Merge pull request 'Update Immich containers to v1.144.1' (#611) from renovate/immich-app-images into main

Reviewed-on: #611

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -3,4 +3,7 @@
 main.key
 
 # Helm Chart files
-charts/
+charts/
+
+# Nix and local environment files
+.direnv/

README.md

@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
 
 
-### Initial setup
+### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,21 +27,61 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
-#### Recap
-- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+## Setup instructions
+1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
     ```bash
     kubectl apply -k infrastructure/sealedsecrets
     kubectl apply -f infrastructure/sealedsecrets/main.key
     kubectl delete pod -n kube-system -l name=sealed-secrets-controller
     ```
-- install argocd
+1. install argocd and the app-of-apps bundled with it
     ```bash
     kubectl apply -k infrastructure/argocd
     ```
-- wait...
+
+
+> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). Some might fail to apply right away. Since the argo application is managed through argo as well, they will become available as all kluster applications are rolled out.
 
 
 ### Adding an application
-todo
+1. todo
+1. Don't forget to add the status badge.
 
 
+
+### Status
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
+
+
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
+---
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
+[![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
+

apps/adguard/configmap.yaml

@@ -27,7 +27,10 @@ data:
       ratelimit_whitelist: []
       refuse_any: true
       upstream_dns:
-        - https://dns10.quad9.net/dns-query
+        - tls://1.1.1.1
+        - tls://dns.google
+        - tls://p0.freedns.controld.com
+        - tls://dns.quad9.net
       upstream_dns_file: ""
       bootstrap_dns:
         - 9.9.9.10
@@ -35,8 +38,7 @@ data:
         - 2620:fe::10
         - 2620:fe::fe:10
       fallback_dns: []
-      all_servers: false
-      fastest_addr: false
+      upstream_mode: load_balance
       fastest_timeout: 1s
       allowed_clients: []
       disallowed_clients: []
@@ -72,6 +74,8 @@ data:
       dns64_prefixes: []
       serve_http3: false
       use_http3_upstreams: false
+      serve_plain_dns: true
+      hostsfile_enabled: true
     tls:
       enabled: false
       server_name: ""
@@ -88,12 +92,14 @@ data:
       private_key_path: ""
       strict_sni_check: false
     querylog:
+      dir_path: ""
       ignored: []
       interval: 2160h
       size_memory: 1000
       enabled: true
       file_enabled: true
     statistics:
+      dir_path: ""
       ignored: []
       interval: 24h
       enabled: true
@@ -110,6 +116,10 @@ data:
         url: https://someonewhocares.org/hosts/zero/hosts
         name: Dan Pollock's List
         id: 1684963532
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
+        name: Peter Lowe's Blocklist
+        id: 1735824753
     whitelist_filters: []
     user_rules: []
     dhcp:
@@ -134,13 +144,36 @@ data:
       blocking_ipv6: ""
       blocked_services:
         schedule:
-          time_zone: UTC
-        ids: []
+          time_zone: Europe/Berlin
+          sun:
+            start: 18h
+            end: 23h59m
+          mon:
+            start: 18h
+            end: 23h59m
+          tue:
+            start: 18h
+            end: 23h59m
+          wed:
+            start: 18h
+            end: 23h59m
+          thu:
+            start: 18h
+            end: 23h59m
+          fri:
+            start: 18h
+            end: 23h59m
+          sat:
+            start: 18h
+            end: 23h59m
+        ids:
+          - reddit
       protection_disabled_until: null
       safe_search:
         enabled: false
         bing: true
         duckduckgo: true
+        ecosia: true
         google: true
         pixabay: true
         yandex: true
@@ -149,11 +182,13 @@ data:
       parental_block_host: family-block.dns.adguard.com
       safebrowsing_block_host: standard-block.dns.adguard.com
       rewrites: []
+      safe_fs_patterns:
+        - /opt/adguardhome/data/userfilters/*
       safebrowsing_cache_size: 1048576
       safesearch_cache_size: 1048576
       parental_cache_size: 1048576
       cache_time: 30
-      filters_update_interval: 24
+      filters_update_interval: 168
       blocked_response_ttl: 10
       filtering_enabled: true
       parental_enabled: true
@@ -168,6 +203,7 @@ data:
         hosts: true
       persistent: []
     log:
+      enabled: true
       file: ""
       max_backups: 0
       max_size: 100
@@ -179,4 +215,4 @@ data:
       group: ""
       user: ""
       rlimit_nofile: 0
-    schema_version: 27
+    schema_version: 29

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.53
+    newTag: v0.107.67
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.15.0"
+    newTag: "2.29.0"

apps/code-server/deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: code-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: code-server
+  template:
+    metadata:
+      labels:
+        app: code-server
+    spec:
+      containers:
+        - name: code-server
+          image: code-server
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          - name: CONFIG_PATH
+            value: /data/config
+          - name: METADATA_PATH
+            value: /data/metadata
+          volumeMounts:
+            - name: data
+              mountPath: /home/coder
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "6"
+              memory: "16Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: code-server-data
+

apps/code-server/ingress.yaml

@@ -1,18 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: dendrite-ingressroute
+  name: audiobookshelf-ingressroute
 
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`dendrite.kluster.moll.re`)
+  - match: Host(`code.kluster.moll.re`)
     kind: Rule
     services:
-    - name: dendrite
-      port: 8008
-      # scheme: https
+    - name: code-server-web
+      port: 8080
 
   tls:
     certResolver: default-tls 

apps/code-server/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: code-server
+
+images:
+  - name: code-server
+    newName: ghcr.io/coder/code-server
+    newTag: 4.104.3-fedora

apps/code-server/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: code-server-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/code-server/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: code-server-web
+spec:
+  selector:
+    app: code-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+  type: LoadBalancer

apps/dendrite/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: 
-  - namespace.yaml
-  - postgres.yaml
-  - postgres-user.secret.yaml
-  - ingress.yaml
-
-namespace: dendrite
-
-helmCharts:
-  - name: dendrite
-    releaseName: dendrite
-    version: 0.13.5
-    valuesFile: values.yaml
-    repo: https://matrix-org.github.io/dendrite/

apps/dendrite/postgres.yaml

@@ -1,25 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: dendrite-postgres
-spec:
-  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
-  bootstrap:
-    initdb:
-      owner: dendrite
-      database: dendrite
-      secret:
-        name: postgres-password
-
-  # Persistent storage configuration
-  storage:
-    size: 2Gi
-    pvcTemplate:
-      accessModes:
-        - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
-      storageClassName: nfs-client
-      volumeMode: Filesystem

apps/dendrite/values.yaml

@@ -1,287 +0,0 @@
-
-# signing key to use
-signing_key:
-  # -- Create a new signing key, if not exists
-  create: true
-
-persistence:
-  jetstream:
-    # -- PVC Storage Request for the jetstream volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-  media:
-    # -- PVC Storage Request for the media volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-  search:
-    # -- PVC Storage Request for the search volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-
-
-
-dendrite_config:
-  version: 2
-  global:
-    # -- **REQUIRED** Servername for this Dendrite deployment.
-    server_name: "dendrite.kluster.moll.re"
-
-    # -- The server name to delegate server-server communications to, with optional port
-    # e.g. localhost:443
-    well_known_server_name: ""
-
-    # -- The server name to delegate client-server communications to, with optional port
-    # e.g. localhost:443
-    well_known_client_name: ""
-
-    # -- Lists of domains that the server will trust as identity servers to verify third
-    # party identifiers such as phone numbers and email addresses.
-    trusted_third_party_id_servers:
-      - matrix.org
-      - vector.im
-
-    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
-    # to old signing keys that were formerly in use on this domain name. These
-    # keys will not be used for federation request or event signing, but will be
-    # provided to any other homeserver that asks when trying to verify old events.
-    old_private_keys:
-    #  If the old private key file is available:
-    #  - private_key: old_matrix_key.pem
-    #    expired_at: 1601024554498
-    #  If only the public key (in base64 format) and key ID are known:
-    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
-    #    key_id: ed25519:mykeyid
-    #    expired_at: 1601024554498
-
-    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
-    # to other servers and the federation API will not be exposed.
-    disable_federation: false
-
-    key_validity_period: 168h0m0s
-
-    database:
-      # -- The connection string for connections to Postgres.
-      # This will be set automatically if using the Postgres dependency
-      connection_string: "postgresql://dendrite:supersecretpassword!@dendrite-postgres-rw/dendrite"
-      # -- Default database maximum open connections
-      max_open_conns: 90
-      # -- Default database maximum idle connections
-      max_idle_conns: 5
-      # -- Default database maximum lifetime
-      conn_max_lifetime: -1
-
-    jetstream:
-      # -- Persistent directory to store JetStream streams in.
-      storage_path: "/data/jetstream"
-      # -- NATS JetStream server addresses if not using internal NATS.
-      addresses: []
-      # -- The prefix for JetStream streams
-      topic_prefix: "Dendrite"
-      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
-      in_memory: false
-      # -- Disables TLS validation. This should **NOT** be used in production.
-      disable_tls_validation: true
-
-    cache:
-      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
-      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
-      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
-      # memory limit for the entire process. A cache that is too small may ultimately
-      # provide little or no benefit.
-      max_size_estimated: 1gb
-      # -- The maximum amount of time that a cache entry can live for in memory before
-      # it will be evicted and/or refreshed from the database. Lower values result in
-      # easier admission of new cache entries but may also increase database load in
-      # comparison to higher values, so adjust conservatively. Higher values may make
-      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
-      # become popular.
-      max_age: 1h
-
-    report_stats:
-      # -- Configures phone-home statistics reporting. These statistics contain the server
-      # name, number of active users and some information on your deployment config.
-      # We use this information to understand how Dendrite is being used in the wild.
-      enabled: false
-
-    presence:
-      # -- Controls whether we receive presence events from other servers
-      enable_inbound: false
-      # -- Controls whether we send presence events for our local users to other servers.
-      # (_May increase CPU/memory usage_)
-      enable_outbound: false
-
-    server_notices:
-      # -- Server notices allows server admins to send messages to all users on the server.
-      enabled: false
-      # -- The local part for the user sending server notices.
-      local_part: "_server"
-      # -- The display name for the user sending server notices.
-      display_name: "Server Alerts"
-      # -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
-      avatar_url: ""
-      # The room name to be used when sending server notices. This room name will
-      # appear in user clients.
-      room_name: "Server Alerts"
-
-    # prometheus metrics
-    metrics:
-      # -- Whether or not Prometheus metrics are enabled.
-      enabled: false
-      # HTTP basic authentication to protect access to monitoring.
-      basic_auth:
-        # -- HTTP basic authentication username
-        user: "metrics"
-        # -- HTTP basic authentication password
-        password: metrics
-
-  app_service_api:
-    # -- Disable the validation of TLS certificates of appservices. This is
-    # not recommended in production since it may allow appservice traffic
-    # to be sent to an insecure endpoint.
-    disable_tls_validation: false
-    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
-    config_files: []
-
-  client_api:
-    # -- Prevents new users from being able to register on this homeserver, except when
-    # using the registration shared secret below.
-    registration_disabled: true
-
-    # Prevents new guest accounts from being created. Guest registration is also
-    # disabled implicitly by setting 'registration_disabled' above.
-    guests_disabled: true
-
-    # -- If set, allows registration by anyone who knows the shared secret, regardless of
-    # whether registration is otherwise disabled.
-    registration_shared_secret: "supersecretpassword"
-
-
-    # TURN server information that this homeserver should send to clients.
-    turn:
-      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
-      turn_user_lifetime: "24h"
-      turn_uris: []
-      turn_shared_secret: ""
-      # -- The TURN username
-      turn_username: ""
-      # -- The TURN password
-      turn_password: ""
-
-    rate_limiting:
-      # -- Enable rate limiting
-      enabled: true
-      # -- After how many requests a rate limit should be activated
-      threshold: 20
-      # -- Cooloff time in milliseconds
-      cooloff_ms: 500
-      # -- Users which should be exempt from rate limiting
-      exempt_user_ids:
-
-  federation_api:
-    # -- Federation failure threshold. How many consecutive failures that we should
-    # tolerate when sending federation requests to a specific server. The backoff
-    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
-    # The default value is 16 if not specified, which is circa 18 hours.
-    send_max_retries: 16
-    # -- Disable TLS validation. This should **NOT** be used in production.
-    disable_tls_validation: false
-    prefer_direct_fetch: false
-    # -- Prevents Dendrite from keeping HTTP connections
-    # open for reuse for future requests. Connections will be closed quicker
-    # but we may spend more time on TLS handshakes instead.
-    disable_http_keepalives: false
-    # -- Perspective keyservers, to use as a backup when direct key fetch
-    # requests don't succeed.
-    # @default -- See value.yaml
-    key_perspectives:
-      - server_name: matrix.org
-        keys:
-          - key_id: ed25519:auto
-            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
-          - key_id: ed25519:a_RXGa
-            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
-
-  media_api:
-    # -- The path to store media files (e.g. avatars) in
-    base_path: "/data/media_store"
-    # -- The max file size for uploaded media files
-    max_file_size_bytes: 10485760
-    # Whether to dynamically generate thumbnails if needed.
-    dynamic_thumbnails: false
-    # -- The maximum number of simultaneous thumbnail generators to run.
-    max_thumbnail_generators: 10
-    # -- A list of thumbnail sizes to be generated for media content.
-    # @default -- See value.yaml
-    thumbnail_sizes:
-      - width: 32
-        height: 32
-        method: crop
-      - width: 96
-        height: 96
-        method: crop
-      - width: 640
-        height: 480
-        method: scale
-
-  sync_api:
-    # -- This option controls which HTTP header to inspect to find the real remote IP
-    # address of the client. This is likely required if Dendrite is running behind
-    # a reverse proxy server.
-    real_ip_header: X-Real-IP
-    # -- Configuration for the full-text search engine.
-    search:
-      # -- Whether fulltext search is enabled.
-      enabled: true
-      # -- The path to store the search index in.
-      index_path: "/data/search"
-      # -- The language most likely to be used on the server - used when indexing, to
-      # ensure the returned results match expectations. A full list of possible languages
-      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
-      language: "en"
-
-  user_api:
-    # -- bcrypt cost to use when hashing passwords.
-    # (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
-    bcrypt_cost: 10
-    # -- OpenID Token lifetime in milliseconds.
-    openid_token_lifetime_ms: 3600000
-    # - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
-    push_gateway_disable_tls_validation: false
-    # -- Rooms to join users to after registration
-    auto_join_rooms: []
-
-  # -- Default logging configuration
-  logging:
-  - type: std
-    level: info
-
-postgresql:
-  # -- Enable and configure postgres as the database for dendrite.
-  # @default -- See value.yaml
-  enabled: false
-
-ingress:
-  # -- Create an ingress for the deployment
-  enabled: false
-
-service:
-  type: ClusterIP
-  port: 8008
-
-prometheus:
-  servicemonitor:
-    # -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
-    enabled: false
-    # -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
-    labels: {}
-  rules:
-    # -- Enable PrometheusRules for Prometheus-Operator for setup alerting
-    enabled: false
-    # -- Extra Labels on PrometheusRules for selector of Prometheus Instance
-    labels: {}
-    # -- additional alertrules (no default alertrules are provided)
-    additionalRules: []
-

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "5.0.8"
+    newTag: "7.3.0"

apps/finance/actualbudget.deployment.yaml

@@ -21,6 +21,9 @@ spec:
           env:
             - name: TZ
               value: Europe/Berlin
+          envFrom:
+            - secretRef:
+                name: actualbudget-oidc
           volumeMounts:
             - name: data
               mountPath: /data

apps/finance/kustomization.yaml

@@ -9,8 +9,9 @@ resources:
   - actualbudget.deployment.yaml
   - actualbudget.service.yaml
   - actualbudget.ingress.yaml
+  - oidc.sealedsecret.yaml
 
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.10.1
+    newTag: 25.10.0

apps/finance/oidc.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: actualbudget-oidc
+  namespace: finance
+spec:
+  encryptedData:
+    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
+    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
+    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
+    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
+    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: actualbudget-oidc
+      namespace: finance

apps/grafana/grafana-admin.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-admin-secret
+  namespace: grafana
+spec:
+  encryptedData:
+    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
+    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-admin-secret
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana-auth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: grafana
+spec:
+  encryptedData:
+    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: grafana
+    type: Opaque

apps/grafana/grafana.values.yaml

@@ -35,13 +35,17 @@ datasources:
   datasources.yaml:
     apiVersion: 1
     datasources:
-      - name: Thanos
-        type: prometheus
-        url: http://thanos-querier.prometheus.svc:10902
-        isDefault: true
       - name: Prometheus
         type: prometheus
-        url: http://prometheus.prometheus.svc:9090
+        url: http://prometheus.monitoring.svc:9090
+        isDefault: true
+      - name: Thanos
+        type: prometheus
+        url: http://thanos-querier.monitoring.svc:10902
+        isDefault: false
+      - name: Loki
+        type: loki
+        url: http://loki.monitoring.svc:3100
         isDefault: false
 
 dashboardProviders:
@@ -81,13 +85,15 @@ grafana.ini:
   auth.generic_oauth:
     name: Authelia
     enabled: true
-    allow_sign_up: true
+    icon: signin
     client_id: grafana
     client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
     scopes: openid profile email groups
+    empty_scopes: false
     auth_url: https://auth.kluster.moll.re/api/oidc/authorization
     token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
     tls_skip_verify_insecure: true
     auto_login: true
-    use_pkce: true
+    use_pkce: true
+    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'

apps/grafana/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: monitoring
+namespace: grafana
 
 resources: 
   - namespace.yaml
@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.4
+    version: 10.1.1
     valuesFile: grafana.values.yaml

apps/homeassistant/deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: homeassistant
-          image: homeassistant/home-assistant
+          image: homeassistant
           ports:
             - containerPort: 8123
           env:

apps/homeassistant/kustomization.yaml

@@ -13,6 +13,6 @@ resources:
 
 
 images:
-  - name: homeassistant/home-assistant
+  - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2024.10"
+    newTag: "2025.10"

apps/immich/immich.postgres.yaml

@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgresql
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
+
+  bootstrap:
+    initdb:
+      owner: immich
+      database: immich
+      secret:
+        name: postgres-password
+      dataChecksums: true
+      postInitApplicationSQL:
+        - ALTER USER immich WITH SUPERUSER;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS "cube";
+        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  storage:
+    size: 5Gi
+    storageClass: nfs-client
+
+  monitoring:
+    enablePodMonitor: true
+
+  resources:
+    limits:
+      cpu: 2
+      memory: 1024Mi
+    requests:
+      cpu: 50m
+      memory: 512Mi

apps/immich/ingress.yaml

@@ -1,14 +1,5 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
-metadata:
-  name: stripprefix
-spec:
-  stripPrefix:
-    prefixes:
-      - /api
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
 metadata:
   name: websocket
 spec:
@@ -21,19 +12,18 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: immich-ingressroute
+  name: immich-ingressroute
 
 spec:
-    entryPoints:
-        - websecure
-    routes:
-        - match: Host(`immich.kluster.moll.re`)
-          kind: Rule
-          services:
-              - name: immich-server
-                port: 3001
-                passHostHeader: true
-          middlewares:
-              - name: websocket
-    tls:
-        certResolver: default-tls
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`immich.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: immich-server
+          port: 2283
+      middlewares:
+        - name: websocket
+  tls:
+    certResolver: default-tls

apps/immich/kustomization.yaml

@@ -1,11 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
+resources:
   - namespace.yaml
   - ingress.yaml
   - pvc.yaml
-  - postgres.yaml
+  - immich.postgres.yaml
   - postgres.sealedsecret.yaml
+  - servicemonitor.yaml
 
 
 namespace: immich
@@ -14,20 +15,20 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.8.1
+    version: 0.9.3
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.117.0
+    newTag: v1.144.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.117.0
+    newTag: v1.144.1
 
 
 patches:
   - path: patch-redis-pvc.yaml
     target:
       kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master

apps/immich/renovate.json

@@ -0,0 +1,10 @@
+{
+    "packageRules": [
+      {
+        "matchDatasources": ["docker"],
+        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
+        "groupName": "Immich containers",
+        "groupSlug": "immich-app-images"
+      }
+    ]
+  }

apps/immich/servicemonitor.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: immich-service-monitor
+spec:
+  endpoints:
+  - port: metrics-api
+    scheme: http
+  - port: metrics-ms
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: server
+      app.kubernetes.io/service: immich-server

apps/immich/values.yaml

@@ -6,8 +6,8 @@
 
 env:
   REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgres-rw"
-  DB_USERNAME: 
+  DB_HOSTNAME: "immich-postgresql-rw"
+  DB_USERNAME:
     valueFrom:
       secretKeyRef:
         name: postgres-password
@@ -37,10 +37,6 @@ immich:
       existingClaim: data
 
 # Dependencies
-
-postgresql:
-  enabled: false
-
 redis:
   enabled: true
   architecture: standalone
@@ -60,7 +56,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 10Gi
+      size: 200Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/kitchenowl/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: kitchenowl
+          ports:
+            - containerPort: 8080
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - configMapRef:
+                name: kitchenowl-config
+            - secretRef:
+                name: kitchenowl-oauth
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "100Mi"
+            limits:
+              cpu: "100m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data
+

apps/kitchenowl/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kitchenowl-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kitchen.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: kitchenowl-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

apps/kitchenowl/kitchenowl-config.configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kitchenowl-config
+data:
+  FRONT_URL: https://kitchen.kluster.moll.re
+  DISABLE_USERNAME_PASSWORD_LOGIN: "true"

apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: kitchenowl-oauth
+  namespace: kitchenowl
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
+    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
+    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
+    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: kitchenowl-oauth
+      namespace: kitchenowl
+    type: Opaque

apps/kitchenowl/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - kitchenowl-oauth.sealedsecret.yaml
+  - kitchenowl-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: kitchenowl
+
+images:
+  - name: kitchenowl
+    newName: tombursch/kitchenowl
+    newTag: v0.7.4

apps/kitchenowl/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: kitchenowl-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/kitchenowl/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl-web
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+  - port: 8080
+    targetPort: 8080

apps/linkding/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: linkding
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: linkding
+  template:
+    metadata:
+      labels:
+        app: linkding
+    spec:
+      containers:
+        - name: linkding
+          image: linkding
+          ports:
+            - containerPort: 9090
+          env:
+          - name: TZ
+            value: Europe/Berlin
+          envFrom:
+            - secretRef:
+                name: oauth-config
+
+          volumeMounts:
+            - name: linkding-data
+              mountPath: /etc/linkding/data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "1"
+              memory: "1Gi"
+      volumes:
+        - name: linkding-data
+          persistentVolumeClaim:
+            claimName: data

apps/linkding/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: linkding-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`linkding.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: linkding-web
+      port: 9090
+
+  tls:
+    certResolver: default-tls 

apps/linkding/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - ingress.yaml
+  - service.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - oauth.sealedsecret.yaml
+
+namespace: linkding
+
+images:
+  - name: linkding
+    newName: sissbruecker/linkding
+    newTag: "1.44.1"

apps/linkding/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/linkding/oauth.sealedsecret.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oauth-config
+  namespace: linkding
+spec:
+  encryptedData:
+    LD_ENABLE_OIDC: AgBfiwAdh1RD8gpzzVnF6y3c8kn5NFbms0T74pmj1aaFD0uQd/dqIxrvZxiBMzgqdrrVUCxRlpG3tiJYMpDEVXQPwRj8uuAizYFEP4uuGFpCtErjb+Y+aOdXSPRCVPbIqROiE+qswNT5KkJm6rR3FPckWipiQdzfpoq+G00MARKqzo4sNrx8+JzgoBFbS/tVPej3VdmDy8iceeVCQ2dJs+roRw+jOfCxqiUjHH5SyoZPnCTlmTZcwr3F9gBGEWGyEl0FNVgL/ku7WEL2COeIIE/2r4RWPqZU4DkPtIv/J4Dosxuw7EQnC5kzTgJGB/TF9Mn/FcS7iYQZKATvWzjC/cTdwZ+aG1qZGz87wM4fxQ05GhgEUkVOlGgxlzxk9BUL3l9Xsaa1KTivaQ4dvB/jm3j12b9rPfO2CXB4jPK7Pk1vKbr5icPXa8dyFY4hiJ1PYh/295a7ZM02n3ao4uHw8KSaxK9GxsCFBxr59q+6ZpjOGnTHZvKGfJHn3jEcIT8k89J5gqrlWjLqR50TEJj3jPZ3QDPN/u1Bf0wAoIOGK7jpnwIXQpacudU2pxZNWC2KtdZbcF9QzuOqKVFABmabdCkBtLa34cyZdweBaCfLRg1Ic0yxrWGzctnwM0Rfd+OzsEpLB7GHKllV597znF5QiK3rQrl5TmgHf0jC1OmMsBkNYCRo2AhYsBN5nli0dgD1y028rsW6
+    OIDC_OP_AUTHORIZATION_ENDPOINT: AgBYHGF/D1tzWRy2issyi3oZjYK/m5cuwdlHuqboPBBHybfTwCkvSfWAL8FSGAgoLYWZEwwoGr5GDSCnAWfhoYwVgCxWw7y4IohCkUSrwbzTVwJxoRTeWIilzwAdH2zX3mZJVHTYCQiLTCjv+MPRsF5FZP4+STtgfecK5Fjgb3sIfZa/yazbN6jf7bdaR91yX2iddeZn7B80aQvu3jOkujPX9yCJz/H+1BN35CtC7KLhFrKgw6uvfQi3g90On5uBHwrC53ve4rEvcOgi575WBA3fDYW4RxNb8yxxocQOuqNRa3jUa/RIjOnX9tFoG/QIXY89DUSsgpAZFWIlV4np4KOe4V+xWT1khz2TPRDaakDumkNmE/sAjpYfGX13+88A0N/hO9o2aXJhEXOFZ5eulyAwDdIodMg6lQTG43OhdSZLFfR5TrnzkVR1pIzwPMutgf8jai4dyYK+SV+oyGeZosNpD484gzhjMGkz8Djs7/cADcvJVmGfWWYvjenlfvFC5lK7F+355o9L38fUeG2lhRw8NsPWuzsiH7m6GaSEfEPcdqj/AohArtUnf9cfF04tocPwCuNLeIgR42W+cfapD9g14sN9v4Z7g/5IQSqL2EhNR9xQMoIT9BkBEhI9JR518Yds/Z89Lg0HsMw6UCrkg6um1If80gjHyRa7JrfxzepKifWNn9/suHlhecaeXcSOKMCCFYDtHyvO4/gCe8/PXjyVc/SUZNBDJsDOikVvVJfKqDlEkimfl+BISzkMv5ALxGDHMRc=
+    OIDC_OP_JWKS_ENDPOINT: AgAg+6Ty8o++uc+UfaVNtJviu1A771rtazn9pj7KafqgIx1xNuPtUBwGEScfku8glUy0bS8r7MyMNlUe3sIYfnDKQmmHBVHFoiJ0IjLZP/pV51A4fT2DUrFv9pnIemqjFD2jew5ToXhuHwUc+Y3LvX8M8aPpB/J+DjIIvgKQe2faHyWt4c24jOZaH56xJhI114LIXD0A7Qvq4O7UfpIUNfYSMojTH7VURptL18Mh1YRKJmil1PmRIstX9Smr3ltAG9Rw032v9ISdDmV+OyuhPo1Wk3AU85RdOQ9hZGMSFXQXFEqQUp/N76n875KDUMT4W57//YGFRUrm8w4oB+PlkjGV2pG7DNYVxUZEmi5UXwY8fTI+KljAZHSk/YOSku+gc75hWYXX6s3g/R6/IWmr9sV5O5N0bc3guQ96nnRmjuzb3HebM0hPfPS+6/xn29erTDETs1bvfCQ9oWNMomDsH4FVz5gC+zwrUvUD3Af3TVsU5g+lfOE83+pmMMWcJFn8Z0uldud0jR27o/ftKgBDmUaGi3zCQWJrYxtXehBy9fo0K7QpbYnLHvNnXVX9fGQ0PZNMc8N0wYZUDuhOv114lqfbVR5dHYoger4iT0xC+SHcWGgvyjqb4YI7bfnY+bnh8TLfuI/ttw1l7/ev79/yvjrtgPuBwN9ygUxENLR2Ur1Cc/u72d+ST4NIg5esth+y9Z2JdP/3+nlYctnyakWhEkUyBPK+5Iyacv29t1bMXoesB6Ub5WsXaw==
+    OIDC_OP_TOKEN_ENDPOINT: AgBRpyDYbQlq7dcqJ2Gd+CfSRZRgvpuUsIngAXX85dt0dChYhQ/YvnFl9r3GqsXNBrWQBa0uE7t+uXxo+oobjgfSibq28kQBL92PM/s7OctINTJBN3q0Gdv43vnliS69/WR21kZkLuAmPne1nL+FZJXavIUF8N6CX3gKb4WMdv+Rl4AAmUo9vsB1C7mxDcS1CppUeJ8KdF5qkb8Xag28Lv2rDA7W9Ne+tNGFi4q/UWqdU76iUxrHu/Kfg6RD0rYlOaW+0b3A5Rvj5oU8ho1Z/eIsA9NaZNYBQjtGAk9fiD2EB9IcFi6kYv5zGZsRcPTzMv/35Wh+lV8I3mDRGcfkmzQsZ8Hcfx7c3zpemZqvY7LMgrvO5AatWKYZUFPsTcaT/mVFmAaVuq5PqeuCQhqekug3rdQxxf2n1cWMMnbptf4g19oTFKx3FtXImpPk97Iv9RbMATKHE/nnfin5/7PtQNn9VBBW785hzzB7cs+IiEzdjGu7MnFlKaGEoS94eZtgLSEmpIMeXFW6V0rXHQ6J+CUjBjiEpAh6LKsh4De+IrWFuzAYH0jwowuY2r4VX3jx+Yv8SFEJ5AfDYbvx8qX1zy1dGfsQvrAai298QCOTizLmeuJLMIC0qlNLZWrYhf8XzF2/N8/bC0R0Pyr+6Jxo8HrtHyFcnl8ckHycWosCOkQmQIbX+vOffOpQ6vYUkHM4MqIAiTl6G+bxjtxBZUTXvqX1sKCEO7pccL8gJZQ+ICN9nP785JAd4eW2JeGW
+    OIDC_OP_USER_ENDPOINT: AgBD4amxFPHYQR6JWjNTsPM63NNI+f9DgZ9+whv5f3bUo7KNtB05vAYYQtAdMYJR+5499S6t0BYwOi4cNxQVJyga1bKogqih3EI/QlJeLvoFvDFj2wEMmCkT5MS+qemtPJwXK7JTHzUFX74b+S/a30/mvWKkMRHzc+G+E678/RDIScFJFssfJVMJB4Kp9T4y+v9jJAKZRixkx2lOR48JR5umXwxm+xQGaexeJOv0MZY4Am4P/nJcWM+Gk1Ka/ih+VAJRLsu9dgvShytQ1OHaAPMRu6H7Wb2bLrzpz4rTcGbZA3aTgHfItjWQpBV3fhNvyNW8QRbRFSyxHBC4snqW5Bl77u4KdMicwL/0x1JhwP6cx+/TVEyZ2n+5Y5PyOW+E7LXtiZGZ/eRw3xVLxvrFDwY0EBMqAUWHyQjwlZLctjxgBud5XDtT4athaNq5hnCELMepRI05kF+o5ECxKWoFXN5rXrwrlcgftCV9PTZbP8pkxyau8O28C4YX07J65G9ntV3VIg9tAXww6X68YHIQEdAgjNOI1soWt15q582OlhXBTTKAf/QU7mrSCn5FH0Q4Z7VLIsJwMz0orGB69Qxo/lLF7z+pQEE4PArceoLi7cffQV/+VzUBOACDdfKFiN3LTDuoMm6lvkAOdmzXccmXlEGvNEwLR+8Ac26Ld4fAnEFSLIJpwQHheIQRY19qbN5+cOa+RmuOroxWWA2P/8uSlp4kXVvAmPJOt8PprI3h8iRG5zBv+J8kE8wpI1scJdDr
+    OIDC_RP_CLIENT_ID: AgCOGuVP8BVfAT5FRmmJLptdv+8vtppOgpzJ2LXU3vR3sjQE4MLKgWwoAyrnkAa2IMrsmkg5+pyHBDlp1AMba3OTVZmhyEVLrFe/vCiL45hEaW2l6kiwlIW3nZnoJlGG2Ugj4SX8YCQGlyr19vEFcPdieWlKpHfda/EP4xYhXMSzXCxFCtT7uGjgnBlrV0uXeFCezYGzvmA4SbDli7fvGv5H85cwgUlMdSn2ZIP3DAxQ8gP0ETF6KaOK5QVP0e/7kw9SK3oo4XHE2c8AjHLFFnmz/uf07+7LuOunSqunolbVy+Lm2mHHnzx+0PBmMYvl7FHY/TkBZaVjVaZtrELbFYaraop8iE6hFMvOYNa/1BFY1x0aeRfPb0jt5IPnuebllnEh4P7JUQxef4Bqbjp8u7P+uOBWnQbeMEp5F3rWE8qy09NnjsKPz87Jw9pb0aPgXWLKVHjJpArhcb6gTJLESCw9kgT+c0pYI0s3BYmwNkJ+6wxflvTLb5z3YyY5/+8/s3PgDz6Hj4tyA8tBru/KQwnBVMw0GhF5YwlZ4SYHPwVX+ZMj9UQc6swNsrxKLqs5Ci7KjvzEDUJ4/aW+rv8naoCiebIJrbmLB8iSqNGh90s1S9BJsQaWXbKYday3spt0eg+tH/iQgAnUAjd9RK3TxkkmWVjmeUc/rOltsbaIvy6/WdyKnF8/f9B03Pm5eal73yC7reFyGYiXvA==
+    OIDC_RP_CLIENT_SECRET: AgA+Q9osGcUgiGsyPfHph3vGiNBjmL7pK3JlaE4PoI+eGsvb+3Ozf9KnfHSMm2R0fq/eukFn6i25MZ/mKYliVSIcjWbnGDFSysiCAwirKTUXoFUo87zmguNUPr8Rr45m1AIaJb31T4MKeFQRHSg715rs/6fKlbejUWUBZuMTN1DXkWr+00atj0JmmZPScSfRmwKNsHnoZCUWFE/DaFChpoCU4fCp5vL9P2LcdzsY84vue8y7Trg0e/LpEi6+DzSoxurE9jwjoUauXmZnOSW3jFgy+u5c9Oa3RC+IB/UUsmHI8eUVOXGdQsSFufrAMd1uyPRa2g+aCX0zX5boZC9dTGqaT+D/6xXnMFsvw5K+K4Y/QZ+j9ZHx0232sPCFVi2HaYHV51c2Xi6tizy+/0J27/4gvaVREXw94pmsaI5rt9sNDHoKw6LwkPO8heqkYzfIWhAg5vKswDn/MWAVTIzIubdTvrDjVWxoJ2FM9sCUsai/X7rj6QUiVTgbWuYYO0hMrT2Q9y05n68hWOmpqmna4/JGIE+N48h0/wAHLsLeV4ZNLJdJhQovOSkYsB5FIYPTuihFASLhE+uf8VBwSfYlwcWORz7dssAYvCJAx3huYZCSHrT4WPtLt4Ok/IuplXvVbZ/d6NISqE/g+BiNmN7r4DZQ/QbN4TD9t6BQESKkTqPHYIiVtZHdalgPFFSS8JP2wv50mSh/imjlX51ruHGQbVbIfZnfJGwLEL0KN/Zn3BMrNtMgCqEs3itnGQQnBchQ
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oauth-config
+      namespace: linkding
+    type: Opaque

apps/linkding/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/linkding/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: linkding-web
+  labels:
+    app: linkding
+spec:
+  selector:
+    app: linkding
+  ports:
+  - port: 9090
+    targetPort: 9090
+    name: http

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.9.11
+    newTag: 10.10.7

apps/minecraft/README.md

@@ -1,3 +1,11 @@
+## Setup
+Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
+
+We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
+
+This way, we can have the best of both worlds: fast local storage and persistent storage.
+
+
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash

apps/minecraft/curseforge.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: minecraft
 spec:
   encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
   template:
     metadata:
       creationTimestamp: null

apps/minecraft/job.yaml

@@ -4,14 +4,27 @@ metadata:
   name: start-server
 spec:
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
       restartPolicy: OnFailure
+      initContainers:
+      - name: copy-data-to-local
+        image: alpine
+        command: ["/bin/sh"]
+        args: ["-c", "cp -r /data/* /local-data/"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /data
       containers:
       - name: minecraft-server
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
             cpu: "5"
           requests:
             memory: "1500Mi"
@@ -29,13 +42,13 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -43,15 +56,37 @@ spec:
         - name: CREATE_CONSOLE_IN_PIPE
           value: "true"
         - name: ONLINE_MODE
-          value: "true"
+          value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
-        
+        - name: AUTOSTOP_TIMEOUT_EST
+          value: "1800" # stop 30 min after last disconnect
         volumeMounts:
-        - name: minecraft-data
+        - name: local-data
           mountPath: /data
 
+      - name: copy-data-to-persistent
+        image: rsync
+        command: ["/bin/sh"]
+        # args: ["-c", "sleep infinity"]
+        args: ["/run-rsync.sh"]
+        volumeMounts:
+        - name: local-data
+          mountPath: /local-data
+        - name: minecraft-data
+          mountPath: /persistent-data
+        - name: rsync-config
+          mountPath: /run-rsync.sh
+          subPath: run-rsync.sh
+
+
       volumes:
       - name: minecraft-data
         persistentVolumeClaim:
           claimName: minecraft-data
+      - name: local-data
+        emptyDir: {}
+      - name: rsync-config
+        configMap:
+          name: rsync-config
+          defaultMode: 0777

apps/minecraft/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - pvc.yaml
   - job.yaml
   - service.yaml
+  - rsync.configmap.yaml
   - curseforge.sealedsecret.yaml
 
 
@@ -15,3 +16,9 @@ images:
   - name: minecraft
     newName: itzg/minecraft-server
     newTag: java21
+  - name: alpine
+    newName: alpine
+    newTag: "3.22"
+  - name: rsync
+    newName: eeacms/rsync
+    newTag: "3.0"

apps/minecraft/rsync.configmap.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rsync-config
+data:
+  run-rsync.sh: |-
+    #!/bin/sh
+    set -eu
+    echo "Starting rsync..."
+
+    no_change_count=0
+
+    while [ "$no_change_count" -lt 3 ]; do
+      # use the i flag to get per line output of each change
+      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
+      # echo "$rsync_output"
+
+      # in this format rsync outputs at least 4 lines:
+      # ---
+      # sending incremental file list
+      #
+      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
+      # total size is 708,682,765  speedup is 4,847.35
+      # ---
+      # even though a non-zero number of bytes is sent, no changes were made
+
+      line_count=$(echo "$rsync_output" | wc -l)
+
+      if [ "$line_count" -eq 4 ]; then
+        echo "Rsync output was: $rsync_output"
+        no_change_count=$((no_change_count + 1))
+        echo "No changes detected. Incrementing no_change_count to $no_change_count."
+      else
+        no_change_count=0
+        echo "Changes detected. Resetting no_change_count to 0."
+      fi
+
+      echo "Rsync completed. Sleeping for 10 minutes..."
+      sleep 600
+    done
+
+    echo "No changes detected for 3 consecutive runs. Exiting."

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: grafana-admin-secret
-  namespace: monitoring
-spec:
-  encryptedData:
-    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
-    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: grafana-admin-secret
-      namespace: monitoring
-    type: Opaque

apps/monitoring/grafana-auth.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: grafana-auth
-  namespace: monitoring
-spec:
-  encryptedData:
-    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
-  template:
-    metadata:
-      creationTimestamp: null
-      name: grafana-auth
-      namespace: monitoring
-    type: Opaque

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.11.0
+    newTag: v2.14.0

apps/paperless/deployment.yaml

@@ -55,7 +55,7 @@ spec:
               memory: "200Mi"
             limits:
               cpu: "2"
-              memory: "1Gi"
+              memory: "4Gi"
       volumes:
         - name: data
           persistentVolumeClaim:

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.12.1"
+    newTag: "2.18.4"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.1.5
+    version: 22.0.7
     valuesInline:
       auth:
         enabled: false

apps/recipes/ingress.yaml

@@ -14,3 +14,4 @@ spec:
           port: 9000
   tls:
     certResolver: default-tls
+

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v1.12.0
-    newName: ghcr.io/mealie-recipes/mealie
+    newTag: v3.3.2
+    newName: ghcr.io/mealie-recipes/mealie

apps/recipes/mealie-oauth.sealedsecret.yaml

@@ -7,17 +7,17 @@ metadata:
   namespace: recipes
 spec:
   encryptedData:
-    OIDC_ADMIN_GROUP: AgCTE4M54XEyKP1cHcsosZwIp5GYcvZPIzb7sgOpvVJb7mzKT9kYFOqUkwc1eyn4bjqaXu6SJyP3M4ss3K7CgkNWMsSjBVrYpP6yqsREoWqoETwwecSxRS7hrK8pJb6kRKBKyLDd2oaFMxeg0y1lm9+ul4HwNL+uPcNLSX7KRue1Hy5xqjDNlwL2mzU9JVVZGqEW8FyvPCRKMPliQtK7WpTUbadKbltN9RKrRa4PqFW9xyBrg8Al35Xj7HrNfwt8YAUDeq+73QMLtbP3y2orSck2I46h9DKW4foqYWGnVh/272fvQSXDr3tr8Il969o5M/IfVzpRS74f4zU0LeI4POxT9EgBL2sALoKhxil0EZGJ3dsPREvSS7eccCMY8n0AQE8rOT8AHyRDhd8RzsCoyPoDTAJJWf4oGS4aSH/N7f6CvsMF2EdOSCghBWC7klfRFxraWcbTiFRi5ICxlFL4GkiB9svNWpQlCkiduR9RZTop1DU+xJK2XgBmTampbjlEiS+yf9L7tXpCRvp+vRcxHwlvsMUncIxUzY3CPTST6FrVOL0BMtLeKI+MmgaCxgzo6BBAUKBZSCJbJKLTrcnhviLJnxYXKYPah5ozfk5XBzcz4C7dWuhN6N1Uwa08nDtHbuN9Mj0AWElT3HAqf3naowVBeXgLV6vRNTwYOIVoqGhyVG0O65DpwuxUdFZMUBpmhFz1QTpAZ6cbDZbL
-    OIDC_AUTH_ENABLED: AgAQ48wodtQ11peCbSpBL61n28GMeMJPq6cmb0a39x/n+AJGOZbjcE2e/xdFu06J+ahHTehi2QtwWxlRBi4Op6sbjdn5cXkTZ+8vGB3v/JQZQzJpGraFT1WTPZ9onYXTLl8iGsZSteF3iaxSOMzLswMahDvk/DCNrIY78mkTpqSC3Pggf9GnAWTQKOnuTFYyStBaL9ExyDBiJkbFahm/bC8h7QG9OXD93bDQrApS/W6LF+3CU6TOKj1VXmeVuMpxGdasC4B5ShL9kvBz66i5P7BJYjPfTEJfIACIFzZQmLJwxzfST1kV0urdQ9PZmcvQLapxGI4xUssD275hSPrUE6XXMLyo0BzVEBPq5QsMW5UZB1sOPQMcIajdzWagByFJWcBU1mFMwJXVUHQXlsMDEl1pDTGbSS660XCS1aAtmVb19ToXH/GIEkWlohiNpVqI+D8ypoAwMzF1FnHGvyxF6maHV4vZA4zDE7bT4S+E6dEmXM2cc0essUDlbwgOTLi/3fuqxIar3Dub857H0B9++SeriHrSUJD1A/9IOZQQNsAOwEOylK+9BuyhHYFVzk9l2lKnCRYqif75wusyoly+4yBS69LGzg4mc4Bk6LejZe91VnZLlZB3M6fZzS87qWoSKuEibxJ469KVrCPNc5mn33gfg5nW/05rSYcBnl1VazPmA18sZyX1nWnQUwwErg98jGn7Ft0q
-    OIDC_AUTO_REDIRECT: AgBuLoXhaCs86FfeiagJQg2bnz99Poebydj212AdXpt66Lx1nciFlJMzZ03ahJiF5T8lalxPLSzkHnc5VHBT8yRSrKe1lCisDmXVv9SBBoZHntu9zQdJeChkkHImxILlJVZk4steD2CyIBDj2xjbjUfRjFYJX4F1WrzSDXG4Vf5bal8tPXNuqbHEGfx7xw9CRetMD4cfDESyKl7FgbXi4vyLgGyNTnKTAvY1w72Y7WKminiScj7S39TZZIVH7wJyvvsNEv7MCgwaPeT+W5pNwpx34oqfumTHTeJUwQWccwCnZknhOl9jwNRJ4cHFAsVArT1yvjLCbMir9p1DvP2w0R/A8CzPgDQxbJno1QKeGnw02YVlsYH5KiOKkQQdT6/kT+kk444Mg0JLPbG7XZSUZXGmVl5n31DuDFvTGum5BQOwFzYfOim1MM1OJyFiM7XuaCZCzSMNUQHtLGv3kBHZFhIS5PXqMjfdV/RAv3QhZgAnJzGYLEDawOwy4KwIXTk9b55OX7AyEwQzwMlJUujg/+IJP28BH71tgVtgQsVDnWVT2GtWW+UMamXhqh+YK6VD2BZ/81D/p0BEGq8m/dweP/qv3MK/CGBjgtIFOHnEcNZkqMH4HhrxFeu6fabUpT6+C5cGNyYJSEFpbUqjJRb7vBPIu/ewb8Y43SNikzaSp3/1A2LtkGDyzcRckQYTuFIiIg5r3jcg
-    OIDC_CLIENT_ID: AgBQiUtbuXKJABinO8VfjQ+yIj0a4AEvKboHd544CxYdx1OfZd0DZLsKpkowZS+Wl5QiheC/+8HFqsRzzwKas2i4IyOpihhSW/xd6X7XjDtu2Tjwuol1oRel5AmBpBj6Kl6zTvgLbHE+iUaJi7u5f2Pw0w2vXAJWxg9nhOFVEfTVtKaafYqVVXPB1KTqRPzwR5zsTuIZToEx0BvA95yWM5oKRPnjlSLk1vHMBDPqdgUq+7u+7qhj7C+rvhI7nuTOWRk0NzsELBl3AyAg82w0r+I9H7buU8OHPEhVOID//UIc/wL/QuaJNxeFiU+rM6K0CD6MMGQanuUngaEr/ZpEdxe82hGSuaLik2mWfvG4J4328a1bmmTT/JgPPDQW8Xtg68Tsqj9zT4rfaVt/+TttMMgj4oAFkyVLGZkp1sfgIX5zT7gHc0fCusTR5gGNLJ5PmHyqCu9D2jP1ERLRltiyXH6wms8+aACj+wsmo1OKUjmqrtqtAWNwZz2bmOJhhUgkP1mPz4o2LeECjBPPv9uPWkMb67ZUI4+Qp8o7J0SgQt4ZlRqhg04Rh5MxCY9TvbhLxQD5QqTktmGYWo6cDVnIEIKd/XOSG9pBT6bTGsRLicgRxjDwm/0ZU1Y3stI6UhONKYA1HG8rso8ZfRLvDsgp1Zb8tH/GAw+bl2HkOw1DbyFXWeRxau3RPwTym3GYjFgWZhP5ScOu2Rjg
-    OIDC_CONFIGURATION_URL: AgBiXJGc7WugRqlUE58fVPkkKkka3G39lhajhuR7EQePZ1HdE1D02/XncXgRO0r7C4kPAX3oZ1Uczo0XAMxQxAZye9NNFNei7E4rlc3BTNOOxCc2Uj57DjuqFA74cHcjs0xRCJ1KVMEcGX8zdG85v/qEI9Oru7vQf8YT3giTKNHDZMgeyrbCMFNS0cyXniseMMVIkiX0ky6TfcFdn84bZiqJYwXwnNNzeM/kJe01NvEe3DuvxZTEme8LNkie7CTgaMHfEYeXZWIh+JqkIPW+48uDYe4ojf/Ts9P2jwzf6qW8XyqwlLti0MxoVH6IqbLbJ9JVJZ94WNMm2tcjigD1eSV2klNxXYZefyqqratQpfi7Ou/KXdfs9Reijj7dtfZDOnztVouS7ivBLlufqdxgyJrnQok1MxQloZs602CBPRDE+oSHGh5ean2wbJLqt/Vl9NxcsFZpWI4tazZ0DUhD5pgS4MXoG8D+RXIz4++nfn+XhYhv84vP4VJh6kCF84dKSYDFUKkAMGJSZRDCcs4jaORO/DZLUUnytnOHV8Mo2ypfC9KgETdnbXWT7OcdCQPesABE/l2lN9KDYHxL6DqE3GibmCqE7yk6TOF36pmVeEsECeBkmcl2DpHVu9PRBiwO0YVTGUr9AVmwO3vAR+2LAVHkDmU+jn/e5SFHg2dkEpWDORC7Zn4vZrjy3pmTJdxBthVwTYqmdnWk4uvppyKP2l6MBtaVPqtB35sDuYtLGSFV1FLBJGJueW+Kk2cGbNxJJEEhBUf6ZHCDWLrZEJPN
-    OIDC_GROUPS_CLAIM: AgBjsoq/VaSx/P7PnODa2TIiSy/noUFrVmPuIPAyjoZP/w62zmwTqy8Ln4yRKywmsy+n9CMGgauUzkEU8HSuWJ0Moxzt+NBRpuA3nL5R8b0hMsdQXCvY3L5zqyvPH7hfY1LRVcM5cVyzTR2CTVUNbO04EeGaFt8Mh8tsmyHk+Cf8VidbkeqgEpee8tNO638F4xQGx9aob7H7UVKOou8CdpOvH3zsNFzGmSbwv9qm1sgcTxkZkjt8cGH/c4k30p8szcMFQmUK7dzrZAma5bDPg5BuwspCnRXoGVWLYN02jHYDg/08qLpL/vL+pPpChf0DMB4j2M+s5EDHnbcfT7S7pf2NkHCnWINCJSKLMUIcBSFXXEkbmSrHo1Ft6aHf/i6JHld4CT0dQs5AyK68mCzkZTWoHU6MM8+/3/J3J/TWkSP8HOyBY3gWPOU4hYEQQQlJp3T+mnnua70mo/vMr4CuZFyxLjz872CDwG5WfZkzJxM69s0XRkHEmsXi7VYjn7NThrqhh2lqbiIIJNpAemjruRl49T3gtfstVdxfgp3dfz/H/4FWRy5KY5XDUjGwYBXDCpaEey42CFSiT1w9yXV67emahUwKekvq1vvuz2bWzaTYGtCW77WzCO1cC26hORPAYbZZxgSeDgWmxMIhJF6tVFNSAu11rMjcMUKErujC5cKWb8N4DuF0H4cQv36SESKBdVCOMPzPxDg=
-    OIDC_PROVIDER_NAME: AgBHYuK2JYedcaHwDca/c1RKzq8YgO9cJ0lXPY2+ain+lwFJwZ7oMOPevVOq3RoUHznEYbRxKw0CLE+110NFr16bav4bn4pXRD5CeqQDAWPIxxouu+w2NgWijnqfKnVYrtrprQlfGO9mYsZiEGj/sbftX2Wd73L7oXp/6Ab+28rnxtv3KF46wXo8yfqzOGf+QRQKdT+2pv58zjN3UCGrSANirLHvmY8+a73YiVW8/xuJZN4og3JbPW65FwBpgnvQCaHKFTbPyPIpILx7sKz2yxGzT6Jt2PeSjdwou/fT70tmrwOVucbHJkKUsd/jkI0gzRPLr9Fo5LcALAKQsn70hNQIRgTFgCy4ILurJMBKeYtHkNMdnBwKRh4NlTgJB2vNXq604480ta20Z3E2m3DUxW6XPFTQN9uC5/7IT0e/F4UgQai6HENwAqIPGuOM4eKeouw8pr+RoLMI76Z0B6xWhLRqxrZknzwzOngpaku8w9SeJPkifSFwxxFjacAqFrMwLGT1kg/KIJcBa3BUK8gVRLzqJd9hq1hQtavmm6T3W9PW8yCG3IP4b/Kxsm0+B1pXSaFC2a3elFu5lgw7JeJO22NwPmCUw3cX/zfYcn4u1MSsn2Wlr5tLNwjfpeGXb0w9eGStEZNKpj/OLo5W6sxdO1PIdCRd/IdxFuDd3q3G9cJTP7aMjeWSQhr7bzgzx1K78zZ9h4Qiw4YXrw==
-    OIDC_REMEMBER_ME: AgARqfhGDWYi0iqE//vNsJfgZBYJklJ7KUUHm3GkD27gNk0JtOobt/RlE3UV4cBGkstjGQkEGldkwshtQk/hAuuu8Qb9PpeDxQOUABAFX7NDcr2hWnDosFSShq724ycY6B63vjzahMBYEGo9tAB07VPy6RtvZDH5EGYcubfSe2GgX/P9VcKq64eO2NkOHJWc1A9cPqQGYqFi3YZkN1yaix7kRW7sL627Slv3nU/yLpFpEwUi9ayzDBCDxfiBZoRZh+Gy4VpD2S0XmTNYgr+uRTmFxEm0gL4qvualqahssswG6x+l6S+KizbLOkhNmLtZ12t166mZLWlzUPQKiJwEiWUK5DfJs2LtZCWyqVko9972df+buaQ4yPEBO212OoM1gF0P0JaTJ7TNzo0hhYxDIBZPIx9RnG7XzqI+sccj/OLQMeyB4p9gbbKHP4YJyyYQTSPK3dHG8BFdfUDyyq1tv5IkzKRHmy48xaumN6KCPsCqrpr8j1XL9oLPGPtDgf9VRjfp01FkTg9ujskxjnfAt6fNw8JThMyRUdInagos8Wh/qxPPV33yN+EvQaooXxq1FhvZtLVAXsErzqXnNbLBmQGx87IpBT4KMpXBWmQ7+XaiFCWXQ2pdXRtwL9IT7c6dtyCpUpYtlVjYuh8L64W8GJuRUjzg6pRbcw0205MFUZfWuOObAHK67K+ChNgzzsCCy4GHVtpp
-    OIDC_SIGNUP_ENABLED: AgBju2S3K1/i7oEsF+KyOIAyduYJMqA5c/spXNVDtFDgrf5+v8dIa25b1LyNZWctBPLZrcuviQtY3uJWgBbY4cKagheBlwN/eCijghdFLR5U9iFNJUv31zkmnVeOAZqkLKAmO1fmHfgqrZ8+UG5YlaRXcGsMjtuCuteKhF+/ss8VxWNwsWVcJc+xcfK11UG/ogrQ3+h/Ii1RCiS5WSMmQB3uNRvyNQEdDJHdtK6gifK5ZHboHN36Rx3DEzyr3eDeIJasyYgfDtepTBTyw5cb/7yFhRMSraHTpGy3uxJwzzNL1YdCi2EHyllJMea1/AvxUQXQAxD3zOSmNwQdroE8NU/Y+Y/vuCOLVrLeveHaTUWvI9PkIlIxbU1Xql7UGf7s+Y1PTnG7aXWNYNuTCgaw03TO5bhAPX1tBubVT9oVUZgjOH+XGY4nImtBOt/1bJ2xmciC6t2nt+8lUxLfNuFS/876vJokYtd22YHGqHuGSLhAdWg7LcwIilx4iCB3OY0ORBtdE0hDOu5KR282vRqGu5vi977k6kD7sL2far0fHjpb8rOaJqfy56UsF1CjClqQWB0F2vPh/ZNjecC87ei0ds3hCEhGtXxYYdJ1u9U3lZHyvA37NxKaagTHZCmhgs4M6Pdqm5YjsO0iDorv+aBnRkZysqzdG8LPuZNy7BkqxejW9icS5+b4TeJgCButl2Cb2RO77tda
-    OIDC_USER_CLAIM: AgCKYNaYTjJxEFBsijRDPNXRH2nodeUMG6SBa/emB6QKNh9jnQISn9poaZXZ8Tc/xwy1sLJ3m02x+Uh7/PE+A/jiQ26uc8FVvnjvzzUOaily9Hj+xgKZnjQHmNpxPBfj3pzomWZIEoEHybsWGrae1jDzIBxSeKbMYgTGfwJoWt9n4lnQ1Z++Z5/Texp7o+oV5ZJqsEqvjebTUT+nwWaDicKpDA/QbAjD+ysCim+gh8q8FXDCHZKNgD4OcXONTpDR185EpBYV0EKSMytlz5bdBSKHxVUACTATjf3WrFDG5NtckzmJA3bA85Xl39Jxi9pLP9D0SLk5cSOLkwNbLVL1EeQ4Q2FApXcPGhmEAgan11HQo2vJW3Dsn1R3G69zNC2ArMC6Dz6pH5f8nFId5lyTKsQQs25fCf/BV2we3910a9hGKAEPdkp27xGczu0mBdo3LLWeiFaQcDo326N2pqNm3119mdCdu5I7rhjGGvOLZ7z1c8XwS9NdE0Kb3iQZLqu1xr/FSeQZLd9NNF6qYtyFM3CtdqKSgdM4vpsRkqMEiZA84u7hdglXohuaVOjIaQD66bi0He1LemzyzRkRD57zxdVSvubKIQmedNpeG2yOT7pjZqVEk7FwWPaWZZiK61UhBZNvGXUKSMEWVJ1DIr9QBsK2E4/EGdqWKa/A5+75PKvv1TpINTw26z9schtduuPfaGO4Z/2ThfPlYFwD2eoVMZpAYjI=
-    OIDC_USER_GROUP: AgCTGx9h4At2lcx4tN5YUBN2PRHG9ex3curTTq4kid+kKQXRUOYckYC3LNzC7aIbJ8byhFHtJVF/T37olPkgJjWzPN6C16C9eGDv8bgq6JnG9faveeXr2zjcceZ9O3bSb4sRxlQ5Zke1Asc2olYP/H6br4VPDdKkDsJ5h5/B/W/dd9FDXuPAbTp32bK/l+3YStR4Zpmaldt4hostPu9TXfE+UxJqcLCFMtQuHsHEtFV3Pimt0XIkoNPsodpKKoAhje8vNwk5YYSlhzH13XgZvKcP43z8bfekicOgRNM6T27sVGRrFM4sE635406sOXWXbxJzwlBQJTqajCtX+tAtei3LHdr0l1sjjyMDzlREUq6RYt/6klMZrLW5gsdma769AFA76JX+e+wjekmv72/aqUVn9635IamFM1J6+jIWKdWo76vJwzR/EisO12vkSbocSoAEsUxc3rGMN2aLZEvo0LjsjENKlj8fNxog5i+4jO9Bc0AXEQaFhlQwPdIKlylQPhrSiW/cnDG1WemDn+e77a9NiOkDxMXGequzdC5KyIeIrSjITXpg1MQNa039yIKkjfVL0uMsH7OL7+qzKPSPm5LOABBxKducSHHK4t364YD+8e7KeQStHjaCTpcxgf43at4BKuQ31Ty2bWfpMRofGRBvJPusgjXrdutNEAIVrzFfW11o0Yx06U7CRF5198yXHCig3zKgxgQW
+    OIDC_ADMIN_GROUP: AgChDLTJLcQutEytCeipPcd9KOPQzh2LiObcGcqSBv54IojcwOSYrdKODrF3l8IR98L4PH7sAvS756vlZy+UxElgtwa951zqYGwf3SHoBMU8fl3QU7ZG44vGHKAZ8+gi1ybDaImUW6xH3TK24PSWH8bvwjLs2JAGCUQ1hPzOQ7yQQRPRTRk8jbhDkBefy718eSMqTSrxJqakIPgicZcIeMg16d7pFMkztEuo8iZCPTF8XgDbY0HVJ/pGxAf/rgerLCeOfdKF1tJRulUt1VzmX4A7Votyg521twa6RIN2NvgJHRYEmMPTosrBO/i70OwYcy8QI3PaWisoId0MFSSYk+n1iCU0EM3pXVal5rDoji4EVjazcuRjZ+TQ4SZh6jkRrHGyDNtrs1w7Hdw0GSwb8ONoGPiZF+qU34kDQH7tkNZ+iaG5in8kwSbZoLH2vrdUv/2yNXtHGFM4eJNwcfwMqs1wbS3zt2c73JQ0HgE2c4ocy4iTJbtd13fouNH+MPFl6BJXcMjvMdUaxerEFZQhhdvyx69ATMyLsUqgodr+vSFo+uA9gtv5JPyiA8HPJPJ05plSBAS/QxaV+F9NCbmI/XG2MM/i55dy5dX3lLaTehDtZ/TZK/mVHlkue+4lHisrtXFL2UGlqdX/QPNX+ccZ0qLKjnvobflBPqPr0y35KE+QNOVNlup2mVJjMr/dgNqi6Xm34UwX4GaW9y5Q
+    OIDC_AUTH_ENABLED: AgCC/9BtmP59y8keEx9z6f2ifXdatpR4BBSCpLlpELjSBPAk5QrZ5v50n8Raz6zUt7+HVL5CYsShGRPoVqTd+evEqDCbbY+0y8fu0Xrapcq2V0I+DBfOzob0V53HpIzHdcAEyGXEqhE9zTDoTlZszmUCQzB/ih7Jr8V0bq3AKh9n+y4REYsHoiecPPb1MeuJmp9mfuSU+dVqvW8GYwumLQmpH1+PrWeQvf94y48yMJ78wroR3MoUIrTPuVe0RCAK+A25ODrXSaT9et0qx4mzS+qW2Vjpyh7MiNQhJdaYrGHlcUcje9C/RRsqzFdwXQqONwAAQUfH21fxMjpyAD4O3pc5X31kZ216w4iTp5DlTYBH7Ci8sUySaweQT1XdCBTqZTd+Q1fkU9UJqkLFZZ0Vds6K0GSQlqxcL43t5jp96n5uCm4qgaEX7oBpz6CqYM0Zh1OsfFe3ju3IBaPLNpboY9BwXaOlnYIMS+BR7hZGWf45cyEjL5IyEQIfpCw9drTzwnQAkiHtWo/8gzgds9FcW0cVPNx8XQjlZYw/voYhFJZcpNkwk+wl4Vs6kHPwtYAhR7nHj7nyqyd72IEutd0LZSL2ICMFKQ3XbYKa7JZlKLeL0gy3YKm8D5I+BRDBR4AB8MrjzSkJR0C+FOHVMImxLIHblEtVoOla4xWbu9aa+fB5hUrJ9EpwSiBYJWQzKshHx6cvX7Zc
+    OIDC_AUTO_REDIRECT: AgB6K8H8eDmuaRhPeeKVtkPBzvtdEgNzBeqBLEPOW5tE0YiWT53mlQaW8eMtCUI/yvIKY8Tjcwg/CoiAgtboalS+HoJ5vUqfBBgeqYRE8xdRw6QJhLjKIViyg/wsTp0epmL50XX2qg6FINVWT6A8P3OXmVP+kxxr5dZDJ5jT7Af1j3XC0uGZWja9DWkfz7AXiUh89kekGqO4rkplQIBmPOUl9re1D5JFuL7mCmqBo4MNHV0baf451+XaOQF5jKT/luyHkvjs2V0+YZY7BvBqmqg3Dt+buAMyFnXAziVgcpSRzPQtGSCq9WJK5JsDfZltTVkzyJP83Vb3fPtOnBs+7ZWYshOh/1r84hbdEUOjTec9zcYQY/1MGc+4t6DsK0st03cNYWhKBBeN8nmUGMfca5kGWnRx5nJ6rjrF+Tw7yXJdjRiZ5Kom+VwcBtT7bXsxpoUYqAY1W4oUhpCrGGG6431DbUbjWMSaHPDiGdF6rIMD3OmbOaUxGTooCvesoRTdia9pO5Jk/c694N1MVKW+SNInuyZZ3BI8oxi74NV1zZYwTCADHSvWShuqCkZtnX1Rz1kNlI2e++HFnObvfbdXSyDymwJ0WX8rO8sXJYzEkJLv021Tdn64+1jBKviAi7m7FfS9/E07AR7OWyEjv2KYgxsZMC3KR8mEs9WZYYqkvCuKdWQofpLOTjkMVJ69X37EKUCGzUvr
+    OIDC_CLIENT_ID: AgBosCGO5L+/1WJIGaNA4Z6vbqJL57JtuRXQDEICAiTJns4YBqvpbiIg+LZ6b5DDwHi0uq/v1yd61TV0+A6U7t5LYjRsywryseP+vGycDQlPWIBAegs/gVzMspNOrJe+g00VEfbrkZl9U63WMKAVBJS4Qd+MHzgnSxZ0IFMP/vaSE7JQ25LqSMjWs/OOBF4EJbTf9RV35/6kk6VpYIOLlT9Y4FaFwilj1Fve7YROIms5RykrLeEhIw/XeKjviyZqbE+rRsM+3lo0FPwVTruTGNbqLBrYox2FSVK6y+xPp9IHREu+17gf7ROLSj8PIhG3Q0mWOSfdv2qbB7RxOfNf4eGwy1m4rL+DDwLU/g2rZNnIvxa2C+l927ADFj5fJCuBPV9o8PtJjD5zsE2wpdqJ/PJMpg0106LylewH662hvIYL3u5s3Pc3mW0jPElgygnZYihSRxzxvEYdfw7+gV4alhlU++X/C/qwbzw1g+ZqgbVYH/jZxixsAu7fOiFRW2G0qkvnKnwJstnjs/Q81R816dnRylETxtINTpyvSF5MAPE1g0HL2Ocs1rOqLsL68FpPnI9GgOD0bkStuYSq+6adMyPmJgyzOqa9sGjhQvrLI4AISx0YVDZLaG7UIp18UF9AFQhImkv6hh8jpOHR1sYmmWKBwbyBJHtEpDn4/RKGjb2v/AHvUtZcE9TAM7kQeP1fRWPXPcA3SfF7
+    OIDC_CLIENT_SECRET: AgAI7LDC9J+IQk6qPSxs5PSyr5fKAflxBxfCd2IcjQUKc4mCLzWdcQkyxXuOqLETCpT9yNFlRA+g0k3Bc+Sp+Y9rmF9nS9EyshezZOMT8/G5bacEBXgxxlqyTQUqXp7FpKK30lrBvxa56xDeatF5G6H68lLfJ86K2FH35f8IvRJv+GqFrOQ+PL1M9Kl+N6XpNihy70+jpDornbNpyr48yFawAone6zKg9qFxeJ4FHPL5wYrS0r++JoEoCGo4XZ34mPHQ1jiK3wPiiuGhf6dbAvh/wlCH2+ehiTnOQwKUY5C12gVwafOrA5BRI/TBjlTrAEG1qjxdff10fkkuFaa3Y07V+lz316H1+8xdzPVNDN5bG0hVVVWmj1jAuqUnOqPEfzPOc4jUFVom2wSXI1SS3n1oeDnTiO/5vkmTRcQZdGeuLM0+StTtXHmbtrfU6ZyfdtKoZ209jR997pYmNf8PrDbhKtcvJaxbT6RHqXpJwk4fKtQeLInY0Pl0HSg3f+OVLdikESgX8mJm/nGJxwN/y1cSjLawMoZhbvHP4aWKWokLxAvX4pfUfm9iv5fm2pwQ2eWWKAI0P9I1l9Dbbs0u2HC7QLI3EsJFQ/D1gkhall8cLPQmg9LnsXpnxnKXtIMLS8sNqE5TyXTX1AvFJz79dT7nezS20TLF2chZ1ch6tpM0n7JNYVaD5Rgxqc9XFpUvJrGHYjSR7twjXZd0XRVXCOBKWwe6aSdPi5OXtu1tBvvXTjoqMbQrGgk=
+    OIDC_CONFIGURATION_URL: AgCZnFFlMYEQgPBXanDrQRdfPad/xux4wIVXpPfOqsDGzWSYu0HYDuoO8cETdf0fI0dppwAb9167Iz+sz9t36b4jb5X4nXTVWa4Co90s3uDwRsvMcg1dNMK8EDABxlGS9XThwehs6qXyYSN06CF+SyrGZonDgVcXb0pEW5B/EHFc5TwRrvYvVe9z8v8JbNehQet3HxXZBepkuntI5CzCkCseTvOiKV6oohr9l1DaK8e0IHQdq7XZshdZ7/CmafVY87fGElC5J2nhAML10fXHwyJ8HA99mwLFIvBLnlAc4KnG3FS2uysvoKrUs+GPXRgXMBlsL67upV5jO2B7VKQRpy0VcO7oYiwMV7Lc9EkOOgVNghIKGkCVQqN3JOuaNg3vuJlutDjLlDk+oCBP0BvYkZ1U+1NmndKRG/7YNXJ+MOe3KZ2gWGZgQLzpbmQRq81FxTn2rSNhZyBsMHyviIZFqZJyXnln6xPRIi4uuxtRQY9PLVcwHd6Q9hi6n8QGBYNc+AEsGwy+9upkZ6hpyo4hcOCJi/e0aUH92+Y/feNGYAPFBHP1sTHP2sEbVFISQadDdsxQIvQvaJy0J9+UKghz/qAsipkBYc2mv/waJwlpnFqDoCTOIkIadutyBAehkXawNsDXcWPU52hGpQ6dQQKCIxsRKBO0JQsI5rFf4jc/PxfSUYu2Fps34mmMggAb00UBLDb2arNdI/OcSirZ04XSp6G7Eeqn6gfMfrrhnnqpg7zokXXNMcLPJcrV0jHflauahmft5+LnWHfYVa0uNAJP
+    OIDC_PROVIDER_NAME: AgBI3oFosMR5sPgr6JqFPJX8U8A2XNNYpZ7C4XIW9VPeczIU5NUNQaePowps509Y0ddHXPwASr0OeTgIVU2Z68Hg6Tpj8CehL+P+DaFMOqMOub0qmrakLBBaWcaXprQi2eys7mP9jqiC4iMx23w1Yen9lid9FSjLIEpfLE1VsPzAUcrvGMW8dbgwchrxKnb0HG0e/bsyaLubzEZWHfPaUo4cSWQf4KWAhYBlfZQAbNPkatOskzKw7nZ03X6RI5oub6hjcBclRjMh28MsExIRJDwWtB/inwLpWEAiPOU7xQmjQJdC2BqmKXHyTk6Z9rnwgUjG3pgH74mNH7/pF1ekOK220JYTbMa6Uga0r/v971AlC6RBEo8kuaJ/xptSdHp8lfg1spJ1sYobV782+zmJ0rc615BsYwef4lcFDBSXKnk42NhUNY6OORNbwD/tW/Mxac3o1OOoe3mSgRnFXJLqTh9i7D6kN7TiQ8HXNgkEfZKoqCloKo2TKW2gB++hXJTiZ1ItocaDPbPSIaq3LJsIw6YwwkXxBQeOmZhYLpaPI8dHjn1h8Jg2CPKNQJdAossrsHpBrEM+UXA1HxVmUCv/q5WIum+tO1d7sKeCuZ/g0JOcNK/tX2+tYY5fDT2G97GrXSGpgZgIfhYhWStYfkcOdB5ayqj0ncadZ0uJ3akFWBLHAr6sYemmVtW+BYbMLTTjlprGq8EIu3Kyqw==
+    OIDC_REMEMBER_ME: AgA0vxQG7k6gaMmviyTVccCkIl4r37YHX97gO8ZlFtZFhBNIXti7Ocn3R2paSf5J4A7xT5Ml5imfdn1jS6XXBM/z6oXA7kvyrh5V04vcueGXtOk6PSzdqMB+qsmZr8VuY+41CllUwXyXGDLMCzQ6tA9K1rdLEQoA8TYdDi3KI91vb4JgOTaAum+JHXI8N3ZguzXyF7nTR/nTtoqvKoD9b6/B69Gu7FDuef0AEAf/aFYQb6JSNeStKbYYyNjY30/MdECEf5Y5kl6mtAT54KwNiz/GF9JMKa3yAO4XVc0Pq3Fo4BoptW/8yyngnhrjB8c6/LydTbwQgrxXO6JJKOnLMMrNq+llBNFyBqUD3ZyVzY3CRAetL3loAdoA+zTQCAKMoRjL22m48yyxdBSC9Fwy9crb95DqJaEQa1M5UrDqt3uWsEoJhrT5dUUnC45N4Yk9/cTWLMf/xSqP9tRWVcw4wyU8b/ptuCTqq6WvMVeS+MCLCnQnZB6s/sdFQBm7x75P2llro7iwYp72YRAfV1jZavUXc6XxdVvvyFV8Q4bNRxLvXgjnuvD+6STTmqzlceVkxcv1KvDyvjxHtcy4qxr3dU0h+vmo7kkTFfcaJpmIP4CTVc+lkNvj6FvkXwtmiW/RMG7kW8ES7I+tHSD2hJle8FWciAwP9iZadszTVOSgyx+S7alOXGczUDAe0bpWqeNnIBkJYpX0
+    OIDC_SIGNUP_ENABLED: AgB/TkKgJ1GioaGCvyXVA+RRHJ64/KqBt19dNm3LUdxGrhQYOq0zDmNET26w8FneYXrP4zH3IY+ZvXkS3L5i9PNBXkUGhXaoNXPx2KYm6c6YeGkrW+sDlCVPFx2zypCIgXNpJHiTIb2vfZHTyVMvmpo1m9nlQVfdueFV5ToLwt4pWR04VYCzXoaSILqJAuX5IBkhac8hsr4yc6u+RuLhtDTmziB/3+/FWA+Gsv82U8CNDBCMAyLZ+439F9aiJv+scOzVzzmmIxfCz4GPzfiTmMcwlsAjqMs42C62x8m+yoPAs9/Ur7f0p7JYE8fjYQbWP2OliJic2Nm9KaS/o8akojIKlIN36Y1I/srimuH9LbuRJlwRQjTQ4qq3quiW7Z/7Tgsm71ISPqeLUHO2xR0714MnDMW+dOwRoQzBaNZepo2aEb2DhiVzT1OLsSeGCs6UOTau9sjd5ow+pCBZWUNPAzrcskw4cSfoHGfWiMf6wytCp6agiwnogM9wMAdjFXi9VnHxNmn4oViCmeg/y36z0RDyW1p8fU5fv68qWoqiPH5lbzJUcKDzW9HpfcuaGaAKJrr3RbEqdqxh6pc8hLwzzCo+FxiX/UAnMd+2BCFWzEQzWznyin2Z9vv4d7dYYiKRmoLxNQO5T6xSZvv0DYd9dhSxy8HB/viZuBh7AiprORuh26jCotcbKZq13/x5xC7qm7t4WQzO
+    OIDC_USER_CLAIM: AgA/FYOGrV1qHlvdlJd8HNOdG2VlAVTo6nEoAtJRn3G7z3OkexS3O51x3TsiIhpKliaFl2/ATZFk5okUnUSeoibqpxpLNVMpVF6VX6IrnjxdbtznGpyz7sIri9RvKZwTpuDT8wNrJ2q7t1xwvnK7QYxKzf+rIkQqcSzN9k0QF7XPE7ijeWSjqMpbjRya+vxjWR12L5BRmtUgjrm7J/8uRMkVQQtl3/Y0c99qMwj91v1F37RejoqOLC6OFdCOhVvwatq0C+y3F7BB6Zl2EQBYoinVuSfmlJ9rorSyAeNeeVb7s5vm+WflB4Dn+taJAFCuGiq7DK8n1XDvkW7kThlJckdXBfEiCOlzYCSdiJ33ToV2mWo0zSOZC5UrYslx5hhzwdb+Nw7/74c3g0TeV8doLWhczpd38eYEkYrFIZdQdBtwK+Lwlb7Bq2eT9X3l73uE2ho+u+o2o4RtQdCw00TouBJQBf/vhyEfk6eWuhHikIUVSQAOm8mCKaOseH+m0RMrpbDDRbl7pcrozSUJjP1eygTVPJwQF6uFjIbvNHsodP1ld83HTR3vMfwfwwngocEonnayUDeYfk2KOdWONUFmfh6k6miULhNr7QVnTit6b7EwsrLuu8UqJzih/pINELf/mA2oliD2TCQH6WwSu+G7W/BjECO2ANyJE/1UQxQxaw8NtmRtcuIU6cdHi7ow5ENYLnYb1GXQBH4TGGZgKBaBGUEz5gQ=
+    OIDC_USER_GROUP: AgBIMaa7sVROh0jXJQLrnKVKzCRg2Xg55d4Xp5sQFQ/hBlrFwSE+fj/Irx2hGx8TiuotN3wG0dIJgxLt2IGcXSZoO4iABz6tI88yJgP6InRjU83qxFusjxljOb7JI4Vz/OV4XpxMEibcv+TF2z2669p+6hBbdgGwWAO0luCYPKgwTZWDZr9J2KOqCK0rs2uVtR//UnfUNTM8IbEHDxKJ9aKmB3Xxpgo6xw5ydx2V5J6juXF7gZbthGapgerEMx0D+cdCQwyRmZZaA03IuZbNqgouYPpMJr15vCGsyZWM3mOJ1GOBSnZVTsubmd0WO199LDognEjKNTN+IPbTZUp53zMjcFf9bCfHNZe/+bTs3Jyb2IEH57OAjuMhiA8gU8oBPq9i+CI+NH76MTXrIKdiLtUAfQ0Br1bdR72AmWNpaIC2cGA60QVAtTvHtr/SZBkaQos+KpVXeHVG9WiK4ejfVkFX5r3EjVxPQFs7sGw4DCuytaNjSM66vWqsodC38bKqB5RACR2ApDJXGgQtA5L3jFHzV/Qb66S0I5WsX1+u3E8Sx53Q2/xI/MKnK0VrLy1Pnlrb7GWNyyOQJhB764D8UwA6ElTt29/IkJu6c378yOGsZSNMd689mfoPLeYhby9DMLgQOFMRx5euXIzojpuomtuclP80BzGUHBvLKLKZGLf8HiN8ko0X250MdAouFa3EhNvKjaQ6YYa5
   template:
     metadata:
       creationTimestamp: null

apps/stump/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stump
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: stump
+
+  template:
+    metadata:
+      labels:
+        app: stump
+
+    spec:
+      containers:
+      - name: stump
+        image: stump
+
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "250m"
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        
+        ports:
+        - containerPort: 10801
+
+        envFrom:
+        - configMapRef:
+            name: stump-config
+
+        volumeMounts:
+        - name: stump-data
+          mountPath: /data
+        - name: stump-config
+          mountPath: /config
+        
+      volumes:
+      - name: stump-config
+        persistentVolumeClaim:
+          claimName: stump-config
+      - name: stump-data
+        persistentVolumeClaim:
+          claimName: stump-data

apps/stump/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: stump-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`stump.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: stump-web
+      port: 10801
+
+  tls:
+    certResolver: default-tls 

apps/stump/kustomization.yaml

@@ -0,0 +1,17 @@
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - pvc.yaml
+  - stump-config.configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+namespace: stump
+
+images:
+  - name: stump
+    newName: aaronleopold/stump
+    newTag: "0.0.12"

apps/stump/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/stump/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: stump-config
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

apps/stump/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stump-web
+spec:
+  selector:
+    app: stump
+  ports:
+  - port: 10801
+    targetPort: 10801

apps/stump/stump-config.configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stump-config
+data:
+  STUMP_ENABLE_UPLOAD: "true"
+  STUMP_CONFIG_DIR: /config
+  ENABLE_KOREADER_SYNC: "true"

apps/todos/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todos
+  labels:
+    app: todos
+spec:
+  selector:
+    matchLabels:
+      app: todos
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: todos
+    spec:
+      containers:
+      - name: todos
+        image: todos
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 200m
+            memory: 200Mi
+
+        ports:
+        - containerPort: 3456
+          name: web
+        volumeMounts:
+        - name: data
+          mountPath: /db
+        - name: config
+          mountPath: /app/vikunja/config.yml
+          subPath: config.yml
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      - name: config
+        secret:
+          secretName: todos-config

apps/todos/ingress.yaml

@@ -7,15 +7,11 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
+
+    - match: Host(`todos.kluster.moll.re`)
       kind: Rule
       services:
-        - name: todos-api
+        - name: todos-web
           port: 3456
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
-      kind: Rule
-      services:
-        - name: todos-frontend
-          port: 80
   tls:
     certResolver: default-tls

apps/todos/kustomization.yaml

@@ -6,13 +6,13 @@ namespace: todos
 resources:
   - namespace.yaml
   - pvc.yaml
+  - todos-config.sealedsecret.yaml
+  - deployment.yaml
+  - service.yaml
   - ingress.yaml
 
 
-# helmCharts:
-#   - name: vikunja
-#     version: 0.1.5
-#     repo: https://charts.oecis.io
-#     valuesFile: values.yaml
-#     releaseName: todos
-# managed by argocd directly
+images:
+  - name: todos
+    newName: vikunja/vikunja
+    newTag: 0.24.6

apps/todos/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todos-web
+spec:
+  selector:
+    app: todos
+  ports:
+  - name: todos
+    port: 3456
+    targetPort: 3456

apps/todos/todos-config.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: todos-config
+  namespace: todos
+spec:
+  encryptedData:
+    config.yml: AgBRKmf5GSn6EcCH4r+I/lJkNiwZp0Pa/TFloYlPzqJ1aQWrTRDCLiljHYs1n/PTBWWv5SdWj+3Uvx4M+tzTXpRTp1dWomJ1C8pUDpf4N7SSZeAMoJxz5/mSUpA1YsYwiy/jhOzSsaeC80JX9WTXhCE5cnox/OUjcDf62vVg/7kgy8tHYpCSRmTGMah82642gP0/rlLpp+ctb29oYttmL0fWafHMRHgZYwkO1Ol7tmfbVOfr/bQljTQD3h/f0+ef2s3kDNtAkXSBAwHo6TfukB5bZi+pj3q3TLHAWU/belC38RZtIYW7trJf20WzbxxWKcS7rnQ8GHJqpbNgoWdnBQgP5OGHzySnQrdIAWLvOxw3JdJ8S1ZMbZfWASGpeIdfTI1p99Bhu1MGE3nnAzUCM93sLySE/mjjGDPdA9+Q7orgLGX3ct+w4deu1ABLR/HWxFYvPah11xs+MyzBFVh2rRj+MMzSWwQmbo+widmHWnzx6fjTiLd8eyGmvz1M9hBwFjqUTjbAR70S4xx2ALlYqAtbmJUk07PmTdTMhvokvaY5NX7Ylahx2oFE2q/FxMBwvPZVyI9tSbrZHEK9a67QaXnnwyfSqj3nErNkpdAa/zSJ9M6SG5cJrJvZCBn5cFg6pxtY65wZoj0GWMZ5kF2oqxDuekdjitWGMTp5q6ROJYSs/o3Lc/Abga9pSZYEtNrHr68tJuSeO61s9TjUftbkxkJ97/dwTfVQOd7aJui2EDp8NVcZg0CkEOgI7tt0nOEsll30RWS46QJwUbJM34FD646bpEk50K/GsIvFovKjZjtoCjeKczGdMpYS2XFwEMb8UjgSATxcVYjSWwvx+7prEChvoyVcg8Bi8ZEGcBVxSAD9fJu8PtyPBeijs7ZVwVyGGxiSafd3gAPU8spSuvbEDl/VZAKy9k2vrI2c/gtTqwaIasnBHudIbbNqDHlTlH8dk0z+kuNg/AzqheZWireMvBvgQ3TlHan0RN6+vVpZCY5XbzWkj/DEmoor8UfeuYt3GD7/JHniAorMPj61n2od7TLXmLunPG/B/zNpJCgJ8LgtUriDDZno99IDCXaZ/MO2+jppMaKizl83axxrv9HUTYDDgtX4RqLLdutd4i/AsOe0GgayFrOjUtDVOL6MKhX7dRJfbNsL5IcGEVZ1cdzcjjazoDpSlDdMC6E1XNS1NWprqUpmfjFPtFk1FWW3oRF3iEYUimngYvy6oTx3d70EZ+eOdEvp6A+aHbmG6fyEQb3AKYhMIOsn4AbKpDLjTsHiqWNGwT9ummS5kOLhnWBBB4ohDpCl4UMCtP61+1lhtx//Jne8QFAoq31MMFcCO2X3b2JfD6egLDc8Vwju6NHNy7jrmkponKqKxQPSs0w9Aj2biUBuFkMCiAik0Cf1fPk59bjJqs2ypwURDPAs1ShPoSU=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: todos-config
+      namespace: todos
+    type: Opaque

apps/todos/values.yaml

@@ -1,51 +0,0 @@
-######################
-# VIKUNJA COMPONENTS #
-######################
-# You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
-api:
-  enabled: true
-  image:
-    tag: 0.22.1
-  persistence:
-    # This is your Vikunja data will live, you can either let
-    # the chart create a new PVC for you or provide an existing one.
-    data:
-      enabled: true
-      existingClaim: data
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      mountPath: /app/vikunja/files
-
-  ingress:
-    main:
-      enabled: false
-
-  configMaps:
-    # The configuration for Vikunja's api.
-    # https://vikunja.io/docs/config-options/
-    config:
-      enabled: true
-      data:
-        config.yml: |
-          service:
-              frontendUrl: https://todos.kluster.moll.re
-          database:
-            type: sqlite
-            path: /app/vikunja/files/vikunja.db
-          registration: false
-  env:
-
-frontend:
-  enabled: true
-  image:
-    tag: 0.22.1
-  ingress:
-    main:
-      enabled: false
-
-postgresql:
-  enabled: false
-redis:
-  enabled: false
-typesense:
-  enabled: false

default.nix

@@ -0,0 +1,15 @@
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+  name = "infra-shell";
+
+
+  buildInputs = with pkgs; [
+    kubeseal
+    yq
+    jq
+  ];
+
+  env = {
+  };
+
+}

infrastructure/argocd/argocd-cmd-params.configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+data:
+  # server.insecure: "true"
+  # DID NOT FIX RELOAD LOOPS
+  # application.namespaces: "*"

infrastructure/argocd/argocd-oauth.configmap.yaml

@@ -12,10 +12,11 @@ data:
     # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
     clientSecret: $argocd-oauth:client-secret
 
-    skipAudienceCheckWhenTokenHasNoAudience: true
 
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email", "groups"]
 
     # Optional set of OIDC claims to request on the ID token.
     requestedIDTokenClaims: {"groups": {"essential": true}}
+
+  

infrastructure/argocd/argocd-oauth.sealedsecret.yaml

@@ -7,10 +7,12 @@ metadata:
   namespace: argocd
 spec:
   encryptedData:
-    client-secret: AgAGtwiMd6OOz2IT2QJJR6unSYgLqNVJCb63a6hHko749nK8Kx1WgLwCYT/UURQYUusqMMPkNqbkA+jLUgh92fa7MKhtj4GysSvWavB+j8oFWT3YZbNcYNoJsTxg8mIRKiMFmp5um703e5RtGCv7eiOWdVtHftVv1BycPVeVHUuLU5usc8lmgnTTEPiRUEUB8MjGd7bIEgJ9q5oAiRTiwefickS1NgC02K2K8hVAhG/VkP0lqYn0xYgsy4W4i/7Q7AxRxCwX3y23spjXNUCRJRYvgF7Cf+MHdBgk6xPtvJF3jDLJfw8H2ilUx0GaxkESCDIE/FSVlbhMXmUdVYB9SLVo9K/tzqHe536ufGWO+U7H92mhZl5oZcA7qP9iXLUy13sAY/slixbKT6y4BJ3Tnt/pK1IydASsOE/uuwuN5q6AHWvG++DSHEPfE8xOH3bRVph8aIJD9hi8UlH7KGlEDPIaY3twpaJDUweaGVRTEnjvxW/hKfp2SF8A0PtGDeKSSii/XBZjxjROdOvE2+xM/WTVdVqddvErzogEKfljMvb5Z4OQiNj7fFvFMVuRD55To8p/cYZu+KHx+D8tuUMH3zk6AdADs/0bjI0xAz3PJUAmVp4RE4k0vP8LAImF5rWkIyVUcvJmP8S90jf0d7usJaEFd1ZayFLyUnwGAkP8ua2RiupnNUrZ/49A31cGm1RCpw00DGEJ/5VK6VMP1+T4KOUP5pB90FUYVHUv6S8dAg==
+    client-secret: AgBmXMtAHgooKGgj3s/ndddVxxOXqUYyGev5BeUoAYL9IYYT3yB54cQp7v1suEwVGUJQQPOgc3YDUeS5kdOLcpYi7mOi7/aJYPmUHx1DU644JsebpeqJNMFt52SCynLjP9Vntlbkji9mPCQj0tHGhqleA+3y9mamuz3tZ+kaSY4+qUywXekMQz13YQgagQc+0BK2xzUzVedNj2AB0NmCIs8oOIL1ZL0iMi/+/a1VSh/pzm3Tv/ap3w5nqP6FUbZLcL0hU6+VTa6ZqoDcIIEm5x23tDXwgbHM7CJ5E/bHu+cNrvVO9XqI5x4KRIe/TDJGmO3oZ4bdeU2mtIxTXIHG3kKFCQzKPqteffctEusvdyqkpCqPsLUny8loOQKX8XjY6K6a7fMsYUsKkJ1Le3Zuif0AhzNvDCX69pz3uPEOf6ZR2pU0B0g3fc3gIwIuY97WiHzHg++pLJ6/yT32Ja9Ub6k72fJDA1HvvAOY0+fXoJdOwkJCfGFF/dXLp2M1/3xxDI05mJeFywE9NYBrb2yRNN9XAdwSJ5mpRnyiyBlMv/1W52yDBCavyMR+vLlyxaXGeVHvDSTdGCY8bCBEz2kbm3WEFxGR/LM3ls6d8WvvT5YJ+RxxEYSN/o0Zi233AK53toni+e2luBBIjUITa+QUIxpeWrz2aAe19PO+XiDHu8G2sErWxwE336USCnOiFIkqeJpBqtfOm0sWnxmQWhucMqTlGYdbus+DBkWWM23JLFuRsOI/VawqRg==
   template:
     metadata:
       creationTimestamp: null
+      labels:
+        app.kubernetes.io/part-of: argocd
       name: argocd-oauth
       namespace: argocd
     type: Opaque

infrastructure/argocd/argocd-rbac.configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.csv: |
+    # use oidc group apps_admin as admin group in argocd
+    g, apps_admin, role:admin
+    g, argocd, role:readonly
+  # all other user that might have entered via oidc, are blocked: deny everything
+  policy.default: deny

infrastructure/argocd/argocd.configmap.yaml

@@ -3,4 +3,9 @@ kind: ConfigMap
 metadata:
   name: argocd-cm
 data:
-  kustomize.buildOptions: --enable-helm
+  # enable helm when using kustomize
+  kustomize.buildOptions: --enable-helm
+  # disable admin user - use oidc
+  admin.enabled: "false"
+  # show neat status badges in the UI or as embeds
+  statusbadge.enabled: "true"

infrastructure/argocd/ingress.yaml

@@ -1,19 +1,17 @@
----
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: argocd-ingressroute
+  name: argocd-ingressroute
 
 spec:
-    entryPoints:
-        - websecure
-    routes:
-
-        - match: Host(`argocd.kluster.moll.re`)
-          kind: Rule
-          services:
-              - name: argocd-server
-                port: 443
-
-    tls:
-        certResolver: default-tls
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`argocd.kluster.moll.re`)
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    certResolver: default-tls

infrastructure/argocd/kustomization.yaml

@@ -3,15 +3,18 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
   - namespace.yaml
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.8
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
   - argocd-oauth.sealedsecret.yaml
+  - servicemonitor.yaml
 
 
 patches:
-  - path: known-hosts.configmap.yaml
   - path: argocd.configmap.yaml
+  - path: known-hosts.configmap.yaml
   - path: argocd-oauth.configmap.yaml
+  - path: argocd-rbac.configmap.yaml
+  - path: argocd-cmd-params.configmap.yaml

infrastructure/argocd/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: argocd
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/argocd/servicemonitor.yaml

@@ -0,0 +1,77 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server-metrics
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-repo-server-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-applicationset-controller-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-applicationset-controller
+  endpoints:
+  - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-dex-server
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  endpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: argocd-redis-haproxy-metrics
+  labels:
+    release: prometheus-operator
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  endpoints:
+  - port: http-exporter-port

infrastructure/authelia/README.md

@@ -0,0 +1,8 @@
+### Adding clients
+
+Generate a new secret + hash:
+```
+k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
+```
+
+give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.

infrastructure/authelia/authelia-internal.sealedsecret.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-internal
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
+    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
+    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
+    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
+    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-internal
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-smtp.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    smtp.yml: AgAHiNwse+aFYVoun500VoUTUKg22yDSn+cD9pLO4HKG26nqmOxkiTSi5BELpzWouqHXiHNwYLEKPv13ZFJX6AFfFskspBfe+svLvLSzEvtH8kNCSJar0G5jcACEk27xcCxTN0nhmjc6L9lmZF8UUth7l5Mrsl0EG+79pCNYhUtjy16g7HdbmYgmgrY6d7VWCen2R4HZK4A9zPx+8HEsoMzUD0mG+uKKKfmqYaxJ563Gzp7trDcQRXd4tmea9MM8t+bk9TYCDvBj9JbsNuIdzFk8MArlvlesDYqiJj/8wny49NoVyX8vvGVDF3Y5s+OmKA9+MoBIYNc4oT4FLcc14wpnMnk5WgbKtTYfExcGTdTWuTTVWPsF18dvbKTU3C6dnf2kh9T8CydIdu27jwrBbChWffxNbh5nlLlQT3Xvogai8o6qhMn+EqTnw/u93OIxNzPEooVP349VVW/mlhGX3od/IlVzXiIlQIxL5EP2pRCXL2T1KONvkpbClJ/BTuwfjRZTXz3ZaRhaTPdBAZ+bpkRkt+kEAecjqaf9EF+pHy+dOaR4tIrwBWBbrAy47iV4e/Q60B97bRHzgo9N1uaYonGmyzmyVc9TXIkhf7PIlu/cSyDaHKdobVx0AA0p2usi5D1QYMcS9fngXyM1U9imO6QiYopysxQ9gJL8rfuySRJ/YQ6JJ71fLdMxsiQ0r21D7v7LEdJK5SKLovpnmPgk4PBoL9E4ZPE6g5zRXZFj1IxpKkOqRMpyBzBvas9Q1OFFs0Y79kGtyWIXb7Z2HGYmMU1us9Pm95xVF/V34sAtMIEz7qi+SaXQHFvyqbaiJ48U8qHhHL5y+lt9e8PGmQo0tRWfHMejs5BCcFAEZKDiif6zUEsjV/WC9WKO9NUjvRiu0CYCq5z9QzKaZQqWo0LPeM6DMY8pT3w4OqpJ/OLyMfbdoWT/uQ1JW5npApGifL0lhWRIkQHCG7oZA/BkJfbiexV8jwtToS+UX/s9HkbkuQ/O4zDte8qg/Xzh5TOj5AxlAPN6wGCwd6t1RTSITSKVMnTpFabkEvPYnGeiyWU8TrckvaKmhRUNoj2ZWQCCffHKp/bimEHxRqFnW6B+cu35reTjFc2dqp12EhCBR727G0EARx3Gt/LSdPh8OYt+Bs0rLaHiUrCJh4HRBJPmg0PARVwDL7OWx6pwtclnrALmfELKKaopy6yFctDogOtkvxHbL8DNhJqNuQJo6ttzlHhz4bnQcWb2K92HIw==
+    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -1,4 +1,3 @@
-
 ingress:
   enabled: false
 
@@ -6,80 +5,302 @@ ingress:
 pod:
   kind: 'Deployment'
   replicas: 1
-  extraVolumes:
-    - name: config-ldap
-      secret:
-        secretName: authelia-ldap
-    - name: config-oidc
-      secret:
-        secretName: authelia-oidc
-    - name: config-smtp
-      secret:
-        secretName: authelia-smtp
 
-  extraVolumeMounts:
-    - name: config-ldap
-      mountPath: /extra-config/ldap.yml
-      readOnly: true
-    - name: config-oidc
-      mountPath: /extra-config/oidc.yml
-      readOnly: true
-    - name: config-smtp
-      mountPath: /extra-config/smtp.yml
-      readOnly: true
-      
+
 
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
-
-  # Enable the configMap source for the Authelia config.
-  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
-  disabled: false
-  key: 'configuration.yml'
-  # do not use a pre-existing configMap
-  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
+  key: 'configuration.yaml'
+  # include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
-    - /extra-config/ldap.yml
-    - /extra-config/oidc.yml
-    - /extra-config/smtp.yml
-  
+    - /secrets/authelia-smtp/smtp.yml
+
+
+  # many of the values remain default from the helm chart
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'custom'
+      address: 'ldap://lldap:3890'
+      base_dn: 'DC=moll,DC=re'
+      additional_users_dn: 'OU=people'
+      users_filter: "(&({username_attribute}={input})(objectClass=person))"
+      additional_groups_dn: 'OU=groups'
+      groups_filter: "(member={dn})"
+
+      ## The username of the admin user.
+      user: 'uid=authelia,ou=people,dc=moll,dc=re'
+      password:
+        # ## Disables this secret and leaves configuring it entirely up to you.
+        # disabled: false
+
+        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
+        # ## secret_value option below.
+        # secret_name: ~
+
+        # ## The value of a generated secret when using the ~ secret_name.
+        # value: ''
+
+        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
+        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
+        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
+        path: 'authentication.ldap.password.txt'
+        secret_name: authelia-ldap
+
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+    file:
+      enabled: false
+
+
   session:
+    inactivity: '2d'
+    expiration: '7d'
+    remember_me: '1M'
     cookies:
       - name: authelia_session
         domain: auth.kluster.moll.re
+    encryption_key:
+      secret_name: authelia-internal
+
+
   storage:
     encryption_key:
-      value: 'authelia-encryption-key'
+      secret_name: authelia-internal
+
     local:
       enabled: true
-      file: /config/db.sqlite3
+      path: /config/db.sqlite3
 
 
-##
-## Authelia Secret Configuration.
-##
-secret:
-
-  disabled: false
-
-  existingSecret: ''
+  identity_validation:
+    reset_password:
+      secret:
+        secret_name: authelia-internal
+        path: 'identity_validation.reset_password.jwt.hmac.key'
 
 
-certificates:
-  # don't use the pre-existing secret
-  existingSecret: ''
+  identity_providers:
+    oidc:
+      enabled: true
+      hmac_secret:
+        secret_name: authelia-internal
+        path: 'identity_providers.oidc.hmac.key'
+
+      # lifespans:
+      #   access_token: '1 hour'
+      #   authorize_code: '1 minute'
+      #   id_token: '1 hour'
+      #   refresh_token: '1 hour and 30 minutes'
+
+      jwks:
+        - algorithm: 'RS256'
+          key:
+            path: '/secrets/authelia-internal/oidc.jwks.key'
+
+      cors:
+        allowed_origins_from_client_redirect_uris: true
+
+      clients:
+        - client_id: 'grafana'
+          client_name: 'Grafana'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.grafana'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://grafana.kluster.moll.re/login/generic_oauth'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'recipes'
+          client_name: 'Recipes'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.recipes'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://recipes.kluster.moll.re/login'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'gitea'
+          client_name: 'Gitea'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.gitea'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'argocd'
+          client_name: 'Argo CD'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.argocd'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.kluster.moll.re/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'paperless'
+          client_name: 'Paperless'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.paperless'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'email'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'linkding'
+          client_name: 'LinkDing'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.linkding'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://linkding.kluster.moll.re/oidc/callback/'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'todos'
+          client_name: 'Todos'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.todos'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://todos.kluster.moll.re/auth/openid/authelia'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'kitchenowl'
+          client_name: 'KitchenOwl'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.kitchenowl'
+          public: false
+          token_endpoint_auth_method: 'client_secret_post'
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://kitchen.kluster.moll.re/signin/redirect'
+            - kitchenowl:/signin/redirect
+            # mobile app as well
+          scopes:
+            - openid
+            - email
+            - profile
+        - client_id: 'actualbudget'
+          client_name: 'Actual Budget'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.actualbudget'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://actualbudget.kluster.moll.re/openid/callback'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+        - client_id: 'vaultwarden'
+          client_name: 'VaultWarden'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.vaultwarden'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: false
+          pkce_challenge_method: ''
+          redirect_uris:
+            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          response_types:
+            - 'code'
+          grant_types:
+            - 'authorization_code'
+          access_token_signed_response_alg: 'none'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+
+  # notifier
+  # is set through a secret
+
 
-##
-## Authelia Persistence Configuration.
-##
-## Useful in scenarios where you need persistent storage.
-## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
-## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
-## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
-##
 persistence:
   enabled: true
   storageClass: 'nfs-client'
 
+
+secret:
+  mountPath: '/secrets'
+  additionalSecrets:
+    # the oidc client secrets referenced in the oidc config
+    authelia-oidc: {}
+    authelia-internal: {}
+    authelia-ldap: {}
+    authelia-smtp: {}

infrastructure/authelia/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
   - authelia-ldap.sealedsecret.yaml
   - authelia-oidc.sealedsecret.yaml
   - authelia-smtp.sealedsecret.yaml
+  - authelia-internal.sealedsecret.yaml
   - ingress.yaml
 
 
@@ -26,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.9
+    version: 0.10.46
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/cronjob.yaml

@@ -9,55 +9,15 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-
       template:
         spec:
-          initContainers:
-            - name: git
-              image: git
-              command: ["git"]
-              args:
-                - clone
-                - https://git.kluster.moll.re/remoll/dns.git
-                - /etc/octodns
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
           containers:
-            - name: octodns
-              image: octodns
+            - name: dns
+              image: dns
               env:
-                # - name: CLOUDFLARE_ACCOUNT_ID
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_ACCOUNT_ID
                 - name: CLOUDFLARE_TOKEN
                   valueFrom:
                     secretKeyRef:
                       name: cloudflare-api
                       key: CLOUDFLARE_TOKEN
-                # - name: CLOUDFLARE_EMAIL
-                #   valueFrom:
-                #     secretKeyRef:
-                #       name: cloudflare-api
-                #       key: CLOUDFLARE_EMAIL
-
-              command: ["/bin/sh", "-c"]
-              args:
-                - >-
-                  cd /etc/octodns
-                  &&
-                  pip install -r ./requirements.txt
-                  &&
-                  octodns-sync --config-file ./config.yaml --doit
-                  &&
-                  echo "done..."
-              volumeMounts:
-                - name: octodns-config
-                  mountPath: /etc/octodns
-
-          volumes:
-          - name: octodns-config
-            emptyDir: {}
           restartPolicy: Never

infrastructure/external-dns/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: octodns
-    newName: octodns/octodns # has all plugins
-    newTag: "2024.09"
-
-  - name: git
-    newName: alpine/git
-    newTag: "v2.45.2"
+  - name: dns
+    newName: git.kluster.moll.re/remoll/dns
+    newTag: 0.0.1-31

infrastructure/gitea/gitea.values.yaml

@@ -1,3 +1,6 @@
+strategy:
+  type: Recreate
+
 
 ## @section Service
 service:
@@ -56,7 +59,8 @@ ingress:
 resources:
   limits:
     cpu: 1
-    memory: 1Gi
+    memory: 5Gi
+    # high memory should be allowed to handle package uploads
   requests:
     cpu: 100m
     memory: 128Mi
@@ -96,6 +100,7 @@ gitea:
     email: "gitea@delete.me"
   
   metrics:
+    # service monitor is configured manually
     enabled: true
 
   ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
@@ -116,6 +121,10 @@ gitea:
     indexer:
       ISSUE_INDEXER_TYPE: bleve
       REPO_INDEXER_ENABLED: false
+    service:
+      DISABLE_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
 
   oauth:
     - name: authelia
@@ -125,7 +134,9 @@ gitea:
       existingSecret: gitea-oauth
       required-claim-name: groups
       required-claim-value: gitea
+      group-claim-name: groups
       admin-group: apps_admin
+  
 
   
   # since we want to reuse the postgres secret, we cannot directly use it in
@@ -159,5 +170,7 @@ postgresql:
   enabled: false
 postgresql-ha:
   enabled: false
-redis-cluster:
+valkey:
+  enabled: false
+valkey-cluster:
   enabled: false

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.4.1
+    version: 12.3.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/gitea/postgres-password.sealedsecret.yaml

@@ -7,9 +7,9 @@ metadata:
   namespace: gitea
 spec:
   encryptedData:
-    database: AgB8FeAX7Dx/SO/deoqeIRNPMe7DwgKtwFznjntm9TNnEJQDLVVu+D80eolcrTTOhlZJZgtKvpM9xgw7DLtKG+ARACaPYgaMW2m4V/B87Z3xAU0DCF16sv9LVIfNA8KyQZWYthEcWLpqoB0zVFBrb2PxI8QIV22QkNG4oITMCv/Xjf7P+pTa6iWWSLdPcR2tQVfkHsdWWJvtLcrLkI7i+sWjQOW8tgV8QAcQr5JcxEjSgb3X1J3R1EEVHsPAqQcdpUB7eQ7T9SbIaIpTXw05Tant42GMgALVx2J5TAzqLPdaVaUlKVRoN26eVthYhY9qKbskXkXZp/0Sa/RxXoVHt1jMyZFicMzp5w5yC3DZd9gTtsZOrn21NS1QAVh6twB2bxtf7EHjpS5AyvhaF9qbbGkZtUh4IhFSOpd6bMGZLZqQMcH+Ih9b+jv0j3cLBLY0Bzsj4u5yLvoqhOBcxLoVnW3N3x248y3ZUWkO7hPwP+Lo5FOX/cmK9VHvn5ZhNWNNO9xv0LYSzhqnAvVyTgvAGLDTrZbnp36Q+JkqlhrhFQoQkXRQ2HHNU5CC+o59OL0RnshJg4UUed1ETmOPCJmcPZdKNvfUiW1PUB2AwDeWhRyN6wjwzreioSN6qHrxctXpEQohTwzGeG+rgG0tj9V3yHn1Er1j0pR6S9VJBkaQ0qnaInSthxSC5MkXTKXFmW8YfHQqXKmQcQ==
-    password: AgB+i/mSHnQJnBpRu1cGwKzqrqoSzKfbGkxWTv57ozmiVkEendzudwKu+3MJQh9fHrBwUa0Cu2OqIzGqMQIwDKC5+LDiYAnDOfacu/VBX6mWVABIeg8fqU/PRqym/sGxJtcmwPdo8H8zJm+/vyPpLv4dkYYjHFkAhF3QShq1qMhfeaB/vd6ZNjQEfvCWX14V2F/RTq8skuwQkVQJoz9OsaF+KiTmKC7R1aeZaTUUCFIWGGIq9V2k3O7VAITGJanAT5IYo+epQf2HLsC2xyIUs9prk1rF0yUishgc2bsb4joPULl/G2VUgafH9SKQ37TFqZi2z20gVutrkLyuCMk25tW7m+z4+YCC/dJ9aW/31sFUwSnVhdYh6gwsnNP5GzSguAoOq+6izVD8hV2QzfdIYPrIZyADI7HY9o4LK8YuRS5KgJdaCU3kWYY+tVTSvkGFCWu5q/pBihBG2bN83asTHZcnkocMEvCaTsbPq2CN8/WCRZJs84M6CEzCioNmuGAmUU+fEF/MVEZtTI+6yCrJkOEHdVywtdLufNPGFut97XF+YvJZ1UZ6AW546JGmlmEMFukNHi1XDBm/mWL8e1H6xwLe6I9rwL6YTDrji3IixdERS+a6tq2vcksU5EjW9x9WYt6ctZD/cfhEFAvpssJLCs2vmjNgMhmilPoTppvXyUYnE4bCZuVFRrO/a+ogjXUU2nkqnyKQsA==
-    username: AgCS0tZPssPP8LFwMdTWrXd64oYKb/vmEH8ir+fnc7MgnPkW9kop+hF2X7/KIWTVNe1MAkreW40DxZ6/T4UO7gGTGv52BItcQp87Rr+RMZ5Y720bhivBC33zmDXlWR7TQDMqo733cdcWRnMDvCSvzKV1Mn18iF0VqhOlDZITcyConmKIWcuzzElt90iYtC9o3UIYw6crBD6l9ikrFwU1wH9mL+FdvM8fWG83qkbJGoaqjxj5FEgMXwXFUWVzUqC8dEe8wiHcyq7eeFpyXrF7/WtAiZOwPBy6EG4zFQoRSihR+qme+pZdXP+fHVzGrcBsMxjW4l16R1MmyS9PLpA3r+LdX81K7XHPEctNihrV4U1Dmb2fkANcP2SV95Moftb160WRkfR1cElHxOJs0kaKbZ0P4k74U2UFaZSVIEw85fYm1TE0C5qnpFKktOhOhSKcia+XGG58TQLuosQCYH+P1OZ1LbFfj9O/NBmqWnH2dBIRCC5Ba6b+nNpOQaSztMeEOCSCdYmglS9MmP34zzFjusZ8hAj7ebe25gCo1UCSxYR/xEjrGQsyXY9VB9IPjVO8F7Ms9ex3KITYoib5HcMFCvDUOKl3SOmsJmzf/ahufHXRr/NdPFAoqLU6sehcNAx8LKp/795h3N3PBqol/y9Kv4xbAquz8/qY0giHJfaWcKP/LuVZ81s6MvQlnqn/UWXWzQgNo/RbZw==
+    database: AgDONZUiFyHQLH3lq7vBovX5fqIDdxViQr8PFAh3hnHM8PqJpZ5MCkBL65hVuKmQ6EgrMj+0smPbfk9Rfwq42wFw+i2cgTgN69G9iMwp47+ng5GADPiQ2tIJQNFfqz9VQP0mmu9VXnckoBU0HXQmV21jkK2AKk5YHVLmIhu++1g8LjjYSBMP8iYiritOuyHbOn8OP26FmqBvnTCGg4pFzd/WIhsj7Zz9BeP+AOP/BTA+VZCOqBJJDzztHp9xYamcWslDX2snQG1Iw/rs4zyBVx+sWWPJgkiLmY1aRDnVYmwkh9RC81usrtrC9FZ6VYoxsufGj+Ie25hbbUukqKFuwk3V0dbZTRGa+4xHr7535fDYSxFm8/dkAyh8yM03VUy/2dhrtv9qWM1Yu50tcEoe/YoBdwItyNk/AELjfCvfXzwDttzsl85QVtSil+V6WRhpiQlH5EGhqSMzH9eduAddMrIEMQiSqn9J/vME5j7fJhgFs0bP7kqB9UKT6yTIU8QchRRUUYZwEFevLox01dRtJDoa8DVuO1G2LDZVUEoHrfEvFwzRGhuBH9B2yXAZLXgXbOreoiPi76xI0fw9VNXJ90KYcpwuMv8MykdNWQLsyCraf/WJIXMpm+UEVMqArJnscky0K1YHX6eQeQx0BU5hEeIAZucOwimSv2jJLqlBK/heiMgfp0pWu2lIu+tQ4AarkFsWNdbiBA==
+    password: AgAp0473gvkk/8OFkxg59+LArAD7v8rRryOuYnScxkhJxSngXnnLXYr2iaeOMgjWryOPtWEWa0F6+hDaTtsp+vhg0X8rtdvyonV/I/I/K5rV70N/bao+kIf5LfcntZ6RjGaQtaeHjh15tY3LxmJ3PdJpDcLJXn1+iBsfTnEEsBFDKolD2RcXwH+74feX+Q8bG7KkAo4r0OfEaO/KC2FCC8vg/AHgzNUFL08mnK7DPgNjgNc3MYk/+Ey91LfvMD9NfuO1xrlsV6gy12gVwZV14kfAqHL4DvifmaHY14hScJC3tK6HqmSitKmNRcJZ3Ad2y7rS63X6DeaXmKFpDDYk69ubfVWBT5CWaBHfYHCWJqJITtoJq4PdLp7xRchRrZblqLUKnTrs8Dmry4qapa/uAma4k84ZSnFl6XeM8n8ZYpx3Tx91fwsYLCWiGX7AblFsEmzsT7jf0wTri7HYyNcF1s5YhL59ZO7iGzruAJRDA4BMrXWFrNjsDQrCR4FTYDIr4cR05mi9nPd2C5dAzZtARpBQZgr/lruE3GKgalYF0oxIJGYKcDbCO5pntAPpL/7rbhdjVtvpUg2d+wJYkVIn6zTaOmr0TCnMOzFPzwwbxrr7U8opfYcjep2XeVOfHKfitrgKwFCwO/CsbP+ao0b6PT7K9KGqrI5lVrEAO+pOU6s3Omgm3AJGzGEIzIXCnkeD2dYsRrfyHM0zQ23+iUyUk8x3XIItFe7cq34X935y+bbViqAQ
+    username: AgBInyjzij13Ea3HB2CPXENjd6g5dJ3j3p3hgbO7oT5ld/GFgcwgjkduq5D8edouDzKEcoPMrAAS0XX46d9l618ZMxxKGdNq+Yw8intpziaI5AB9xDPesP5+mjXw08Clf5GfTMQW9SqYbNVm+GGwIKo05P3Z+cLtv8l8jqqJbMmEMQ9Ir/gRgPVbpPKFC4zX4BTuIKpaRrPiyraD2hmGXrvDaFBIt8lSmLyEh3UclW5cTBJQIRnstBv8mbIRDf4zS/bJtQPknncVASBVVHynEauMTqd4+sPdG/8y7KYsrH3rfrXWLEecmiu9E7mgxw7M6qur8qoi88KX3Ydjngy56mj3nQQ8k1knc8I50cg6yT42Z6vaKeAoqtDzkxEvOlIzXZVwikPAuIf7B7VPZSE6qz7Xgo4QQ5FGONE5JnFGLosqSqEMnBtOXEZgHCrOerJo2f3Mw1fkaJ2OLnd93w97IODIM3LU8bVsRFbjiRYPbZiM2H5f6Rnsw3M7/qlkdmXyda4xnOeSp3i39UfSrtIAJO8HPo9lk+ANOBO7Q8SBAkFXH8V2Hva4NSKtPwmBZjtOGeUDB7Nfv2KT4jvQRBdlpfLtDMDzBmq2sL7ua2Uq5u6FDy0tAmWeU4m3GGSNlheVQZSfAW3+icvs/WlqotAloTy12Dq/H6DgcRI0W2V0bRxoIQ3z6N+cAHbL892g8wdPUFu9mSBZhA==
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/postgres.yaml

@@ -4,7 +4,7 @@ metadata:
   name: gitea-postgres
 spec:
   instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:11
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
   bootstrap:
     initdb:
       owner: gitea