZaUpODvU8kSsLWZJ3CESVRVU3BHmJZpyxjX/s6QEXShQXZaLq54zoFJULZU/kbom5yFNNDWW5sKbURPvbKJcf/J9QabY5toO4yOwDk96Sr/FI+CHHvMh8/amigva0Upq6naiTHXMf4BR6+w3VKP5ALn5cbD5jG7EpUA/j1roMoLn68GMAtTJDLvSq2BGeJENWrUpOmjWZHDKZy8DEKorJk/Wbp46ksteSALE8eXpi4DRKXYDPvDb57EhzoJGQ9NMXgAvU9+1vw2nyTZE4gAWKpg0JkiHglu4Om79HfuGuewzJXlY=
-    key-id: AgBe4Iytjw9CkT7CqqNLHWyG4F8F+R6m8W1fnQZdGJvLy7D81+nB2ZDMCUZgUQV/mppGnXCkSxHyelcyTYCswQ9bD8hZsAIiQACq39v2UFxdORFEgNMj4bTWPo65fwhSK2giozPqN/4lzPopP91uyq1Z0gQaiqn/HDtbfNjq+Nu9kPmV06O1NUj1f7QqvfsMK+Xadv0G+DAA+ClGaq1q3fZPDkl2MSDdbEPGq+fLPK2DSdYu9fr1bc9TPyaU5JDFvGrCg8Nyigugi4wVGjQFtVwR1QsHAADmnoDAdXoj1Sz65QO5F+zNaDZWvnLnVFxAFrXJHihilc4ilAc8hSpE6YHQm7dGO5gGejLRNaaCspb/fPJD1g2XlnkckhFCSwd9sHNrXb07BZk8gFTHfndEC0t2UyUNloYpXsfap6fvehPK91ey35jbxDk9zYdgKZ7bz/tY0450CkofSbhisf2DwS3prt5YCEDaXasrpUqlk4dSbmLaGm6aee8lM5VpO8qYE56nvXY7qr0yB6z/NGWuLX3oH3fV+C8hH1P4mxDjvVEFdtewlF50Bf9WFoE7KpboSvmChZhBfjOkbtsGmQE41ZuNoYVupetXn6IfvYo6MzGoG6dTRVpJ5S2KLQDtsUljQfXJDFCSYwo87DD2dGBEn/z9GFCIPAYNO2ewzU4RUgcXPuDD4I2tdNIC+xdEBZq7BaWn/46Yfc1+FAWUA9VWEL/9kz5tK6hFD3Ww
-    key-secret: AgBcKSHdXHeNBzkZRtbaOEZra7AAWVlzmubaQoklECr14gKNL7rTReqX87qQObjQjmGKXtnJlKXIVHGDuiuHGkqfxQ9PCxccvpA3/7LdbFZnZtlFDWpAv+VB6Tp7H7Quho/GeAo8u6de0BXz85lz7+RyDCssBpuuzpchMgOlcEmhhfgQM5E6ye7bD6LpAZWcay3PV6FW2xTrJvLobpCcJordye6iTdSySPKdk6zflkon9h1KuQT+njmW4cfTQg/u7iS/NDQYcHdCpDHRLCor4GkVmi7NW8q+WuYhUSGWBy55SGvcUobhUL7GEHFJZpKmyrBOwSbwiWUDoN+NjI2TR5xvG0Ldjd/Hj32Vk29I+xSnj/O7pZj5ho35qExlZ/WCe42i0VHjzHFbOoU1MkqB+Skm24L1cLufhyNBtA8NNN3GWZhkcozpe164gpx4H/Vfe0UyzxUn4VJIws/IXYiLb4DgDkGrV+wzigN2QfSgTgs6syQkSs4UJ4gUZeN0jsyq0YHIhq1VZ8qPtLH310d8LZLxpTjZdO0obBwJfnHkg3blwSABEt5756C5DvjKmvO1pjG+JX/PJ0yAINL9Sc+FsY7TnGlItVzD830NcZ3Gg9C4Tg4xBEHybUWCSl1rJjwMvmUvVKNcIzLBHPAOyle1VLTZ37zb13MnhwNwdUtBu7+RZTy9wVO26iqemXTtFVj13kgZkJsyLjM6bo2y2wvFmjBCV9EKQtm87ROStM7iKB46
-    repository-string: AgAEYSqT6VR4OKW9/ZDgjYV+rm4tK3uucZsQG2u7W+8rRO0Rowkuba1AbybjgTE+G3q8si/GtlgsB1J8suvztHcVLNxg0y0Olb40pn2sZjKd85Q8AzsM0pFMkzme1lvnwu1Bcgd6Ck+FCr4CuUnh+UvJM5iWhAoSHJtdBb/EKw2F1BhewAqMXSX4oWM7V/T8RTtW2wBUk4wgX4ia+gCBPMpTo6i00ZtSpRB3Ub9VfGJfRmiXZA7oh5j3yN9nJlXonbJYBp4DNWod76CF7s35HBnSzS7YfIV80R4lH4xAPgRbZ0tvPWkTLMhSBX8rJCEnxT7DjL2lS7WfyboLdL4Uy8WmP7n2difZSr7p2iic6SCP44YgQ8JY5UgXh2QZENQ6oLvjK/PpFTjQ4bfw3E1/dakg1EdCYc/6DPyK3YekccUe/pXvVBrazpgObxXWeKKT6RMDeYWLUXTBHWhJ5OaJHHePD5t9IM65FlFTtkuUFbxExTi/u+RczBlWWcy10Yow3I3LGrDPJ/PfBy4RPfHCeQDQ+WoLJkNT20nu5mBXEYYKgNvgdn4yogifSiNG8vsNpo4dO89aHppbnHdmdp7F9asfbn27btEoFoHzIFku/mEnY5srs+Smrhhzy0+iPKge9LOuW33Gi4oJban1UYFvLAjq8YsZGkbIO82r2p+v15UjwU3girWPl1KBUc8WzLJtnqBvRPWS1ul6/X9JIdmmrHJjC0KlcGiVMU/Ls9ljnQj7dgLXuDW7JzuK3MhTWV3Y2kS39ze3TskCKcbL
+    bucket-id: AgBZ4U2eKOmIy5oj7KLvDy7LYi41KtyZLYhMsxRcKYeQVW0lYetrsHbnsCTsw1u3kqI6pSrjUVQslpOupAlwmEdwpT5pSfAvgmLpl8NV8JFLSf1vv4cd0yBe3raFxTtTjmt9BPrEaZY1NrvW2l9SeK1JsRBJoVo9+NOlNmMWAsABi2iK/r2O9bTr9e9sOKH1DQZrvxgZKYRH40CosaQL7eBJR9EZcxSvCCp5mjZISuVI0FSgA+Xj1pXODvnf7cXkDMRg6mDDOkdYCZsQ+3a7/YZkoDBEcrO734WojHDDMLVq8lEOqzepJZJnje0jLjz5vn2pDYKGe7j3cbmMPUsNpSnUDmjFFuXTIS70RIoHUAVaPvdRpWlhYYeZiwecc+Y8gKramApCYKuUUzu8opIcckpGd/qzHCaKPyKL7qwtm9aA1rkaKLkrYjJkIhF32gp6E1qiea2L4QQD3ww/2r3UryLHygNeiNbey22covJsABA15B7LbGBaNCHhj1sqaboYvDg+FWK+Nu09UYuIvvQYw2vhKWREILbtRbyHq5J46mWtekSA0B4JU/mZL/GKwGIyS32pSZGo8gFnNzpJUDC5aNSpOPdE0FyeuJ8o+XVA43Rs6DE6885uAYMGTZhNWLZtsgOIs45ly0o8Phg02P1KvWmZzyitHWpWyAW9TXADh4GETJbFOcH7AjrrAVC5+bqI6Dx8O3qM8wnN/5MTo3EnL/lxg1wBf2c1SQU=
+    key-id: AgCPco6/scrq+3BDVimLOssVYG78vAmNOLgo4ZM9k+ayfy9morHOBQRflAJDrLO+F/2fJFM0WvZ+8gd+NnR7W6i7R3wGImN5xr115sCsBWUAM7ued7QunyrumB+Sw/o1FDcW4+S5bqwONtr07bS/M5dYM7l8Uy1zO3BOxtvWOMqdEzSrmyW/j2Kg3tQq1lEze/TOPjS4LgXqqWMWHVCyzJTpfImS3u73EUisVQBPqO7y1m3fEUvZuqVeJVK9hT3PPGuX2HUAVcIMMKWIhsA2/aMYhHQ/J0UOgc/YrGzU6DWVQoaetAHPPrt+fFQXL+MbDVaLQwk18AaRe8vhMXMwWakQEzK3fGtwPeklJB78OV4HNwpGXGFQWr1wU+T1evMJ5mv8O4VvWg7pu6blwjLCEseaCuwib5tPghIFT+LXpl2jPuyRveD5Qdl4seDZwoE9joaTWlcPreQYfuCwsQnBX25Owf4uo3XzVuVrHHRfm4O7g2VqhI5W3NcVwKhfXKuqUKDfsAmbX/RlwcihmlX6UySL42EIO5Z3xcFqEtQzba3IYgLOP8yRjGzRKUklcKFjrtoa+ZQjewKjS5x685Ffjgb4PCmpearUlVeboqH34zQBiflnecZQrwdhntVRfd3F0tkbtA/Th550IqYwezBv3AqVwZZPm+q3jeM7i0HDu6JzVYsUVpxe2MTVSKncy2p6wihhdbJeTO0gnHHydlUsyd2C2P2pXUppgjoY
+    key-secret: AgAQ9GBMK/sXev8MKfCeYYgtf3tW93xvDn2jjTHaO/trAoU2OgWMS3kWKme/E+ONOxVOA3qonHhUgXcWxyut4OgMFJj2yBGRb+TqD+e0fE0KCqAwRKuYhXgFFl5SgAPZiWOAnYIJM16xu5Ci3UbrM8a8QAXAVV9aH3eT5HMF+GeqgSvhEVEQO1C8KOjVkawoqIHmDmr5KUbK4SFnIut+zCz/2HQLApNkZhPUY2whZOZjz4rwMtu2NDu8k08lI3Zl03OAw38rsbcNfZC8KbENsf1vthn5YpVJomcJKp/prgEp+/C64ZexgBWzZysq1WHs96F8R/ZmgD/Hu1Am/VjvHoFrfbLvXYUZzXGhyCBjhSwqcysm08uI5FvCs9F7WGVbYe5M/sYUMMJwLP5iILd2fkodm/+GWgl/p3EzQ76aCH85FqFhL3/9zA69bM8mZUpVG85i2yNJ9HvLe8z2EnZrh4BTgMRod/DsP9qN5NlofP0dJhK4SyXvy6M+ZO2V7CE4ksLvdWWXcJFmzuiG35DC/dQYHu8tcgywYyFVOw6uAetXSVrIzgGSCche1PZ7RKz2N4CqV5eTe6zUAgNPf4IxPne86f2AGKkivh+QcsIqfXkkR4OzcMslaKskkCniKD0IMf2aFHniSWzivi07gk5PYDxjwpa9AM2yUGRXYTcDSZquNXAt4SxE1YLDb5twZ8JyPP1Q884dwJ3+/M1DwTJj4CewO+zhH4MIURfRaGvipwsV
+    repository-string: AgBuD/n5Pnz2AwkFUR6ChGSPMTahm5fdStTay2dD12g+IJC+zNKGlY96rxy1RRLpGJi9sj5UzqIjWd2ke+BB9Xx3RfNygh+hjQEqwb15Z5w8Vo2j7iNRYdjqm/q/ug337Ycc+p2AAxEaA4GZln+Ujq7Xh0m0mOg58N640A+zuav5Xg8dQvUoO5vrqcx8lKzUwZuEayjubZPOZDtED14bTj8FWp6a8A88PjvH+xX9ZCi+omuplHFD8+iJyHewMaPq8CPxsa90J/jHR0FyEzkPcx3/zxryeodQFSiCtvMEb4TZsABMYGlFWOdJwqTcPvqSLRZH9Emx7NmaapknERxuoozDegl/KYF8GpshizBcHaV2YEPxNFiAcPMAqmLTJc0E8SbtGcWeilVdqz2z0+Ezqs0VL5DRICBVFg+HT01bYg3yL8FYd3dfeXepijXurMJodL+pORy0y6NeS9dSvOTqoGr7mf/SeaXSMG+cdHw1+V88CVozqFgV7yLe3NzoOPSIgjyoHckpprZSZHfYF9bgX4r8tT1vrlZqN/KlBcbyYsexYK9+s866b9rpZppvgYx1I50sWm+bAeMEYrVBy2sm6fAbpb1U+3+j9CICVnJ0E1VRyOCRCvh3ncpCRgDhvXAfZTMujxGWR6m9nAi6ixp6nLx3oWsgnszK0kAoxKoHTFiNGzdpr9M092ziBnjPosmLp4fV/HdmWKlldWMsbo0HkdMmPQlKQXmtzZ09WgeSHRh1T/3rSybzwXfukh1tj1IcVIM=
   template:
     metadata:
       creationTimestamp: null

infrastructure/backup/cronjobs-base/cronjob.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: restic-rclone-gdrive
+  name: restic-backblaze
   
 spec:
   successfulJobsHistoryLimit: 2
@@ -12,7 +12,7 @@ spec:
       template:
         spec:
           restartPolicy: Never
-          hostname: restic-k3s-pod
+          hostname: restic-kluster
           # used by restic to identify the host
           containers:
           # run after completion of initContainers
@@ -62,7 +62,7 @@ spec:
                   secretKeyRef:
                     name: backblaze-credentials
                     key: key-id
-              - name: AWS_ACCESS_KEY
+              - name: AWS_SECRET_ACCESS_KEY
                 valueFrom:
                   secretKeyRef:
                     name: backblaze-credentials

infrastructure/backup/cronjobs-overlays/applying.md

@@ -1,8 +0,0 @@
-```
-k kustomize backup/overlays/backup | k apply -f -
-> secret/restic-credentials-backup created
-> cronjob.batch/restic-backblaze-backup created
-k kustomize backup/overlays/prune | k apply -f -
-> secret/restic-credentials-prune created
-> cronjob.batch/restic-backblaze-prune created
-```

infrastructure/backup/cronjobs-overlays/backup/kustomization.yaml

@@ -13,12 +13,12 @@ patches:
   - path: restic-commands.yaml
     target:
       kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
   - target:
       kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
       # replace the name of the cronjob
     patch: |-
       - op: replace
         path: /metadata/name
-        value: restic-gdrive-backup
+        value: restic-backblaze-backup

infrastructure/backup/cronjobs-overlays/backup/restic-commands.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: restic-gdrive-backup
+  name: restic-backblaze-backup
 spec:
   schedule: "0 2 * * *"
   # at 2:00, every day
@@ -27,4 +27,4 @@ spec:
           - name: ntfy-command-send
             env:
               - name: OPERATION
-                value: "Restic backup to gdrive"
+                value: "Restic backup to backblaze"

infrastructure/backup/cronjobs-overlays/prune/kustomization.yaml

@@ -11,12 +11,12 @@ patches:
   - path: restic-commands.yaml
     target:
       kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
   - target:
       kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
       # replace the name of the cronjob
     patch: |-
       - op: replace
         path: /metadata/name
-        value: restic-gdrive-prune
+        value: restic-backblaze-prune

infrastructure/backup/cronjobs-overlays/prune/restic-commands.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: restic-gdrive-prune
+  name: restic-backblaze-prune
 spec:
   schedule: "0 0 1/15 * *"
   # at midnight, the first and 15. of every month
@@ -28,4 +28,4 @@ spec:
           - name: ntfy-command-send
             env:
               - name: OPERATION
-                value: "Restic prune on gdrive"
+                value: "Restic prune on backblaze"

infrastructure/backup/postgres/cronjob.yaml

@@ -1,32 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: postgres-backup
-spec:
-  # Backup the database every day at 1AM
-  schedule: "0 1 * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: postgres-backup
-            image: postgres:15
-            command: ["/bin/sh"]
-            args:
-              - '-c'
-              - 'pg_dumpall -U postgres -h postgres-postgresql.postgres > /backup/backup-$(date +"%m-%d-%Y-%H-%M").sql'
-            env:
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-password
-                  key: password
-            volumeMounts:
-            - mountPath: /backup
-              name: postgres-backup-claim
-          restartPolicy: Never
-          volumes:
-          - name: postgres-backup-claim
-            persistentVolumeClaim:
-              claimName: postgres-backup-claim

infrastructure/backup/postgres/kustomization.yaml

@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: backup
-
-resources:
-  - postgres.sealedsecret.yaml
-  - pvc.yaml
-  - cronjob.yaml

infrastructure/backup/postgres/postgres.sealedsecret.yaml

@@ -1,21 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "postgres-password",
-    "namespace": "backup",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "postgres-password",
-        "namespace": "backup",
-        "creationTimestamp": null
-      }
-    },
-    "encryptedData": {
-      "password": "AgBZViaCuD8Zm/nkDe95xVZXgeRVJ0zE64e8efigBrkM+XUT9ber034QY5USZWalJ8nC930FB5t4N96D+LyWWXiLrYQvnYHpsi+wxJd3H/EimQo1IJ7XKNHxRC226NGX8ugb9Lez71IZaldyK3tAX0yoQ5/j304+mzetP/535EKYjZ7NucYE7KMUDsb5JsAaswd2H5fIl61PK/lEVN9AJLIo9MKL0zbGDOJCh1WNG6bUn0oi825R9AT80QulXFl/qxBHQT8R/u1AIqJDnrhLf8CiMBCs60K4D/A/F3uFwzsfGF4t2tDrowbPnGL7abAfe+DeHW8WSQoiMQWe/rTb4mnaErRNWSWmSwOcFNtUt9QQG4LvH44RTLaXKxbNfZphsNtBYk+F8SPngOok8FxoyycwUwDbA5clCt/Kh9bMOfUQpXrPc/rfXR5FO23kxM8h2pfC7QYNej0k3LexcikdQrpqRj9yMAVMSI7xF35Tfc5buqasIDlgRxTSi2Pn/fAFIK3QqY7YQWZOYzuD3w6aTUx0trmHNTycmotKV/kbni/ZOMmf6NMGbZs5R3VbmA1vFtdp9YVD5dJ0t0aTXTdNuWjeC0+vQF0lnXPWonRYf65e8KOwcuDjTYU6ghDfQPngJ01FFoTgiF+X/1iZ+7uvIeIULak8dMIQz6CqfrCkahkimz5u2c+b3ZPlNnXRyPmZE/1JscLXaKuXvg=="
-    }
-  }
-}