feat(helm): update chart pgadmin4 to 1.35.0

This reverts commit 15ef935a88.

kubernetes/thin/apps/database/postgresql/app/helm-release.yaml

@@ -1,42 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: postgresql
+  name: cloudnative-pg
   namespace: database
 spec:
-  interval: 5m
+  interval: 30m
   chart:
     spec:
-      chart: postgresql
+      chart: cloudnative-pg
-      version: 14.3.x
+      version: 0.23.0
       sourceRef:
         kind: HelmRepository
-        name: bitnami-charts
+        name: cloudnative-pg
         namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: openebs
+      namespace: openebs
   values:
-    auth:
+    crds:
-      existingSecret: "pgsql-secrets"
+      create: true
-      secretKeys:
+    monitoring:
-        adminPasswordKey: "adminPassword"
+      podMonitorEnabled: false
-        replicationPasswordKey: "replicationPassword"
+      grafanaDashboard:
-
+        create: true
-    serviceMonitor:
-      enabled: true
-      labels:
-        release: kube-prometheus-stack
-
-    volumePermissions:
-      enabled: true
-
-    primary:
-      persistence:
-        existingClaim: "postgresql-pvc"
-
-      containerSecurityContext:
-        enabled: true
-        runAsUser: 655
-
-    readReplicas:
-      containerSecurityContext:
-        enabled: true
-        runAsUser: 655

kubernetes/thin/apps/database/postgresql/app/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cloudnative-pg
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://cloudnative-pg.io/charts

kubernetes/thin/apps/database/postgresql/app/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./pgsql-pv.yaml
+- ./secret.sops.yaml
-- ./pgsql.sops.yaml
+- ./helm-repository.yaml
 - ./helm-release.yaml
-#- ./pgadmin4

kubernetes/thin/apps/database/postgresql/app/secret.sops.yaml

@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudnative-pg-secret
+    namespace: database
+    labels:
+        cnpg.io/reload: "true"
+stringData:
+    username: ENC[AES256_GCM,data:+rcROvnLUkE=,iv:9/iJnvFrGpJVeaudylxzbopKJG/bgF3X8BOWMGGx3O8=,tag:9dSm9nOnXxT4OnYVmgMjlw==,type:str]
+    password: ENC[AES256_GCM,data:VWqq1xpYEgm7HlyqbwdU9jIb+EiE7+IU4CgW2HrpsoM=,iv:YW7XD8RCSTo2f7COYDwP+bzsbXR79TJkkr6/BtlquxQ=,tag:muNMiMnDQjSfZ+sG+gQI0Q==,type:str]
+    minioAccessKey: ENC[AES256_GCM,data:qF/qzRRETaszWb1kz8JTIg==,iv:q2gHGMu/CsjdXcZM2BohFwqVdzQ7rkfn2tDJ1YqMxcc=,tag:+2kg6bkvDNzTdUMtshadpQ==,type:str]
+    minioSecretKey: ENC[AES256_GCM,data:HhHdmxJKlkF2FEyyWPVpihN6Bcv0fViD4corxDhkTnY=,iv:IhczTpr9MlspwjciGoj4EmYDlyan5UgphhLOFLrRi0A=,tag:HC2XPxhwyCj3Dy1+tH5o3A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-02-20T03:30:36Z"
+    mac: ENC[AES256_GCM,data:L68jmZTT1PiBRo8Uec7fkPgt+uMP+n37/aM1LzrZ3RNUBdvsh9ih9GbdN9Lx+YdI0fS5YzBtB6ho7X8a7QHAxDyYr6B7iUiRvBpYIOXrKwssgHSuZs3e9v8bhkHCYsMgPOfFpWmZTATYgTb5KFHlB5CE5F7JisvYqtX5N+He8as=,iv:OLZu4dj4tppvjKynqc+h6kNGqHecxuNm6KsyZpUnJFM=,tag:E9AalIgW+Kt4XoH242ldow==,type:str]
+    pgp:
+        - created_at: "2025-02-20T03:30:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ/+Nl9LC0XPqccrXVMaQSBMORQKp1eclU5TCwIb1TnMeh1b
+            4i0OiXqdxGhmr5+s5PY8ns1hswYJkkR87ArlwI3kigErQqlw+R8uXhwGjgTTbLEl
+            u9pJPwQqfVA+H82/2JOpG+FZMzMK94U+I6F6A5hF/f+OANDm9fGO56ydCjZk6lp8
+            vmYq/ufYhn7tz9vN9dXvqNbYjoTXA2tCq66k9qeng3jZOp79EFJr/jhRsc0DEaoR
+            E8oQdGeN7K0BRDSdRpxa0ZXRYherUA41aAVyCqsD+1YynHEwPkxLIK2qJ4Y9Q5HF
+            +TDCi8ujg2NbeY+Z9WjpNEYB4Q7ppOZ0Uktv60ZLFc5Sbjmr8O8ojjkVN5rkQhMh
+            l3RWrJj4JQkg2U/sWim+dqjR1BIUN4hXu2+3s4u3vQnyATA1ep2LdEgWAI/XsdB4
+            z8Rpe4Ul38HvbLpxWnkFDyavwCI57fKN/IpQazu7N6aeYnVuZZ5xR/DY0hwe7R+q
+            FRY5P3xgu3LTF/edKiyG2j2aS1HUUe06gYUilaIjSL3yS9zf/5g8H8p53uLh/qZQ
+            TGmLNuXJ2r3yF8XNbsRhz2nTKrKZKIYJvpAx0yVvkvUSOgib+4g/97r70drXutju
+            /yNJNnjicbbZqdLQ+ivqbjiPq436C2gohfL37c1S1yNJcUgXFJd2bnahtwvj2GCF
+            AgwDXjg0p2IN1X8BEAC+B45dkZQ9RM1P3+0PHre5Zg4uam89/LJX1nk2ExAtEizX
+            BKZO950ImNg52u0ptIBcg4iZRGjoWOGmDS3hK6bh1x84fZArvBOFsM6UDB6CFthM
+            Ly+sphRT72RQZvOdmi8QGIU/f4DKurpHQYFBwIHzTTa3URCYC2/Ov/8Jmzojuuqy
+            DLyIulkcnWtBMyFV1scfXEULeqQ+nqEOoTFcSqF4sYKjVFIm/GC9JTbuYR15Ou6A
+            vo6iCyMcY6pYfP0FkHhosA468OgtMSkmBqVHJ8QFbbHKR+lb4nMYcSqvvOM3hQil
+            9yn6UNOwc3QM6w0sWIPriEiO/68GGj6h5BlG0hf/W/4iYW9Qrn0HaTTpmYRshRO/
+            CZM1sOFpscChoRXbiZEmSjqzGzAhko8uHmeQQzsKJbM+RcK1ByFquMwa7qZWQX6l
+            DpbnU8pUci7gPxXy5i3guSYg/2T7ZhY1y7MXz5Qj3zBkup9nxEC1lY+TG3QPRDdR
+            r8kk2wBemk31XYbWUi1yuNB6nD4LUUSxt71XpRz5lrAKbtx0zF1Hn8cjiBG0lxVY
+            66GwE4HPkPBPiS72OMrZBeK9+psrCu6RKMUfSd2Agx+RSOfen0po3yaoOYPXxlz2
+            CGKKkp4X8nczrBvQBmzAeEwGJ2woZPKBQr9xw/6KhB6TbiT/feZNWtWhPP6tndRo
+            AQkCEK3IWRscYRHutaqYrIhamhWIianbcCxRsR9WWbhHp+1DceYMdiqFVEUfoIIa
+            wlsmeKXm09YEudhsQ04PsxzdtLWSnw8ChqasGyW1R8/s7VBe04CobdsiosQpPl6g
+            WVZjq+H94q0=
+            =OCD4
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2025-02-20T03:30:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ/7BvkTIPU/SK3rQ/c4FLyFKSCk/UKB9he62yc1/skp71UU
+            1wRuzmJkKO67vJvBbnszgaK4KfJHbNK1613cY+KqmqmwcXX2OpOrPoYa8BWzte76
+            lVVtmvXLvsCkVgtaIIcjeH+3ByEbiv7KDTtgSrv+hWuv0r2XuC+PcOKDUQo0qwW+
+            ntZb5fr4v+t6xWMHxxQTDNfGLfYwhwHAwaMtr6kiMQyYyxH/7Grj6zwG70spggM6
+            aH5go/1onBYfArDqr0mbimbclGRh2Xw7g7Uk4+Q4Tj6K/NNA9k0g+M1ktrCQGiHi
+            y1a36POPUkcGpuSzurmRDvlpKaXPyr7HbyHk467INl8eYT/O0H6jqGrrzUF1J2sA
+            MCy09WzzE8RV4mg59Sv47UO7YKbHB9/jhyr2eNWP7qTMN2ohq/zTjw10qyOuypgi
+            DYYtCHOh0DHTuFkEkWO9XWaXMGctQQazwtvZBvkjp2Hcg1DODG6NADdKqBoxdSsd
+            SyslogaXn+nCG/7V3RNALnoDKYHJF58aeVsQb9C1XJjPqIwW9125ok/J9EvROL00
+            Ai3gtzFDF/psQr2F8Igm/NWd3L2Fed2lOrIE6iKLXGIAZIPDNTvr21gpXPeeHuQB
+            dWCTBcoxe84w370ZRp+uE2DEPMz7Ne520jQPWvnGrRRWfx+DWkJUXIRCFZo0z6bU
+            aAEJAhCH4W4w0SC3oVcCWRW9vZPqsHeqoiJ8jKVRXojoxr0Pfm3AWaWpQ8vW23RW
+            0fDXbyVSNCQYLXL+OMEHyvMcJD/e6/9aoqhJvlvINf/YS9ZihlgPKH0LU5Zh1E+n
+            lm0AcJjp4usR
+            =cLbD
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/thin/apps/database/postgresql/cluster/cluster16.yaml

@@ -0,0 +1,83 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/cluster_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres16
+  namespace: database
+spec:
+  instances: 1
+  enablePDB: false # NOTE: enable when instances > 1
+  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.4 #ghcr.io/cloudnative-pg/postgresql:16.4-28
+  primaryUpdateStrategy: unsupervised
+  storage:
+    size: 20Gi
+    storageClass: openebs-dual
+  superuserSecret:
+    name: cloudnative-pg-secret
+  enableSuperuserAccess: true
+  postgresql:
+    shared_preload_libraries:
+      - "vectors.so"
+    parameters:
+      max_connections: "400"
+      shared_buffers: 256MB
+    enableAlterSystem: true # must be set to true to enable pgvecto.rs
+  resources:
+    requests:
+      cpu: 20m
+    limits:
+      memory: 4Gi
+  monitoring:
+    enablePodMonitor: true
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore: &barmanObjectStore
+      data:
+        compression: bzip2
+      wal:
+        compression: bzip2
+        maxParallel: 4
+      destinationPath: s3://thin-cloudnative-pg/
+      endpointURL: https://s3.seanomik.net
+      # Note: serverName version needs to be inclemented
+      # when recovering from an existing cnpg cluster
+      serverName: &currentCluster postgres16-v2
+      s3Credentials:
+        accessKeyId:
+          name: cloudnative-pg-secret
+          key: minioAccessKey
+        secretAccessKey:
+          name: cloudnative-pg-secret
+          key: minioSecretKey
+
+  # Note: previousCluster needs to be set to the name of the previous
+  # cluster when recovering from an existing cnpg cluster
+  bootstrap:
+    recovery:
+      source: &previousCluster postgres16-v1
+    #   import:
+    #     type: monolith
+    #     databases:
+    #       - "*"
+    #     roles:
+    #       - "*"
+    #     source:
+    #       externalCluster: old-cluster
+
+  # Note: externalClusters is needed when recovering from an existing cnpg cluster
+  externalClusters:
+    - name: *previousCluster
+      barmanObjectStore:
+        <<: *barmanObjectStore
+        serverName: *previousCluster
+    # - name: old-cluster
+    #   connectionParameters:
+    #     # Use the correct IP or host name for the source database
+    #     host: postgresql.database.svc
+    #     user: postgres
+    #     dbname: postgres
+    #     #sslmode: require
+    #   password:
+    #     name: cloudnative-pg-secret
+    #     key: password

kubernetes/thin/apps/database/postgresql/cluster/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./cluster16.yaml
+- ./scheduledbackup.yaml
+- ./prometheusrule.yaml

kubernetes/thin/apps/database/postgresql/cluster/prometheusrule.yaml

@@ -0,0 +1,74 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: cloudnative-pg-rules
+  namespace: database
+spec:
+  groups:
+    - name: cloudnative-pg.rules
+      rules:
+        - alert: LongRunningTransaction
+          annotations:
+            description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
+            summary: A query is taking longer than 5 minutes.
+          expr: |-
+            cnpg_backends_max_tx_duration_seconds > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: BackendsWaiting
+          annotations:
+            description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
+            summary: If a backend is waiting for longer than 5 minutes
+          expr: |-
+            cnpg_backends_waiting_total > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: PGDatabase
+          annotations:
+            description: Over 300,000,000 transactions from frozen xid on pod {{ $labels.pod }}
+            summary: Number of transactions from the frozen XID to the current one
+          expr: |-
+            cnpg_pg_database_xid_age > 300000000
+          for: 1m
+          labels:
+            severity: warning
+        - alert: PGReplication
+          annotations:
+            description: Standby is lagging behind by over 300 seconds (5 minutes)
+            summary: The standby is lagging behind the primary
+          expr: |-
+            cnpg_pg_replication_lag > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: LastFailedArchiveTime
+          annotations:
+            description: Archiving failed for {{ $labels.pod }}
+            summary: Checks the last time archiving failed. Will be < 0 when it has not failed.
+          expr: |-
+            (cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 1
+          for: 1m
+          labels:
+            severity: warning
+        - alert: DatabaseDeadlockConflicts
+          annotations:
+            description: There are over 10 deadlock conflicts in {{ $labels.pod }}
+            summary: Checks the number of database conflicts
+          expr: |-
+            cnpg_pg_stat_database_deadlocks > 10
+          for: 1m
+          labels:
+            severity: warning
+        - alert: ReplicaFailingReplication
+          annotations:
+            description: Replica {{ $labels.pod }} is failing to replicate
+            summary: Checks if the replica is failing to replicate
+          expr: |-
+            cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up
+          for: 1m
+          labels:
+            severity: warning

kubernetes/thin/apps/database/postgresql/cluster/scheduledbackup.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/scheduledbackup_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postgres
+  namespace: database
+spec:
+  schedule: "@daily"
+  immediate: true
+  backupOwnerReference: self
+  cluster:
+    name: postgres16

kubernetes/thin/apps/database/postgresql/ks.yaml

@@ -2,10 +2,9 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: postgresql
+  name: cloudnative-pg
   namespace: flux-system
 spec:
-  targetNamespace: database
   timeout: 5m
   interval: 10m
   path: ./kubernetes/thin/apps/database/postgresql/app
@@ -18,10 +17,39 @@ spec:
     secretRef:
       name: sops-gpg
   dependsOn:
+    - name: openebs
     - name: openebs-sc
-      namespace: flux-system
   postBuild:
-    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cloudnative-pg-cluster
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/apps/database/postgresql/cluster
+  prune: true
+  targetNamespace: database
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: openebs
+    - name: openebs-sc
+    - name: cloudnative-pg
+  postBuild:
     substituteFrom:
       - kind: ConfigMap
         name: cluster-settings

kubernetes/thin/apps/database/postgresql_old/app/helm-release.yaml

@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: postgresql
+      version: 14.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    auth:
+      existingSecret: "pgsql-secrets"
+      secretKeys:
+        adminPasswordKey: "adminPassword"
+        replicationPasswordKey: "replicationPassword"
+
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: kube-prometheus-stack
+
+    volumePermissions:
+      enabled: true
+
+    primary:
+      persistence:
+        existingClaim: "postgresql-pvc"
+
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 655
+
+    readReplicas:
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 655

kubernetes/thin/apps/database/postgresql_old/app/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgsql-pv.yaml
+- ./pgsql.sops.yaml
+- ./helm-release.yaml
+#- ./pgadmin4

kubernetes/thin/apps/database/postgresql_old/app/pgadmin4/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: pgadmin4
-      version: "1.34.0"
+      version: "1.35.0"
       sourceRef:
         kind: HelmRepository
         name: runix-charts

kubernetes/thin/apps/database/postgresql_old/ks.yaml

@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/apps/database/postgresql/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: openebs-sc
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml

@@ -20,6 +20,14 @@ spec:
   values:
     controllers:
       main:
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            envFrom: &envFrom
+            - secretRef:
+                name: home-assistant
         containers:
           app:
             image:
@@ -31,9 +39,7 @@ spec:
               HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8
               HASS_SECRET_URL: &hassHost "hass.thin.seanomik.net" #${SECRET_NEW_DOMAIN}
               HOME_ASSISTANT__HACS_INSTALL: "true"
-            envFrom:
+            envFrom: *envFrom
-            - secretRef:
-                name: home-assistant
             securityContext:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true

kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml

@@ -5,71 +5,76 @@ metadata:
     namespace: default
 type: Opaque
 stringData:
-    HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:+dg6fw==,iv:8YPS3cD/qnZcQCwjdSVYJ5x/z0rSR8jplZfxr1EPqJk=,tag:2S0JTIYBvxN5tAnLMLMwtQ==,type:str]
+    HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:3No=,iv:Q7puC0tfSGFypeVpZ7wG6IMqFLWFvxeI6AcApzTJlYI=,tag:bmaj2NcInaWgX8CzJDrnAQ==,type:str]
-    HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:Kgq3N7fRG8Dn2g==,iv:7m7RQM1WcIKTLfMr1cjcFxqnYJ+7llKNY6Mdl9MdVmI=,tag:wtgsJsCov1BxN0LW3bn2cg==,type:str]
+    HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:c03acwN1Vle96Q==,iv:nP/oMffkdUm2eJtEb6aMmesFOcFV9W1NWH9xBMGFnyI=,tag:qoWyC0vb9/ZiA8W03ns1tQ==,type:str]
-    HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:fBTv0J7rNN6Tt5I=,iv:lU0J2Qd1rRzrIKhYUDeqcQfRidGvsBzby7a/9UiCKYU=,tag:Lyh1QS3WIpP0tl0g9NEQMg==,type:str]
+    HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:eQUp0yIGZYUbckI=,iv:DUjs+fpJZoUMyBCF0VG/vYn/EYGpurqzfLDsyrtQuMU=,tag:UIma9ZCh8Soo4yHxg24gMg==,type:str]
-    HASS_SECRET_DB_URL: ENC[AES256_GCM,data:YXk+YKDlqnrn7hxGe4Q5cTaafK2ijRWf2NtAltdeJmQ3sAL3Z8N7yV3VwSUkL9Re181JRXeiIebEoIMx2DDlTaYMcnGPQyqjSWBMSt4/+WgmZ0Q=,iv:5N/dbYht2ts26GAh14BxNA3zq7US+s8WbmNWFJtO+jk=,tag:6sqa0kufUdkyMVdJ9rVCdA==,type:str]
+    HASS_SECRET_DB_URL: ENC[AES256_GCM,data:BjOqf0BTMhBJZgokpECUGndwj56veNtTnvyfP0qGwWq8hLg783PpfbCY++B47sJSnOUk6ZbMGdzPOfaOOF/RYDCyr9fV8pjw8I7MvJRXcBaW6ejBv6Y=,iv:NezKv/hJR5Clolezmy2+bEMWHIxkK3w+AZAngKzZEhk=,tag:X7/LhvazHma+vBaIw0yGMg==,type:str]
+    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:JNlqet8psIAeinYa5uSESglNJpiCHgOzx6I=,iv:VvR8+aRh1BHTO0eOhPRL+4OTHSu/12yHDz8PMtz1Vnk=,tag:M1Jx1No8hO/acJwJwo6vvQ==,type:str]
+    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:38Qe1mXCJIFCkb1klQ0W3rSHaAJ6eRX4Am2eNl4xkqLnFnM=,iv:dtipdKE0bOV1ZqOa3l8tV4BTFsA3jGLIPGKoUSNnNyc=,tag:xs/BbAF6RRCKq3NpVjywuw==,type:str]
+    INIT_POSTGRES_USER: ENC[AES256_GCM,data:/L3CrKQTzX8wjwzc9WY=,iv:8ubjoBoNjJm5GyYSfgnx+O5ERWw+PP0fzDzb0I3EFc0=,tag:jV+E9AtpwB1UlbGiIDpwOA==,type:str]
+    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:QuX8K/oDvd0CalRUOftexQ==,iv:i+h3HP8m8PCwE1xnfkYhUcQ3dwxrwiNAmC5JBeM6qnM=,tag:Cxk0Y4d1Xd19aBRJ5wzW/g==,type:str]
+    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:za3BJX5POZvfyv7clp8=,iv:uIyr1ALDVnCQfLZCrOvolTE2QzPMLaBFbwxruoIMDdU=,tag:mheg+QjmVEVXdox7LD4J5A==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-09-16T00:34:28Z"
+    lastmodified: "2025-02-20T05:40:26Z"
-    mac: ENC[AES256_GCM,data:zoW6fr1LbCpxj+47BS7YSJtT8CF3QLdkYR+JsNmVNv+NZ5229TC+RGWbSwjyHtqb7Xxzhwzuna8kVR9Jg8dnJOZhEJM2uY7rTx0z0tpakdvUggxDiBH3W8nIc//DzxgbGZwtP9/LNpzE0ucvTKrqJsUW6/Idu815bLknNbeaPxo=,iv:KbbWZ17JQNsCuSI26nGKwKjoP4aULua3GBCJbQgNpyI=,tag:PvEhlwCpYMtJB8lx5vmVfQ==,type:str]
+    mac: ENC[AES256_GCM,data:qh8umMzD62ApXWRpn7wq661z8P+F8ymfYZdr2Gt6jl1Xn2RtGt1QoCz5AfX7Rep3KJLvwylk0Z7niJAs2GpYRXzTz4IxpEYNGn/Z07GYggscudKmt8M/VAJCAKkYaBN3C4W9giWaQFULvwyt0W8bcSCzaFT0jq8ILRICkULD860=,iv:JGaiaxjWvmJ5v/wsFD6x98nkzCd7YGPCF7SVzMTzQlo=,tag:V07JoTHHvF9DCgZj2wlQsg==,type:str]
     pgp:
-        - created_at: "2024-09-16T00:34:28Z"
+        - created_at: "2025-02-20T05:40:26Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAyqlIeyoxYovAQ//WFv9Y/YWKUUEV7ymMAqVpCdiVp1DiRBbsNVlBCi+x2lF
+            hQIMAyqlIeyoxYovARAApjivFKBRsnZ1Loxkjmnzjc3QAk4bfKr/m1thGaq3KbLr
-            NO/AHTeTvJL+9uyavQsSQVuuIhCMG9R7uwTAQaLgZat8Q3ToC4ntEjoxQQfKsUTl
+            /H1orkwib2qp5AjOEbHcIt/GRmTe3/MXgsM4ZWslIJvGXQ8ZPi06oG83qtQeMO5P
-            1qfsFTTGW8PJbekkvZmufTMTzmJ+8j0TGnQeCcI9D/XmE/fDP+P551YLCXJm/MtC
+            J46dj5z1AuoZm6d3tF5zvoT2tDjMWVmFXH/B2ZqkZqlAXjx8MbDnDSUY/Wd45dGO
-            xGo1Wz27n0YYseWRjO6hAOU0/z3tQxgEYU40uWt/Wego3XaXVIAOC7E+uxbVIGfW
+            PeglhoYNXB9dsNXWzNbSJ4PtlafP51bV/l61RpuKOUyz0ApjD7awJdGcvhgadg4+
-            DsQQQi3E5mKGdWB6VvzozstneZuDNU+GiNCCHsYYCCSMwT4z1FFPTl3T4Qr+yRbQ
+            ZH2Hmjs9CrMn/CP6l+bW1xWc/tnZ3zv57Wt4p2sMdkCS8U0xLpXnWt8p3JXHWwbp
-            Ylh5y7LQsVmHnwzC2eDatxL2v7chSoYWczZMKTmNCcppZ1Lvas14Cd9MdC/yt2yD
+            0E/gUbNlTg9K4ATuy/ddwr/Pwze8e/yr+OULquCyqtpiNZbeeJLUiRGGIXWSCVt8
-            jDrXtyw1jPho+A688EvB7E/nCEXnchL0xqCcCqa7IE3+hhZzxLWysfz4QM0Mg2rv
+            95aZO5Fs6f77+5S0sJRaaN5d5pFivC43/bqvfYJsrWPKal+hPbTIAWMkpyXKN99S
-            j7QLP2/ssuB9K2dOrudkE0MUzQyf5tu9Av7YD+KR0SEcuQ/Y2yvnScLf4SS/NEgG
+            USaILhekPPe1MxvOM8IIcxbWK+I6KS6UKyC6CiMOVkYdRN/ujO+pT/7B/tLAm6lU
-            erB8e44M/NG/CN38YOxPGtK9FcxjJKyDfk5S//TPteZBgtKwf18H5SDonu3E6WUU
+            lFOk1R4oLpFOclsmza0uuub5BAXxJc+9VGT3LQnjXjGwoU4e54Rje/qo6uuGR/iJ
-            Z61U/Vw31xtIuFVRPAQc5qzfCVQ9N0zJx28F3QJXcgMzmEVHQKyJ+/u9ytfTQpg5
+            Hywq4f8XykF2Jm1UInnNUrXVPvExOK4NtuAfvZJ+zVhur0K7rmZtXQLn3Vikb6JW
-            CPfexvgNg9CR++p6MY0tie07iLkmoT23hq1A36Q+pnyqR1bZVu0vVIVtOIANG3qF
+            UNiAsAl1x1uWrWulSOtvmeEWvL3nt5gmVxj18NESmBQ9aQK+J63XqhFW9O1mNNOF
-            AgwDXjg0p2IN1X8BD/4oBsOiwYJYAPdsxtQyMoj92r6NUl+STRdvalSyweJqf9xK
+            AgwDXjg0p2IN1X8BEAC8+2iXJQpbgMcI+CnW7pZ5LtqGqDJRHxjH0USV401SKNe7
-            RfQzlNtdN6ADTD7p6PKZxg/Bb9HGJe7eUto78Eqn9Uqu67pGPCUiaVk7JUUayGHd
+            X+PCRnR88o1sCYc8K52f7lZKFFRLSoD2+4j/05DqfcvyzCNVRH0YVPHLKGGFUisP
-            Fay3OJYuLEgukEo1okq+yBDjj+dGwTJ17Cl8hYgNSyeGCAiXqUkktkRXkjvhI55X
+            Fn8CmOVb4Q4C+K7lUZIHAvzmg78p6nVrUX1m7u85pDP2hYhLUkNi188pl57WdDhV
-            lgOc3wiaRqcuLFG5h00qo3Wy4ESzuQSKFEimpSec8CSxuY/vTg8CFjekkmUerNmd
+            SVSQvB97Axjtv6EBKUiLlMj6Cq6Yh97Rw/FJ7wwLyU6Q3Wzs3KMyKRqnc4jnKrDt
-            eKKW6q0IB2WUrxbvG4moF+4pK6F8zOgF1B94cFuFHoDQ1sOFkUI95v0/mEi6qIX4
+            oEekDqBQ9cbxsdr38CJIzClDtAimtant4TtOgrDecdu8+tmPBAE9l14YaVjFZUoc
-            gTD6DAbgmZCyFWrfH1ogU7vpa2aDrFDHYLFyjESX6zhMVnQwetQsgdQ3C2Q5HpD5
+            hIvt0neCg4trHswD4OZOe2XVHvbJTdl8epf1ReSGoyRcF+6ETrBrJRiV5SXZuxH3
-            uWuzbVSOVpUzwOsgwP1bUn6Layxnk3cVtgLj5ODdUYSBJZ6/ReQ/aQjhUpNVQIUA
+            +6MjkldWb5O5d6kBPKCyRgrZMIzlm8nXwqj9Dr8omnGpVq4nwboOm8Rgrw3HTv/5
-            inqCuL6dSFDTKKwDpzdVTX105knBNP5pHaDVdFN+iUu9pbFGSqWAZQ/XtfznBSbl
+            xAFDmRas5BNvffVVJ+KnIw9Sidy6dn5qIhK4NtCGx/Nqe04pD3E70y22aEZHj/fh
-            QntMp70zVe5TlMtB7DCpkRcgI/oOLjciM+ITVW3mh7nX0tbBUZ/2T/KKPwFHNI/4
+            PChyfs8fp/DErfJK6xuHZ6fGF9zmxB7PWsQ6H6hlV0WPgH23l7t64OUgxKyWJk9C
-            wU/TH13RW0l92eJRXYarYsOqsDsYzlkOoPupNQFK8UVu44cVe/jPJNNi9yU8EN5r
+            iIk1BCbu5JbexnYXOoAPvz0UvdDFNzZGwLpYQLSTioxcLE4LOkA9QwprKz4lPrlW
-            2VoKr2F7sYprbSunhFrOXFGngCs0pgk6lKcWKE6mP8b2AmmX0FHBjojTDRu3D9Rm
+            8NaBtsTz/Eq09rwU3vTfVqJ3LZS9E9jqM6a66drfz6BCGWK+jJbr4xbvdlca79Ro
-            AQkCEHK/1D/N2aQA8WZBnz87r51MTQ+dqxTu9tAOjCGX2jP1NvQqnS2vL+iqsvlo
+            AQkCECVCenYj7hs+LfDacPONXgQFkZyL18O7w77GzlMExa20+qF6/Jp/glt3K0QI
-            CxojBsFhFZXLpd/op2N+4nFMA0HAPl4pKj5hi6tUEzkXr9ltfvnIMdv0ZoZoM61r
+            lj/2dF4+jhVS1qb4UZZxBP9ztdwrpaJ8a9iMzsnYWmCjFzNqVjyDwtqHlBIS9pIW
-            B1xdW8jX
+            ZvRcfieyidU=
-            =HAf4
+            =46wf
             -----END PGP MESSAGE-----
           fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
-        - created_at: "2024-09-16T00:34:28Z"
+        - created_at: "2025-02-20T05:40:26Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAy5t8IMoPu4VAQ//S4pP46cksxK/sNjHKP8A8uY3KNewuTd9URB605mXlaAA
+            hQIMAy5t8IMoPu4VARAAu6PlHiZmgtasv9J5ZIL09IRKKZMM/GhDGhqdKkepTkza
-            iTMnujsimRREiYoxkcgCIuxoYgpXoi30XrlrSbdKwSt1flGRjVBtW62uvgFRn/Ya
+            yg1QsZgD4hxtXuotKXDqN40DCf3lrPx2PApxBsx3acGqKjjkaLutKfnqlN9oZ1va
-            qmZimGRyhSr0NWMZdsCoOGECCd21lGOwGeTmZzcsvYtzT0fgpYoRtQv0L44eBuFy
+            FLQDPhrgMmuW/Q2Wnowv1tLldff+RR47mtNOay0V2rUQhklbZq4dEv3E0oc4lTPG
-            uzNIvDw7SvvjM2nGWI6VAlAg6CnAz3Fo9JbccZINqgfRTNhtkHU5R6M0M6EjmN6M
+            p2uXTEuFyDpIQGcBJaftaYAd9Yg/iQ93DqxGz95lRVXlj/UWZm55vGEHLWDBa40J
-            xkcr280dOdV3dWKfAtZld2aPb9QLj2vxYxcSqaqQ3jLpmy5JrCT+E4fxt6THyg4R
+            ur2Z7luTg4rPs96+hgIIm84x8fU47oKf6I1g3hcrP5TMsTJ+aUWuKjVmIXqHMjbU
-            x9EGds30zUOUwB5hOJGF+dPPdb3M1imZZymDYZ65WDt6nttRVz9p1Vxu8BiMzMef
+            b5scAKOAUSlWVDU6DwAbc/B32gmZ+3AXe/KodyDkF10kUiYixfL6jjpChHaudFIc
-            CPcrArf5ic+TDp4QydwAb3UjkT+b8/iHGLrFLn7E7s9xaWN8Y8wHxhABjEMKia/8
+            Dwqrxiwvw5BpSoAtAU5VQWxJHRl1O/V1AwUWjJwLuZtf9Lqg1mFrgdz5GWFotgrY
-            hhZozgapC7EIK10Qq4S+mce+pQrLdPrz++/jEL5enuh3vo8s6PSCAbM7sxjoNUV0
+            NIrAP8MYTFV4eOR1j4KLxHxvBKbPq65Pp0udsZQDT1R6fjiJAOLtED55HIPzGH+m
-            Sjbl3lOlbvRLMRJoxMgeHCYKR8HBKYX3lbPSOl0+D2rwibdrbuk1N4NMq0z9YU3O
+            l/4riB2yoKUFSk+EDhDPuqCqJstoIyWw5pZmOvEtArUkwLCJzSzTOwlv5NXntxuf
-            PCEDpGxzj469yss1XbpoANG7EpS9uMdTN+ONE1Xx7AvsADMrNvdJeLvku93bknZw
+            f63NAMDiqlT4mByQ/d1vNLazyCO7ugCqI/T5oY8qT1f8Zh6hxqiGWoszoJazGVYU
-            6rD1aSBau98H/WGM1XGu0nOzQgxtfCoaFRnXf03lMldWlkQnwYuhZPs+3mwg8vfU
+            1IjBWVQzx0WcYAT+f+pTM+nWluy0mMaO/G36TB7XaeZPtrn1SgSQXQ04/SKFSA3U
-            ZgEJAhD4mf23O6K9MUJFjoHABoZAQqX2UEc7TRjIc+YHGg8PekuK4yTWIKkHIvUL
+            aAEJAhDz4MfOe6QAOUSi+ys6CvBhoNKWJmSqQoPppJAM0TaC3nbs/h9fJQewYOJZ
-            WdiWaO8gB+QmoyHt6bg4+di1iqTujnKTPqPF6ehpoDlqWHXWs2mxl2UiC6DGUHlm
+            UZU5whshTW4diKf96OzqDDiuz2/PKBaArzXwp8ySTT292KgVWWKPAW2M0QsiGezf
-            oIfC9MKtDA==
+            kGulp26F+Rg3
-            =uXt0
+            =CXcB
             -----END PGP MESSAGE-----
           fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
     encrypted_regex: ^(data|stringData)$
-    version: 3.9.0
+    version: 3.9.1

kubernetes/thin/apps/default/home-assistant/ks.yaml

@@ -19,7 +19,7 @@ spec:
   dependsOn:
     - name: openebs-sc
       namespace: flux-system
-    - name: postgresql
+    - name: cloudnative-pg-cluster
       namespace: flux-system
   postBuild:
     substitute: {}

kubernetes/thin/apps/kube-system/cilium/app/helm-release.yaml

@@ -17,15 +17,16 @@ spec:
   values:
     l2announcements:
       enabled: true
-      leaseRetryPeriod: 5s
+      # leaseRetryPeriod: 5s
-      leaseDuration: 300s
+      # leaseDuration: 300s
-      leaseRenewDeadline: 10s
+      # leaseRenewDeadline: 10s
     k8sClientRateLimit:
       qps: 43
       burst: 86
     kubeProxyReplacement: true
-    k8sServiceHost: 10.96.0.1
+    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
-    k8sServicePort: 443
+    k8sServiceHost: 192.168.1.20
+    k8sServicePort: 6443
     devices: enp+ #0s31f6
     enableRuntimeDeviceDetection: true
     externalIPs:
@@ -33,7 +34,7 @@ spec:
     rollOutCiliumPods: true
     ipam:
       mode: kubernetes
-    ipv4NativeRoutingCIDR: 10.42.0.0/16
+    ipv4NativeRoutingCIDR: 10.244.0.0/16 # pod cidr
     autoDirectNodeRoutes: true
     routingMode: native
     localRedirectPolicy: true
@@ -45,3 +46,24 @@ spec:
         enabled: true
       ui:
         enabled: true
+    # Required by talos
+    securityContext:
+      capabilities:
+        ciliumAgent:
+          - CHOWN
+          - KILL
+          - NET_ADMIN
+          - NET_RAW
+          - IPC_LOCK
+          - SYS_ADMIN
+          - SYS_RESOURCE
+          - PERFMON
+          - BPF
+          - DAC_OVERRIDE
+          - FOWNER
+          - SETGID
+          - SETUID
+        cleanCiliumState:
+          - NET_ADMIN
+          - SYS_ADMIN
+          - SYS_RESOURCE

kubernetes/thin/apps/monitoring/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./namespace.yaml
 - ./victoria-metrics/ks.yaml
 - ./kube-prometheus-stack/ks.yaml
 - ./grafana/ks.yaml

kubernetes/thin/apps/monitoring/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring

kubernetes/thin/apps/nginx/external/helm-release.yaml

@@ -29,8 +29,6 @@ spec:
       service:
         annotations:
           io.cilium/lb-ipam-ips: 192.168.1.50
-        ports:
-          https: 8443
 
       ingressClassResource:
         name: external

kubernetes/thin/apps/nginx/wildcard-cert/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./namespace.yaml
 - ./wildcard-cert.yaml

kubernetes/thin/apps/nginx/wildcard-cert/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx

kubernetes/thin/apps/openebs/app/helm-release.yaml

@@ -37,17 +37,22 @@ spec:
       nodeSelector:
         kubernetes.io/arch: amd64
         openebs.io/engine: mayastor
+      io_engine:
+        # https://github.com/canonical/microk8s-core-addons/issues/25#issuecomment-1144333851
+        envcontext: "iova-mode=pa"
       csi:
         node:
           initContainers:
-            enabled: true
+            # These init containers check for the nvme_tcp kernel module.
+            # However, talos includes that module built into the kernel, so it will fail.
+            enabled: false
       etcd:
         localpvScConfig:
           enabled: true
           reclaimPolicy: Retain
         clusterDomain: cluster.local
       crds:
-        enabled: false
+        enabled: true
       monitoring:
         enabled: false
       loki-stack:
@@ -63,9 +68,9 @@ spec:
     engines:
       local:
         lvm:
-          enabled: true
+          enabled: false
         zfs:
-          enabled: true
+          enabled: false
       replicated:
         mayastor:
           enabled: true

kubernetes/thin/apps/openebs/app/namespace.yaml

@@ -2,3 +2,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: openebs
+  labels:
+    # openebs needs to run as privileged
+    pod-security.kubernetes.io/enforce: privileged

kubernetes/thin/apps/openebs/storage-class/pool.yaml

@@ -1,39 +1,39 @@
 apiVersion: "openebs.io/v1beta2"
 kind: DiskPool
 metadata:
-  name: pool-dorm-controller-d52ycbgv
+  name: pool-thin-cp-1
   namespace: openebs
 spec:
-  node: dorm-controller-d52ycbgv
+  node: thin-cp-1
   disks:
-  - /dev/disk/by-id/nvme-SAMSUNG_MZVLB256HAHQ-000H1_S425NX1MA23444
+  - /dev/disk/by-id/ata-SPCC_Solid_State_Disk_AAAA0000000000001393
 ---
 apiVersion: "openebs.io/v1beta2"
 kind: DiskPool
 metadata:
-  name: pool-dorm-worker-3ssgwrlx
+  name: pool-thin-wk-1
   namespace: openebs
 spec:
-  node: dorm-worker-3ssgwrlx
+  node: thin-wk-1
   disks:
-  - /dev/disk/by-id/nvme-KXG60ZNV256G_TOSHIBA_69CA70CIK34N
+  - /dev/disk/by-id/ata-SPCC_Solid_State_Disk_AA000000000000001143
 ---
 apiVersion: "openebs.io/v1beta2"
 kind: DiskPool
 metadata:
-  name: pool-dorm-worker-hklqhcrv
+  name: pool-thin-wk-2
   namespace: openebs
 spec:
-  node: dorm-worker-hklqhcrv
+  node: thin-wk-2
   disks:
-  - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K125956
+  - /dev/disk/by-id/ata-SPCC_Solid_State_Disk_AAAA0000000000005262
 ---
 apiVersion: "openebs.io/v1beta2"
 kind: DiskPool
 metadata:
-  name: pool-dorm-worker-kgoutccb
+  name: pool-thin-wk-3
   namespace: openebs
 spec:
-  node: dorm-worker-kgoutccb
+  node: thin-wk-3
   disks:
-  - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K173346
+  - /dev/disk/by-id/ata-SPCC_Solid_State_Disk_AAAA0000000000005266