feat(plex): request intel gpu, use onedr0p plex image, switch to latest app-template chart

Taskfile.yaml

@@ -12,3 +12,7 @@ tasks:
   execPostgres:
     desc: Exec into the postgres pod as the postgres user
     cmd: kubectl -n database exec -it postgresql-0 -- psql -d postgres -U postgres
+
+  execMysql:
+    desc: Exec into the mysql pod as the mysql user
+    cmd: kubectl -n database exec -it mysql-0 -- mysql -u root -p

cluster/apps/database/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
 - ./postgresql
 - ./redis
 - ./minio
+- ./mysql

cluster/apps/database/mysql/helm-release.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mysql
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: mysql
+      version: 11.1.14
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    global:
+      defaultStorageClass: mainpool-hostpath
+
+    auth:
+      existingSecret: mysql
+
+    metrics:
+      serviceMonitor:
+        enabled: true
+        labels:
+          release: kube-prometheus-stack
+
+      prometheusRule:
+        enabled: true

cluster/apps/database/mysql/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./mysql.sops.yaml
+- ./helm-release.yaml

cluster/apps/database/mysql/mysql.sops.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: mysql
+    namespace: database
+stringData:
+    mysql-root-password: ENC[AES256_GCM,data:8wAhBPa9CQTEj87SorjQj2GmY3E4jxbR0JAzOk0u7r8=,iv:6hv8qftod56M3udqao1MxADcrSlDMsfz2YtFLWzrzVM=,tag:kEXOtDAQg2xRzZz/csSatg==,type:str]
+    mysql-replication-password: ENC[AES256_GCM,data:cHdCVcP7+Y48e3SFzZCf9Q4peVGxhIVFFVuUwwFrGDA=,iv:GBNAFzvQUHtidYgpNKiEPWABIwVk9muEFRLaYBZbFDM=,tag:3B35mjWJV1MQ0ASZuoyyPQ==,type:str]
+    mysql-password: ENC[AES256_GCM,data:D/fW2cAMiurBixcJRCTJUmlvr0kEmTnMsgVM8xKTu18=,iv:bc+7P0cGJy+6YR1I6mzSAq6gGiEH6uOKdmSjYkdoWxs=,tag:hEDAyGpDQCKbgA9XvGeL4Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-08-05T15:30:54Z"
+    mac: ENC[AES256_GCM,data:ni1zA28zwCp6Fvqv5FtET/ylqOV6L/IXl4KtVo73aIDunlI29qD0cpTbFMPh4bxHqqYUsa/EBF+we5kglLQzP/9qnVrNXCNZnWbkCIsVlghMOLGqVFi7CJFc42ghNGQD9BVj5115VGSX3D05x1a9JI070AoEYQ+/OgLuZf0XxDE=,iv:bi33L8MotNRkg5+WAsXE8a0RlPWfu2rCnA/WaOnHsV0=,tag:7rTzgiDKtPsfCF+e7T5ABQ==,type:str]
+    pgp:
+        - created_at: "2024-08-05T15:30:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ/8DqfstkJgwoIrbTVbVBQheBfPoNl+6iV1IxctfXsr+2CF
+            rY9gV1qxOVh/E0hHyOws8F6EE+oCdbHtsGBa/1KiN0HBY55HFRm9LXF5s5EKOEWg
+            bXg0Gyoqvfny31+UAGAIW91yAGJ07jp4u3oj8RGKHF7sLcuCrk5NfajK7ALzG6hp
+            vpbXenT2D4xxsWqdhkY7azwrqqPC0XyWx2XkFscED2PzwTpT1gPALrtdhknVlCtE
+            azyPtVIg2swt3kWm5bsYJgOHhnnnDTEX412XXJTqQUmmZCTAeKRIo0xtG9Kicujy
+            gzIhxQd14i7jniYzj8uNkNWEaIBfehSqQM+IWRSB6AgV5AnalDudgSyN2R7yDi2a
+            vLt+H1UuESlfuYmqQgG9pDrJG1nigWxMhexm6Ykdz3LnSbzcrkJ9/sCXg0ZCwFok
+            RYMajxB2nHTvQBCSCSqFPzgViDYlv83Vck6vHGma3Lyhe2YDBIGC8bXNmRS92xl+
+            FkbssELrtFdxj8cbQ3WTBU33CdTs6EglSmBSJ+E8SkU7Bok09k4uXK+ZdSkq2pdI
+            I7ZSJufUmKjhvR9l6nSX0/dOOkkvtyDVdB0pPCz5WdwJBS5lInbbUMB7sU71pXor
+            swpHeQaED/BlDcxFIRKAneAfTpBgVzhoPnDnN1xYriLdsZ9kND3KzsXNaT9JeqWF
+            AgwDXjg0p2IN1X8BEACtnlSJlSqalmdhXWD4lKMiz+uQVGaHJty5Rw7CHiFLI7rU
+            wIMnZXQNCiQY+boTaQNe8VqeZ91ptsaIr+2VTrs2gGFbWccQQHwdPN582V7BSQiv
+            mdkxJhE69TTXyu4R/ycDuIgAtXpRA8pLcWsSRWkYtjzKC9Um8y7S+yqsMKCGyTjd
+            gU1mUPrPCJeh6/bThMiowfkIT1GPh4udBSQp6aFW2MOzFySOgphxXPC866lW42T6
+            aCN3n8/kpkc9SKUklUlxt0SKuoghC9NF5pIKANpKWNLrpHv3Y+UXqQt5FIjQLJe0
+            eUGZEkOpihaldG5ObOY9ddRvbnGhaJiK6UXDa5PSCVYG9Fxk9Tw85TKJNbBqd18W
+            A0cj8+CL5eJo+WM91oVbsr4MwE3lKGogVd/9nnylvy8hamoD08A9EN3uf4aqbsTE
+            S5HvHca80WjjMo6LrwcBz6N0RFwQggNT998Mlvb/JRN0Km8EfgDKBbjABBvCHPg7
+            SALnnZNgQbb3Cg3JS7Z9Fe4pKHyUxf6zJsGui0rmFa4r8xrwIkrHSUGk5I431Nkk
+            RS+ppU+Y/Pew0tE7rc2PkzM6lYexphFnViwQZqpHc9EHy2QffN/YkqaFuvIsSbs/
+            fbnJFNgYyW3l2u4Iiaf1UKKkpHRTF6W8UPTblsec9USJperDADkk5aKMV3W0WNRo
+            AQkCEEpvhrTP6NE+ay6COZGVai/ESvAF7ovx14AS2sMwaB9JPEcUG/S+cbMByDmo
+            sc4vHi3BpDxLgltUyUHC2gGkFbc6s9afM8Bd3Ut8jiLPMayhGGpe0natHoo5xz6p
+            Qktw4dL+mCQ=
+            =jZC7
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-08-05T15:30:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAAuoptUmFjfyG7uDw42T68nvuetOcF/Zr8hvfcNOtZXFM3
+            L4tgIBc9H5dg1S+XeFM1QweMiJdRhzXsUmLXhIFC9Bj+jaVcS5xHQ4RGcHRYBbeV
+            ssoG7hbgESBAvXW7+AUySp9vyn97dasFlb67uuBeLhTl2NImh5OY1sLsrjBPIJVv
+            SU+LPQqSn37kdrN/Ui3llGv2mVPioMovCEJG2EWykFrk7ameLmkznYYysiJ5WIx2
+            PIavyLm/E4KG3EuV/6mCDnLMocQwLkIyVkOR/GGesaZPpI9OkeN42EXyPUKeWyc5
+            52CbiR8XeRjMuQSF6zqYfat0npz+hO8mdAJLTVcoTzP2BaA78dxg7kpYxVLNTS5b
+            8hv/ndIWQr6P3fi9lzIpQOqHQ5HU7SoZm8oZeXmZWejyn5+j9omTkKmIpzZ91SHW
+            c6eDCeG5Aq5s9Vp6CuQQ+vHpEEEiX8SNdqkEoDtcIVYd1/LZLBdN2JxW9zFi1yGJ
+            HW2Dcef+sN3ide7tIgZ4fHogV9WUaaJBcvXsbDcXxAZk5Kw/ejFwCznZry/u9PQP
+            uaAVKuD9q4XdI4sMBdbr1yqXnkUBVDRVnqNLu5Upu2S2CnPJlOYUvqkR+nqcRdwz
+            W+cGMCyzL+s/8wfi3JRrcrbmnp8aVR9aZEthZnn5M9LPF/PfVOIka9H7QArC+UHU
+            aAEJAhB5SM7t19txEM97n6VHwEYZ4ya9i7ntC1mPx3ORTGAToSQFVvNXtXfsZOYc
+            WRxBcRKBsWj/p1TCh66mvrSDE33bthrvZgWBJunXFOVwXDmVNbWEi20lgu6/IFUJ
+            fMdLui4jsCVY
+            =uQ7o
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/apps/default/kustomization.yaml

@@ -10,3 +10,4 @@ resources:
 - ./well-known-site
 - ./dendrite
 - ./ganymede
+- ./piwigo

cluster/apps/default/piwigo/helm-release.yaml

@@ -0,0 +1,74 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: piwigo
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    controllers:
+      main:
+#        pod:
+#          securityContext:
+#            runAsNonRoot: true
+#            runAsUser: 10000
+#            runAsGroup: 10000
+#            fsGroup: 10000
+#            fsGroupChangePolicy: OnRootMismatch
+
+        containers:
+          main:
+            image:
+              repository: lscr.io/linuxserver/piwigo
+              tag: 14.5.0
+
+            env:
+              PUID: 9000
+              PGID: 9000
+              TZ: ${SERVER_TIMEZONE}
+
+    service:
+      app:
+        controller: main
+
+        ports:
+          http:
+            port: 80
+
+    ingress:
+      main:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
+        hosts:
+        - host: "gallery.${SECRET_NEW_DOMAIN}"
+          paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+
+    persistence:
+      config:
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/piwigo/config
+        globalMounts:
+        - path: /config
+
+      gallery:
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/piwigo/gallery
+        globalMounts:
+        - path: /gallery

cluster/apps/default/piwigo/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml

cluster/apps/media/jellyfin/helm-release.yaml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -8,63 +9,69 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 1.3.x
+      version: 3.3.2
       sourceRef:
         kind: HelmRepository
         name: bjws-charts
         namespace: flux-system
 
   values:
+    controllers:
+      main:
+        containers:
+          app:
             image:
               repository: linuxserver/jellyfin
-      tag: "10.9.9"
+              tag: 10.9.9
-
-    podLabels:
-      needsAuthentik: "yes"
             
             env:
               PUID: 10000
               PGID: 10000
               TZ: America/New_York
             
+            resources:
+#              requests:
+#                cpu: 100m
+              limits:
+                gpu.intel.com/i915: 1
+                memory: 16Gi
+
+    defaultPodOptions:
+      nodeSelector:
+        intel.feature.node.kubernetes.io/gpu: "true"
+    
     service:
-      main:
+      app:
+        controller: main
+
         ports:
           http:
             port: 8096
     
     ingress:
       main:
-        enabled: true
         annotations:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        
         hosts:
-          - host: &host "watch.${SECRET_NEW_DOMAIN}"
+          - host: "watch.${SECRET_NEW_DOMAIN}"
             paths:
               - path: /
-                pathType: Prefix
+                service:
-        tls:
+                  identifier: app
-          - hosts:
+                  port: http
-              - *host
                   
     persistence:
       config:
-        enabled: true
         type: hostPath
         hostPath: /mnt/MainPool/Kubernetes/jellyfin
-        mountPath: /config
+        globalMounts:
+          - path: /config
     
-      storage:
+      media:
-        enabled: true
         type: hostPath
         hostPath: /mnt/MainPool/Media/Media
-        mountPath: /storage/Media
+        globalMounts:
-
+          - path: /storage/Media
-    resources:
+            readOnly: true
-      requests:
-        cpu: 3m
-        memory: 1500Mi
-        
-      limits:
-        memory: 4000Mi

cluster/apps/media/plex/helm-release.yaml

@@ -8,79 +8,129 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 1.3.x
+      version: 3.3.2
       sourceRef:
         kind: HelmRepository
         name: bjws-charts
         namespace: flux-system
 
   values:
-
+    controllers:
+      plex:
+        containers:
+          app:
             image:
-      repository: lscr.io/linuxserver/plex
+              repository: ghcr.io/onedr0p/plex
-      tag: "1.40.4"
+              tag: 1.40.4.8679-424562606
             
             env:
-      TZ: "America/New_York"
+              TZ: America/New_York
-      PUID: "1000"
+              PLEX_ADVERTISE_URL: https://kube-plex.${SECRET_NEW_DOMAIN}:443,http://192.168.10.71:32400
-      PGID: "1000"
+              PLEX_NO_AUTH_NETWORKS: 192.168.10.0/24,192.168.20.0/24,10.0.0.0/16,10.43.0.0/16
-      VERSION: "docker"
+            
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /identity
+                    port: 32400
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+              startup:
+                enabled: true
+                spec:
+                  failureThreshold: 30
+                  periodSeconds: 10
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            
+            resources:
+#              requests:
+#                cpu: 100m
+              limits:
+                gpu.intel.com/i915: 1
+                memory: 16Gi
+
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10000
+        runAsGroup: 10000
+        fsGroup: 10000
+        fsGroupChangePolicy: OnRootMismatch
+        #supplementalGroups: [44, 10000]
+        #seccompProfile: { type: RuntimeDefault }
+      nodeSelector:
+        intel.feature.node.kubernetes.io/gpu: "true"
     
     service:
-      main:
+      app:
-        type: LoadBalancer
+        controller: plex
-
+#        type: LoadBalancer
-        annotations:
+#        annotations:
-          metallb.universe.tf/loadBalancerIPs: "192.168.10.70"
+#          io.cilium/lb-ipam-ips: 192.168.10.71
-          metallb.universe.tf/allow-shared-ip: "main-ip-192.168.10.70"
-
         ports:
           http:
             port: 32400
-            targetPort: 32400
-
-    probes:
-      liveness:
-        enabled: false
     
     ingress:
-      main:
+      app:
-        enabled: true
         annotations:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        className: external
         hosts:
-          - host: &host "plex.${SECRET_NEW_DOMAIN}"
+          - host: "kube-plex.${SECRET_NEW_DOMAIN}"
             paths:
               - path: /
-                pathType: Prefix
+                service:
-        tls:
+                  identifier: app
-          - hosts:
+                  port: http
-              - *host
                   
     persistence:
       config:
-        enabled: true
+        #existingClaim: plex
-        type: hostPath
+        # TODO: If setting up Plex for the first time, you'll want to add the globalMounts section
-        hostPath: /mnt/MainPool/Kubernetes/plex
+        type: persistentVolumeClaim
-        mountPath: /config
+        size: 15Gi
+        retain: true
+        storageClass: mainpool-hostpath
+        accessMode: ReadWriteOnce
+        globalMounts:
+          - path: /config/Library/Application Support/Plex Media Server
       
-      storage:
+      # Separate PVC for cache to avoid backing up cache files
-        enabled: true
+      cache:
+        type: persistentVolumeClaim
+        size: 15Gi
+        retain: true
+        storageClass: mainpool-hostpath
+        accessMode: ReadWriteOnce
+        globalMounts:
+          - path: /config/Library/Application Support/Plex Media Server/Cache
+
+      logs:
+        type: emptyDir
+        globalMounts:
+          - path: /config/Library/Application Support/Plex Media Server/Logs
+      
+      tmp:
+        type: emptyDir
+      
+      transcode:
+        type: emptyDir
+      
+      media:
         type: hostPath
         hostPath: /mnt/MainPool/Media/Media
-        mountPath: /storage/Media
+        globalMounts:
-
+          - path: /media
-#      transcodes:
+            readOnly: true
-#        enabled: true
-#        type: pvc
-#        accessMode: ReadWriteOnce
-#        size: 40Gi
-#        mountPath: /transcode
-
-    resources:
-      requests:
-        memory: 720Mi
-        
-      limits:
-        memory: 5000Mi

cluster/core/intel-gpu/files/gpu-plugin.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: intel-gpu-plugin
+  namespace: intel-gpu
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: intel-device-plugins-gpu
+      version: 0.30.0
+      sourceRef:
+        kind: HelmRepository
+        name: intel
+        namespace: flux-system
+
+  dependsOn:
+  - name: intel-device-operator
+    namespace: intel-gpu
+
+  values:
+    name: intel-gpu-plugin
+    sharedDevNum: 3
+    nodeFeatureRule: true

cluster/core/intel-gpu/files/helm-repos.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: intel
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://intel.github.io/helm-charts

cluster/core/intel-gpu/files/intel-device-plugins-operator.yaml

@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: intel-device-operator
+  namespace: intel-gpu
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: intel-device-plugins-operator
+      version: 0.30.0
+      sourceRef:
+        kind: HelmRepository
+        name: intel
+        namespace: flux-system
+
+  dependsOn:
+  - name: nfd
+    namespace: kube-system
+
+  values:
+    

cluster/core/intel-gpu/files/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-repos.yaml
+- namespace.yaml
+- intel-device-plugins-operator.yaml
+- gpu-plugin.yaml

cluster/core/intel-gpu/files/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: intel-gpu

cluster/core/intel-gpu/ks.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-secrets
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./cluster/core/intel-gpu
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: nfd
+    namespace: flux-system

cluster/core/kustomization.yaml

@@ -7,3 +7,5 @@ resources:
 - ./networking
 - ./storage
 - ./kube-replicator
+- ./nfd
+- ./intel-gpu

cluster/core/nfd/files/helm-repos.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nfd-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts

cluster/core/nfd/files/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-repos.yaml
+- nfd.yaml

cluster/core/nfd/files/nfd.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nfd
+  namespace: kube-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: node-feature-discovery
+      version: v0.16.3
+      sourceRef:
+        kind: HelmRepository
+        name: nfd-charts
+        namespace: flux-system
+
+  values:
+    

cluster/core/nfd/ks.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: nfd
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./cluster/nfd/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg