Merge branch 'main' of ssh://git.kluster.moll.re:2222/remoll/k3s-infra

Reviewed-on: #54

.gitignore

@@ -1,2 +1,6 @@
+# Kubernetes secrets
 *.secret.yaml
-charts/
+main.key
+
+# Helm Chart files
+charts/

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "infrastructure/external-dns/octodns"]
 	path = infrastructure/external-dns/octodns
 	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
+[submodule "apps/monitoring/dashboards"]
+	path = apps/monitoring/dashboards
+	url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git

README.md

@@ -1,7 +1,6 @@
 # Kluster setup and IaaC using argoCD
 
 
-
 ### Initial setup
 #### Requirements:
 - A running k3s instance
@@ -28,5 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
+#### Recap
+- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+    ```bash
+    kubectl apply -k infrastructure/sealedsecrets
+    kubectl apply -f infrastructure/sealedsecrets/main.key
+    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
+    ```
+- install argocd
+    ```bash
+    kubectl apply -k infrastructure/argocd
+    ```
+- wait...
+
 
 ### Adding an application
+todo
+
+

apps/adguard/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
   name: adguard-tls-ingress

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.44
+    newTag: v0.107.46
 
 namespace: adguard
 

apps/files/README.md

@@ -1,8 +0,0 @@
-# File sync
-
-My personal cross-platform filesync. Using syncthing for my android and linux clients. And nextcloud for my ios clients.
-
-
-## Overview
-Both services share a common persistence which allows them to apply each their own logic for synching to other devices. The server acts as a relay.
-

apps/files/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ocis-statefulset
+spec:
+  selector:
+    matchLabels:
+      app: ocis
+  serviceName: ocis-web
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: ocis
+    spec:
+      containers:
+      - name: ocis
+        image: ocis
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1000m"
+        env:
+        - name: OCIS_INSECURE
+          value: "true"
+        - name: OCIS_URL
+          value: "https://ocis.kluster.moll.re"
+        - name: OCIS_LOG_LEVEL
+          value: "debug"
+        ports:
+        - containerPort: 9200
+        volumeMounts:
+        - name: config
+          mountPath: /etc/ocis
+        # - name: ocis-config-file
+        #   mountPath: /etc/ocis/config.yaml
+        - name: data
+          mountPath: /var/lib/ocis
+      volumes:
+      # - name: ocis-config
+      #   persistentVolumeClaim:
+      #     claimName: ocis-config
+      - name: config
+        secret:
+          secretName: ocis-config
+      - name: data
+        persistentVolumeClaim:
+          claimName: ocis

apps/files/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ocis-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`ocis.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: ocis-web
+      port: 9200
+      scheme: https
+
+  tls:
+    certResolver: default-tls 

apps/files/kustomization.yaml

@@ -1,11 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+resources: 
+  - namespace.yaml
+  - ingress.yaml
+  - service.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - ocis-config.sealedsecret.yaml
 
 namespace: files
 
-resources:
-  - namespace.yaml
-  - pvc.yaml
-
-  - syncthing/
-  - nextcloud/
+images:
+  - name: ocis
+    newName: owncloud/ocis
+    newTag: "5.0"

apps/files/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
+  name: placeholder

apps/files/nextcloud/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: nextcloud-ingress
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`nextcloud2.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: nextcloud
-      port: 8080
-  tls:
-    certResolver: default-tls 

apps/files/nextcloud/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - pvc.yaml
-  - ingress.yaml
-  - postgres.yaml
-  - postgres-credentials.sealedsecret.yaml
-
-helmCharts:
-  - name: nextcloud
-    releaseName: nextcloud
-    version: 4.5.5
-    valuesFile: values.yaml
-    repo: https://nextcloud.github.io/helm/

apps/files/nextcloud/postgres-credentials.sealedsecret.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: postgres-credentials
-  namespace: files
-spec:
-  encryptedData:
-    database: AgBOgmqlfgiN2VqxNyYL6O+/jdzPmGg97zOXxZ7KiD07b4/2FdmlWgOZZp7oUpQ9RMV0WybC0jau2YVlgXB32afgJ3uinaAAhzZwvzy8dgapNpe8ClxnFINRhKKC9kxK7YeDwtptbDQn7YtEmVGHI66/71VyGy7NME4Pk0Y4FxxpF6KAZMAHNyez4JMa9V+XFtYV5G5bOkPY/ku4LcYntiMAlEaArF+re1m5nLQmZ4SVkWlOc41N4Hv1HrCv8qq2kj7zVR5/J2qW8NlzmdJJqv1AP1foELuITZZKxwNspxynNxhjXTX0fP6vzfJpxtzb2s/4Yh2uT/UPb2rOdcGaXjjHKxjSX23tG5ZT+z5lt0y9UEmUYytlcsYv9vsRqCmeFsB63S7aABeCRSOJyGLsuUc7xqSZ2ijDG38qLij+JPgoEIbSLfRYVGE5GMo9EbHt4N+ZIMpJYQXq0VhDip/r11SENfUa3XoautQ5uVR1D50FuSrN16t24bQXai9uifkBpDyvqbiqgv7s3qOjF9u8I0eyeJA0ZO1JO174B9SO3IcZYys8c87fSuWvFbGepLNqfneSIx93klDUdx3YEjqcrqib49+3/dn3RO9/puyhJ6O0TEZneToyauV3lxpR+XG/PDx7EQ88lELgD/AmtulsLHkYNgpoblFPbgDUeHhOgoBRAe22Hiy0Co4eh0SPVPyKhj8MyYhPtLEV+UY=
-    password: AgB2eY5aKJhEcJIgArGRrsqYf5pJJoXHRkplFpaqCCQW7X7WLREb+35HDijhnJSWRI2/LXDVy/8ArJe1LiiW+05aRY/9nvmjdpUmvsdQ6DK1mvirl8Py4JYueNrk2iUmI1h+ROyubBCvRBKxueQNkuwipKvk7nIlON6cwFnqp6GPcuWihSG/GZ2nSZmxmu+thdsM/S8DPaTW/N+Sut8DyarlCN94ZRiFVZIJialibfsJGQtL/uPX0W61GTkEU4m34IN9e+POdEdg3HuFMd3RvNQpndgPjaTv4A22TJRFs+rcHlcHr+5r8acVy1V+sZy97126Z7moeKDp1rFbG2/yMT1iS2oxQN4GJceTgMzSagqdn+KgD0N38OYvp+mRUQsl7+Fpglcq03vqbvxsc1fC78XpAAPMNA/pQDvtlS1qjuB7WCa5b3mkJxjc8efIuna9GAnDGh+djhlGHLEERnEfjlnpeDb/afRejUX+i6r00GnBxuRJfV+lKh4BJsnJm29nC4t10F6ff91Ngcjf+wCm5yWSFETZ9oFrPn10igGvoZwROJYABdtfMNjidGLkdKQnG1dj3EFu5XDn9vRqt8Iu/dEyoh7a2iGYDQ1lGpz+zxA/OZ9l/SuL6JUUwXq5W1/fSbtaBPdit4cwUTopq7AcpZkMuAQyVy6N9D0Hvjx432rCxmqyGU8PyjKHoAN+nuvTi79HtHR2wo4hJeIDoktdpxswSCe9VJEvqTFGQyCZtX3uEg==
-    username: AgATMaQ/BRCO9vx329YxGGUGl3E68Tm3coU6IO6pYm8f+Uf7ImH4l/P84mjGDLho1zBUfILPAvM4G5xG2qkkyW4mEuB8A7NNWAhXMOS5i1msNaV2oqLYNWCOG2lFO7unkYwPSyu9EyGn/Hq/kbGPAKfUf6dtDLEc+Y0S5Ue9YA2gYK4VYUec491+02EOoprGcfM1QdGPLBrunXn4krxtGm+eTsK8nd/lnm3DK+f5uGupO844i8T0mXE1xcliysBTZzxEVpmzPN8q4TMay6qcB2wOvEyngnGCfxJGTSjTrkydPFLcI4p6IONW5QAX9eQwo6ZDo56WVNgvyNW+ZJ6hmPP9nLeHnKb3rM91CIMM0GDRYc3VFsVXwBY/sj12hiompXEVQEp+EJUbgnDLK2lW+J602ZnzyHFgwGKnfdI8PHfKoxRVf06TXPdROu1mfXr5jOXc+++LoRotkVOuf2KXMip/7HlTkRlZXKkenhIqrTtQkENJ+aaxCKdQwgE8iDtmB6ZEBiMJq/dZgvn7qbcMc/SYF3l6YZKSU2L1359CRTeuQ6J6aDml+WHvgtwLH6sIgR9Sjgxid9XlhQ3/8f9UQdR6OpblsBZYn8gYEQ1WRr7H1R3IjENpA7LtburPYyogSk4eSFWR1hkwfiiTJrfwJCPEka28a7MqX0nCKZqzzUOQqXNGPX8W9rU8aA2HcnSPrzLoOV2av9h4icw=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: postgres-credentials
-      namespace: files

apps/files/nextcloud/postgres.yaml

@@ -1,20 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: nextcloud-postgres
-spec:
-  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:16
-  bootstrap:
-    initdb:
-      owner: nextcloud
-      database: nextcloud
-      secret: 
-        name: postgres-credentials
-
-  storage:
-    size: 1Gi
-    storageClass: nfs-client
-
-  monitoring:
-    enablePodMonitor: true

apps/files/nextcloud/pvc.yaml

@@ -1,11 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: nextcloud-config
-spec:
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

apps/files/nextcloud/values.yaml

@@ -1,155 +0,0 @@
-## Official nextcloud image version
-## ref: https://hub.docker.com/r/library/nextcloud/tags/
-
-ingress:
-  enabled: false
-
-
-nextcloud:
-  host: nextcloud2.kluster.moll.re
-  username: admin
-  password: changeme
-  ## Use an existing secret
-  existingSecret:
-    enabled: false
-  update: 0
-  # If web server is not binding default port, you can define it
-  # containerPort: 8080
-  datadir: /var/www/html/data
-  persistence:
-    subPath:
-  mail:
-    enabled: false
-  # PHP Configuration files
-  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
-  phpConfigs: {}
-  # Default config files
-  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
-  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
-  defaultConfigs:
-    # To protect /var/www/html/config
-    .htaccess: true
-    # Redis default configuration
-    redis.config.php: true
-    # Apache configuration for rewrite urls
-    apache-pretty-urls.config.php: true
-    # Define APCu as local cache
-    apcu.config.php: true
-    # Apps directory configs
-    apps.config.php: true
-    # Used for auto configure database
-    autoconfig.php: true
-    # SMTP default configuration
-    smtp.config.php: true
-
-
-  extraVolumes:
-    - name: files-nfs
-      persistentVolumeClaim:
-        claimName: files-nfs
-
-  extraVolumeMounts:
-    - name: files-nfs
-      mountPath: /files
-
-
-  # Extra config files created in /var/www/html/config/
-  # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
-  # configs:
-  #   config.php: |-
-
-  # For example, to use S3 as primary storage
-  # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
-  #
-  #  configs:
-  #    s3.config.php: |-
-  #      <?php
-  #      $CONFIG = array (
-  #        'objectstore' => array(
-  #          'class' => '\\OC\\Files\\ObjectStore\\S3',
-  #          'arguments' => array(
-  #            'bucket'     => 'my-bucket',
-  #            'autocreate' => true,
-  #            'key'        => 'xxx',
-  #            'secret'     => 'xxx',
-  #            'region'     => 'us-east-1',
-  #            'use_ssl'    => true
-  #          )
-  #        )
-  #      );
-
-nginx:
-  ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
-  enabled: false
-
-internalDatabase:
-  enabled: false
-
-##
-## External database configuration
-##
-externalDatabase:
-  enabled: true
-  type: postgresql
-  host: nextcloud-postgres-rw
-
-  database: nextcloud
-  existingSecret:
-    enabled: true
-    secretName: postgres-credentials
-    usernameKey: username
-    passwordKey: password
-
-
-mariadb:
-  enabled: false
-postgresql:
-  enabled: false
-redis:
-  enabled: false
-
-
-cronjob:
-  enabled: false
-
-persistence:
-  # Nextcloud Data (/var/www/html)
-  enabled: true
-  annotations: {}
-
-  ## If defined, PVC must be created manually before volume will be bound
-  existingClaim: nextcloud-config
-
-  ## Use an additional pvc for the data directory rather than a subpath of the default PVC
-  ## Useful to store data on a different storageClass (e.g. on slower disks)
-  nextcloudData:
-    enabled: false
-
-
-resources:
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  limits:
-   cpu: 2000m
-   memory: 2Gi
-  requests:
-   cpu: 100m
-   memory: 128Mi
-
-livenessProbe:
-  enabled: false
-  # disable when upgrading from a previous chart version
-
-hpa:
-  enabled: false
-
-## Prometheus Exporter / Metrics
-##
-metrics:
-  enabled: false
-
-
-rbac:
-  enabled: false

apps/files/pvc.yaml

@@ -1,11 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: files-nfs
+  name: ocis
 spec:
-  storageClassName: nfs-client
+  storageClassName: "nfs-client"
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
   resources:
     requests:
-      storage: 100Gi
+      storage: 150Gi

apps/files/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ocis-web
+spec:
+  selector:
+    app: ocis
+  ports:
+  - port: 9200
+    targetPort: 9200

apps/files/syncthing/deployment.yaml

@@ -1,40 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: syncthing
-spec:
-  selector:
-    matchLabels:
-      app: syncthing
-  template:
-    metadata:
-      labels:
-        app: syncthing
-    spec:
-      containers:
-      - name: syncthing
-        image: syncthing
-        resources:
-          limits:
-            memory: "256Mi"
-            cpu: "500m"
-        ports:
-        - containerPort: 8384
-          protocol: TCP
-          name: syncthing-web
-        - containerPort: 22000
-          protocol: TCP
-        - containerPort: 22000
-          protocol: UDP
-        volumeMounts:
-        - name: persistence
-          mountPath: /files
-        - name: config
-          mountPath: /var/syncthing/config
-      volumes:
-      - name: persistence
-        persistentVolumeClaim:
-          claimName: files-nfs
-      - name: config
-        persistentVolumeClaim:
-          claimName: syncthing-config

apps/files/syncthing/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: rss-ingressroute
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`syncthing2.kluster.moll.re`)
-      kind: Rule
-      services:
-        - name: syncthing-web
-          port: 8384
-  tls:
-    certResolver: default-tls

apps/files/syncthing/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - pvc.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - servicemonitor.yaml
-  # - syncthing-api.sealedsecret.yaml
-
-images:
-  - name: syncthing
-    newName: syncthing/syncthing
-    newTag: "1.27"

apps/files/syncthing/pvc.yaml

@@ -1,11 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: syncthing-config
-spec:
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

apps/files/syncthing/service.yaml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: syncthing-web
-  labels:
-    app: syncthing
-spec:
-  selector:
-    app: syncthing
-  type: ClusterIP
-  ports:
-  - port: 8384
-    targetPort: 8384
-    name: syncthing-web
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: syncthing-listen
-  annotations:
-    metallb.universe.tf/allow-shared-ip: syncthing-service
-spec:
-  selector:
-    app: syncthing
-  type: LoadBalancer
-  loadBalancerIP: 192.168.3.5
-  ports:
-  - port: 22000
-    targetPort: 22000
-    protocol: TCP
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: syncthing-discover
-  annotations:
-    metallb.universe.tf/allow-shared-ip: syncthing-service
-spec:
-  selector:
-    app: syncthing
-  type: LoadBalancer
-  loadBalancerIP: 192.168.3.5
-  ports:
-  - port: 22000
-    targetPort: 22000
-    protocol: UDP

apps/files/syncthing/servicemonitor.yaml

@@ -1,16 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: syncthing-servicemonitor
-  labels:
-    app: syncthing
-spec:
-  selector:
-    matchLabels:
-      app: syncthing
-  endpoints:
-    - port: syncthing-web
-      path: /metrics
-      bearerTokenSecret:
-        name: syncthing-api
-        key: token

apps/files1/deployment.yaml

@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: spacedrive
-spec:
-  selector:
-    matchLabels:
-      app: spacedrive
-  template:
-    metadata:
-      labels:
-        app: spacedrive
-    spec:
-      containers:
-      - name: spacedrive
-        image: spacedrive
-        resources:
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
-        ports:
-        - containerPort: 80
-        volumeMounts:
-        - name: storage
-          mountPath: /data
-
-      volumes:
-      - name: storage
-        persistentVolumeClaim:
-          claimName: spacedrive-nfs

apps/files1/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: files1
-
-resources:
-  - namespace.yaml
-  - pvc.yaml
-  - deployment.yaml
-
-
-images:
-  - name: spacedrive
-    newName: ghcr.io/spacedriveapp/spacedrive/server
-    newTag: 0.2.4

apps/files1/pvc.yaml

@@ -1,11 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: spacedrive-nfs
-spec:
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 100Gi

apps/finance/actualbudget.deployment.yaml

@@ -22,13 +22,13 @@ spec:
             - name: TZ
               value: Europe/Berlin
           volumeMounts:
-            - name: actualbudget-data-nfs
+            - name: data
               mountPath: /data
           ports:
             - containerPort: 5006
               name: http
               protocol: TCP
       volumes:
-        - name: actualbudget-data-nfs
+        - name: data
           persistentVolumeClaim:
-            claimName: actualbudget-data-nfs
+            claimName: data

apps/finance/actualbudget.ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: actualbudget

apps/finance/actualbudget.pvc.yaml

@@ -1,27 +1,11 @@
 apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: "actualbudget-data-nfs"
-spec:
-  capacity:
-    storage: "5Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/actualbudget
-    server: 192.168.1.157
-
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: "actualbudget-data-nfs"
+  name: "data"
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: "5Gi"
-
-  volumeName: actualbudget-data-nfs

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.2.0
+    newTag: 24.3.0

apps/homeassistant/config.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: config
+  namespace: homeassistant
+spec:
+  encryptedData:
+    configuration.yaml: AgBAcghv6dQYajqfwayHhfRIE2awjHYOw1h9vWkeM7GRWtaB61eGLbievEvDhKYYWbLCCwXEfFpk1NodWvf7fdmsIm+uXu+95VbAv7/uRGdO4VDB37fagXLqEceNRkOD4lBQxUaZM1kHkEIbMTSKaLZAUfDwNwqZzbVMNRkTCd15+DFQMVpO7wT8CJ+oRWqB4ISV+0NivxVABzqzp3djQMbLgJzxYAzYWJro+qAJnXUrr4Jmk/mwcoYKD6JEVQKFKnT6TArFU9zK9T2Uoyiye530d6yV64j+qEgRS85rSEfYvooW+8YqIWnVvwaRt0FzFDAy0ONB91TemWlidM55RYKURiOvYa3L2jH5oDfFTDil3zjTCY5/4JSi7WD0ceChRAtq881O+8iK6RiVLZfAL6N0fcm5LpGG0ug3Sn3CZKN85M70/agDhbz11ryGhPCBkuSUuT7HT1rbxzLy3wUFyD5MnTPbLZ+f88zCBUPIZk6UK9IdacOPYcn/dQzfJEeNoL2FouZbC/SWw6gxpNjcmk/ercwg4/g/WpPEeLZGpCt3gt5sbFi91+j0mocogY/DZ4Y6HC//v2KIZPy9nmLu4EDLjVzJnNcqW0t3aD9matxUiBbhOUSHmIfh3oGA4ZPr4e1UXOYRcihviD6OwNLfU337o86MOOTSLGPtUhERnHdPmz/X0n1oGMWffxcKKhS2m3WJtycAKbLwc4N/oeOFLbEAyc7xbfX0FUKlEskNJeH2toWfgOj8w7TunOi7MNCJN6zA1eclXa9axJozw7JTbAxZDPVyBr17yXgDJ0QymGxI7X0z7Vy8Y3yR4URlNaHgh2OQ1BKi4uEkrVz2lFtujPkfS9oiKYOaSJCBTFG4G9bx7QlTezlbNOeFPkilBSWhosCaLPhHKizRDOtDMu60XyvATEdKWeiFqvt69MNtETZPFfmzXYSAcwYIuMYu3twzMzEaFi3mk+wXN0fcrz/DAU3EJ+1zWr3WaDRXzVhesgf0BcfP+tRBm0zRlfS12AP7OHCTxxbR4KJzCegLcjWLqSHF4kRZgrCkfph1UKdwX+hHDNxWkPx6U/e4/4fhCuQZ7nDu62WysbDQO624Gsit4DsXFkfaX6rX98B5sjw8GYIhv53Pw5HetyjBHr/EFDeIKWmrEafrPRkzUgGq/pdDjZZ8FcfIi4SR6Yx7fHg4rKp2EA7NP0mEUEthqqpncHpE47pu0EFy1d9ZwwW8AjvXIWT+CjMEv8EPBNOJrzT36qXYWFzF3DWgf//MyUyO5IGSIhIBP6oy/3yit6Q4lNPlaxTclxATlbbf7T8OLaHc+4Tk4odRVXk6RSyrEHTphGQot5YhodlLYueZfeINOzKZ05+r/dGkoPwVKyLPV/g2YOjjtHNGEzVSjQgUnHk4rkRtaIJvWAiFQtUaiaJVQKGYlq+ARlKRJDAXk9jpuwiKoH/5zBou1jrfqaxTqstEAK8leNNZyIv8biFLipDf6xC6EoV58gMTdx20tFNGgVRgsWFHfuNW39Gn5LDRS+u9PQWVAqKxZXwJ/8pz/smki0qIWNKaa9LeNxPDHf/RPoU1PqxDt7FVzPhE7KjnpgsPxB+sv3qqOJ9H4oBdueMRWnpUdTuO6CzpvUuio19mhX3iLGToUaYyYxH0v29o8QQzLPrWdBjQ4+g3TQoDu/bJCaP/UdEmK/e73pFrZWo/jM2tdGiRi8Z+67k9RPdIAR/dJW0+mJN+w6rizxrdYMUu9iNgUCps9NZX6BB0D6fpcfbas+SzlrIBthi6s5qnJFGS+jJGn9s0KdgRrqQxyyHvYKdjreR0Y+3XcRXdYercKLILmF/LE3jPiFaDWV3rkbYyetjUx/KFO/f6m5er+tXiUZeznNvOIj8ppLivwpPbXbGBGRcYNyuSgRfPxLTDe2XSbSkROuqGPSLQc+XP6x9KeM3p6Gwq54bO2jkDVWGDjfndNz3J64ovV3ljZ1ON0AwB3i+3MTEkFpzzDXFgg1GMviVZPRT7ZWhDOCOKwJI1ylLoGrMkQQgnbm7qImG9fP7GC2J12TRzSYuxKdIjsdG3xg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: config
+      namespace: homeassistant
+    type: Opaque

apps/homeassistant/deployment.yaml

@@ -1,4 +1,3 @@
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,8 +21,11 @@ spec:
           - name: TZ
             value: Europe/Berlin
           volumeMounts:
-            - name: config
+            - name: config-dir
               mountPath: /config
+            - name: configuration
+              mountPath: /config/configuration.yaml
+              readOnly: true
           resources:
             requests:
               cpu: "100m"
@@ -32,6 +34,10 @@ spec:
               cpu: "2"
               memory: "1Gi"
       volumes:
-        - name: config
+        - name: config-dir
           persistentVolumeClaim:
-            claimName: homeassistant-nfs
+            claimName: config
+        - name: configuration
+          secret:
+            secretName: config
+

apps/homeassistant/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: homeassistant-ingress
@@ -17,7 +17,7 @@ spec:
     certResolver: default-tls
 
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: homeassistant-websocket

apps/homeassistant/kustomization.yaml

@@ -9,8 +9,10 @@ resources:
   - pvc.yaml
   - service.yaml
   - deployment.yaml
+  - servicemonitor.yaml
+  - config.sealedsecret.yaml
 
 images:
   - name: homeassistant/home-assistant
     newName: homeassistant/home-assistant
-    newTag: "2024.2"
+    newTag: "2024.1"

apps/homeassistant/pvc.yaml

@@ -1,28 +1,11 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: homeassistant-nfs
-spec:
-  # storageClassName: slow
-  capacity:
-    storage: "1Gi"
-  # volumeMode: Filesystem
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /kluster/homeassistant
-    server: 192.168.1.157
----
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: homeassistant-nfs
+  name: config
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: "1Gi"
-  volumeName: homeassistant-nfs

apps/homeassistant/servicemonitor.yaml

@@ -0,0 +1,13 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: homeassistant-servicemonitor
+  labels:
+    app: homeassistant
+spec:
+  selector:
+    matchLabels:
+      app: homeassistant
+  endpoints:
+    - port: homeassistant-web
+      path: /api/prometheus

apps/immich/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: stripprefix
@@ -7,7 +7,7 @@ spec:
     prefixes:
       - /api
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: websocket
@@ -18,7 +18,7 @@ spec:
       # enable websockets
       Upgrade: "websocket"
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
     name: immich-ingressroute

apps/immich/kustomization.yaml

@@ -1,24 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
-  - namespace.yaml
-  - ingress.yaml
-  - pvc.yaml
-  - postgres.yaml
-  - postgres.sealedsecret.yaml
+- namespace.yaml
+- ingress.yaml
+- pvc.yaml
+- postgres.yaml
+- postgres.sealedsecret.yaml
 
 namespace: immich
 
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.3.1
+    version: 0.4.0
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.95.1
+    newTag: v1.99.0
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.95.1
+    newTag: v1.99.0
+

apps/immich/postgres.yaml

@@ -10,7 +10,7 @@ spec:
     initdb:
       owner: immich
       database: immich
-      secret: 
+      secret:
         name: postgres-password
 
   postgresql:
@@ -19,7 +19,12 @@ spec:
 
   storage:
     size: 1Gi
-    storageClass: nfs-client
+    pvcTemplate:
+      storageClassName: ""
+      resources:
+        requests:
+          storage: "1Gi"
+      volumeName: immich-postgres
 
   monitoring:
     enablePodMonitor: true

apps/immich/pvc.yaml

@@ -24,3 +24,17 @@ spec:
     requests:
       storage: "50Gi"
   volumeName: immich-nfs
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-postgres
+spec:
+  capacity:
+    storage: "1Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /kluster/immich-postgres
+    server: 192.168.1.157
+# later used by cnpg

apps/matrix/kustomization.yaml

@@ -1,30 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - postgres.yaml
-  - synapse.deployment.yaml
-  - synapse.service.yaml
-  - synapse.configmap.yaml
-  - synapse.ingress.yaml
-  - postgres-credentials.secret.yaml
-
-  - mautrix.pvc.yaml
-  - mautrix-telegram.statefulset.yaml
-  - mautrix-telegram.configmap.yaml
-  - mautrix-whatsapp.statefulset.yaml
-
-
-namespace: matrix
-
-images:
-  - name: mautrix-telegram
-    newName: dock.mau.dev/mautrix/telegram
-    newTag: "v0.15.1"
-  - name: mautrix-whatsapp
-    newName: dock.mau.dev/mautrix/whatsapp
-    newTag: "v0.10.5"
-  - name: synapse
-    newName: ghcr.io/element-hq/synapse
-    newTag: "v1.100.0"

apps/matrix/mautrix-telegram.configmap.yaml

@@ -1,511 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: mautrix-telegram
-data:
-  config.yaml: |
-    # Homeserver details
-    homeserver:
-        # The address that this appservice can use to connect to the homeserver.
-        address: http://synapse:8448
-        # The domain of the homeserver (for MXIDs, etc).
-        domain: matrix.kluster.moll.re
-        # Whether or not to verify the SSL certificate of the homeserver.
-        # Only applies if address starts with https://
-        verify_ssl: false
-        # What software is the homeserver running?
-        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
-        software: standard
-        # Number of retries for all HTTP requests if the homeserver isn't reachable.
-        http_retry_count: 4
-        # The URL to push real-time bridge status to.
-        # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
-        # The bridge will use the appservice as_token to authorize requests.
-        status_endpoint: null
-        # Endpoint for reporting per-message status.
-        message_send_checkpoint_endpoint: null
-        # Whether asynchronous uploads via MSC2246 should be enabled for media.
-        # Requires a media repo that supports MSC2246.
-        async_media: false
-    # Application service host/registration related details
-    # Changing these values requires regeneration of the registration.
-    appservice:
-        # The address that the homeserver can use to connect to this appservice.
-        address: http://mautrix-telegram:29318
-        # When using https:// the TLS certificate and key files for the address.
-        tls_cert: false
-        tls_key: false
-        # The hostname and port where this appservice should listen.
-        hostname: 0.0.0.0
-        port: 29317
-        # The maximum body size of appservice API requests (from the homeserver) in mebibytes
-        # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
-        max_body_size: 1
-        # The full URI to the database. SQLite and Postgres are supported.
-        # Format examples:
-        #   SQLite:   sqlite:filename.db
-        #   Postgres: postgres://username:password@hostname/dbname
-        database: sqlite:mautrix-telegram.db
-
-        # The unique ID of this appservice.
-        id: telegram
-        # Username of the appservice bot.
-        bot_username: telegrambot
-        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-        # to leave display name/avatar as-is.
-        bot_displayname: Telegram bridge bot
-        bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
-        # Whether or not to receive ephemeral events via appservice transactions.
-        # Requires MSC2409 support (i.e. Synapse 1.22+).
-        # You should disable bridge -> sync_with_custom_puppets when this is enabled.
-        ephemeral_events: true
-        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-        as_token: "This value is generated when generating the registration"
-        hs_token: "This value is generated when generating the registration"
-
-    # Bridge config
-    bridge:
-        # Localpart template of MXIDs for Telegram users.
-        # {userid} is replaced with the user ID of the Telegram user.
-        username_template: "telegram_{userid}"
-        # Localpart template of room aliases for Telegram portal rooms.
-        # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
-        alias_template: "telegram_{groupname}"
-        # Displayname template for Telegram users.
-        # {displayname} is replaced with the display name of the Telegram user.
-        displayname_template: "{displayname} (Telegram)"
-        # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
-        # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
-        # ID is used.
-        #
-        # If the bridge is working properly, a phone number or an username should always be known, but
-        # the other one can very well be empty.
-        #
-        # Valid keys:
-        #   "full name"          (First and/or last name)
-        #   "full name reversed" (Last and/or first name)
-        #   "first name"
-        #   "last name"
-        #   "username"
-        #   "phone number"
-        displayname_preference:
-            - full name
-            - username
-            - phone number
-        # Maximum length of displayname
-        displayname_max_length: 100
-        # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
-        # as there's no way to determine whether an avatar is removed or just hidden from some users. If
-        # you're on a single-user instance, this should be safe to enable.
-        allow_avatar_remove: false
-        # Should contact names and profile pictures be allowed?
-        # This is only safe to enable on single-user instances.
-        allow_contact_info: false
-        # Maximum number of members to sync per portal when starting up. Other members will be
-        # synced when they send messages. The maximum is 10000, after which the Telegram server
-        # will not send any more members.
-        # -1 means no limit (which means it's limited to 10000 by the server)
-        max_initial_member_sync: 100
-        # Maximum number of participants in chats to bridge. Only applies when the portal is being created.
-        # If there are more members when trying to create a room, the room creation will be cancelled.
-        # -1 means no limit (which means all chats can be bridged)
-        max_member_count: -1
-        # Whether or not to sync the member list in channels.
-        # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
-        # list regardless of this setting.
-        sync_channel_members: false
-        # Whether or not to skip deleted members when syncing members.
-        skip_deleted_members: true
-        # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
-        # their Telegram account at startup.
-        startup_sync: false
-        # Number of most recently active dialogs to check when syncing chats.
-        # Set to 0 to remove limit.
-        sync_update_limit: 0
-        # Number of most recently active dialogs to create portals for when syncing chats.
-        # Set to 0 to remove limit.
-        sync_create_limit: 15
-        # Should all chats be scheduled to be created later?
-        # This is best used in combination with MSC2716 infinite backfill.
-        sync_deferred_create_all: false
-        # Whether or not to sync and create portals for direct chats at startup.
-        sync_direct_chats: false
-        # The maximum number of simultaneous Telegram deletions to handle.
-        # A large number of simultaneous redactions could put strain on your homeserver.
-        max_telegram_delete: 10
-        # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
-        # at startup and when creating a bridge.
-        sync_matrix_state: true
-        # Allow logging in within Matrix. If false, users can only log in using login-qr or the
-        # out-of-Matrix login website (see appservice.public config section)
-        allow_matrix_login: true
-        # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
-        public_portals: false
-        # Whether or not to use /sync to get presence, read receipts and typing notifications
-        # when double puppeting is enabled
-        sync_with_custom_puppets: false
-        # Whether or not to update the m.direct account data event when double puppeting is enabled.
-        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-        # and is therefore prone to race conditions.
-        sync_direct_chat_list: false
-        # Servers to always allow double puppeting from
-        double_puppet_server_map:
-            example.com: https://example.com
-        # Allow using double puppeting from any server with a valid client .well-known file.
-        double_puppet_allow_discovery: false
-        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
-        #
-        # If set, custom puppets will be enabled automatically for local users
-        # instead of users having to find an access token and run `login-matrix`
-        # manually.
-        # If using this for other servers than the bridge's server,
-        # you must also set the URL in the double_puppet_server_map.
-        login_shared_secret_map:
-            example.com: foobar
-        # Set to false to disable link previews in messages sent to Telegram.
-        telegram_link_preview: true
-        # Whether or not the !tg join command should do a HTTP request
-        # to resolve redirects in invite links.
-        invite_link_resolve: false
-        # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
-        # This is currently not supported in most clients.
-        caption_in_message: false
-        # Maximum size of image in megabytes before sending to Telegram as a document.
-        image_as_file_size: 10
-        # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
-        image_as_file_pixels: 16777216
-        # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
-        # streaming from/to Matrix and using many connections for Telegram.
-        # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
-        # This option uses internal Telethon implementation details and may break with minor updates.
-        parallel_file_transfer: false
-        # Whether or not created rooms should have federation enabled.
-        # If false, created portal rooms will never be federated.
-        federate_rooms: true
-        # Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
-        # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
-        always_custom_emoji_reaction: false
-        # Settings for converting animated stickers.
-        animated_sticker:
-            # Format to which animated stickers should be converted.
-            # disable - No conversion, send as-is (gzipped lottie)
-            # png - converts to non-animated png (fastest),
-            # gif - converts to animated gif
-            # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
-            # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
-            target: gif
-            # Should video stickers be converted to the specified format as well?
-            convert_from_webm: false
-            # Arguments for converter. All converters take width and height.
-            args:
-                width: 256
-                height: 256
-                fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
-        # Settings for converting animated emoji.
-        # Same as animated_sticker, but webm is not supported as the target
-        # (because inline images can only contain images, not videos).
-        animated_emoji:
-            target: webp
-            args:
-                width: 64
-                height: 64
-                fps: 25
-        # # End-to-bridge encryption support options.
-        # #
-        # # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-        # encryption:
-        #     # Allow encryption, work in group chat rooms with e2ee enabled
-        #     allow: false
-        #     # Default to encryption, force-enable encryption in all portals the bridge creates
-        #     # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        #     default: false
-        #     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
-        #     appservice: false
-        #     # Require encryption, drop any unencrypted messages.
-        #     require: false
-        #     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-        #     # You must use a client that supports requesting keys from other users to use this feature.
-        #     allow_key_sharing: false
-        #     # Options for deleting megolm sessions from the bridge.
-        #     delete_keys:
-        #         # Beeper-specific: delete outbound sessions when hungryserv confirms
-        #         # that the user has uploaded the key to key backup.
-        #         delete_outbound_on_ack: false
-        #         # Don't store outbound sessions in the inbound table.
-        #         dont_store_outbound: false
-        #         # Ratchet megolm sessions forward after decrypting messages.
-        #         ratchet_on_decrypt: false
-        #         # Delete fully used keys (index >= max_messages) after decrypting messages.
-        #         delete_fully_used_on_decrypt: false
-        #         # Delete previous megolm sessions from same device when receiving a new one.
-        #         delete_prev_on_new_session: false
-        #         # Delete megolm sessions received from a device when the device is deleted.
-        #         delete_on_device_delete: false
-        #         # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
-        #         periodically_delete_expired: false
-        #         # Delete inbound megolm sessions that don't have the received_at field used for
-        #         # automatic ratcheting and expired session deletion. This is meant as a migration
-        #         # to delete old keys prior to the bridge update.
-        #         delete_outdated_inbound: false
-        #     # What level of device verification should be required from users?
-        #     #
-        #     # Valid levels:
-        #     #   unverified - Send keys to all device in the room.
-        #     #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-        #     #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-        #     #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-        #     #                           Note that creating user signatures from the bridge bot is not currently possible.
-        #     #   verified - Require manual per-device verification
-        #     #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-        #     verification_levels:
-        #         # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
-        #         receive: unverified
-        #         # Minimum level that the bridge should accept for incoming Matrix messages.
-        #         send: unverified
-        #         # Minimum level that the bridge should require for accepting key requests.
-        #         share: cross-signed-tofu
-        #     # Options for Megolm room key rotation. These options allow you to
-        #     # configure the m.room.encryption event content. See:
-        #     # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
-        #     # more information about that event.
-        #     rotation:
-        #         # Enable custom Megolm room key rotation settings. Note that these
-        #         # settings will only apply to rooms created after this option is
-        #         # set.
-        #         enable_custom: false
-        #         # The maximum number of milliseconds a session should be used
-        #         # before changing it. The Matrix spec recommends 604800000 (a week)
-        #         # as the default.
-        #         milliseconds: 604800000
-        #         # The maximum number of messages that should be sent with a given a
-        #         # session before changing it. The Matrix spec recommends 100 as the
-        #         # default.
-        #         messages: 100
-        #         # Disable rotating keys when a user's devices change?
-        #         # You should not enable this option unless you understand all the implications.
-        #         disable_device_change_key_rotation: false
-        # Whether to explicitly set the avatar and room name for private chat portal rooms.
-        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
-        # If set to `always`, all DM rooms will have explicit names and avatars set.
-        # If set to `never`, DM rooms will never have names and avatars set.
-        private_chat_portal_meta: default
-        # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
-        # but they're being phased out and will be completely removed in the future.
-        disable_reply_fallbacks: false
-        # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this.
-        cross_room_replies: false
-        # Whether or not the bridge should send a read receipt from the bridge bot when a message has
-        # been sent to Telegram.
-        delivery_receipts: false
-        # Whether or not delivery errors should be reported as messages in the Matrix room.
-        delivery_error_reports: false
-        # Should errors in incoming message handling send a message to the Matrix room?
-        incoming_bridge_error_reports: false
-        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
-        message_status_events: false
-        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-        # This field will automatically be changed back to false after it,
-        # except if the config file is not writable.
-        resend_bridge_info: false
-        # When using double puppeting, should muted chats be muted in Matrix?
-        mute_bridging: false
-        # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
-        # The favorites tag is `m.favourite`.
-        pinned_tag: null
-        # Same as above for archived chats, the low priority tag is `m.lowpriority`.
-        archive_tag: null
-        # Whether or not mute status and tags should only be bridged when the portal room is created.
-        tag_only_on_create: true
-        # Should leaving the room on Matrix make the user leave on Telegram?
-        bridge_matrix_leave: true
-        # Should the user be kicked out of all portals when logging out of the bridge?
-        kick_on_logout: true
-        # Should the "* user joined Telegram" notice always be marked as read automatically?
-        always_read_joined_telegram_notice: true
-        # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
-        # Requires the user to have sufficient power level and double puppeting enabled.
-        create_group_on_invite: true
-        # Settings for backfilling messages from Telegram.
-        backfill:
-            # Allow backfilling at all?
-            enable: true
-            # Whether or not to enable backfilling in normal groups.
-            # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
-            # will likely cause problems if there are multiple Matrix users in the group.
-            normal_groups: false
-            # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
-            # Set to -1 to let any chat be unread.
-            unread_hours_threshold: 720
-            # Forward backfilling limits.
-            #
-            # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
-            forward_limits:
-                # Number of messages to backfill immediately after creating a portal.
-                initial:
-                    user: 50
-                    normal_group: 100
-                    supergroup: 10
-                    channel: 10
-                # Number of messages to backfill when syncing chats.
-                sync:
-                    user: 100
-                    normal_group: 100
-                    supergroup: 100
-                    channel: 100
-            # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too.
-            forward_timeout: 900
-            # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716.
-            incremental:
-                # Maximum number of messages to backfill per batch.
-                messages_per_batch: 100
-                # The number of seconds to wait after backfilling the batch of messages.
-                post_batch_delay: 20
-                # The maximum number of batches to backfill per portal, split by the chat type.
-                # If set to -1, all messages in the chat will eventually be backfilled.
-                max_batches:
-                    # Direct chats
-                    user: -1
-                    # Normal groups. Note that the normal_groups option above must be enabled
-                    # for these to be backfilled.
-                    normal_group: -1
-                    # Supergroups
-                    supergroup: 10
-                    # Broadcast channels
-                    channel: -1
-        # Overrides for base power levels.
-        initial_power_level_overrides:
-            user: {}
-            group: {}
-        # Whether to bridge Telegram bot messages as m.notices or m.texts.
-        bot_messages_as_notices: true
-        bridge_notices:
-            # Whether or not Matrix bot messages (type m.notice) should be bridged.
-            default: false
-            # List of user IDs for whom the previous flag is flipped.
-            # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
-            #      notices from users listed here will be bridged.
-            exceptions: []
-        # An array of possible values for the $distinguisher variable in message formats.
-        # Each user gets one of the values here, based on a hash of their user ID.
-        # If the array is empty, the $distinguisher variable will also be empty.
-        relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
-        # The formats to use when sending messages to Telegram via the relay bot.
-        # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
-        #
-        # Available variables:
-        #   $sender_displayname - The display name of the sender (e.g. Example User)
-        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
-        #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
-        #   $distinguisher      - A random string from the options in the relay_user_distinguishers array.
-        #   $message            - The message content
-        message_formats:
-            m.text: "$distinguisher <b>$sender_displayname</b>: $message"
-            m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
-            m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
-            m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
-            m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
-            m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
-            m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
-            m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
-        # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
-        # users are sent to telegram. All fields in message_formats are supported. Additionally, the
-        # Telegram user info is available in the following variables:
-        #    $displayname - Telegram displayname
-        #    $username    - Telegram username (may not exist)
-        #    $mention     - Telegram @username or displayname mention (depending on which exists)
-        emote_format: "* $mention $formatted_body"
-        # The formats to use when sending state events to Telegram via the relay bot.
-        #
-        # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
-        # In name_change events, `$prev_displayname` is the previous displayname.
-        #
-        # Set format to an empty string to disable the messages for that event.
-        state_event_formats:
-            join: "$distinguisher <b>$displayname</b> joined the room."
-            leave: "$distinguisher <b>$displayname</b> left the room."
-            name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
-        # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
-        # `filter-mode` management commands.
-        #
-        # An empty blacklist will essentially disable the filter.
-        filter:
-            # Filter mode to use. Either "blacklist" or "whitelist".
-            # If the mode is "blacklist", the listed chats will never be bridged.
-            # If the mode is "whitelist", only the listed chats can be bridged.
-            mode: blacklist
-            # The list of group/channel IDs to filter.
-            list: []
-            # How to handle direct chats:
-            # If users is "null", direct chats will follow the previous settings.
-            # If users is "true", direct chats will always be bridged.
-            # If users is "false", direct chats will never be bridged.
-            users: true
-        # The prefix for commands. Only required in non-management rooms.
-        command_prefix: "!tg"
-        # Messages sent upon joining a management room.
-        # Markdown is supported. The defaults are listed below.
-        management_room_text:
-            # Sent when joining a room.
-            welcome: "Hello, I'm a Telegram bridge bot."
-            # Sent when joining a management room and the user is already logged in.
-            welcome_connected: "Use `help` for help."
-            # Sent when joining a management room and the user is not logged in.
-            welcome_unconnected: "Use `help` for help or `login` to log in."
-            # Optional extra text sent when joining a management room.
-            additional_help: ""
-        # Send each message separately (for readability in some clients)
-        management_room_multiple_messages: false
-        # Permissions for using the bridge.
-        # Permitted values:
-        #   relaybot - Only use the bridge via the relaybot, no access to commands.
-        #       user - Relaybot level + access to commands to create bridges.
-        #  puppeting - User level + logging in with a Telegram account.
-        #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
-        #      admin - Full access to use the bridge and some extra administration commands.
-        # Permitted keys:
-        #        * - All Matrix users
-        #   domain - All users on that homeserver
-        #     mxid - Specific user
-        permissions:
-            "matrix.kluster.moll.re": "full"
-            "@remy:matrix.kluster.moll.re": "admin"
-        # Options related to the message relay Telegram bot.
-        relaybot:
-            private_chat:
-                # List of users to invite to the portal when someone starts a private chat with the bot.
-                # If empty, private chats with the bot won't create a portal.
-                invite: []
-                # Whether or not to bridge state change messages in relaybot private chats.
-                state_changes: true
-                # When private_chat_invite is empty, this message is sent to users /starting the
-                # relaybot. Telegram's "markdown" is supported.
-                message: This is a Matrix bridge relaybot and does not support direct chats
-            # List of users to invite to all group chat portals created by the bridge.
-            group_chat_invite: []
-            # Whether or not the relaybot should not bridge events in unbridged group chats.
-            # If false, portals will be created when the relaybot receives messages, just like normal
-            # users. This behavior is usually not desirable, as it interferes with manually bridging
-            # the chat to another room.
-            ignore_unbridged_group_chat: true
-            # Whether or not to allow creating portals from Telegram.
-            authless_portals: true
-            # Whether or not to allow Telegram group admins to use the bot commands.
-            whitelist_group_admins: true
-            # Whether or not to ignore incoming events sent by the relay bot.
-            ignore_own_incoming_events: true
-            # List of usernames/user IDs who are also allowed to use the bot commands.
-            whitelist:
-                - myusername
-                - 12345678
-    # Telegram config
-    telegram:
-        # Get your own API keys at https://my.telegram.org/apps
-        api_id: 862555
-        api_hash: 7387a7b6ba71793d6f3fa98261117e4e
-        # (Optional) Create your own bot at https://t.me/BotFather
-        bot_token: disabled
-        # Should the bridge request missed updates from Telegram when restarting?
-        catch_up: true
-        # Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
-        sequential_updates: true
-        exit_on_update_error: false

apps/matrix/mautrix-telegram.statefulset.yaml

@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: mautrix-telegram
-spec:
-  selector:
-    matchLabels:
-      app: mautrix-telegram
-  serviceName: mautrix-telegram
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: mautrix-telegram
-    spec:
-      containers:
-      - name: mautrix-telegram
-        image: mautrix-telegram
-        volumeMounts:
-        - name: config
-          mountPath: /data/config.yaml
-          subPath: config.yaml
-        - name: persistence
-          mountPath: /data
-        args:
-          - --no-update # disable overwriting config.yaml
-      volumes:
-      - name: config
-        configMap:
-          name: mautrix-telegram
-      - name: persistence
-        emptyDir: {}

apps/matrix/mautrix-whatsapp.configmap.yaml

@@ -1,428 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: mautrix-whatsapp
-data:
-  config.yaml: |
-    # Homeserver details.
-    homeserver:
-        # The address that this appservice can use to connect to the homeserver.
-        address: http://synapse:8448
-        # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-        domain: matrix.kluster.moll.re
-
-        # What software is the homeserver running?
-        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
-        software: standard
-        # The URL to push real-time bridge status to.
-        # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
-        # The bridge will use the appservice as_token to authorize requests.
-        status_endpoint: null
-        # Endpoint for reporting per-message status.
-        message_send_checkpoint_endpoint: null
-        # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-        async_media: false
-
-        # Should the bridge use a websocket for connecting to the homeserver?
-        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
-        # mautrix-asmux (deprecated), and hungryserv (proprietary).
-        websocket: false
-        # How often should the websocket be pinged? Pinging will be disabled if this is zero.
-        ping_interval_seconds: 0
-
-    # Application service host/registration related details.
-    # Changing these values requires regeneration of the registration.
-    appservice:
-        # The address that the homeserver can use to connect to this appservice.
-        address: http://mautrix-whatsapp:29318
-
-        # The hostname and port where this appservice should listen.
-        hostname: 0.0.0.0
-        port: 29318
-
-        # Database config.
-        database:
-            # The database type. "sqlite3-fk-wal" and "postgres" are supported.
-            type: sqlite3-fk-wal
-            # The database URI.
-            #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
-            #           https://github.com/mattn/go-sqlite3#connection-string
-            #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-            #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-            uri: file:/data/mautrix-whatsapp.db?_txlock=immediate
-            # Maximum number of connections. Mostly relevant for Postgres.
-            max_open_conns: 20
-            max_idle_conns: 2
-            # Maximum connection idle time and lifetime before they're closed. Disabled if null.
-            # Parsed with https://pkg.go.dev/time#ParseDuration
-            max_conn_idle_time: null
-            max_conn_lifetime: null
-
-        # The unique ID of this appservice.
-        id: whatsapp
-        # Appservice bot details.
-        bot:
-            # Username of the appservice bot.
-            username: whatsappbot
-            # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-            # to leave display name/avatar as-is.
-            displayname: WhatsApp bridge bot
-            avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
-
-        # Whether or not to receive ephemeral events via appservice transactions.
-        # Requires MSC2409 support (i.e. Synapse 1.22+).
-        ephemeral_events: true
-
-        # Should incoming events be handled asynchronously?
-        # This may be necessary for large public instances with lots of messages going through.
-        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
-        async_transactions: false
-
-        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-        as_token: "This value is generated when generating the registration"
-        hs_token: "This value is generated when generating the registration"
-
-    # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
-    analytics:
-        # Hostname of the tracking server. The path is hardcoded to /v1/track
-        host: api.segment.io
-        # API key to send with tracking requests. Tracking is disabled if this is null.
-        token: null
-        # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
-        user_id: null
-
-    # Prometheus config.
-    metrics:
-        # Enable prometheus metrics?
-        enabled: false
-        # IP and port where the metrics listener should be. The path is always /metrics
-        listen: 127.0.0.1:8001
-
-    # Config for things that are directly sent to WhatsApp.
-    whatsapp:
-        # Device name that's shown in the "WhatsApp Web" section in the mobile app.
-        os_name: Mautrix-WhatsApp bridge
-        # Browser name that determines the logo shown in the mobile app.
-        # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
-        # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
-        browser_name: unknown
-
-    # Bridge config
-    bridge:
-        # Localpart template of MXIDs for WhatsApp users.
-        # {{.}} is replaced with the phone number of the WhatsApp user.
-        username_template: whatsapp_{{.}}
-        # Displayname template for WhatsApp users.
-        # {{.PushName}}     - nickname set by the WhatsApp user
-        # {{.BusinessName}} - validated WhatsApp business name
-        # {{.Phone}}        - phone number (international format)
-        # The following variables are also available, but will cause problems on multi-user instances:
-        # {{.FullName}}  - full name from contact list
-        # {{.FirstName}} - first name from contact list
-        displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
-        # Should the bridge create a space for each logged-in user and add bridged rooms to it?
-        # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
-        personal_filtering_spaces: false
-        # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
-        delivery_receipts: false
-        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
-        message_status_events: false
-        # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
-        message_error_notices: true
-        # Should incoming calls send a message to the Matrix room?
-        call_start_notices: true
-        # Should another user's cryptographic identity changing send a message to Matrix?
-        identity_change_notices: false
-        portal_message_buffer: 128
-        # Settings for handling history sync payloads.
-        history_sync:
-            # Enable backfilling history sync payloads from WhatsApp?
-            backfill: true
-            # The maximum number of initial conversations that should be synced.
-            # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
-            max_initial_conversations: -1
-            # Maximum number of messages to backfill in each conversation.
-            # Set to -1 to disable limit.
-            message_count: 50
-            # Should the bridge request a full sync from the phone when logging in?
-            # This bumps the size of history syncs from 3 months to 1 year.
-            request_full_sync: false
-            # Configuration parameters that are sent to the phone along with the request full sync flag.
-            # By default (when the values are null or 0), the config isn't sent at all.
-            full_sync_config:
-                # Number of days of history to request.
-                # The limit seems to be around 3 years, but using higher values doesn't break.
-                days_limit: null
-                # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
-                size_mb_limit: null
-                # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
-                storage_quota_mb: null
-            # If this value is greater than 0, then if the conversation's last message was more than
-            # this number of hours ago, then the conversation will automatically be marked it as read.
-            # Conversations that have a last message that is less than this number of hours ago will
-            # have their unread status synced from WhatsApp.
-            unread_hours_threshold: 0
-
-        
-
-        # Should puppet avatars be fetched from the server even if an avatar is already set?
-        user_avatar_sync: true
-        # Should Matrix users leaving groups be bridged to WhatsApp?
-        bridge_matrix_leave: true
-        # Should the bridge update the m.direct account data event when double puppeting is enabled.
-        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-        # and is therefore prone to race conditions.
-        sync_direct_chat_list: false
-        # Should the bridge use MSC2867 to bridge manual "mark as unread"s from
-        # WhatsApp and set the unread status on initial backfill?
-        # This will only work on clients that support the m.marked_unread or
-        # com.famedly.marked_unread room account data.
-        sync_manual_marked_unread: true
-        # When double puppeting is enabled, users can use `!wa toggle` to change whether
-        # presence is bridged. This setting sets the default value.
-        # Existing users won't be affected when these are changed.
-        default_bridge_presence: true
-        # Send the presence as "available" to whatsapp when users start typing on a portal.
-        # This works as a workaround for homeservers that do not support presence, and allows
-        # users to see when the whatsapp user on the other side is typing during a conversation.
-        send_presence_on_typing: false
-        # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
-        # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
-        #
-        # By default, the bridge acts like WhatsApp web, which only sends active delivery
-        # receipts when it's in the foreground.
-        force_active_delivery_receipts: false
-        # Servers to always allow double puppeting from
-        double_puppet_server_map:
-            example.com: https://example.com
-        # Allow using double puppeting from any server with a valid client .well-known file.
-        double_puppet_allow_discovery: false
-        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
-        #
-        # If set, double puppeting will be enabled automatically for local users
-        # instead of users having to find an access token and run `login-matrix`
-        # manually.
-        login_shared_secret_map:
-            example.com: foobar
-        # Whether to explicitly set the avatar and room name for private chat portal rooms.
-        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
-        # If set to `always`, all DM rooms will have explicit names and avatars set.
-        # If set to `never`, DM rooms will never have names and avatars set.
-        private_chat_portal_meta: default
-        # Should group members be synced in parallel? This makes member sync faster
-        parallel_member_sync: false
-        # Should Matrix m.notice-type messages be bridged?
-        bridge_notices: true
-        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-        # This field will automatically be changed back to false after it, except if the config file is not writable.
-        resend_bridge_info: false
-        # When using double puppeting, should muted chats be muted in Matrix?
-        mute_bridging: false
-        # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
-        # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
-        # This can be set to a tag (e.g. m.lowpriority), or null to disable.
-        archive_tag: null
-        # Same as above, but for pinned chats. The favorite tag is called m.favourite
-        pinned_tag: null
-        # Should mute status and tags only be bridged when the portal room is created?
-        tag_only_on_create: true
-        # Should WhatsApp status messages be bridged into a Matrix room?
-        # Disabling this won't affect already created status broadcast rooms.
-        enable_status_broadcast: true
-        # Should sending WhatsApp status messages be allowed?
-        # This can cause issues if the user has lots of contacts, so it's disabled by default.
-        disable_status_broadcast_send: true
-        # Should the status broadcast room be muted and moved into low priority by default?
-        # This is only applied when creating the room, the user can unmute it later.
-        mute_status_broadcast: true
-        # Tag to apply to the status broadcast room.
-        status_broadcast_tag: m.lowpriority
-        # Should the bridge use thumbnails from WhatsApp?
-        # They're disabled by default due to very low resolution.
-        whatsapp_thumbnail: false
-        # Allow invite permission for user. User can invite any bots to room with whatsapp
-        # users (private chat and groups)
-        allow_user_invite: false
-        # Whether or not created rooms should have federation enabled.
-        # If false, created portal rooms will never be federated.
-        federate_rooms: true
-        # Should the bridge never send alerts to the bridge management room?
-        # These are mostly things like the user being logged out.
-        disable_bridge_alerts: false
-        # Should the bridge stop if the WhatsApp server says another user connected with the same session?
-        # This is only safe on single-user bridges.
-        crash_on_stream_replaced: false
-        # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
-        # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
-        # key in the event content even if this is disabled.
-        url_previews: false
-        # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
-        # This is currently not supported in most clients.
-        caption_in_message: false
-        # Send galleries as a single event? This is not an MSC (yet).
-        beeper_galleries: false
-        # Should polls be sent using MSC3381 event types?
-        extev_polls: false
-        # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
-        cross_room_replies: false
-        # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
-        # but they're being phased out and will be completely removed in the future.
-        disable_reply_fallbacks: false
-        # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
-        # Null means there's no enforced timeout.
-        message_handling_timeout:
-            # Send an error message after this timeout, but keep waiting for the response until the deadline.
-            # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
-            # If the message is older than this when it reaches the bridge, the message won't be handled at all.
-            error_after: null
-            # Drop messages after this timeout. They may still go through if the message got sent to the servers.
-            # This is counted from the time the bridge starts handling the message.
-            deadline: 120s
-
-        # The prefix for commands. Only required in non-management rooms.
-        command_prefix: "!wa"
-
-        # Messages sent upon joining a management room.
-        # Markdown is supported. The defaults are listed below.
-        management_room_text:
-            # Sent when joining a room.
-            welcome: "Hello, I'm a WhatsApp bridge bot."
-            # Sent when joining a management room and the user is already logged in.
-            welcome_connected: "Use `help` for help."
-            # Sent when joining a management room and the user is not logged in.
-            welcome_unconnected: "Use `help` for help or `login` to log in."
-            # Optional extra text sent when joining a management room.
-            additional_help: ""
-
-        # End-to-bridge encryption support options.
-        #
-        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-        encryption:
-            # Allow encryption, work in group chat rooms with e2ee enabled
-            allow: false
-            # Default to encryption, force-enable encryption in all portals the bridge creates
-            # This will cause the bridge bot to be in private chats for the encryption to work properly.
-            default: false
-            # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
-            appservice: false
-            # Require encryption, drop any unencrypted messages.
-            require: false
-            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-            # You must use a client that supports requesting keys from other users to use this feature.
-            allow_key_sharing: false
-            # Should users mentions be in the event wire content to enable the server to send push notifications?
-            plaintext_mentions: false
-            # Options for deleting megolm sessions from the bridge.
-            delete_keys:
-                # Beeper-specific: delete outbound sessions when hungryserv confirms
-                # that the user has uploaded the key to key backup.
-                delete_outbound_on_ack: false
-                # Don't store outbound sessions in the inbound table.
-                dont_store_outbound: false
-                # Ratchet megolm sessions forward after decrypting messages.
-                ratchet_on_decrypt: false
-                # Delete fully used keys (index >= max_messages) after decrypting messages.
-                delete_fully_used_on_decrypt: false
-                # Delete previous megolm sessions from same device when receiving a new one.
-                delete_prev_on_new_session: false
-                # Delete megolm sessions received from a device when the device is deleted.
-                delete_on_device_delete: false
-                # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
-                periodically_delete_expired: false
-                # Delete inbound megolm sessions that don't have the received_at field used for
-                # automatic ratcheting and expired session deletion. This is meant as a migration
-                # to delete old keys prior to the bridge update.
-                delete_outdated_inbound: false
-            # What level of device verification should be required from users?
-            #
-            # Valid levels:
-            #   unverified - Send keys to all device in the room.
-            #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-            #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-            #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-            #                           Note that creating user signatures from the bridge bot is not currently possible.
-            #   verified - Require manual per-device verification
-            #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-            verification_levels:
-                # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
-                receive: unverified
-                # Minimum level that the bridge should accept for incoming Matrix messages.
-                send: unverified
-                # Minimum level that the bridge should require for accepting key requests.
-                share: cross-signed-tofu
-            # Options for Megolm room key rotation. These options allow you to
-            # configure the m.room.encryption event content. See:
-            # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
-            # more information about that event.
-            rotation:
-                # Enable custom Megolm room key rotation settings. Note that these
-                # settings will only apply to rooms created after this option is
-                # set.
-                enable_custom: false
-                # The maximum number of milliseconds a session should be used
-                # before changing it. The Matrix spec recommends 604800000 (a week)
-                # as the default.
-                milliseconds: 604800000
-                # The maximum number of messages that should be sent with a given a
-                # session before changing it. The Matrix spec recommends 100 as the
-                # default.
-                messages: 100
-
-                # Disable rotating keys when a user's devices change?
-                # You should not enable this option unless you understand all the implications.
-                disable_device_change_key_rotation: false
-
-        # Settings for provisioning API
-        provisioning:
-            # Prefix for the provisioning API paths.
-            prefix: /_matrix/provision
-            # Shared secret for authentication. If set to "generate", a random secret will be generated,
-            # or if set to "disable", the provisioning API will be disabled.
-            shared_secret: generate
-            # Enable debug API at /debug with provisioning authentication.
-            debug_endpoints: false
-
-        # Permissions for using the bridge.
-        # Permitted values:
-        #    relay - Talk through the relaybot (if enabled), no access otherwise
-        #     user - Access to use the bridge to chat with a WhatsApp account.
-        #    admin - User level and some additional administration tools
-        # Permitted keys:
-        #        * - All Matrix users
-        #   domain - All users on that homeserver
-        #     mxid - Specific user
-        permissions:
-            "*": relay
-            "example.com": user
-            "@admin:example.com": admin
-
-        # Settings for relay mode
-        relay:
-            # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
-            # authenticated user into a relaybot for that chat.
-            enabled: false
-            # Should only admins be allowed to set themselves as relay users?
-            admin_only: true
-            # The formats to use when sending messages to WhatsApp via the relaybot.
-            message_formats:
-                m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
-                m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
-                m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
-                m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
-                m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
-                m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
-                m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
-                m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
-
-    # Logging config. See https://github.com/tulir/zeroconfig for details.
-    logging:
-        min_level: debug
-        writers:
-        - type: stdout
-          format: pretty-colored
-        - type: file
-          format: json
-          filename: ./logs/mautrix-whatsapp.log
-          max_size: 100
-          max_backups: 10
-          compress: true

apps/matrix/mautrix-whatsapp.statefulset.yaml

@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: mautrix-whatsapp
-spec:
-  selector:
-    matchLabels:
-      app: mautrix-whatsapp
-  serviceName: mautrix-whatsapp
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: mautrix-whatsapp
-    spec:
-      containers:
-      - name: mautrix-whatsapp
-        image: mautrix-whatsapp
-        volumeMounts:
-        - name: persistence
-          mountPath: /data
-          # contains config.yaml
-      securityContext:
-        fsGroup: 1337
-
-
-      volumes:
-      - name: persistence
-        persistentVolumeClaim:
-          claimName: mautrix-whatsapp

apps/matrix/mautrix.pvc.yaml

@@ -1,23 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: mautrix-telegram
-spec:
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: mautrix-whatsapp
-spec:
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

apps/matrix/postgres.yaml

@@ -1,20 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: matrix-postgres
-spec:
-  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:16
-  bootstrap:
-    initdb:
-      owner: matrix
-      database: matrix
-      secret: 
-        name: postgres-credentials
-
-  storage:
-    size: 1Gi
-    storageClass: nfs-client
-
-  monitoring:
-    enablePodMonitor: true

apps/matrix/synapse.configmap.yaml

@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: synapse
-data:
-  # matrix.kluster.moll.re.log.config: |
-  #   version: 1
-
-  #   formatters:
-  #     precise:
-  #       format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' 
-
-  #   handlers:
-  #     console:
-  #       class: logging.StreamHandler
-  #       formatter: precise
-
-  #   loggers:
-  #       # This is just here so we can leave `loggers` in the config regardless of whether
-  #       # we configure other loggers below (avoid empty yaml dict error).
-  #       _placeholder:
-  #           level: "INFO"
-        
-  #       synapse.storage.SQL:
-  #           # beware: increasing this to DEBUG will make synapse log sensitive
-  #           # information such as access tokens.
-  #           level: INFO
-        
-   
-
-  #   root:
-  #       level: INFO
-  #       handlers: [console]
-
-  homeserver.yaml: |
-    server_name: "matrix.kluster.moll.re"
-    report_stats: false
-    # enable_registration: true
-    # enable_registration_without_verification: true
-    listeners:
-      - port: 8448
-        tls: false
-        type: http
-        x_forwarded: true
-        bind_addresses: ['::1', '127.0.0.1']
-        resources:
-          - names: [client, federation]
-            compress: false
-    
-    # log_config: "./matrix.kluster.moll.re.log.config"
-    media_store_path: /media_store
-    trusted_key_servers:
-      - server_name: "matrix.org"
-    database:
-      name: psycopg2
-      args:
-        user: matrix
-        password: "0ssdsdsdM6vbxhs.kdjsdasd9Z0qK5bdTwM6vbxh9Z"
-        dbname: matrix
-        host: matrix-postgres-rw
-        cp_min: 5
-        cp_max: 10

apps/matrix/synapse.deployment.yaml

@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: synapse
-spec:
-  selector:
-    matchLabels:
-      app: synapse
-  template:
-    metadata:
-      labels:
-        app: synapse
-    spec:
-      containers:
-      - name: synapse
-        image: synapse
-        resources:
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
-        ports:
-        - containerPort: 8448
-        env:
-        - name: SYNAPSE_CONFIG_PATH
-          value: /config/homeserver.yaml
-        volumeMounts:
-        - name: config
-          mountPath: /config/homeserver.yaml
-          subPath: homeserver.yaml
-        - name: config-persistence
-          mountPath: /config
-        - name: media
-          mountPath: /media_store
-      securityContext:
-        fsGroup: 1001
-      volumes:
-      - name: config
-        configMap:
-          name: synapse
-      - name: config-persistence
-        emptyDir: {}
-      - name: media
-        emptyDir: {}

apps/matrix/synapse.ingress.yaml

@@ -1,29 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: synapse-federation
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`matrix.kluster.moll.re`)
-      kind: Rule
-      services:
-        - name: synapse
-          port: 8448
-      # auto route to the _matrix path
-      middlewares:
-        - name: matrix-redirect
-
-  tls:
-    certResolver: default-tls
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: matrix-redirect
-spec:
-  redirectRegex:
-    regex: "^https://matrix.kluster.moll.re/(.*)"
-    replacement: "https://matrix.kluster.moll.re/_matrix/$${1}"
-    permanent: true

apps/matrix/synapse.service.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: synapse
-spec:
-  selector:
-    app: synapse
-  ports:
-    - protocol: TCP
-      port: 8448
-      targetPort: 8448

apps/media/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: jellyfin-vue-ingress
@@ -17,7 +17,7 @@ spec:
   tls:
     certResolver: default-tls
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: jellyfin-backend-ingress
@@ -37,7 +37,7 @@ spec:
   tls:
     certResolver: default-tls
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: jellyfin-websocket
@@ -48,7 +48,7 @@ spec:
       Connection: keep-alive, Upgrade
       Upgrade: WebSocket
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: jellyfin-server-headers

apps/media/pvc.yaml

@@ -1,39 +1,21 @@
-
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  namespace: media
-  name: jellyfin-config-nfs
-spec:
-  capacity:
-    storage: "1Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/jellyfin-config
-    server: 192.168.1.157
----
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  namespace: media
-  name: jellyfin-config-nfs
+  name: config
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: "1Gi"
-  volumeName: jellyfin-config-nfs
 
 ---
 
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  namespace: media
-  name: jellyfin-data-nfs
+  name: media
 spec:
   capacity:
     storage: "1Ti"
@@ -46,8 +28,7 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  namespace: media
-  name: jellyfin-data-nfs
+  name: media
 spec:
   storageClassName: ""
   accessModes:
@@ -55,4 +36,4 @@ spec:
   resources:
     requests:
       storage: "1Ti"
-  volumeName: jellyfin-data-nfs
+  volumeName: media

apps/media/server.deployment.yaml

@@ -25,9 +25,9 @@ spec:
         - name: TZ
           value: Europe/Berlin
         volumeMounts:
-        - name: jellyfin-config
+        - name: config
           mountPath: /config
-        - name: jellyfin-data
+        - name: media
           mountPath: /media
         livenessProbe:
           httpGet:
@@ -36,10 +36,10 @@ spec:
           initialDelaySeconds: 100
           periodSeconds: 15
       volumes:
-      - name: jellyfin-config
+      - name: config
         persistentVolumeClaim:
-          claimName: jellyfin-config-nfs
-      - name: jellyfin-data
+          claimName: config
+      - name: media
         persistentVolumeClaim:
-          claimName: jellyfin-data-nfs
+          claimName: media
 

apps/monitoring/grafana-admin.sealedsecret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-admin-secret
+  namespace: monitoring
+spec:
+  encryptedData:
+    password: AgBe8isrCWd5MuaQq5CpA+P3fDizCCDo23BVauaBJLuMRIYbVwpfahaJW7Ocj3LTXwdeVVPBrOk2D6vESUXu6I0EWc3y/NFN4ZezScxMcjmeaAb+z1zWwdH0FynTPJYOxv1fis1FDTkXDmGy3FXo5NDK9ET899TtulKFkh7UqSxdrRWbD3pegJgqKGPIqDCTAxZN/ssiccfWGS4lHqQBJkXn8DeampcKwjOCvgaBdilF03GoSfpgsqa2Iw2SfTDEobWBWVMMK/RB3/Oi/YJkGwMW3ECUxvTDam8gb0RFA1xjWXoYTLVVP5fK7q7x63ns51HebloxAP1GBrt138N/iDrfbGfjNP8Lx0NFl5y5bTgYN/z8DVTOFf90xxWe+YYERdwllg0Ci1JLNbA+NszXTD4L/HC7a8XuBfjRzxMTeymNjR76jzfPkH6v1EvesOduTfSrahPgS0qS+eGOier1rHxj3EBRhOScY1ut5Bq4oJMNId9nMVbVa6xyq2HyxuJHXV+j6h5FGHmEXn9gIR7wGp8RhtPhKgVGLrHcbHZ5Th2E7eomz1T2NK/ezNP8ZhcwOj/lyGywlW0vhU798zpWhMf57k2OPeuMlfs8Y8y74epBdyBjsrMR4EDctF8RZR3vraxENiMJ6kk1gqKj04ir6HwL7blqwiybIFFnJrp2j7MzgjS4SQ687qMX5Zf5XT03aEE+9W9Epy73tT7zVQKdENCQlcm5
+    user: AgAdiOivMn0d+nYjYycMZz9QSiS/9QqwHPJQMHkE7/IOou+CJtBknlETNtdv84KZgBQTucufYqu3LR3djOBpdnQsYbIXDxPFgRZQ11pwu/sO2EGifDk218yyzzfZMvx1FL7JL4LI1rKoiHycZowCwsAjEtlICVOOYv1/Plki+6MHXiAGG4r/yUhugGx3VLLX+Poq8oaTeHndgSsFXJege8SfgYR4TsC7pQgsM1UQEFncGIhJYTD2ashmUxFJ+7CJjHqPR0lFRrZXmFvPwTYTCMT+tnSHnCFWtTht8cEi1NxA4kD/eKEX0rOol15EUZnFUws2WqWI634TbyGwZ7km/Yw4XoDxiQR4ar6ulkqb/djcc3cWDYE7PF1m1c+r3iog85S5CSfZ5EvdCHHrbPN9uO2gmoRQWiR5qI70YMxBSnkeLZWN05O1vUuopdXFDTafY7YskxLEdIGHGqFUpUrJZOvBB0zNBdHGgYxFzb5pNmMCC5LPlOuoKjV4yskh9Tgovz06aAvsPxn2WWx6NOJambeziKB5OmSKvPsFofViyGBekVAWSWtt9yJe6lu5OKpBEiA6xhGhQ4ZryTXu9wvVALuPSIwBFITv85sIxjJb80qhJ51wb12QgzLLcPby0HSanyBI1M4jfsXWpK8gIAbDNO+eD7z3PhD9Y/5hPqYKXZ37Geyq23xiyxG8XDj6cL+Ie6k8XipayI4=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-admin-secret
+      namespace: monitoring
+    type: Opaque

apps/monitoring/grafana.ingress.yaml

@@ -1,5 +1,5 @@
 kind: IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 metadata:
   name: grafana-ingress
 spec:

apps/monitoring/grafana.values.yaml

@@ -1,4 +1,3 @@
-
 replicas: 1
 
 ## Create a headless service for the deployment
@@ -10,13 +9,6 @@ headlessService: false
 ##
 service:
   enabled: true
-  type: ClusterIP
-  port: 80
-  targetPort: 3000
-    # targetPort: 4181 To be used with a proxy extraContainer
-  annotations: {}
-  labels: {}
-  portName: service
 
 serviceMonitor:
   ## If true, a ServiceMonitor CRD is created for a prometheus operator
@@ -24,42 +16,42 @@ serviceMonitor:
   ##
   enabled: false
 
-
 ingress:
   enabled: false
-persistence:
-  type: pvc
-  enabled: true
-  # storageClassName: default
-  accessModes:
-    - ReadWriteOnce
-  size: 10Gi
-  # annotations: {}
-  finalizers:
-    - kubernetes.io/pvc-protection
-  # selectorLabels: {}
-  ## Sub-directory of the PV to mount. Can be templated.
-  # subPath: ""
-  ## Name of an existing PVC. Can be templated.
-  existingClaim: grafana-nfs
 
-  ## If persistence is not enabled, this allows to mount the
-  ## local storage in-memory to improve performance
-  ##
-  inMemory:
+# credentials
+admin:
+  existingSecret: grafana-admin-secret
+  userKey: user
+  passwordKey: password
+
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+      - name: Thanos
+        type: prometheus
+        url: http://thanos-querier.prometheus.svc:9090
+        isDefault: true
+
+dashboardProviders:
+  dashboardproviders.yaml:
+    
+## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
+## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
+## ConfigMap data example:
+##
+## data:
+##   example-dashboard.json: |
+##     RAW_JSON
+##
+dashboardsConfigMaps:
+  home-metrics: dashboard-home-metrics
+  proxmox: dashboard-proxmox
+  gitea: dashboard-gitea
+
+grafana.ini:
+  wal: true
+  default_theme: dark
+  unified_alerting:
     enabled: false
-    ## The maximum usage on memory medium EmptyDir would be
-    ## the minimum value between the SizeLimit specified
-    ## here and the sum of memory limits of all containers in a pod
-    ##
-    # sizeLimit: 300Mi
-
-initChownData:
-  ## If false, data ownership will not be reset at startup
-  ## This allows the prometheus-server to be run with an arbitrary user
-  ##
-  enabled: true
-
-# Administrator credentials when not using an existing secret (see below)
-adminUser: admin
-# adminPassword: strongpassword

apps/monitoring/kustomization.yaml

@@ -6,29 +6,27 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   - grafana.pvc.yaml
-  - influxdb.pvc.yaml
+  # - influxdb.pvc.yaml
   - grafana.ingress.yaml
-  # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.70.0/bundle.yaml
-  - prometheus.yaml
-  - thanos-objstore-config.sealedsecret.yaml
+  - grafana-admin.sealedsecret.yaml
+  - dashboards/
 
 
 helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 7.3.0
+    version: 7.3.7
     valuesFile: grafana.values.yaml
 
-  - releaseName: influxdb
-    name: influxdb2
-    repo: https://helm.influxdata.com/
-    version: 2.1.2
-    valuesFile: influxdb.values.yaml
+  # - releaseName: influxdb
+  #   name: influxdb2
+  #   repo: https://helm.influxdata.com/
+  #   version: 2.1.2
+  #   valuesFile: influxdb.values.yaml
 
-  - releaseName: telegraf-speedtest
-    name: telegraf
-    repo: https://helm.influxdata.com/
-    version: 1.8.39
-    valuesFile: telegraf-speedtest.values.yaml
+  # - releaseName: telegraf-speedtest
+  #   name: telegraf
+  #   repo: https://helm.influxdata.com/
+  #   version: 1.8.39
+  #   valuesFile: telegraf-speedtest.values.yaml

apps/monitoring/thanos-objstore-config.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: thanos-objstore-config
-  namespace: monitoring
-spec:
-  encryptedData:
-    thanos.yaml: AgCXlr7NO2DoH1R0ngtDFi8rgJaDnW5WSmOMjvXF4GMcEjnn1kwQMLkF0Xz1BUB5GlQkTAg+ZjCWGMlfycBmUnZb+koZK3X1YLsk1BxBxtuSqhj35iQYxKQ7rAlsz7FxUQjK2oiJkFeQmo/rwcw6l6vZJ73+THYSebR9mLQ/H0pnmJM3ldLX4iWL2H8BZ7ftOYdXO7Xv0lk2k2L4O4LgnB1Uedpyk0HLVxAv3VdVU/RFpHm5Q7kudrCMm9ENcJG7qIWuii8GkysvEefbo2phgKn1Zr5XR6SyekuW2e6FyHe9us5Pv5HnJ6Z2+ZyewygaGgHiRqtxRMaLbahICewfSHwyGzeAD2kdgwVyJYXxVPV9qKQvZmj0ZDCDZ5K548mSUq7nNXSI9M9AJBTKUoqb2FXK3pqn4yh9M1l+7Pmno5Fs22blAyGsRqO32GxrYvEXPpdSeqHRjOMYTnbPuteGRKcvmSEUSuHzkeoTzU1Jh4Sg0ygtQUNIKtbwhJm1XpbJ0oaR5ukWMxPfpDv+B5FmrDsU/I+o62+NtCLQLkK6MoRBFiJ1kymtKkM3vQ1CVg4Vtc5Gc2D6mMu5K8kEuUODweBb8qPnYH7ULfTYORldj3d+Fb2mGF5mAU6xHMzbocsdgZpbAzUP/FfJmMMDWf4aW3LJ1mBjUD06KAwPsQvbTm6VInrdXh2QVb4UIp41kbyK8sanHrvh3bprHloxt8OnTZ2HQl+XN+kxYirkVkL34lIlk7KdYCWqO7QqH0ncd9WF0f9mpPGbxo3J
-  template:
-    metadata:
-      creationTimestamp: null
-      name: thanos-objstore-config
-      namespace: monitoring
-    type: Opaque

apps/nextcloud/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: nextcloud-ingressroute

apps/nextcloud/pvc.yaml

@@ -23,29 +23,3 @@ spec:
     requests:
       storage: "150Gi"
   volumeName: nextcloud-nfs
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nextcloud-syncthing-shared
-spec:
-  capacity:
-    storage: "150Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /kluster/syncthing
-    server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nextcloud-syncthing-shared
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "150Gi"
-  volumeName: nextcloud-syncthing-shared

apps/nextcloud/values.yaml

@@ -1,6 +1,9 @@
 ## Official nextcloud image version
 ## ref: https://hub.docker.com/r/library/nextcloud/tags/
 
+image:
+  tag: "28"
+
 ingress:
   enabled: false
 
@@ -46,15 +49,6 @@ nextcloud:
   # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
   configs: {}
 
-  extraVolumes:
-    - name: my-volume
-      persistentVolumeClaim:
-        claimName: nextcloud-nfs
-
-  extraVolumeMounts:
-    - name: my-volume
-      mountPath: /var/www/html/my-volume
-
   # For example, to use S3 as primary storage
   # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
   #
@@ -80,7 +74,8 @@ nginx:
   enabled: false
 
 internalDatabase:
-  enabled: false
+  enabled: true
+  name: nextcloud
 
 ##
 ## External database configuration
@@ -94,7 +89,13 @@ externalDatabase:
   ## Database host
   host: postgres-postgresql.postgres
 
+  ## Database user
+  # user: nextcloud
 
+  # ## Database password
+  # password: test
+
+  ## Database name
   database: nextcloud
 
   ## Use a existing secret

apps/ntfy/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: websocket
@@ -9,7 +9,7 @@ spec:
       # enable websockets
       Upgrade: "websocket"
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
     name: ntfy-ingressroute

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.8.0
+    newTag: v2.10.0

apps/recipes/deployment.yaml

@@ -34,4 +34,4 @@ spec:
       volumes:
       - name: mealie-data
         persistentVolumeClaim:
-          claimName: mealie-data
+          claimName: mealie

apps/recipes/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: mealie-ingressroute

apps/recipes/kustomization.yaml

@@ -12,5 +12,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v1.2.0
+    newTag: v1.3.2
     newName: ghcr.io/mealie-recipes/mealie

apps/recipes/pvc.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: mealie-data
+  name: mealie
 spec:
   resources:
     requests:
-      storage: 1Gi
+      storage: 5Gi
   volumeMode: Filesystem
-  storageClassName: nfs-client
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce

apps/rss/deployment.yaml

@@ -18,9 +18,9 @@ spec:
           ports:
             - containerPort: 7070
           volumeMounts:
-            - name: rss-data
+            - name: data
               mountPath: /data
       volumes:
-        - name: rss-data
+        - name: data
           persistentVolumeClaim:
-            claimName: rss-claim
+            claimName: data

apps/rss/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: rss-ingressroute

apps/rss/pvc.yaml

@@ -1,9 +1,9 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: rss-claim
+  name: data
 spec:
-  storageClassName: nfs-client
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:

apps/syncthing/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: rss-ingressroute

apps/syncthing/pvc.yaml

@@ -1,11 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: syncthing-data
+spec:
+  capacity:
+    storage: "50Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /kluster/syncthing
+    server: 192.168.1.157
+---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: syncthing-claim
 spec:
-  storageClassName: nfs-client
+  storageClassName: ""
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 10Gi
+  volumeName: syncthing

apps/todos/README.md

@@ -0,0 +1,6 @@
+### Adding a user
+```bash
+kubectl exec -it -n todos deployments/todos-vikunja -- /app/vikunja/vikunja user create -u <username> -e "<user-email>"
+```
+
+Password will be prompted.

apps/todos/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: todos-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
+      kind: Rule
+      services:
+        - name: todos-api
+          port: 3456
+    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: todos-frontend
+          port: 80
+  tls:
+    certResolver: default-tls

apps/todos/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: todos
+
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - ingress.yaml
+
+
+# helmCharts:
+#   - name: vikunja
+#     version: 0.1.5
+#     repo: https://charts.oecis.io
+#     valuesFile: values.yaml
+#     releaseName: todos
+# managed by argocd directly

apps/todos/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
+  name: placeholder

apps/todos/pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data
+spec:
+  resources:
+    requests:
+      storage: 5Gi
+  volumeMode: Filesystem
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce

apps/todos/values.yaml

@@ -0,0 +1,51 @@
+######################
+# VIKUNJA COMPONENTS #
+######################
+# You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
+api:
+  enabled: true
+  image:
+    tag: 0.22.1
+  persistence:
+    # This is your Vikunja data will live, you can either let
+    # the chart create a new PVC for you or provide an existing one.
+    data:
+      enabled: true
+      existingClaim: data
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      mountPath: /app/vikunja/files
+
+  ingress:
+    main:
+      enabled: false
+
+  configMaps:
+    # The configuration for Vikunja's api.
+    # https://vikunja.io/docs/config-options/
+    config:
+      enabled: true
+      data:
+        config.yml: |
+          service:
+              frontendUrl: https://todos.kluster.moll.re
+          database:
+            type: sqlite
+            path: /app/vikunja/files/vikunja.db
+          registration: false
+  env:
+
+frontend:
+  enabled: true
+  image:
+    tag: 0.22.1
+  ingress:
+    main:
+      enabled: false
+
+postgresql:
+  enabled: false
+redis:
+  enabled: false
+typesense:
+  enabled: false

apps/whoami/base/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   namespace: whoami

infrastructure/argocd/ingress.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
     name: argocd-ingressroute

infrastructure/backup/cronjobs-overlays/backup/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: backup
 # nameSuffix: -backup
 resources:
-  - ../../base
+  - ../../cronjobs-base
   # - ./restic-commands.yaml
 
 

infrastructure/backup/cronjobs-overlays/prune/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Kustomization
 
 namespace: backup
 resources:
-  - ../../base
+  - ../../cronjobs-base
 
 
 # patch the cronjob args field:

infrastructure/backup/kustomization.yaml

@@ -1,6 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
+
 kind: Kustomization
+
+namespace: backup
+
 resources:
-  - rclone-config.sealedsecret.yaml
+  - namespace.yaml
+  - pvc.yaml
   - restic-password.sealedsecret.yaml
-  - pvc.yaml
+  - rclone-config.sealedsecret.yaml
+  - rclone-gcloud.deployment.yaml
+  - cronjobs-overlays/prune/
+  - cronjobs-overlays/backup/

infrastructure/backup/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/backup/postgres/pvc.yaml

@@ -1,3 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pg-backup-data
+spec:
+  capacity:
+    storage: "50Gi"
+  accessModes:
+    - ReadWriteOnce
+  nfs:
+    path: /kluster/pg-backup
+    server: 192.168.1.157
+---
 kind: PersistentVolumeClaim
 apiVersion: v1
 
@@ -5,9 +18,10 @@ metadata:
   name: postgres-backup-claim
 
 spec:
-  storageClassName: nfs-client
+  storageClassName: ""
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 10Gi
+  volumeName: pg-backup-data

infrastructure/external-dns/kustomization.yaml

@@ -11,7 +11,7 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.02"
+    newTag: "2024.03"
 
   - name: git
     newName: alpine/git

infrastructure/external/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: external
+
+
+resources:
+  - namespace.yaml
+  - omv-s3.ingress.yaml
+  - openmediavault.ingress.yaml
+  - proxmox.ingress.yaml

infrastructure/external/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder