fix(huginn): lower agent replica count for debugging

.github/renovate.json5

@@ -15,17 +15,17 @@
   //"schedule": ["on saturday"],
   "flux": {
     "fileMatch": [
-      "(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
+      "(^|/)cluster/.+\\.ya?ml(\\.j2)?$"
     ]
   },
   "helm-values": {
     "fileMatch": [
-      "(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
+      "(^|/)cluster/.+\\.ya?ml(\\.j2)?$"
     ]
   },
   "kubernetes": {
     "fileMatch": [
-      "(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
+      "(^|/)cluster/.+\\.ya?ml(\\.j2)?$"
     ]
   },
   "kustomize": {

.gitignore

@@ -1 +0,0 @@
-.projectile

.taskfiles/Flux/Taskfile.yaml

@@ -3,20 +3,20 @@
 version: "3"
 
 vars:
-  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml"
-  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml"
+  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
 
 tasks:
   bootstrap:
     desc: Bootstrap Flux into a Kubernetes cluster
     cmds:
-      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux
+      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
       - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -
       - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
-      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config
+      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
     preconditions:
       - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
 
   reconcile:
-    desc: Force update Flux to pull in changes from the Git repository
+    desc: Force update Flux to pull in changes from your Git repository
     cmd: flux reconcile --namespace flux-system kustomization cluster --with-source

Taskfile.yaml

@@ -3,7 +3,7 @@
 version: "3"
 
 vars:
-  CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes"
+  CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
 
 includes:
   flux: .taskfiles/Flux/Taskfile.yaml
@@ -11,8 +11,4 @@ includes:
 tasks:
   execPostgres:
     desc: Exec into the postgres pod as the postgres user
-    cmd: kubectl -n database exec -it postgresql-0 -- psql -d postgres -U postgres
-
-  execMysql:
-    desc: Exec into the mysql pod as the mysql user
-    cmd: kubectl -n database exec -it mysql-0 -- mysql -u root -p
+    cmd: kubectl -n database exec -it postgresql-0 -- psql -d postgres -U postgres

cluster/apps/authentik/helm-release.yaml

@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -11,21 +10,18 @@ spec:
   chart:
     spec:
       chart: authentik
-      version: 2025.2.3
+      version: 2024.6.0
       sourceRef:
         kind: HelmRepository
         name: authentik-charts
         namespace: flux-system
-  dependsOn:
-  - name: redis
-    namespace: database
   values:
     global:
       env:
         - name: AUTHENTIK_HOST
-          value: http://authentik-server.authentik.svc
+          value: &host "auth.${SECRET_NEW_DOMAIN}"
         - name: AUTHENTIK_HOST_BROWSER
-          value: "https://auth.${SECRET_NEW_DOMAIN}"
+          value: *host
         - name: AUTHENTIK_SECRET_KEY
           valueFrom:
             secretKeyRef:
@@ -55,7 +51,7 @@ spec:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
-          - &host "auth.${SECRET_NEW_DOMAIN}"
+          - *host
         paths:
           - /
         pathType: Prefix
@@ -88,7 +84,7 @@ spec:
         enabled: true
         environment: "k3s"
       postgresql:
-        host: "postgres16-rw.database.svc"
+        host: "postgresql.database"
         name: "authentik" # database name
         user: "authentik"
       redis:

cluster/apps/database/kustomization.yaml

@@ -3,8 +3,6 @@ kind: Kustomization
 resources:
 - ./namespace.yaml
 #- ./network_policy.yaml
-- ./postgresql/ks.yaml
+- ./postgresql
 - ./redis
-- ./minio
-- ./mysql
-- ./mariadb/ks.yaml
+- ./minio

cluster/apps/database/postgresql/helm-release.yaml

@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: postgresql
+      version: 14.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    auth:
+      existingSecret: "pgsql-secrets"
+      secretKeys:
+        adminPasswordKey: "adminPassword"
+        replicationPasswordKey: "replicationPassword"
+
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: kube-prometheus-stack
+
+    volumePermissions:
+      enabled: true
+
+    primary:
+      persistence:
+        existingClaim: "postgresql-pv-claim"
+
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 10000
+
+    readReplicas:
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 10000

cluster/apps/database/postgresql/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./config.yaml
-- ./webhook-secrets.sops.yaml
+- ./pgsql-pv.yaml
+- ./pgsql.sops.yaml
 - ./helm-release.yaml
+#- ./pgadmin4

cluster/apps/database/postgresql/pgadmin4/helm-release.yaml

@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: pgadmin4
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: pgadmin4
+      version: "1.26.0"
+      sourceRef:
+        kind: HelmRepository
+        name: runix-charts
+        namespace: flux-system
+  values:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-production
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      hosts:
+        - host: &host pgadm.${SECRET_NEW_DOMAIN}
+          paths:
+            - path: "/"
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+
+#    securityContext:
+#      runAsUser: 10000
+#      runAsGroup: 10000
+#      fsGroup: 10000
+#
+#    containerSecurityContext:
+#      enabled: true
+#      allowPrivilegeEscalation: false
+
+#    envVarsFromConfigMaps:
+#    - pgadmin4-secret
+
+    persistentVolume:
+      enabled: false
+
+    volumePermissions:
+      enabled: true

cluster/apps/database/postgresql/pgadmin4/helm-repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: piraeus
+  name: runix-charts
   namespace: flux-system
 spec:
   interval: 1m
-  url: https://piraeus.io/helm-charts/
+  url: https://helm.runix.net

cluster/apps/database/postgresql/pgadmin4/kustomization.yaml

@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./secret.sops.yaml
+- ./pgadmin4.sops.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml

cluster/apps/database/postgresql/pgsql-pv.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgresql-pv
+  namespace: database
+spec:
+  storageClassName: hostpath
+  persistentVolumeReclaimPolicy: Retain
+  capacity:
+    storage: 12Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/MainPool/Kubernetes/databases/postgresql"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-pv-claim
+  namespace: database
+spec:
+  storageClassName: hostpath
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

cluster/apps/database/postgresql/pgsql.sops.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: pgsql-secrets
+    namespace: database
+stringData:
+    adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
+    userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
+    replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-22T16:25:15Z"
+    mac: ENC[AES256_GCM,data:uWVPfKwPpR212js7f2RnCzEsMnxk2JpGPcf2L5i4gJCddJCrRJkdhjWGyVVpp/ociP3JLRTI95+WSEUH0KkPZpY1ptQevCVsUemRytOCtBlR0yR4qsBwEisSu8m4B5dbAYsqlXAndrBNL2WGB7uBv+ILgNxkhlN58unseSWJBDM=,iv:e7QyZSlhpyQ+A8OmV4p1848itIUxyam6CJOI9/N7DDY=,tag:N28mfrAjUTTYkly1hu0OhA==,type:str]
+    pgp:
+        - created_at: "2023-06-19T18:35:15Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//aQdUERyq3G7V29F5rpY6LdDgo8+hqrrZvdI3JnON0VUM
+            Tj3AAYg+xvYh8aPQywF9fJvn6qNw8fqrb2GiuuNTa9ZPCFsD+WXbuYHmQ9z6tAtV
+            opXe3QLNBuo9zEtUfGPbaCp8EH7f1TxQsTJoe9iE/1B2S69cHNUdgXZtfQyhpmlG
+            iyAk/G04kPazweIuFNjOYaN/12J/s2Cf5AZUeROkMxg8/GTPO68LeEBz9v4vl/1z
+            JlxmZyXR/9IeoBlO63asDrR85fcvSDb31K4qE3WVkag20bXClv1lehLVKO4bxA/F
+            lW1tXDR3odC9Ozme884Znd05L0NWkzYKYRta198IV6JuSCeMdjTscGGlMM9wqqKz
+            SZgs81FHXT16YCVupfI22CqMiD0EzQXrGEtJ4NqaBvhZu+MDxszNRzIl73b0HANc
+            8JQqQqOJh7ltrWnf39Xlv73yVC/pYbaV1LWGnMfqWvOcksa9QjOH9Ysfj/RxdaMw
+            VQhydU+21+xeuEQBL7OsiJQUzgJjFREnTRPXcorCtWxocCn5zwdct1SFchFzCOTp
+            H0ubpD+MP4RTWxuYbZRhE5ty6GJU9liRH7dUJtVaQiv8V+G1DungTqq36AbbnHzd
+            9cy+4cM3wZx2VYElL7DBom8nqqm7Xhffr0UaaY8VFuV5bBry3BmM5rOr8vDYqf7U
+            aAEJAhC/4yiBMuhEB+fwXIq/dBjMzW+p8SotK2QK03yaTFQchnBDknwVdqcKQxIZ
+            di3kupnjB+KllWOZhl121tT9L35ymL53BUu1FKCTFdIS2wXxy6UlIS98n0bvWJYN
+            c5WTfk81xmbT
+            =UE14
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-06-19T18:35:15Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ/9G2JDsJw6YJMjstWPrv07tnU0ErWZx5WGcNUGhw6T5tOJ
+            kXCAuaZax8NxoTtZnQ9Cd+WgJr7R0FuVPEPTc4G2RsfntSZq5rBgCpT0fgwyASFX
+            64b6YTbLcCL+G6sg/FwIi9SRqqCsaljATjoU685vrjaxYYfAdhyUoM3qSNjMMaMl
+            zVjn0kbWrQn4GqfuRMqcr+zCIQdHNTTJ12+c6UUo/zJp4zzjA68Yur9aiw1iHtR1
+            rYCPHX2/ZmQjADTHXqwpuMdb5j0VDcd5JcZabdcJkhn/6MRJiN+XryZN/Neq9UbF
+            5WrMaZz5v0iRnMUCr8HMw29P0ttu5Sma+RyCOZuWlpsXj+C84pJ8CjBbFhzSJzGP
+            cKI8Syn0CPLN3X6vKs+LJXEHg1jxJ9kuN+RgW+SQRctUX3A0JtFg2tWplkptNtLl
+            hN5rW+fWxk7BV9dP7wouwVJiKcW3Y/OMCF5H8YHwL/KVHvANBwNM+nmFPrHaqN2s
+            0RghznmZMVG+9IYedSM6d8ZJLnO/QsNTE0QTGM/3dmBAn9jcndCLTgcgThAtvcmw
+            lFJYaMN3W455Cccaif93xnb44yn47actgEuM6GOuP15GGJaHD2iBQ2atHcaQhNQR
+            mxhIIouu+Kaa6g34MA/VGDNoN0eNYI5RZIUSSBl7bgaOXs9/3j1Uvap9yesCaOTU
+            aAEJAhDDqjX7RUazeEByAiKjv5TxpQzsi8gR4zyrhf6tTx34jHzQNoVjYEtLMEVl
+            ZlAJ06RoxOj8O6+8RGYd/ZUE+TQPQ4jx+PgWrZPUQx8TSxevuduw5XZ1lKytUSCZ
+            GFDjOxp0lMGV
+            =LHSB
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.0

cluster/apps/database/redis/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: redis
-      version: 20.6.x
+      version: 19.5.x
       sourceRef:
         kind: HelmRepository
         name: bitnami-charts

cluster/apps/default/cdn/helm-release.yaml

@@ -0,0 +1,65 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nginx-cdn
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: oci.seedno.de/seednode/nginx
+      tag: latest
+
+    args:
+    - -c
+    - /config/nginx.conf
+
+    service:
+      main:
+        ports:
+          http:
+            port: 6544
+
+    probes:
+      liveness:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: &host "cdn.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+            
+    persistence:
+      data:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/cdn/data
+        readOnly: true
+        mountPath: /data
+      config:
+        enabled: true
+        type: configMap
+        name: nginx-cdn-configmap
+
+    resources:
+      requests:
+        cpu: 1m

cluster/apps/default/fireflyiii/env-secret.sops.yaml

@@ -0,0 +1,123 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: firefly-env-secret
+    namespace: default
+stringData:
+    ALLOW_WEBHOOKS: ENC[AES256_GCM,data:qdisaso=,iv:rT7WID3kRMPEGmWJepNmrj1tutxsT5Arw5AN9oVFoXE=,tag:jkYkRaGLEB3iBEjEVIAVCg==,type:str]
+    APP_DEBUG: ENC[AES256_GCM,data:Jyo8QmI=,iv:Gq2Ldh+H+oturcglphQb7ERHX8jD/5j01qtEJDRPAn4=,tag:m96oouPtT9J5zQHPs2QaVw==,type:str]
+    APP_ENV: ENC[AES256_GCM,data:19kiyms=,iv:KLwsQOsDvg/7f18FEsg+e2rgnXSbsxwSNbItmgLGy8M=,tag:mUX/UeXFi0eeZ68bsJpq8Q==,type:str]
+    APP_KEY: ENC[AES256_GCM,data:PI70apm/K8/1el4lW3KR6wLgBDgj0YAQ6KwngqxSv2Y=,iv:S7xrpAeY3wM3moCL/i5R045yst7Zz8ahXbLyNfvacZ0=,tag:hOXR1kKdxVoQxZyjZu+ajg==,type:str]
+    APP_LOG_LEVEL: ENC[AES256_GCM,data:ZwJTcn8y,iv:wk+jX9Zp1TTn1EHv0OLgt+0alm5JBHdWcEtIn1dTI6o=,tag:gR1Ls7dFGyt4hKGiwLU5wQ==,type:str]
+    APP_NAME: ENC[AES256_GCM,data:yfd2OQk6NvjKcA==,iv:jLL2Dt0YlWODwCKSnqR1yuSWJsKySQNZY/pEfxi5jJM=,tag:XoHlMsMuRG6S4Wm0PVjtBA==,type:str]
+    APP_URL: ENC[AES256_GCM,data:+bveNLjanPPMkoMrDO4KsA==,iv:xQWHzRKBMBumi2bFCUKoWLRiuNNV3HQLv1WGEiZ6RRg=,tag:h9IF4XwIK2P8sB4V1Su5Ug==,type:str]
+    AUDIT_LOG_LEVEL: ENC[AES256_GCM,data:OA7nqw==,iv:9BcE5Bf9QDf3kzA4Xbf0XkbkFjGAv6id7vdSI12wRm8=,tag:QN7o1eEbGSTvrGGBzzouSg==,type:str]
+    AUTHENTICATION_GUARD: ENC[AES256_GCM,data:wsQZSzAP0hE4o9DAwNtwSEM=,iv:U6513HaOzDDlCehFuSs8ey0KFWup9S8tAYiSX89EyNg=,tag:i5q9W6uglFZ9bKc2f4QPvQ==,type:str]
+    AUTHENTICATION_GUARD_HEADER: ENC[AES256_GCM,data:0GfWuR+1RhLsED/T5iEDYV3tkmx2wA==,iv:x/6xxFAv5+J8e55a9JnIZ49v/FJRL066rSf2bBxhHHU=,tag:hAhhsDDMeM29b8iMx3xwqA==,type:str]
+    BROADCAST_DRIVER: ENC[AES256_GCM,data:2iYs,iv:5oeuA+08uDRSJyLwwkdFC2q4LZKNs2OSoQjsnIX0aYY=,tag:m2ybfxtY98j39sBnax7IVA==,type:str]
+    CACHE_DRIVER: ENC[AES256_GCM,data:2lv9YGE=,iv:xuk6ih2wApMuWJIlm9clwYCnMR973lG7EOHDUZtlDvc=,tag:cdEh6/zAZ+7IcQMvHojgXQ==,type:str]
+    CACHE_PREFIX: ENC[AES256_GCM,data:OS/jr/Qo5A==,iv:wLeRO4uAo+HHB/1tK3m4MEeefmMRTc0+aTYuUGGrYyg=,tag:8cv8oxfwMkTeZ8+JsCoWVA==,type:str]
+    COOKIE_PATH: ENC[AES256_GCM,data:pQ==,iv:5QR02hlvi9n/gl6LLdSR2HSybzohlCisq51+QzUJv1k=,tag:hpwUD0ctU0pX7S+V6UNz/w==,type:str]
+    COOKIE_SAMESITE: ENC[AES256_GCM,data:HNlS,iv:f/kbAOVyWFEH6yKr+N3zM+9tNQQCpQA7/iKAg8ejFdk=,tag:g1rmzfnWSYIzxFJA0l/uUA==,type:str]
+    COOKIE_SECURE: ENC[AES256_GCM,data:fxJkE2M=,iv:0JXgzyybtMtIgxh6VSwAS5oehpVMFkLKvJFOBDcwhVM=,tag:RAhNUuJKOho6bvXJyNT6cg==,type:str]
+    DB_CONNECTION: ENC[AES256_GCM,data:Y7b+kts=,iv:1vZBNoO4O0Z8LPH3ZPSDpx49jtbQOEl6+BitbKyat4A=,tag:eOUpSlZGZKM0LPHdZMjb+Q==,type:str]
+    DB_DATABASE: ENC[AES256_GCM,data:1rRtAXfMaA==,iv:vErtoqpi1KsHVL0nQ6x2MVNe6JCKxjCxivXXjtUT6Uw=,tag:AYxHWADlGq4NHbcVx8QcHg==,type:str]
+    DB_HOST: ENC[AES256_GCM,data:sjYDEi8q4bAgpdnxin6yDBtNJw==,iv:6rxqBNvXSsE+2oxWbwiztmlxtKP8C0aeYMdmuGTyF/g=,tag:lRB3EwV4vwa64CI3xqi2lQ==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:PeysFTbHeZHTnkn0XlJ58AMZbS3EzANUQ8UnhQXRIoU=,iv:NM8c3dx8TlQkPVJGECnyg2L6JM7CQwlx/LQ59x15dY0=,tag:xuLow/AXp+yOUm4hO2527g==,type:str]
+    DB_PORT: ENC[AES256_GCM,data:yXp98w==,iv:a/jbQI7/3QMKaSJRiZGhdYBzdIzyNA0M3sL83bD/1is=,tag:PxauXvxyQlNo8EaFMzdjKg==,type:str]
+    DB_USERNAME: ENC[AES256_GCM,data:UOz2K8KusA==,iv:75KRLL7F0mtzESvfvVaIJiBqAz1i8JIcS2VwAMm3KVE=,tag:HmjzrLg4hLuAjQ88U3CDbw==,type:str]
+    DEFAULT_LANGUAGE: ENC[AES256_GCM,data:U2qo/Z0=,iv:duSb5g58hXy+BjmU51cWVc2APmz/THtQrmfKyWJL8Xs=,tag:3578FhaZxtyLXjFOJA7sVQ==,type:str]
+    DEFAULT_LOCALE: ENC[AES256_GCM,data:DX3VePo=,iv:d3P66DEPoI3yiZj00YaYVEsu9zCSQ+Nz0vCOxJjfkNk=,tag:JNeGcODHleBBOJrewOWq2w==,type:str]
+    DISABLE_CSP_HEADER: ENC[AES256_GCM,data:mS45ZNE=,iv:7twp7yAggJfGDKnoqoi4OY97uMQuOq1Y3y6LFst9qFY=,tag:mselnIDI/OzNplWsdq2YlA==,type:str]
+    DISABLE_FRAME_HEADER: ENC[AES256_GCM,data:lIO+3IU=,iv:/jCBrh9pxsNouU+glpvXqEXI3veHsqaHWkSDEJcJzHI=,tag:JHWUyPl6Ir+XczlkEm/xsw==,type:str]
+    DKR_BUILD_LOCALE: ENC[AES256_GCM,data:43nBSlc=,iv:pylnsBF4HORItmtHxLxaXjojdyazm1rseMtqgTwwX8k=,tag:mi7eWamr3l/H+foZUJYsJg==,type:str]
+    DKR_CHECK_SQLITE: ENC[AES256_GCM,data:TssvPA==,iv:N6kVxo9w7pjUy5PSt0nF3yPS7imaKaWbizPZdMv7rKQ=,tag:DpWzkfkFbFaQpuLTirsP1g==,type:str]
+    DKR_RUN_MIGRATION: ENC[AES256_GCM,data:6+nNEA==,iv:TxFrPKxoaN/neoRK09F5SJswfh+ULHw/tFQz+ouOOsU=,tag:UsMPAYDhgccBtBUAXxTNaQ==,type:str]
+    DKR_RUN_PASSPORT_INSTALL: ENC[AES256_GCM,data:rA1uHQ==,iv:TKV5pRA65C8FNHOrpzx90qA7maX5ld3aLCv/PrQamII=,tag:bqtT9pqHILiV1AEzkkYk5Q==,type:str]
+    DKR_RUN_REPORT: ENC[AES256_GCM,data:bqE/+A==,iv:PWlGji8/zVoosDeoWaTG4f9rDJwKOilwENI1JtzatPA=,tag:cHCeTgnB7c0TZ+9bSxFW4A==,type:str]
+    DKR_RUN_UPGRADE: ENC[AES256_GCM,data:76w+1w==,iv:XZwFW5WoWRBhfgM8Jf71IAEsWJxaWj6nmzh4arjV9IY=,tag:wm49cS3mMPPj0l7rNRm7nA==,type:str]
+    DKR_RUN_VERIFY: ENC[AES256_GCM,data:GE3u0A==,iv:hZc9+yCN781Hm/M6UrzAnFELJopG/m0PTaHCwJuK4Ic=,tag:SwJ/ujTY9VsrS8payg5FbA==,type:str]
+    ENABLE_EXTERNAL_MAP: ENC[AES256_GCM,data:jwbL3WE=,iv:EmuPlxlldYIK57w44oeiOUx4dNUx88avn/MXGw0khqk=,tag:6UqgxY3eTE/DQ4znx5NNzw==,type:str]
+    ENABLE_EXTERNAL_RATES: ENC[AES256_GCM,data://NWaSg=,iv:l1k7TLg2d4impHiGyHtVmXFBpHSK1X+MIIMEvqHmFCc=,tag:7FX96H6R+ez0corFjpzoWA==,type:str]
+    FIREFLY_III_LAYOUT: ENC[AES256_GCM,data:KGo=,iv:xvBorcd8fPvlGYeomuexZBtORPc7LJRII9pYP1ZNBsg=,tag:ibFX6k0a12rXElxRODc1YA==,type:str]
+    IS_HEROKU: ENC[AES256_GCM,data:Ffu4Sro=,iv:Q5txv1a/DcH+Utlr12zQJUBy4vlcdxcHFsNDWuWVOeU=,tag:NTay0IKz6s7a9dFpx1BZ+w==,type:str]
+    LOG_CHANNEL: ENC[AES256_GCM,data:Njfav/E=,iv:xwccazZYrtARU7xKooAnBKJcCDJH5xUSN0C+nIs8Pos=,tag:jI3pelMMZQQ37uuUmUmENQ==,type:str]
+    MAIL_FROM: ENC[AES256_GCM,data:ILVOrph55Ku8pIfsHtU8DjMuUjo=,iv:c4wzRvDugyRUbKZKq/fgQ2eP3CJ1wJzkQo89tBCZ0WU=,tag:tx2lUsnCBbYIk0h4gL/CBA==,type:str]
+    MAIL_MAILER: ENC[AES256_GCM,data:rdoZ,iv:NBi4YtbtTkDJHQmXBu9lGUfCWhfRgtYLI3UCayMpq2k=,tag:o+cXYLXlJ0bWVQAPr85CJA==,type:str]
+    MAIL_PORT: ENC[AES256_GCM,data:lffjiQ==,iv:GsZWiMZGuhpPJfX6vPcr3PKuq2YXS3oQ8v8NojufyKk=,tag:rHcfDoLZdU5wCQR4g/qV6A==,type:str]
+    MAILGUN_ENDPOINT: ENC[AES256_GCM,data:rrw7Rwjo//tdEyxN98pE,iv:3aeAQM4RV5hDFfZ08voXgk7IrejoM8YACluo75AmRrE=,tag:cAmTiI0vPAnY7NX+YlM6Og==,type:str]
+    MAP_DEFAULT_LAT: ENC[AES256_GCM,data:i8I6LaPPLFoi,iv:sG6dP5GS2G6kGXEsn8P3KJmyEThJ73WIN2gkMJwNDBA=,tag:uefjbg5pZdIIONBklcsSyw==,type:str]
+    MAP_DEFAULT_LONG: ENC[AES256_GCM,data:+ESO4h6cGSE=,iv:hAFNmDfc6XWnQbpLQXjUsdZSOwPu964MlFBXYsNr9O0=,tag:iXfs5Z+Ojojzp2H2u1kHxA==,type:str]
+    MAP_DEFAULT_ZOOM: ENC[AES256_GCM,data:zw==,iv:soYKokimSKxSS0x9nM7GcZfpXtwxjuXVls+KFh61w30=,tag:ryX2Rj1TakKRfynh7bFEtw==,type:str]
+    MYSQL_SSL_CAPATH: ENC[AES256_GCM,data:Mo68CXbhV7kK5ZGi5MS8,iv:pVKSl5Tu8xzZVk4FX0DIA3vpVYZ9V0RXtfkoUTYeAAU=,tag:bez1DYHFlOn5TZ/oz7F6fQ==,type:str]
+    MYSQL_SSL_VERIFY_SERVER_CERT: ENC[AES256_GCM,data:DT7Jow==,iv:ZEOzfc0IepdvDNo2vWanOsYAT4EGLvFnSpL8qiiOwes=,tag:eEilJ8cwgCer7H/8qpDPgg==,type:str]
+    MYSQL_USE_SSL: ENC[AES256_GCM,data:rsKgGpE=,iv:nEJbHiaqOvVauAtCyL6uvfmkAmgvjjSFb28L3/j1PmU=,tag:6d5whsZ30buXkc0W4+5JIg==,type:str]
+    PGSQL_SCHEMA: ENC[AES256_GCM,data:pmFdRyiy,iv:mYXXlj7R7T3RTuK7QNRKiY6HwCezQYaMpn6de0st+FA=,tag:xFs7kAnFuRjDVRjKyyrJOw==,type:str]
+    PGSQL_SSL_MODE: ENC[AES256_GCM,data:/spE//X3,iv:qCBP7fJVFixBrB1ApGti1Nq0S87RcVxpHqmPBW9GuWU=,tag:MyCEseplfPX9PNdoqGLvmw==,type:str]
+    QUEUE_DRIVER: ENC[AES256_GCM,data:tTmRSg==,iv:2KdDPsJ9PlyHsVsFdknC7A4cShE5bBBpRxWslF/0wgY=,tag:7QN0MlfyoDyukmAgmgQvxg==,type:str]
+    REDIS_CACHE_DB: ENC[AES256_GCM,data:9w==,iv:MKfWJO941vxlJ0VP/0ob9JeFnHkI+okOkd/ifxkbKTA=,tag:PyyjVTRCUSvZxpHekP9ENQ==,type:str]
+    REDIS_DB: ENC[AES256_GCM,data:Bw==,iv:h3v/+cO1W7eGDAGjVtgeDh8UekMg+ZvIRkNZx+iE/Es=,tag:nF143FAtE181ZJfAjtau7A==,type:str]
+    REDIS_HOST: ENC[AES256_GCM,data:7hVDI2P+443UGlw/jyBFmNTDBM2p,iv:sbLD+/wdDEiKYpR3ttrey6HTlI5n76trH3wZjU7s3uQ=,tag:qZP1nb9+tOr7Lm4i9HR4wg==,type:str]
+    REDIS_PASSWORD: ENC[AES256_GCM,data:/i9UM5Cx6h61xbDQ//ocmW1BtmT0LILnwwemOwaTTkw=,iv:FINFRW1006Ljnb1JSi+Ctae3Jw9xR5EW73Ut8FCNfHI=,tag:+6raDqY1TgQQgbkcCcbCLg==,type:str]
+    REDIS_PORT: ENC[AES256_GCM,data:ME1O4Q==,iv:FhqTqv645wnhhQdGW0IsemeXOlJuCKjbMa3tBw0kueI=,tag:b7TdkDklkFwE/X3lE6XZGA==,type:str]
+    REDIS_SCHEME: ENC[AES256_GCM,data:puE6,iv:XvOpz9QO7Fn14bbHT8L2p0HquNxIzxomN3Bg3K2NOQY=,tag:qerZcGVGKXW+YAyj6RK9Tg==,type:str]
+    SEND_ERROR_MESSAGE: ENC[AES256_GCM,data:9xoXVw==,iv:m20IvyDsNzw7v3U8Ai34MhhxrIUGnU3OK9LHwZAdlJo=,tag:BgrhqBiqc9RYo9EzOCvSsw==,type:str]
+    SEND_REPORT_JOURNALS: ENC[AES256_GCM,data:+ErZjA==,iv:dcrc2+U7MoSBQ3b7w2qe0wIb50AbLDQ8/N9TK03ub5o=,tag:ub6+5g77qZxq8IjxDmk7og==,type:str]
+    SESSION_DRIVER: ENC[AES256_GCM,data:QlF9bSQ=,iv:I1cjDE4EFVG166ISZaNuM0eFMs6U55y7LUl2cVIONrI=,tag:VxKEC67A3Y0IRNKJ/nZV0g==,type:str]
+    SITE_OWNER: ENC[AES256_GCM,data:KbzTQ/QdlMmxnSDr1mCo4EG9,iv:287MEAzZFE3+zp3bWWA5Y2u3w7iQH+7AAZ812I4Elx0=,tag:TlljmsgLww7EJIBMdDrKvA==,type:str]
+    TRUSTED_PROXIES: ENC[AES256_GCM,data:cAU=,iv:MBL/z8pmM2CxlDT1sY4my2gC3jsDo6O1NSa11w3en5U=,tag:zqzHOR69HT3+U7tQOFQQSw==,type:str]
+    TZ: ENC[AES256_GCM,data:45gLKxH0OsAfMPkgnjKgWQ==,iv:P9CUovVI4WSfZi1nyFHVzHJ7Oioai1FUZRcgBNhQb64=,tag:S7IF8Oxg7hYNcT0mcgkg7Q==,type:str]
+    STATIC_CRON_TOKEN: ENC[AES256_GCM,data:1xck+8s3ifQmregeKU6891pErxZy86fO0I6XPE83l3o=,iv:XSsCSJkkGwG12f2lhd6IDl07OLVCW8J/945acFP99lA=,tag:XNxSQGyHvR/6/A3EVT69gg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-06-17T19:05:29Z"
+    mac: ENC[AES256_GCM,data:GWtQz5/wKpk38ZYLwn+kGyCT8hFo2SmoaI9vuEFju6N9ipJW1MNQONqTx/Qa8Cje8pT7xIxdoTf+23PaFG91v/gcilMCYjE+OFnVBk80d6ZBTXiSmoQ0DYO3hWiXyMfXTJ1OPqExOkY09QSAfXOrN0JphnWpPNZnaVuxMJZS/Og=,iv:/QbEi6hhsPpeSa5bOxPObP8UUpAwA/I6wU8VXQ6NcOc=,tag:FYYj1y/zTl82SVva0oauuA==,type:str]
+    pgp:
+        - created_at: "2023-06-19T18:36:01Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//So248m5bmfJG0gp5ZIAK2dVhH44xEg/6yzZ6TC9W4px2
+            SPqB+gmwswX64NGcGZQ8LQZExyy2poxh7lfQHIdsv2QSTbf0vmOZqG9L7Fv/DSU0
+            EnUpt04K1yyVyW09tlcE/SIyMy9HhWyH0vZfwqHc/pHnaAhZKEuBH+kFiNPz4Bfd
+            xtXeieOGYV9ois2vM2NFNohEagrkbpMb8ZEOrWlB8+ZJZhkIeNc2kA+w0n0TEEtR
+            WefrBwear6YloK89hEfWRdJYksfKvOsU7U+L6MKpMxqGBIpLIV5kTifRAt8pdrNX
+            m7MY/laTWcqTp1VXUMZQUq+tCa/jjIh4MDvmzGcrRfhSLDvkFz8W43yHvy/hTKgc
+            nes55vhrWK9ABcZ5sZ3xdfH3ys3tODUsUkaLALaCbXUdg15cQRwvdNkgHou/oY26
+            jAc38EpeBEtIpkH+nBHLgbflFkElqOcpcS/5OR4mL0dGQ0EhhYTzxES+jcVYg9ka
+            Na163uPvhNnFNMUACKsDU/u2WngU8B5ISjlsiX9EkbKqDgHrLSJywKcoYESgnU/K
+            q+24HIFH8cmghRYJZ7SXDahsEw8VrcqQEWTSMM4YnwJeBZH9pjeUK6RySLHxK9F7
+            rK2djzc6so2Lk/AhYot9FNNwXWqrBKQq7kjFF8Mr6ALydZgst/tSBPtpTxpADZDU
+            aAEJAhDuDefWmaUMfyK+B21JoUTJtAp1icQZrIFg+mTH+qDWPXdpM1qsaci59aq/
+            vkML3TwjiytUNRMVORlLPv2z8adUuXIgPx8yEclTxCDKM3bqIfVs1xj2GAItyO4K
+            XYBV8oIdHegO
+            =GI4b
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-06-19T18:36:01Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAApwoZ01GS0soprXAf20Ye1XQVLIFvIuYjub01ibNZmb3m
+            uJiPyClzMqcjy6TKWvCc6sT1W5DQ3aY9E1ARhgwR/yaIZ31WvNcnLczaOACHPlaW
+            7e4o9tauN8CYpQqPmTxDyQehKe1EbWqq+63FRAUV0+9qEY/ACCwNtv1HCa2dgyto
+            0I6v/BmW+KJ10iGCsRv8g5IgPSjYT66a2fsDg24kjtqygHwZ5BPe6xUBJ7zxCmVT
+            z/3WKaNx5Rdv8l45QQcl2fe1qNNdljJNgowCq23uODcQPJPGEY4wOeYHOlGTKE+E
+            JojnysVUhILhZtTZ5/AcP36RCzMDGQX7wYtvwh6bgf4qf4InX8+O/WK3u+jOreUl
+            zbcy/lB7bsQ0usZNPsfy2Qh2LPlziBce9JtkPnWXBwS+lZUCXKDS8pizmj7DZnlo
+            +3L1f26rn21ye/iOyBArzVmqI4QLJzHJI7l6TZgvvv1dZKHyLW5jCHSq4f098roO
+            kIKxRThFvTZ9jqM7uDYGiAsGt1L7p+HJRY5WdAVGEaL8jWADW7jjF8qTF3BJ05A9
+            OgnRxIew6ofB5WeYSrU5dn5di6pTNI6bqHVHbZf3BTrGwdpqsAcniUtDM1FAdU/4
+            QtB7tXNAYV+ZTDez/MMm7l1xKS6FpPbM5ZUtrcv27I51e2HAyYSsj6FNWWyvXEbU
+            aAEJAhCfDkAnvink2rBria46BR0IPWSLaVEpnusa/OED/Xw4EEgiFq3XonPTHaqG
+            iXSfeD0XauMxpLan+YesEv9SRP3ef9iX5OGNwVPpIDlkOyUztBWtf3I7tP2LCf2p
+            /GKlxeQfAlpx
+            =zWYo
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/default/fireflyiii/helm-release.yaml

@@ -60,7 +60,8 @@ spec:
               port: http
 
     persistence:
-      uploads:
-        existingClaim: fireflyiii
+      firefly-uploads:
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/fireflyiii-uploads
         globalMounts:
         - path: /var/www/html/storage/upload

cluster/apps/default/fireflyiii/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../../../../common/templates/volsync
 - ./env-secret.sops.yaml
 - ./helm-release.yaml
 - ./daily-cronjob.yaml

cluster/apps/default/huginn/agent-helm-release.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: huginn-agent
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    controllers:
+      main:
+        replicas: 1
+
+        pod:
+          securityContext:
+            runAsNonRoot: true
+
+        containers:
+          main:
+            image:
+              repository: ghcr.io/huginn/huginn-single-process
+              tag: 5a1509b51188e0d16868be893c983d6fcfd232a5
+
+            command:
+            - /scripts/init
+            - bin/threaded.rb
+
+            envFrom:
+              - secretRef:
+                  name: huginn-env
+              - configMapRef:
+                  name: huginn-env

cluster/apps/default/huginn/env-configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: huginn-env
+  namespace: default
+data:
+  DATABASE_ADAPTER: postgresql
+  DATABASE_HOST: postgresql.database
+  DATABASE_PORT: "5432"
+
+  DATABASE_NAME: huginn
+  DATABASE_RECONNECT: "true"
+  # Specified in huginn-env secret
+  # DATABASE_USERNAME:
+  # DATABASE_PASSWORD:
+
+  #TIMEZONE: ${SERVER_TIMEZONE}
+  USE_GRAPHVIZ_DOT: dot
+  USE_EVERNOTE_SANDBOX: "false" # set to production
+  RAILS_ENV: production

cluster/apps/default/huginn/env-secret.sops.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: huginn-env
+    namespace: default
+stringData:
+    DATABASE_USERNAME: ENC[AES256_GCM,data:A6RuH7pB,iv:4z8M69BoZYgqR59yjkrGVd0AUOh6NOW5ZGFbfGpvosc=,tag:HRRKFI1+mmhMkvuG61pdaw==,type:str]
+    DATABASE_PASSWORD: ENC[AES256_GCM,data:TO7uqOTgfzgJYxN3nTEA4JOEvERxUxW76yOi6Z9VsRc=,iv:4bkvJ0vif3XCUVx3JzorINMEbqKQYBPtgtVv/OmalJY=,tag:5eaWjHnAYRvI7MHHPXBIQA==,type:str]
+    APP_SECRET_TOKEN: ENC[AES256_GCM,data:GA3wu5hzEi2r1+6wexoUvcUQthGY5k3Kd+Z2n+lzV2g=,iv:S8QuYptftRCQC/RPbmXszjj0qRNKUV6Y5D7DN8rJWdI=,tag:hUpJmiV3URY0UtOQSyeJmQ==,type:str]
+    INVITATION_CODE: ENC[AES256_GCM,data:ezN29tOtIk/OJQ==,iv:Z+AqXtnXpWt3+9/L11iqmm8sc4GTgRcTgKKTUF9IYwE=,tag:zUpOCmye9OHNawXXTqLD9Q==,type:str]
+    EMAIL_FROM_ADDRESS: ENC[AES256_GCM,data:aeK0qY4i3uIBhVuuYLedbvr38Q==,iv:ZyxfaPbKlfb07iEFSnCMY+F5AifoVL8X7HM7Dvu23Qw=,tag:e2kILALAxYxaKTNeH1MQMg==,type:str]
+    SMTP_DOMAIN: ENC[AES256_GCM,data:8AMaSW7m4bHMqwSz,iv:DaLYKjFM9oTgTii00GMVF2Rlh/P5SPqAQuY2C/XMzxk=,tag:iu0sDbNKdLrBhudyAX/7hg==,type:str]
+    SMTP_USER_NAME: ENC[AES256_GCM,data:x2/Wog==,iv:Fc+QRTP92p6HxiOAy3nBdeMKoDobqGiR75ItrzAf2Ko=,tag:IG1WGpV+cgGqHMGvKLmiGw==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:O+bq0g==,iv:xjsFSVHbAWuNUqnDT3kb1XT5s4vPE1zrYm9FmV7FU8Y=,tag:V/grs3E3Fx/5jok/lf+JZA==,type:str]
+    SMTP_SERVER: ENC[AES256_GCM,data:sLVY5gUk7oY58xJl,iv:J7gcsjoyxFiJ0n+G11Fio6joQdASwZrz9vwdoRvEjLY=,tag:4cosvns1L6/HpcjTODDNDg==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:9ZLrpg==,iv:xIK1TtgDLYFjkbqSHOvdYKmI7GtiUmJPiWt1WUcp9RI=,tag:GG3iWUgSTCv6qbZYxwstoQ==,type:str]
+    SMTP_AUTHENTICATION: ENC[AES256_GCM,data:arhdhg==,iv:iZSNOELFLCMDyVxNPibC+SvBddDoWIxD9lA0o8LAe08=,tag:t0W13mTb5VL8Nq+9w2iX3Q==,type:str]
+    SMTP_ENABLE_STARTTLS_AUTO: ENC[AES256_GCM,data:DsRGQ8c=,iv:KwCJe1KvZlrAk1alRkgFF/OvXfYlBBbM58cbNVfqEWU=,tag:cinvnnNsUfzBpWXHsHG/IQ==,type:str]
+    SMTP_SSL: ENC[AES256_GCM,data:x6JRGMg=,iv:jeTOarB4M2OZ7iQ5U8JHJ+FzURZ2LIeWdkhpcvnUH50=,tag:qC41c2KDTuJ4Cj8E8jhNmw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-06-05T22:05:10Z"
+    mac: ENC[AES256_GCM,data:Rv4NKArcUuSRcQiMTjE9WXfBgbXn8U+wt67V1AZ4p9k794PKR15GW43Tint8niiglo93cicIy0+JrnEK50s7R8JQFqu5tqmOstzXevfkMuHpwFaD8kPZ0OceNaY2U5zZxQcGhQ4rV+9wC1OTvjUyer6jhsiKzdqIu2akaq6RJQI=,iv:Ulf6if09b/XMgiO3oLvms89X1WbuC+4BLu1P7QHxg50=,tag:wRgwk/rscGOrwjnzfJ5c+w==,type:str]
+    pgp:
+        - created_at: "2024-06-05T22:05:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ/5AQCRpokmeZfbBorMK8LJfZure8BAaJlD/p59X/p3vIm8
+            kXwcCY1/6QZwUhZBRELCPnXLYO3BcNQ+SA2xGhLTgs6GyBpkl8dlpijGq+Ve5ltH
+            iJnst0CDUUTD9/Ah0iSZir3zbdI95DxVCoI0UjAlkVYmwiy3P4ItcsCVJsaFVaWy
+            iaHuGKHMAdLPgGxFI8iWu6vyVTxNbclplUEdgd9TvsXe841+yukhEtRjl9DH2OTy
+            ptN8T2645wJ18K8T62kHHCxwl2AiV+olasOQ8S8K1iQF5OEyIZqm/rmu3Nm/6PW6
+            ahl+o57OQjdjUpV795777mFu3jegUzfiy4kVhhIy9lRdaGYHSNbO8L/LmpM5s23J
+            1PCYWVMJ57AT1gWAWNsaSmVS/kueyrp2B4mYFA5BvAQ7imXxs9K0v2AZgt+MGtLv
+            2goLzZ27r2p7yEA15F9GP78aL7ifUjk1D923Vyf2+HC4KCWfoNshYSMiCQsNKeAR
+            dmFOD0mIBa60QNceJBceN9ps9cWvtPKryz3pNfsvfEGyQTJg2cf2I60Bw7CSjnFR
+            aeyQRuUS8Zev7y3h/dNF1Ve2GWywnJ/ZAhKhG/Q4jlM8FXYi/zgYtPHjV6o668W2
+            uFi3we3AhVrh+vUhTR/ZAIg7NVlLVR1MVlwK4IbJNEL5RgBwf8B6XhitQC7KewaF
+            AgwDXjg0p2IN1X8BD/9ZDBYQJsOk07krlTuxU+oF+gg9kQk3FxiM8G9kCbuhvR5u
+            9LZd7tMI/NXWEyS6WLP2QbyJiErQvyqzPqyn/zcW6c1MypRg2nTMh5OKGAfotM7d
+            Dsd1DVs2I/TzoQqX2dl92lRuAFcjmi9LlW+05+z6tLZjm5yaB4rhQLD9tdtGukMO
+            zdNPJHmbxEWFxwnfUR9JREyWFsNjV4fSgtm0/XFnCULSyqVpdWLRWERw3BLNsmzw
+            /wEOkDd/JP0C0/xuAqw3HGI2R+p1adBGwfkhENKmqgO4XgCp/pVbkfUePuXxWn/e
+            55ff0iZPC1NnLfOhAt1FFXXZUAKhSpDPl5VDriahSEqMv41JmiU2woeUiuP01mb/
+            PZlXpszjJTu56BUSUbbDOQ3FUyQKrpy5NUz+sYA7YIHvVzyWDEv4Jzztr5XvLZcn
+            VBUa4bAcl7G3eiTQjIu+QoySQIjCMzFhplvjK4iwsXUAXTclqgJUPvQ2iOhywSko
+            BHGCfxmd2MXbpO6NCa7kVCUTbm4ePIRGQJe2K3+3Xx7pd0bg+PJHS61VxE5A5kN8
+            jev+wxE+Bl3HxprrSFiB7DtwAutaF569xqtAEfMAt8cax+hfY9i5xV4LSpjOotnR
+            OQ3wD0LNlfx65bv3+YpC0xCdOyUCgXOIrHihJwbIeYl33K0Mad4Ngznu0fiRdtRo
+            AQkCEPZOW52judqMFZnDZPir6sdNdPmYhk1czq4+zGONslvtGBKVH7LXEIBILfWF
+            vKDcauOEB7q3CGw+Ulvxb7k5niGXd4wOQVyy3XsseC9d9ySTly7GqadBnDlnPNA3
+            EhMj5jiT3Bg=
+            =7JSg
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-06-05T22:05:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ//dfQv+1InUlRtaU4PNYAHjy2rLWBlC3oo9+wGgbYkvs9K
+            +10hx4dP7MMExPnDnTz9DHmwUg0rcxA3BfuvN+tdOTOZ1E0mTuwP+UMBKEayB4Fm
+            kFjzUKqxqW2hDmxK9FSmQkGZlan/A/kw4+atqRTO5hcMMl+OdCw2IjEuEAAHwNsN
+            hEK19PNqyLSWQUOWq2m38KpoFGEth+ZbbryRZF1ToZxfgBxHo3tCxUYmJaF/pVAB
+            vbAOHLrbWGnoKbfo7yShod5KRrdRMKIx/9YMmgscoy0aWDwXnpc04eq1Bn3TbUPi
+            AIWfIiyMTGAlLAw0TNZIrIu1KSdWicWFbJbI5Z7R6lPfjTj74u663jSA4NyhgCCz
+            hNyCTq43VymVybJRKC6RSdTL0QG7enPfAZVFIkXlA6klnzYlQCrxfAKA9OzKQ0ie
+            TshNKl6DRC4eZoWceIqLK1GUP3pWxXwhFLDdyORLtpN9n4+F6yl8prU+ht7dmjqD
+            n3PbFq07514f/0OHWNMxKa9efOS2cb6/ZsWiCK4lVxqdfoxe47wKd1A1SVOZEfRM
+            wo2Gvm8DDdZ6a0gUQ7QdPd48VFbkS50iLrWOd97Oc41xr/fquZvyC1Iux3UjvaAO
+            p1OHEmYabJtSmPDB2YMs5t2TDZ9gIMFfWSc7bf5bd12LQpIwOMH3YlMgVcWkL57U
+            aAEJAhAh7LtGGwat1OsXyJKaTzPuOrx/kbmeSYRrqRyHvKmP5IDjKYybBGnbl1el
+            MHB3rGpe4xdxLQERuTBMLNbH8CBJYPV1wXdT070gokaXZQ01dWto+bEY6Hy+yVF8
+            Q+Wg5cFPTmqK
+            =qs2t
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/apps/default/huginn/helm-release.yaml

@@ -2,7 +2,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: piwigo
+  name: huginn
   namespace: default
 spec:
   interval: 5m
@@ -18,9 +18,9 @@ spec:
   values:
     controllers:
       main:
-#        pod:
-#          securityContext:
-#            runAsNonRoot: true
+        pod:
+          securityContext:
+            runAsNonRoot: true
 #            runAsUser: 10000
 #            runAsGroup: 10000
 #            fsGroup: 10000
@@ -29,13 +29,14 @@ spec:
         containers:
           main:
             image:
-              repository: lscr.io/linuxserver/piwigo
-              tag: 15.5.0
+              repository: ghcr.io/huginn/huginn-single-process
+              tag: 5a1509b51188e0d16868be893c983d6fcfd232a5
 
-            env:
-              PUID: 9000
-              PGID: 9000
-              TZ: ${SERVER_TIMEZONE}
+            envFrom:
+              - secretRef:
+                  name: huginn-env
+              - configMapRef:
+                  name: huginn-env
 
     service:
       app:
@@ -43,28 +44,18 @@ spec:
 
         ports:
           http:
-            port: 80
+            port: 3000
 
     ingress:
       main:
         annotations:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
 
         hosts:
-        - host: "gallery.${SECRET_NEW_DOMAIN}"
+        - host: "huginn.${SECRET_NEW_DOMAIN}"
           paths:
           - path: /
             service:
               identifier: app
               port: http
-
-    persistence:
-      data:
-        existingClaim: piwigo
-        globalMounts:
-        - path: /config
-          subPath: config
-        - path: /gallery
-          subPath: gallery

cluster/apps/default/huginn/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../../../../common/templates/volsync
+- ./env-configmap.sops.yaml
 - ./env-secret.sops.yaml
-- ./helm-release.yaml
+- ./helm-release.yaml
+- ./agent-helm-release.yaml

cluster/apps/default/kustomization.yaml

@@ -1,6 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./self-signed-issuer.yaml
-- ./ca-cert.yaml
-- ./ca-issuer.yaml
+- ./fireflyiii
+- ./cdn
+- ./trilium
+- ./mealie
+- ./huginn
+- ./exim

cluster/apps/default/mealie/helm-release.yaml

@@ -30,7 +30,7 @@ spec:
           main:
             image:
               repository: ghcr.io/mealie-recipes/mealie
-              tag: v2.8.0
+              tag: v1.9.0
 
             env:
               ALLOW_SIGNUP: true
@@ -46,7 +46,7 @@ spec:
               POSTGRES_USER: mealie
               # specified in mealie-env
               # POSTGRES_PASSWORD
-              POSTGRES_SERVER: postgres16-rw.database.svc
+              POSTGRES_SERVER: postgresql.database
               POSTGRES_PORT: 5432
               POSTGRES_DB: mealie
 
@@ -92,6 +92,7 @@ spec:
 
     persistence:
       data:
-        existingClaim: mealie
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/Mealie
         globalMounts:
         - path: /app/data

cluster/apps/default/mealie/kustomization.yaml

@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./env-secret.sops.yaml
-- ./ganymede-conf.yaml
 - ./helm-release.yaml

cluster/apps/default/trilium/helm-release.yaml

@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: trilium
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/zadam/trilium
+      tag: 0.63.7
+
+    env:
+      TRILIUM_PORT: &port 8080
+
+    service:
+      main:
+        ports:
+          http:
+            port: *port
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: &host "notes.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+
+    persistence:
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/trilium
+        mountPath: /home/node/trilium-data

cluster/apps/dev/forgejo-runner/kustomization.yaml

@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./reg-token.sops.yaml
-- ./config.yaml
-- ./runner-dep.yaml
+- ./service-account.yaml
+- ./service.yaml
+- ./runner.yaml

cluster/apps/dev/forgejo-runner/reg-token.sops.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-runner-token
+    namespace: dev
+stringData:
+    token: ENC[AES256_GCM,data:9jDgV6FWMe0l6AL84CxgJbYQaaHeoFp4YokCaLiemRWp0gWIchi+7w==,iv:TfxHPiwKavl03AOn3O9EUsdeTGTSfhAISG51RB3lAMg=,tag:YbJ1ZrB2GLzQNTHpev5Qog==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-06-14T01:48:50Z"
+    mac: ENC[AES256_GCM,data:iYIQUl8hcNDgjvusqdA7VctAiqEI9qc9rtRsvlYieQHqm0ZsnZNmp3Am0uiBtRpnKOhgMQVimfVGQSeUp92FudbCLgKGCvnaEyDN9ejCRleGOWsyAmtsQIjJoNlkfYA98als0sKdK3OXtwSejof4hTdX83zHa6oul7Yo5+BAXzg=,iv:sMrCEVEHoe0B7G92XPGzKRIA8YBkguVN/XjiyWjCZGE=,tag:UzqPr464PwfyT7yZ1DbUyQ==,type:str]
+    pgp:
+        - created_at: "2024-06-14T01:48:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ/+NoUJHW5bR2CXAsW8RFEn44duKfCf2zvk8xvvxeTRPFpy
+            osXhr9dtph9dCO/DiD1fO04qfdpcwUARwT+iUHxhXCMhh3YxK2WX3DrccDswCpVW
+            wx/8GVhRnVgD16A/joanGyNhE11bXE+pwTN+TletEbXa3o3sktiiSKLfIAD+lfQU
+            pR66u9SkgZk0hINw3Ubjj/BF2/y6rGPKOOqZniRc4sgJ3c/PWfKjzQBUT/4WwbBx
+            BwJaAAxkmZJTL944iqaP4lSLgqE5hckmtXSMlZcRSVBLidgWqF6zf+JmXa3Bu96s
+            r4br8XO2AR9BPLhbpTl5CcbvEiIkho9s+DLQt97t0efOlv/fTs1C+9TT9W8I1HMx
+            kB8bJQtX5uWV/2FPhgzwwQmRHMU3cRlfdv5b0nQgatMRMsEPsL65RYmQvakeYjb1
+            4sMAuSmlGSHBnbN4BZX6Bakt47onELADTe+8ECx6JVNMPxltnx3Q0gaEqfWx6tRU
+            EG8YEN/veEmNl2kGwi5hH1WaQIlioKh82FwxqRMHET3U+ru4osfFh4nEyHfsz0YF
+            ckG8h5CKCUZJ+BDZXTarHsa/d7U7FxAlfw6WnhekM6hvJghs2OpHBdJCkO4gL+VH
+            e/uva4MJV+Hq32pRgj5QvH3CvVI/fPe0b9D7kdmSeVBpXrkBeqkqlWDK7CR05auF
+            AgwDXjg0p2IN1X8BD/49nRK47AEuhvSqblkXFm1f3GJ8/KK3fpiB/OUVmgrkqV6E
+            iR6SPTufcfGBJIeMZBC99TFZWllZcDGybA5aFinI6c4fOIbfZAAO0JC4IXrYqWKg
+            5kB5QBjIkXD/7pELwbgiDXU/MuYu/spICY+AwciOowk8JTXV4OU9omTatC85GDFW
+            R131Ids5n5IYIofxiHr3hCuAg8n/pFzTzn6TITtAdVgDlPCdfY+dw2Nm8s1cu4by
+            mElpoVljNv6+SX/pGGxDs46ECZ83zLwr7h49fW1OKfb2tVFq1PvFj6YclxfDcVPp
+            GwSTjy6jELEyGYAWTwyLo3WaZO/iO0UKin1sWHeoPIYgGE2De/KamAr4iqpWXYC6
+            n1EU9bso2omFgZqmPvRt+z+b8yEttOeRmvIH+pXkJgM+Hva+qHBuU1oeYVA+32hm
+            nbxwutIHMX2tA+jOcG+MTjCqTtk0/JmD37Ulr1+KvFnlvidY1Lt7oa755kkpOi/h
+            6il1hpPR0h7pJ1zJceI7GwaUvaX/RCam5pQnPeQ2INUUl3DNiMaC9mjZcqjV5Cgt
+            s4F2WJsIkkZszMM0VCBzwpXYOLkUtX5OprXohqunq+CxfE8jnbS4OPvrFxzqcn9X
+            d4a8GQSUoXT9tbGWt23F1zcrihZJKVZQ1DzL6OXVsZBK8hoi5k3ahkxKZaRNRtRm
+            AQkCEJT2L4bU/KWwQjUQBInUaWWsElNZwy3f5axWXGTpdn3ZoRjjr6cQWCM9Xs1r
+            02fGSMADhLp+RCUuEvhcp71FKjgq+h2kC+z4QS0JT17M0nnlijnXXE4M3819KpmV
+            QXawwt7Y
+            =Bh7C
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-06-14T01:48:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAAp+DJIqWWFMWNaezrX85hHiuHZJjTWjnJIrQ0Bqvvv89d
+            hZENS3PbSN4gVz6NXmZ7obNcdFew2pcF8+zgZrM77DiPoKzpBrvJuy41fgSGYx3Z
+            QFE4w/FgzZ19Ad86AgvzALLNWH0bWZBZtkaPcsQBIdVp4xV9FzgnVOrE20OZgaVc
+            iucedMswCEPXHFbuBkeJZCmUNV06wQWANweZdJ/TC86PN+vKNML5dD7H6Mp6W9cK
+            97vznkxSgQALVWSkqV9KVQW3OuLn68xc2ewTy5ILDAUGrS+US9yz4EKwb6oBG8nF
+            EwEEbxV8sUHRfIp73ub4YD8IxDxdXGZFevZXggpTnZ0BcTyxHQmQ+ukKAn4W9ddI
+            VKq9oHOMgcn4IVvIsybCMoC1ieJSq+ZT+ebRQAgT9Z5f+OMndokBREhVHjBgRl7G
+            NQK/yGBsUTn04hvOW/6T+R4EC9HJCpASQBHfh+WYjBTRMl2icZburQPKZhDJOdzS
+            5YEMToYewqYhJ87/e1++vHsUE2PwAjT1R0zC0h4mpXQliyeYJ5jl3AAJR8YYtRui
+            q1fMgr1a4ZDDJk6abXObzHpEcUanxxD75GedCdmq4JOLdaI2m5c8pdpN3ecx0QbS
+            39jOJW/eAiWsnjWe2Rq9gucB0qRQmUG3338DtRh5W8JC722G20A5E6Txa40nI0fU
+            ZgEJAhA9ZwSEEY2K4+aIZb1+s6ZOQ++a6rC6ymIJRs/gmusw0rO5pfDwpq+8kQU3
+            oGF9VrmwGgSF3zO2Y9iWlPp58sEsNS54PJygBOabgD88W0SqTg490TXxtjIj6HLL
+            JACfvy57bQ==
+            =wTij
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/apps/dev/forgejo-runner/runner.yaml

@@ -0,0 +1,77 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.4/statefulset.json
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: forgejo-runner
+  namespace: dev
+spec:
+  serviceName: forgejo-runner
+  replicas: 5
+  revisionHistoryLimit: 0
+
+  volumeClaimTemplates:
+    - metadata:
+        name: runner-work
+      spec:
+        storageClassName: mainpool-hostpath
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 5Gi
+  
+  persistentVolumeClaimRetentionPolicy:
+    whenScaled: Delete
+    whenDeleted: Delete
+
+  selector:
+    matchLabels:
+      app: forgejo-runner
+
+  template:
+    metadata:
+      labels:
+        app: forgejo-runner
+
+    spec:
+      serviceAccountName: forgejo-runner
+
+      containers:
+        - name: runner
+          image: ghcr.io/christopherhx/gitea-actions-runner:v0.0.12
+          imagePullPolicy: Always
+          
+          env:
+            - name: ACTIONS_RUNNER_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: ACTIONS_RUNNER_CLAIM_NAME
+              value: runner-work-$(ACTIONS_RUNNER_POD_NAME)
+            - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+              value: "true"
+            - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+              value: /home/runner/k8s/index.js
+            - name: GITEA_INSTANCE_URL
+              value: https://git.${SECRET_NEW_DOMAIN}
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-runner-token
+                  key: token
+            - name: GITEA_RUNNER_LABELS
+              value: docker,cluster
+            - name: GITEA_RUNNER_NAME
+              value: cluster-$(ACTIONS_RUNNER_POD_NAME)
+          
+          volumeMounts:
+            - mountPath: /home/runner/_work
+              name: runner-work
+
+          resources:
+            requests:
+              cpu: "10m"
+              memory: "500Mi"
+            limits:
+              cpu: "1"
+              memory: "1Gi"

cluster/apps/dev/forgejo-runner/service-account.yaml

@@ -0,0 +1,43 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.4/role.json
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: forgejo-runner
+  namespace: dev
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch",]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "delete"]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.4/rolebinding.json
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: forgejo-runner
+  namespace: dev
+subjects:
+  - kind: ServiceAccount
+    name: forgejo-runner
+roleRef:
+  kind: Role
+  name: forgejo-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.4/serviceaccount.json
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: forgejo-runner
+  namespace: dev

cluster/apps/dev/forgejo-runner/service.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.4/service.json
+kind: Service
+apiVersion: v1
+metadata:
+  name: forgejo-runner
+  namespace: dev
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: forgejo-runner

cluster/apps/dev/kustomization.yaml

@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
-- ./wildcard-cert.yaml
+- ./woodpecker
+- ./forgejo-runner

cluster/apps/dev/woodpecker/helm-release.yaml

@@ -0,0 +1,83 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: woodpecker
+  namespace: dev
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: woodpecker
+      version: "1.5.0"
+      sourceRef:
+        kind: HelmRepository
+        name: woodpecker-charts
+        namespace: flux-system
+
+  values:
+    agent:
+      enabled: true
+      replicaCount: 4
+
+      extraSecretNamesForEnvFrom:
+      - woodpecker
+
+      # https://github.com/woodpecker-ci/helm/issues/154
+      secrets: {}
+
+      env:
+        WOODPECKER_BACKEND: kubernetes
+        WOODPECKER_SERVER: woodpecker-server.dev.svc.cluster.local:9000
+        WOODPECKER_BACKEND_K8S_NAMESPACE: dev
+        WOODPECKER_BACKEND_K8S_STORAGE_CLASS: mainpool-hostpath
+        WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5G
+        WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
+        WOODPECKER_BACKEND_K8S_POD_LABELS: ""
+        WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: ""
+        WOODPECKER_CONNECT_RETRY_COUNT: "1"
+
+    server:
+      enabled: true
+
+      env:
+        WOODPECKER_HOST: https://ci.${SECRET_NEW_DOMAIN}
+        WOODPECKER_BACKEND_K8S_NAMESPACE: dev
+
+      extraSecretNamesForEnvFrom:
+      - woodpecker
+
+      # https://github.com/woodpecker-ci/helm/issues/154
+      secrets: {}
+
+      persistentVolume:
+        enabled: true
+        size: 10Gi
+        mountPath: '/var/lib/woodpecker'
+        storageClass: mainpool-hostpath
+
+      prometheus:
+        podmonitor:
+          enabled: true
+          interval: 15s
+          labels:
+            release: kube-prometheus-stack
+        rules:
+          enabled: true
+          labels:
+            release: kube-prometheus-stack
+
+      ingress:
+        enabled: true
+        
+        annotations:
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+
+        hosts:
+          - host: &host ci.${SECRET_NEW_DOMAIN}
+            paths:
+              - path: /
+                pathType: Prefix
+        
+        tls:
+          - hosts:
+              - *host

cluster/apps/dev/woodpecker/helm-repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: piraeus
+  name: woodpecker-charts
   namespace: flux-system
 spec:
   interval: 1m
-  url: https://piraeus.io/helm-charts/
+  url: https://woodpecker-ci.org/

cluster/apps/dev/woodpecker/secret.sops.yaml

@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: woodpecker
+    namespace: dev
+stringData:
+    WOODPECKER_ADMIN: ENC[AES256_GCM,data:xWrKbuFDdfI5AzEOqck=,iv:YgZku7F+agkzv7omfBdusHzK7hhwhsI3t6nuDxoz/i4=,tag:z/w/iBphuCwAEaKhQU22/Q==,type:str]
+    WOODPECKER_OPEN: ENC[AES256_GCM,data:qcSw8w==,iv:weQQxyIXn13EiVQmmm1wRBh9n5JQsPQAtGUVlaeGp3M=,tag:h20PUnyRXFMRw+duA70r9A==,type:str]
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:pEKvYUdSIMHevkYWua4MEmK5wZcvR83heTkPLaEoUmR/TMz1uPSUGiHMFIlvI4SPjjK2ydM2zBK2YA/Qo50Xjg==,iv:B05Sc5/f/+pTeK07ch3aNi/B3JmKB6lett8EA1l0qpA=,tag:6rGKCPI5+D72sl40iZQKPA==,type:str]
+    WOODPECKER_GITEA: ENC[AES256_GCM,data:U+Xbdg==,iv:J/HN/XNJJhI3MLqSmlOS/TQ+vK55BuMY733WegKGV5g=,tag:WshRFIEQXBqY/wPHu+EvIg==,type:str]
+    WOODPECKER_GITEA_URL: ENC[AES256_GCM,data:wzf1qN/3bkBg/hP+b9Mz0AgaPrd2NmMpAA==,iv:MVxeEf8bPdP3LAwf5KUXAsIo0eKckQ9q1PkFBcNR3oc=,tag:F2YGLkMrDw34DlG/K0QX9Q==,type:str]
+    WOODPECKER_GITEA_CLIENT: ENC[AES256_GCM,data:mbIyNWL3Cqm0Cj7Zuu47r2HWe38bwMrl0domJC0jlG4Lp+7b,iv:hbRRhqSDfU1lb43VXb2hh+Gvdc5kZfl2BFVzgb8wjaM=,tag:RQl84DALRWy6WdioNyFEAg==,type:str]
+    WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:oQieT/aEaZTVyBkj4nVmpfUSqcJ2wwCH6B3+Gz8TcyCWYRDLZ0jtEO3XnEzQTS6k9nmSd0YoJqo=,iv:p0y+qp4592k2+UKTIeuC2l9+JdjciCkYZXGghoBK9Fo=,tag:xYSNxS2m1+L3ynpTSlQIDg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-23T00:59:04Z"
+    mac: ENC[AES256_GCM,data:YSuq3l6X98ck/VD6jFyuL/wKxpTj5m7nDcRGMov0TNVVo6nIHHwnIAoOUvP1nnDwbgszJO+DDC0Db+33mNpZ6YqUiZCdJ6iwIqeldherUIjwqBkGCZLtNZ76SlJQnMulqcFt3nMG5UiVyw5TUbLDxPEGIau1bXzCRF2j6Q51Fu4=,iv:lnJTWIqbh0l2POWkv773mUUy5sMIunvfs+ztBwus3Lk=,tag:p5KkaHWgRHDG1LVZxbxx8Q==,type:str]
+    pgp:
+        - created_at: "2024-05-23T00:59:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ//Qi52py5A39dcBIHoz9VvM8mjUiRPbRroyURpG3KE+aT6
+            HbGyzo7OT2xTRKM+RLrV/nGBJHkdykvyTAv22M1qnH1GqeUzPKcPE9RKKppMmW07
+            EDMkyJtbXSZrO2/gRQ9XuLN9NRzniboetZPqIWx9iTuYZCUH7Vehm5i5KNHZO2ID
+            i/JkHJ4K6uJ3PwCEbxrYgE+ERj0IWCt1slythfrRuGx9zHPhYeHuNZBRGpqtjpeq
+            eMld88EZYNG8uwuuvYbArxdFTNg0RUBgi+sOYjH7ZiDfs1GKZgGZXWxq2JvpgzA9
+            vr4ssbASKY3NYcwBc9k/g8/n4QsRoYPzIwtTtOIStgfwz0COHXgBLhITZLEfs0TB
+            BzH0JJ++KZBCW+I4NUm6RDNdU2Ps80vxN2JGdRmXYvqtM8XPHSaKhZrbQkudAK7p
+            QdwFx5xJ/kIuGkepEwwLrZHhT9XTN6yGnkmb2yNiWHO2EfD3IcByNi2/DpDpvWL2
+            dQjfRGlTJC+XG3u2drSivYjfJT4JqEaukk3OJV+4Kt/zjPh46W/oQVfub/zv12cJ
+            R+Y4ynQyrlMkroYLDB4A9MzHRWxyvWxpuP59KlU4nVIKgQnQKiGLbn+xxo/TuiIV
+            KA4e9FnYKxXciOJ3egvX2gd4uv/XG/FmyRr+I+vjU4p60KYmP+tIODS8cZusTY+F
+            AgwDXjg0p2IN1X8BD/99maUVaC+WIw28AZ535oOkA/ommMGM0+y0E3pkqhGyp4fU
+            Yra0WsVMcGXVFokrs0lUMagu9htV/S6BtIERw6V3MappAm/+COVwZwuXGavNah1u
+            telD2URybiaB39DGx4tH+YSXtv5ejIj86j7xLsYqZlyPwRQikX8YxGG/lBJoVAy3
+            6l6Z3wDGNAZWMynebJGCAhTEpMO3FvSI/M5vyoupHT4MY580VDitK7379HlfSniu
+            a1sLsc8TxiC7zOkBy08Rix/7NYO1/PKXHxNX+3l7gtpncH87D58c9iLnIH1ozIst
+            CLgvV15BiiHHoHOIIvhYlZKu86fiLNgGQNx1fAS6ZWG8dLwU1+NPDcVJt36j2rcd
+            JQwCNsDloL5s2cdzIC6dtehNbK/zP1wRIL1+W3CCcZRjMPSHFrBb7Du1whhagcxI
+            /j9cV9kGpzSVyEp5xai+IAaIxasiM0Yk2pjgBC1PfoFjvCa0ZMe/L7dq/CTi5t29
+            YJBQNFhJosFuQIQk3zrwI7o41zsvH5aBAc3qL5L+57qLWB7urnzoDO1TSVCS0lBm
+            hH/e/1wNcX5/zlhe8D5Wj0Pd/culrrifLbNGTnk+pPDrPrF2qX7SIJphezurMWhl
+            bCxWpCMTKgR4hY8OXisNQkJNK23QD3Yv/d7Iyp1fgrKFARNEsUV6sbiaZtlN2NRo
+            AQkCEHhPePf6np/Pt9fcpwBhbXWxr2lX2aG2ZKXyo30KEhb4XMeDtrNfS2wCFm5G
+            hF7YAk2yjg3oO2+efBN+mU6B4j4PiCQBeoW8mg5kIT/8QBUv1DISw9x6Ogx1YWO3
+            Wl0MU3lk4hU=
+            =llh6
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-05-23T00:59:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAAhVkZCOiiicIA2RcjkF6ar4pzUeHSMes3fjn5GhEGILbQ
+            mzlEJ6P2Y6yJOd7oViE0BGx3UJVj/KtWUf8UCLVOjO8R9VpP63JX5PSTMmQjq/g1
+            oyxpbuUcBXyu3O5nk9vNv22o6RzAfAm6HKn9hPh/rJjy34XRI1SS/YkjozLA7Wg0
+            X9AOYoCLKiafpL2g4HVWELr21W3gJIkzQCouz92iYpmvFuK0iBR5juzxUBIRl5R8
+            cjgyRS8GIZX9hKrZuNtmFj2+MqalEyMBYDIwNG3CBWJsO+/kQJcj//J4p9Bvo4bp
+            fBkl37GcZHMTO/4Q9XaxDUoXp16hz1UR1NB/RhzjaU+FJ+8WNyCwPqzOaQKY4XXh
+            zQQ3HOVZGjKWLdVYECDCgPxzfAytANzl0OLWfG5hMm+yz9Rg7avBe8AXIvxS50dS
+            6ory/bH0dXwYAOjRRCNYnBbovHSKM0feZlZ+TIb32gAUnyp6B9+USa+Keur8hl05
+            vTZC2Qz+KAeWx+Lnlj81KeRYCpuh8WsEAiYOWUzYXJOFHYGtj7PrftakP0UafWak
+            qseyNhn8fIe/iZdT0z9vD85ab17FwHUkfW8teJruMLKAr+26riZx6mJ8oAqgvsJ7
+            /mFY1JQ+a/k+AyHjXg3DzWEM/w+JeteD++IgYhY0g2PvfsaGn9v234zLwnetoPzU
+            aAEJAhDQvADCSGFGXCLAmDOC10eauBgqkZDCnN5AYXVOV4VUryjRT4+PWhV7w5DF
+            MZrEAMsKh0EzxhNDigzzHCGbcrKoPgFSYoJ4QHIirezN9Veq6e/lMnZTVDzxYjuL
+            +Aju/WQgu2de
+            =XUMm
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/apps/download/bazarr/helm-release.yaml

@@ -16,8 +16,8 @@ spec:
 
   values:
     image:
-      repository: ghcr.io/home-operations/bazarr
-      tag: "1.5.1"
+      repository: ghcr.io/onedr0p/bazarr
+      tag: "1.4.3"
 
     env:
       TZ: America/New_York
@@ -67,4 +67,4 @@ spec:
         cpu: 5m
         memory: 175Mi
       limits:
-        memory: 750Mi
+        memory: 750Mi

cluster/apps/download/kapowarr/helm-release.yaml

@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -9,14 +9,15 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.5.1
+      version: 3.1.0
       sourceRef:
         kind: HelmRepository
         name: bjws-charts
         namespace: flux-system
+
   values:
     controllers:
-      kapowarr:
+      main:
         pod:
           securityContext:
             runAsNonRoot: true
@@ -24,26 +25,29 @@ spec:
             runAsGroup: 10000
             fsGroup: 10000
             fsGroupChangePolicy: OnRootMismatch
+
         containers:
-          app:
+          main:
             image:
               repository: git.seanomik.net/seanomik/kapowarr
-              tag: devel-d973d45 #v1.1.0-python3.10-debug
+              tag: rolling-e74ec0e4
               pullPolicy: Always
 
     service:
       app:
-        controller: kapowarr
+        controller: main
+
         ports:
           http:
             port: 5656
 
     ingress:
-      app:
+      main:
         annotations:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
           traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
         hosts:
         - host: "kapowarr.${SECRET_NEW_DOMAIN}"
           paths:
@@ -53,12 +57,14 @@ spec:
               port: http
 
     persistence:
-      data:
-        existingClaim: kapowarr
-        globalMounts:
-        - path: /data
       storage:
         type: hostPath
         hostPath: /mnt/MainPool/Media
         globalMounts:
         - path: /storage
+
+      config:
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/kapowarr
+        globalMounts:
+        - path: /app/db

cluster/apps/download/kustomization.yaml

@@ -3,18 +3,16 @@ kind: Kustomization
 resources:
 - ./namespace.yaml
 #- ./network_policy.yaml
-- ./qbittorrent/ks.yaml
-- ./qbit-manage/ks.yaml
-- ./radarr/ks.yaml
-- ./sonarr/ks.yaml
+- ./qbittorrent
+- ./qbit-manage
+- ./radarr
+- ./sonarr
 - ./prowlarr
 - ./bazarr
+- ./readarr
 #- ./mylar3
 - ./unpackerr
 - ./media-dashboard.yaml
 - ./flaresolverr
-- ./kapowarr/ks.yaml
-- ./sabnzbd
-- ./lazy-librarian/ks.yaml
-- ./autobrr/ks.yaml
-- ./manga-watch/ks.yaml
+- ./kapowarr
+- ./sabnzbd

cluster/apps/download/mylar3/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: lscr.io/linuxserver/mylar3
-      tag: "0.8.2"
+      tag: "0.8.0"
 
     env:
       TZ: America/New_York

cluster/apps/download/namespace.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: traefik
+  name: download
   labels:
-    name: traefik
+    name: download

cluster/apps/download/prowlarr/helm-release.yaml

@@ -16,13 +16,13 @@ spec:
 
   values:
     image:
-      repository: ghcr.io/home-operations/prowlarr
-      tag: "1.33.1.4997"
+      repository: ghcr.io/onedr0p/prowlarr-develop
+      tag: "1.19.0.4568"
 
     # Metrics sidecar
     sidecars:
       exportarr:
-        image: ghcr.io/onedr0p/exportarr:v2.1.0
+        image: ghcr.io/onedr0p/exportarr:v2.0.1
         args:
         - prowlarr
         ports:
@@ -111,4 +111,4 @@ spec:
         cpu: 2m
         memory: 150Mi
       limits:
-        memory: 500Mi
+        memory: 500Mi

cluster/apps/download/qbit-manage/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: qbit-manage
+  namespace: download
 data:
   config.yml: |-
     commands:

cluster/apps/download/qbit-manage/helm-release.yaml

@@ -0,0 +1,77 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: qbit-manage
+  namespace: download
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    initContainers:
+      # this init container copies the read only config from the configmap volume, into
+      # an emptydir volume mount that the pod can write to.
+      copy-config:
+        image: alpine:3.20
+        command:
+        - /bin/sh
+        - -c
+        - "ls /tmp/config-ro
+          && cp -r /tmp/config-ro/. /tmp/config/
+          && chmod 777 /tmp/config/config.yml
+          && ls /tmp/config"
+        volumeMounts:
+        - name: config-ro
+          mountPath: /tmp/config-ro
+        - name: config
+          mountPath: /tmp/config
+
+    image:
+      repository: bobokun/qbit_manage
+      tag: "v4.1.6"
+
+    env:
+      QBT_STARTUP_DELAY: 45 # seconds
+      QBT_SCHEDULE: 720 # 720min = 12hr
+
+    service:
+      main:
+        enabled: false
+
+    persistence:
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media/Torrents
+        mountPath: /storage/Torrents
+
+      config:
+        enabled: true
+        type: emptyDir
+        defaultMode: 777
+        mountPath: /config
+
+      config-ro:
+        enabled: true
+        type: custom
+        mountPath: /config-ro
+        volumeSpec:
+          configMap:
+            name: qbit-manage
+            items:
+            - key: "config.yml"
+              path: "config.yml"
+
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 10000
+      runAsGroup: 10000
+      fsGroup: 10000
+      fsGroupChangePolicy: OnRootMismatch

cluster/apps/download/qbittorrent/helm-release.yaml

@@ -9,51 +9,60 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.5.1
+      version: 3.1.0
       sourceRef:
         kind: HelmRepository
         name: bjws-charts
         namespace: flux-system
+
   values:
     controllers:
       main:
+
         pod:
           securityContext:
             fsGroup: 10000
             fsGroupChangePolicy: "OnRootMismatch"
+
         containers:
           app:
             image:
               repository: ghcr.io/onedr0p/qbittorrent
-              tag: 5.0.3
+              tag: 4.5.2
+
             env:
-              QBITTORRENT__PORT: &qbitPort 8080
+              QBITTORRENT__PORT: 8080
+
             securityContext:
               runAsGroup: 10000
               runAsUser: 10000
               fsGroup: 10000
               fsGroupChangePolicy: "OnRootMismatch"
-          
+
           gluetun:
             image:
               repository: qmcgaw/gluetun
-              tag: v3.39.1
+              tag: latest
+            
             env:
               FIREWALL_INPUT_PORTS: "8080,17871" # 17871 is the prometheus exporter
-              FIREWALL_VPN_INPUT_PORTS: "41500,50413" # for some reason qbit will randomly switch to 50413
+              FIREWALL_VPN_INPUT_PORTS: "41500"
               HEALTH_VPN_DURATION_INITIAL: "120s"
+            
             envFrom:
             - secretRef:
                 name: qbittorrent-secrets
+
             securityContext:
               capabilities:
                 add:
                 - NET_ADMIN
-          
+
           metrics:
             image:
               repository: caseyscarborough/qbittorrent-exporter
               tag: v1.3.5
+
             env:
               QBITTORRENT_BASE_URL: "http://localhost:8080"
               # safe to have in plain text since qbittorrent is exposed through authentik.
@@ -63,9 +72,11 @@ spec:
     service:
       app:
         controller: main
+
         ports:
           http:
-            port: *qbitPort
+            port: 8080
+
           metrics:
             port: 17871
             protocol: HTTP
@@ -74,8 +85,10 @@ spec:
       app:
         enabled: true
         serviceName: qbittorrent
+
         labels:
           release: kube-prometheus-stack
+        
         endpoints:
         - port: metrics
           scheme: http
@@ -89,13 +102,18 @@ spec:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
           traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
         hosts:
-        - host: "qbit.${SECRET_NEW_DOMAIN}"
+        - host: &host "qbit.${SECRET_NEW_DOMAIN}"
           paths:
           - path: /
             service:
               identifier: app
               port: http
+        
+        tls:
+        - hosts:
+          - *host
 
     persistence:
       storage:
@@ -103,18 +121,21 @@ spec:
         hostPath: /mnt/MainPool/Media/Torrents
         globalMounts:
         - path: /storage/Torrents
+
       config:
-        existingClaim: qbittorrent
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/qbittorrent
         advancedMounts:
           main: # controller name
             app: # container name
             - path: /config
+
       gluetun-tmp:
         type: emptyDir
         advancedMounts:
           main: # controller name
             gluetun: # container name
-              - path: /tmp/gluetun
+              - path: /tmp/gluetun/
             port-manager:
-              - path: /tmp/gluetun
-                readOnly: true
+              - path: /tmp/gluetun/
+                readOnly: true

cluster/apps/download/qbittorrent/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../../../../common/templates/volsync
 - ./qbittorrent-secrets.sops.yaml
 - ./helm-release.yaml
 #- ./qbittorrent-metrics.yaml

cluster/apps/download/qbittorrent/qbittorrent-secrets.sops.yaml

@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: qbittorrent-secrets
+    namespace: download
+stringData:
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:DyL4u0gl,iv:PChVYvi9ROL+2L+W1Xm/RhZqt5BBbjv1DYF/73Ab98A=,tag:zfcDHCGBvB2L0Tn14knLYw==,type:str]
+    VPN_TYPE: ENC[AES256_GCM,data:G9+rhZPNIoYW,iv:aB12VEwY9RRecmf6izYrg52EHL1N5OukbxqaOxh/Frw=,tag:7FI24DGoz/zlHtEQwSnOTg==,type:str]
+    VPN_ENDPOINT_IP: ENC[AES256_GCM,data:kYHhv1gRNgphf/ibZVM=,iv:AGE+eQyxmneJdFY+GCATDIyabFbv3vt+TP2oKffYc+8=,tag:lHNiLbLIzF6yF0ag/BM/kQ==,type:str]
+    VPN_ENDPOINT_PORT: ENC[AES256_GCM,data:q/k5pBQ=,iv:9dRVgqEFnRZ6YAMAYsgZJ7nxrVpSE/jZiD0mj/Cc1qk=,tag:LC5Qjfh9ZzcrSp4aOtda6A==,type:str]
+    WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:TIAuTFXuA6uuUV2ZTNsTLSX8dFe9uQhtbGW1SQJv3/oTl+9Zr3ycDJWQHP8=,iv:D33e5nPNDl8iJ8eS+Xx9gUBGAokeofonhDNTAH8CJkk=,tag:pibbEFzpti/StfPFP/mQfA==,type:str]
+    WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:z9zB3tiMJ7ulYkHTUrAw49+teQohLujuU5229Texg2a6qpr0lbrMomVB4+Q=,iv:3Z7+irLRZtUsARa8eELUSZlHGg0eCufqBWmSFnzZBc8=,tag:zBJllUPVJcEsrj3vgFYAmg==,type:str]
+    WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:U3EWfBcTdquvD5Y=,iv:bVgQXe58b+Qyo8ITlwdkeN6VKBSX6rdL86kt3SWbwXw=,tag:pJupP5YAnV1oY3IPU8lc0Q==,type:str]
+    PUBLICIP_API: ENC[AES256_GCM,data:Xj2wWvGu,iv:RMu52TbPOY6ZbJZ31fdZ+5mriBp7Xx5E9edzyNqKy7w=,tag:Tk2Or32ewmg0wqAvK04zWg==,type:str]
+    PUBLICIP_API_TOKEN: ENC[AES256_GCM,data:gHIzaNQ+ym1q0HKh3zg=,iv:YBtXJ+tcCviAJi3HazfDg5MSRvxIegyYW+nRkW0DMWk=,tag:5tko/Mz1YTgPrx3Yxppygg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-06-14T19:01:52Z"
+    mac: ENC[AES256_GCM,data:pfrO+IfMsKOVDWJqjGIrN+GT7uIoUDSUTfgjL2goxwZHhlwba0jVsfWxIvFusVgIR2kGH3jUPoy1NnSNydMC78YgEN3zNkorDm9jJ7489tfyFw7zu6iEX58fcFRr1XKltPlDdQgNTFmULWuuD0GHHP7QsnYUcRBz+tYV4QheGC0=,iv:XpdrFmphX+3JtmjixRB64SPI7sDrAZD6rpk3ztKQZiE=,tag:yCl9FPVjRu0/SyiMrbsUzA==,type:str]
+    pgp:
+        - created_at: "2024-06-14T19:01:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ//QOK5hJIQsB4QPfO6vQSRaffvCNXa/w7bcsZsIw782/2V
+            mp/D/y4cudM3TGuc7VDQa9Ldwa10dt88pLIjVfWL16uJ91chVco1NkB6elCGyW0B
+            Dn4qR4bluQ9KKNPB67aOCAItbz+DHl3gTGsnI5NUhuwxY+ArRc+ETeUfyI2FP2HI
+            I7K0M2z8Tt2Z97AiLgv09io2Dvfq1NAgZqZz1OGAJvjcZaAaJbCnG7wOi1huxDrP
+            bAZOe8x4+vBOUsYotR0TU3013kptl0307X0cSHYHI8hRd2Kuqv/Py9dBKLdfQsZ9
+            7sa0xfHcjQboeTS3iiTO05OfWiBp2dnh4Yie24olBmjBTlxQLVvUTNyEgWReHff5
+            bJkG1zwrltVI3756d6KqMgIXn/KJJy555Ef7roj9NfJPm4PpG9tvWH8mA5no1d8q
+            1+0GvoMDnqe4qjP69+Y2NfwbN5KE9kIW8TMkJgAA8qZewjantRhCw8f0R/4+SiNO
+            bTAsCKq160aeGQvuZtE5vh+3+5Ctb1fvrUDukyvAZjW00tZia1Geqmn6+Sg6C+IH
+            CXgFR3PLyr+Doz53rvVM4vD82YOV4Cvq+Zo5ppkLXFRSosHcMi70l6qA8x+If4VV
+            L+cx4nWmJaUIwgPmlbp/GyVahMhw8+sKTorVx6llQKvQxg2ufzv/n4TXPxjI2ReF
+            AgwDXjg0p2IN1X8BEACG6MlQinhjwNwsqXAkzPUL1A/kPTozBfCrI45hPz4iziGG
+            NFp4BKm8OxtNObankvvXEhaCq0lvNtvWSqSo7fO69xwSazBrocdNcf6uoe4wLQoA
+            B5ZRqXeuTmC6FuYu22OuQQJCSoBnitWqJBWcBWqpcw1oL2sKRM8/pX1QHk9UE0nE
+            UW3sAdwa2skgws5y9bwQlGoqv6/WDhW3WdpzE50AIHwqHFPqIlcYHbUph33K5ob3
+            vDm3Q8QVWDSR/jG0JUyPK3RpOnDAETir14VoTa8Cyqqhg8vE0gJgp521dcm4OU9o
+            6TtRh7jjzCOnl+Ld6mautegRNiQpVw3/GPPexiYRGuLtG2fgaE0iJhSBKtNiT7R3
+            XQUBDUgEFL2MmBzPBx6R8utPnJl01kUNmXLJoVrP07P1z4UxZ9b9oSaW90kGk5Jc
+            CfW8fxy57zb7x0Eo+mhsGcaNXKG2VpMNHbPgKE5XQRBg0oYZGzG/095ZRGBjFpgI
+            nTYJe9glkQg5y7bEWqK/PzzOHYOYEStJXqeiwD3v6ECYi88tR1zOuzJZC42nU01p
+            jI7s4bB6ifHp9OkbXQUd+hOCGw5K6O7HXvkFgxRBQidqr4slGUuKt7gWGZ0QDQuy
+            6zgoiLz2vRdXusD+sMT61U4PHHVQlVStjCv8Pn85KS6uklQeSr0exvZPsIT/DNRo
+            AQkCELOYT3DH9bRIIeC3MZw7bhEZQX4p7z5Fltxr6U8OWYmtNRq4u+A5Os9n5Lzv
+            mTAVwVt7iM/6UFVPZd4TulIsNTuTg0pHlKySCHqYz8rdu49x1oSXwvQQJ8l5qSHt
+            45FKb9Mbxa8=
+            =QPEw
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-06-14T19:01:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ/+Pho6ggnn21ZFu5YWoebJemPY7+yDc1LaqrPMYlIrUxsK
+            tt8f/BQliG1IN/f7+PZ+2t3x1QenbVMoWZsPrUDRSgUUj59UjC2elEfgoM4deECo
+            vQlVGYw3vQl7thKpwyHxaGm/bX2bYFGqIikkTpWJq2bVuOQZBbeQcaqLZsK+8+ig
+            2cqCKCgimUJHTe6C8NHB9Xs0wWBqyhK+8hp7K5LuTTNPLTAxmWsAMZheWGE4YQrl
+            iu3uZwljxfK9MG8xgxyIOu5yLL0J1PhhM5oxK6ZT37VfwjnYaR6mOKMxc8eAMSbK
+            FC6ykObzXle/cZKM9hI1vGHBS47ePHC3xud4bIEEyUoG97e8CB6x0Keky11lKJeV
+            dWiaezXCWdhNvSBOR1E6kZNuMTNO8TKEa9WbDo6rUNq0BulP1nFTsXzB0KSCIkxg
+            oKrNQGuW+/COWS3dStKv/fWUOUYlJdQ6AXe/1GHhv30hMoX40cejq8BJS0FZDMNu
+            m4DAMm7gPO1UYSXLHHXne+VsEjCdXHMYuiGF5Qa21ahKZySPJlIvRu3Sj88QQRia
+            WeW5oitTfWp/8m7/tIcOyHYJA8tYSlmMxcPiuqH5zkQ1N6m0NwJGKjSUL6VustSH
+            KGcsRcSXG5IWJLZ84V+nfRvztItCfljZXAyNbHR7ZiOXxKMtIiKNnqMmHTv+GxPU
+            aAEJAhCNWB8Fjs65uS2Z8L6e2UdXVH421SvI6XqxDlu966GySrkwmkEpRMe82+hh
+            nPCRVozTG1QYlUXkGQXgvpStkUq2O/ZrOXMmhagkvUPH1WUBIv7hH6rXUGznFSUy
+            t3b3VGLuUjFr
+            =YH9k
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/apps/download/radarr/helm-release.yaml

@@ -0,0 +1,119 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: radarr
+  namespace: download
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/onedr0p/radarr-develop
+      tag: "5.7.0.8882"
+
+    # Metrics sidecar
+    sidecars:
+      exportarr:
+        image: ghcr.io/onedr0p/exportarr:v2.0.1
+        args:
+        - radarr
+        ports:
+        - name: metrics
+          containerPort: 9000
+        env:
+        - name: URL
+          value: "http://localhost"
+        - name: CONFIG
+          value: "/config/config.xml"
+        - name: PORT
+          value: 9000
+        - name: ENABLE_ADDITIONAL_METRICS
+          value: "true"
+        - name: ENABLE_UNKNOWN_QUEUE_ITEMS
+          value: "true"
+        volumeMounts:
+        - name: config
+          mountPath: /config
+          readOnly: true
+      
+    env:
+      TZ: America/New_York
+
+    service:
+      main:
+        labels:
+          app: radarr-service
+
+        ports:
+          http:
+            port: 7878
+
+          metrics:
+            enabled: true
+            port: 9000
+            protocol: HTTP
+
+    probes:
+      liveness:
+        enabled: false
+#        custom: true
+#        spec:
+#          httpGet:
+#            path: /ping
+#            port: 7878
+#          initialDelaySeconds: 10
+#          periodSeconds: 10
+#          timeoutSeconds: 3
+#          failureThreshold: 3
+      startup:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+        hosts:
+          - host: &host "radarr.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+
+    persistence:
+      config:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/radarr
+        mountPath: /config
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media
+        mountPath: /storage
+
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 10000
+      runAsGroup: 10000
+      fsGroup: 10000
+      fsGroupChangePolicy: OnRootMismatch
+
+    resources:
+      requests:
+        cpu: 1m
+        memory: 350Mi
+      limits:
+        memory: 1500Mi

cluster/apps/download/radarr/kustomization.yaml

@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./conf-env.sops.yaml
 - ./helm-release.yaml
+- ./radarr-exportarr-metrics.yaml

cluster/apps/download/readarr/audiobook-helm.yaml

@@ -0,0 +1,120 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: readarr-audiobooks
+  namespace: download
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/onedr0p/readarr-develop
+      tag: "0.3.28.2554"
+      pullPolicy: Always
+
+    # Metrics sidecar
+    sidecars:
+      exportarr:
+        image: ghcr.io/onedr0p/exportarr:v2.0.1
+        args:
+        - readarr
+        ports:
+        - name: metrics
+          containerPort: 9000
+        env:
+        - name: URL
+          value: "http://localhost"
+        - name: CONFIG
+          value: "/config/config.xml"
+        - name: PORT
+          value: 9000
+        - name: ENABLE_ADDITIONAL_METRICS
+          value: "true"
+        - name: ENABLE_UNKNOWN_QUEUE_ITEMS
+          value: "true"
+        volumeMounts:
+        - name: config
+          mountPath: /config
+          readOnly: true
+
+    env:
+      TZ: America/New_York
+
+    service:
+      main:
+        labels:
+          app: audiobook-readarr-service
+
+        ports:
+          http:
+            port: 8787
+
+          metrics:
+            enabled: true
+            port: 9000
+            protocol: HTTP
+
+    probes:
+      liveness:
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /ping
+            port: 8787
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 3
+      startup:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+        hosts:
+          - host: &host "readarr-audiobooks.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+
+    persistence:
+      config:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/readarr-audiobooks
+        mountPath: /config
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media
+        mountPath: /storage
+
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 10000
+      runAsGroup: 10000
+      fsGroup: 10000
+      fsGroupChangePolicy: OnRootMismatch
+
+    resources:
+      requests:
+        cpu: 1m
+        memory: 150Mi
+      limits:
+        memory: 2000Mi

cluster/apps/download/readarr/audiobook-monitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: audiobook-readarr-exportarr
+  namespace: download
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app: audiobook-readarr-service
+  endpoints:
+  - port: metrics
+    interval: 30s
+    scrapeTimeout: 20s
+    path: /metrics

cluster/apps/download/readarr/ebook-helm.yaml

@@ -0,0 +1,120 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: readarr-ebooks
+  namespace: download
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/onedr0p/readarr-develop
+      tag: "0.3.28.2554"
+      pullPolicy: Always
+
+    # Metrics sidecar
+    sidecars:
+      exportarr:
+        image: ghcr.io/onedr0p/exportarr:v2.0.1
+        args:
+        - readarr
+        ports:
+        - name: metrics
+          containerPort: 9000
+        env:
+        - name: URL
+          value: "http://localhost"
+        - name: CONFIG
+          value: "/config/config.xml"
+        - name: PORT
+          value: 9000
+        - name: ENABLE_ADDITIONAL_METRICS
+          value: "true"
+        - name: ENABLE_UNKNOWN_QUEUE_ITEMS
+          value: "true"
+        volumeMounts:
+        - name: config
+          mountPath: /config
+          readOnly: true
+
+    env:
+      TZ: America/New_York
+
+    service:
+      main:
+        labels:
+          app: ebook-readarr-service
+
+        ports:
+          http:
+            port: 8787
+
+          metrics:
+            enabled: true
+            port: 9000
+            protocol: HTTP
+
+    probes:
+      liveness:
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /ping
+            port: 8787
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 3
+      startup:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+        hosts:
+          - host: &host "readarr-ebooks.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+
+    persistence:
+      config:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/readarr-ebooks
+        mountPath: /config
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media
+        mountPath: /storage
+
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 10000
+      runAsGroup: 10000
+      fsGroup: 10000
+      fsGroupChangePolicy: OnRootMismatch
+
+    resources:
+      requests:
+        cpu: 1m
+        memory: 150Mi
+      limits:
+        memory: 2000Mi

cluster/apps/download/readarr/ebook-monitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: ebook-readarr-exportarr
+  namespace: download
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app: ebook-readarr-service
+  endpoints:
+  - port: metrics
+    interval: 30s
+    scrapeTimeout: 20s
+    path: /metrics

cluster/apps/download/readarr/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./audiobook-helm.yaml
+- ./ebook-helm.yaml
+- ./audiobook-monitor.yaml
+- ./ebook-monitor.yaml

cluster/apps/download/sabnzbd/helm-release.yaml

@@ -30,7 +30,7 @@ spec:
           app:
             image:
               repository: lscr.io/linuxserver/sabnzbd
-              tag: 4.5.0
+              tag: 4.3.2
 
             env:
               PGID: 10000
@@ -39,7 +39,7 @@ spec:
           metrics:
             image:
               repository: msroest/sabnzbd_exporter
-              tag: 0.1.78
+              tag: 0.1.73
 
             env:
             - name: SABNZBD_BASEURLS

cluster/apps/download/sonarr/helm-release.yaml

@@ -0,0 +1,120 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: sonarr
+  namespace: download
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/onedr0p/sonarr-develop
+      tag: "4.0.5.1778"
+
+    # Metrics sidecar
+    sidecars:
+      exportarr:
+        image: ghcr.io/onedr0p/exportarr:v2.0.1
+        args:
+        - sonarr
+        ports:
+        - name: metrics
+          containerPort: 9000
+        env:
+        - name: URL
+          value: "http://localhost"
+        - name: CONFIG
+          value: "/config/config.xml"
+        - name: PORT
+          value: 9000
+        - name: ENABLE_ADDITIONAL_METRICS
+          value: "true"
+        - name: ENABLE_UNKNOWN_QUEUE_ITEMS
+          value: "true"
+        volumeMounts:
+        - name: config
+          mountPath: /config
+          readOnly: true
+
+    env:
+      TZ: America/New_York
+      SONARR__AUTHENTICATION_METHOD: "External"
+
+    service:
+      main:
+        labels:
+          app: sonarr-service
+
+        ports:
+          http:
+            port: 8989
+
+          metrics:
+            enabled: true
+            port: 9000
+            protocol: HTTP
+
+    probes:
+      liveness:
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /ping
+            port: 8989
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 3
+      startup:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+        hosts:
+          - host: &host "sonarr.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+
+    persistence:
+      config:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/sonarr
+        mountPath: /config
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media
+        mountPath: /storage
+
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 10000
+      runAsGroup: 10000
+      fsGroup: 10000
+      fsGroupChangePolicy: OnRootMismatch
+
+    resources:
+      requests:
+        cpu: 2m
+        memory: 350Mi
+      limits:
+        memory: 2500Mi