Update image ghcr.io/siderolabs/kubelet to v1.31.4

Reviewed-on: #823

.archive/default/matter-server/app/gatus.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matter-server-gatus-ep
+  labels:
+    gatus.io/enabled: "true"
+data:
+  config.yaml: |
+    endpoints:
+      - name: matter-server
+        group: infrastructure
+        url: ws://matter-server.default.svc.cluster.local:5580
+        interval: 1m
+        ui:
+          hide-url: true
+          hide-hostname: true
+        conditions:
+          - "[CONNECTED] == true"
+        alerts:
+          - type: pushover

.archive/default/matter-server/app/helmrelease.yaml

@@ -0,0 +1,80 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app matter-server
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controllers:
+      matter-server:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/home-assistant-libs/python-matter-server
+              tag: 6.6.1
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "America/Chicago"
+              MATTER_SERVER__INSTANCE_NAME: *app
+              MATTER_SERVER__PORT: &port 5580
+              MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
+              MATTER_SERVER__LOG_LEVEL: debug
+            resources:
+              requests:
+                memory: "100Mi"
+              limits:
+                memory: "300Mi"
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: matter-server
+        type: LoadBalancer
+        annotations:
+          external-dns.alpha.kubernetes.io/hostname: *host
+          io.cilium/lb-ipam-ips: 10.1.1.40
+        ports:
+          http:
+            port: *port
+    ingress:
+      app:
+        className: internal-nginx
+        hosts:
+          - host: *host
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: *port
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      data:
+        existingClaim: *app

.archive/default/matter-server/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./gatus.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/volsync

.archive/default/matter-server/ks.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app matter-server
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/default/matter-server/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false # no flux ks dependents
+  interval: 30m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 1Gi

.editorconfig

@@ -1,5 +1,3 @@
-; https://editorconfig.org/
-
 root = true
 
 [*]

.renovate/packageRules.json5

@@ -4,7 +4,7 @@
     {
       "description": ["Loose versioning for non-semver packages"],
       "matchDatasources": ["docker"],
-      "matchPackagePatterns": ["cross-seed", "plex"],
+      "matchPackagePatterns": ["plex"],
       "versioning": "loose"
     },
     {

.taskfiles/flux/Taskfile.yaml

@@ -18,6 +18,20 @@ tasks:
           | xargs -P 4 -L 1 bash -c \
             'kubectl -n $0 annotate kustomization/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --field-manager=flux-client-side-apply --overwrite'
 
+  ks-suspend:
+    desc: Suspend all Flux Kustomizations
+    cmds:
+      - |
+        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
+          | xargs -L 1 bash -c 'flux -n $0 suspend kustomization $1'
+
+  ks-resume:
+    desc: Resume all Flux Kustomizations
+    cmds:
+      - |
+        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
+          | xargs -L 1 bash -c 'flux -n $0 resume kustomization $1'
+
   hr-sync:
     desc: Sync all Flux HelmReleases
     cmds:

.vscode/settings.json

@@ -15,7 +15,6 @@
     "hack": "scripts",
     "repositories": "database",
     "vars": "other",
-    // namespaces
     "cert-manager": "guard",
     "external-secrets": "keys",
     "kube-system": "kubernetes",

kubernetes/apps/ai/open-webui/app/helmrelease.yaml

@@ -14,8 +14,6 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-  dependsOn:
-    - name: ollama
   install:
     remediation:
       retries: 3
@@ -33,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/open-webui/open-webui
-              tag: v0.4.5
+              tag: v0.4.8
             env:
               - name: OLLAMA_BASE_URL
                 value: http://10.1.1.61:11434

kubernetes/apps/anime/radarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.15.1.9463
+              tag: 5.16.1.9508
             env:
               RADARR__APP__INSTANCENAME: Radarr-Anime
               RADARR__APP__THEME: dark
@@ -66,11 +66,6 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -107,7 +102,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/anime/sonarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.11.2697
+              tag: 4.0.11.2743
             env:
               SONARR__APP__INSTANCENAME: Sonarr-Anime
               SONARR__APP__THEME: dark
@@ -66,11 +66,6 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -107,7 +102,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media
@@ -117,3 +112,14 @@ spec:
         path: /moria/media/
         globalMounts:
           - path: /data/moria-media
+      scripts:
+        type: configMap
+        name: sonarr-configmap
+        defaultMode: 0775
+        globalMounts:
+          - path: /scripts/pushover-notify.sh
+            subPath: pushover-notify.sh
+            readOnly: true
+          - path: /scripts/refresh-series.sh
+            subPath: refresh-series.sh
+            readOnly: true

kubernetes/apps/anime/sonarr/app/kustomization.yaml

@@ -6,3 +6,12 @@ resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
   - ../../../../templates/volsync
+configMapGenerator:
+  - name: sonarr-configmap
+    files:
+      - pushover-notify.sh=./resources/pushover-notify.sh
+      - refresh-series.sh=./resources/refresh-series.sh
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/anime/sonarr/app/resources/pushover-notify.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2154
+set -euo pipefail
+
+# User defined variables for pushover
+PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
+PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
+PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
+
+if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
+    PUSHOVER_PRIORITY="1"
+    printf -v PUSHOVER_TITLE \
+        "Test Notification"
+    printf -v PUSHOVER_MESSAGE \
+        "Howdy this is a test notification from %s" \
+            "${sonarr_instancename:-Sonarr}"
+    printf -v PUSHOVER_URL \
+        "%s" \
+            "${sonarr_applicationurl:-localhost}"
+    printf -v PUSHOVER_URL_TITLE \
+        "Open %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
+    printf -v PUSHOVER_TITLE \
+        "Episode %s" \
+            "$( [[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded" )"
+    printf -v PUSHOVER_MESSAGE \
+        "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
+            "${sonarr_series_title}" \
+            "${sonarr_episodefile_seasonnumber}" \
+            "${sonarr_episodefile_episodenumbers}" \
+            "${sonarr_episodefile_episodetitles}" \
+            "${sonarr_episodefile_quality:-Unknown}" \
+            "${sonarr_download_client:-Unknown}"
+    printf -v PUSHOVER_URL \
+        "%s/series/%s" \
+            "${sonarr_applicationurl:-localhost}" \
+            "${sonarr_series_titleslug}"
+    printf -v PUSHOVER_URL_TITLE \
+        "View series in %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
+    PUSHOVER_PRIORITY="1"
+    printf -v PUSHOVER_TITLE \
+        "Episode import requires intervention"
+    printf -v PUSHOVER_MESSAGE \
+        "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
+            "${sonarr_series_title}" \
+            "${sonarr_download_client:-Unknown}"
+    printf -v PUSHOVER_URL \
+        "%s/activity/queue" \
+            "${sonarr_applicationurl:-localhost}"
+    printf -v PUSHOVER_URL_TITLE \
+        "View queue in %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+json_data=$(jo \
+    token="${PUSHOVER_TOKEN}" \
+    user="${PUSHOVER_USER_KEY}" \
+    title="${PUSHOVER_TITLE}" \
+    message="${PUSHOVER_MESSAGE}" \
+    url="${PUSHOVER_URL}" \
+    url_title="${PUSHOVER_URL_TITLE}" \
+    priority="${PUSHOVER_PRIORITY}" \
+    html="1"
+)
+
+status_code=$(curl \
+    --silent \
+    --write-out "%{http_code}" \
+    --output /dev/null \
+    --request POST \
+    --header "Content-Type: application/json" \
+    --data-binary "${json_data}" \
+    "https://api.pushover.net/1/messages.json" \
+)
+
+printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
+    "${status_code}" \
+    "$(echo "${json_data}" | jq --compact-output)" >&2

kubernetes/apps/anime/sonarr/app/resources/refresh-series.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2154
+set -euo pipefail
+
+CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
+SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
+
+if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
+    tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
+        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
+    ')
+
+    if (( tba > 0 )); then
+        echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
+        "${CURL_CMD[@]}" \
+            --request POST \
+            --header "Content-Type: application/json" \
+            --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
+            "${SONARR_API_URL}/command" &>/dev/null
+    fi
+fi

kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml

@@ -30,7 +30,7 @@ spec:
           runner-register:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.2
+              tag: 5.0.3
             command:
               - "forgejo-runner"
               - "register"
@@ -63,7 +63,7 @@ spec:
           daemon:
             image:
               repository: docker
-              tag: 27.3.1-dind
+              tag: 27.4.0-dind
             securityContext:
               privileged: true
             env:
@@ -72,7 +72,7 @@ spec:
           app:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.2
+              tag: 5.0.3
             command:
               - "sh"
               - "-c"

kubernetes/apps/coder/coder/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: coder
-      version: 2.16.1
+      version: 2.18.0
       sourceRef:
         kind: HelmRepository
         name: coder
@@ -29,8 +29,6 @@ spec:
       env:
         - name: CODER_ACCESS_URL
           value: https://coder.hsn.dev
-        - name: CODER_WILDCARD_ACCESS_URL
-          value: "*.coder.hsn.dev"
         - name: CODER_PROMETHEUS_ENABLE
           value: "true"
       envFrom:
@@ -44,4 +42,3 @@ spec:
           external-dns.alpha.kubernetes.io/target: external.hsn.dev
 
         host: "coder.hsn.dev"
-        wildcardHost: "*.coder.hsn.dev"

kubernetes/apps/database/emqx/cluster/cluster.yaml

@@ -5,7 +5,7 @@ kind: EMQX
 metadata:
   name: emqx
 spec:
-  image: public.ecr.aws/emqx/emqx:5.8.2
+  image: public.ecr.aws/emqx/emqx:5.8.3
   config:
     mode: Merge
   coreTemplate:

kubernetes/apps/database/influxdb/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: docker.io/influxdb
-              tag: 2.7.10-alpine
+              tag: 2.7.11-alpine
               pullPolicy: IfNotPresent
             env:
               INFLUXDB_ADMIN_USER_PASSWORD: "admin"

kubernetes/apps/database/kustomization.yaml

@@ -10,4 +10,4 @@ resources:
   - ./dragonfly/ks.yaml
   - ./emqx/ks.yaml
   - ./influxdb/ks.yaml
-  - ./mariadb/ks.yaml
+  # - ./mariadb/ks.yaml

kubernetes/apps/default/autobrr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/autobrr/autobrr
-              tag: v1.51.1@sha256:747c682d8d59e72a202ee4239bafbd7cfa10b0fc3a6220b61446de73dbd0c956
+              tag: v1.53.0@sha256:0c3f93c653cfc8a20e722bd26a5d597a496c9ba714300ba7974a5aeb19bd6e31
             env:
               AUTOBRR__CHECK_FOR_UPDATES: "false"
               AUTOBRR__HOST: 0.0.0.0

kubernetes/apps/default/kustomization.yaml

@@ -9,7 +9,6 @@ resources:
   - ./atuin/ks.yaml
   - ./autobrr/ks.yaml
   - ./excalidraw/ks.yaml
-  - ./home-assistant/ks.yaml
   - ./it-tools/ks.yaml
   - ./linkwarden/ks.yaml
   - ./maintainerr/ks.yaml
@@ -18,7 +17,7 @@ resources:
   - ./overseerr/ks.yaml
   - ./plex/ks.yaml
   - ./prowlarr/ks.yaml
-  - ./pterodactyl/ks.yaml
+  # - ./pterodactyl/ks.yaml
   - ./radarr/ks.yaml
   - ./recyclarr/ks.yaml
   - ./redlib/ks.yaml

kubernetes/apps/default/linkwarden/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/linkwarden/linkwarden
-              tag: v2.8.3@sha256:7f80a03d688c3e5d9ec6b34f5b65cd861ff8c9eb08d12932dc8fc7482991f238
+              tag: v2.8.4@sha256:8a8e6323508f97ddaa863281b9ff52949fc153eea1ec07cb84539436371caf28
             env:
               TIMEZONE: "America/Chicago"
               NEXTAUTH_URL: "https://{{ .Release.Name }}.jahanson.tech/api/v1/auth"

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/prowlarr-develop
-              tag: 1.27.0.4852@sha256:6e1041a558cceee6356efe74cc9a9138909f4a8bac5eb714a420a37e4b478c77
+              tag: 1.28.0.4862@sha256:ff83bcd009f4556e5ee9a40e596dfaa3dd8313fe40246c1244416ffd8fc03ab5
             env:
               # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
               # Ref: https://github.com/dotnet/runtime/issues/9336

kubernetes/apps/default/pterodactyl/app/kustomization.yaml

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../../../templates/volsync
-  - ../../../../templates/gatus/external
+  # - ../../../../templates/gatus/external
   - ./externalsecret.yaml
   # - ./helmrelease.yaml
   - ./mariadb.yaml

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.15.1.9463
+              tag: 5.16.1.9508
             env:
               RADARR__APP__INSTANCENAME: Radarr
               RADARR__APP__THEME: dark
@@ -64,11 +64,6 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 16Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -105,7 +100,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/default/redlib/app/helmrelease.yaml

@@ -38,7 +38,7 @@ spec:
           app:
             image:
               repository: quay.io/redlib/redlib
-              tag: latest@sha256:1f120c85fc33bdac67c97d5d1a6c84a920be40742fbf311c970ab2749a435778
+              tag: latest@sha256:d04e722091fe17424425499882a548507a70654f37aaf8cbc71081ef29b7b341
             env:
               REDLIB_DEFAULT_SHOW_NSFW: on
               REDLIB_DEFAULT_WIDE: on

kubernetes/apps/default/sabnzbd/app/helmrelease.yaml

@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sabnzbd
-              tag: 4.3.3@sha256:86c645db93affcbf01cc2bce2560082bfde791009e1506dba68269b9c50bc341
+              tag: 4.4.0@sha256:d2dbde184900504bf3636d2df74e466e223d6b2474b4d21a58c72eadfffa7e99
             env:
               TZ: America/Chicago
               SABNZBD__PORT: &port 80
@@ -76,8 +76,6 @@ spec:
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
     defaultPodOptions:
-      nodeSelector: # ~~testing~~
-        kubernetes.io/hostname: gandalf-01
       securityContext:
         runAsNonRoot: true
         runAsUser: 568
@@ -120,7 +118,7 @@ spec:
           - readOnly: true
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/default/sonarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.11.2697
+              tag: 4.0.11.2743
             env:
               SONARR__APP__INSTANCENAME: Sonarr
               SONARR__APP__THEME: dark
@@ -64,11 +64,6 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 16Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -105,7 +100,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media
@@ -115,3 +110,14 @@ spec:
         path: /moria/media/
         globalMounts:
           - path: /data/moria-media
+      scripts:
+        type: configMap
+        name: sonarr-configmap
+        defaultMode: 0775
+        globalMounts:
+          - path: /scripts/pushover-notify.sh
+            subPath: pushover-notify.sh
+            readOnly: true
+          - path: /scripts/refresh-series.sh
+            subPath: refresh-series.sh
+            readOnly: true

kubernetes/apps/default/sonarr/app/kustomization.yaml

@@ -6,3 +6,12 @@ resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
   - ../../../../templates/volsync
+configMapGenerator:
+  - name: sonarr-configmap
+    files:
+      - pushover-notify.sh=./resources/pushover-notify.sh
+      - refresh-series.sh=./resources/refresh-series.sh
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/default/sonarr/app/resources/pushover-notify.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2154
+set -euo pipefail
+
+# User defined variables for pushover
+PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
+PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
+PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
+
+if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
+    PUSHOVER_PRIORITY="1"
+    printf -v PUSHOVER_TITLE \
+        "Test Notification"
+    printf -v PUSHOVER_MESSAGE \
+        "Howdy this is a test notification from %s" \
+            "${sonarr_instancename:-Sonarr}"
+    printf -v PUSHOVER_URL \
+        "%s" \
+            "${sonarr_applicationurl:-localhost}"
+    printf -v PUSHOVER_URL_TITLE \
+        "Open %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
+    printf -v PUSHOVER_TITLE \
+        "Episode %s" \
+            "$( [[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded" )"
+    printf -v PUSHOVER_MESSAGE \
+        "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
+            "${sonarr_series_title}" \
+            "${sonarr_episodefile_seasonnumber}" \
+            "${sonarr_episodefile_episodenumbers}" \
+            "${sonarr_episodefile_episodetitles}" \
+            "${sonarr_episodefile_quality:-Unknown}" \
+            "${sonarr_download_client:-Unknown}"
+    printf -v PUSHOVER_URL \
+        "%s/series/%s" \
+            "${sonarr_applicationurl:-localhost}" \
+            "${sonarr_series_titleslug}"
+    printf -v PUSHOVER_URL_TITLE \
+        "View series in %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
+    PUSHOVER_PRIORITY="1"
+    printf -v PUSHOVER_TITLE \
+        "Episode import requires intervention"
+    printf -v PUSHOVER_MESSAGE \
+        "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
+            "${sonarr_series_title}" \
+            "${sonarr_download_client:-Unknown}"
+    printf -v PUSHOVER_URL \
+        "%s/activity/queue" \
+            "${sonarr_applicationurl:-localhost}"
+    printf -v PUSHOVER_URL_TITLE \
+        "View queue in %s" \
+            "${sonarr_instancename:-Sonarr}"
+fi
+
+json_data=$(jo \
+    token="${PUSHOVER_TOKEN}" \
+    user="${PUSHOVER_USER_KEY}" \
+    title="${PUSHOVER_TITLE}" \
+    message="${PUSHOVER_MESSAGE}" \
+    url="${PUSHOVER_URL}" \
+    url_title="${PUSHOVER_URL_TITLE}" \
+    priority="${PUSHOVER_PRIORITY}" \
+    html="1"
+)
+
+status_code=$(curl \
+    --silent \
+    --write-out "%{http_code}" \
+    --output /dev/null \
+    --request POST \
+    --header "Content-Type: application/json" \
+    --data-binary "${json_data}" \
+    "https://api.pushover.net/1/messages.json" \
+)
+
+printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
+    "${status_code}" \
+    "$(echo "${json_data}" | jq --compact-output)" >&2

kubernetes/apps/default/sonarr/app/resources/refresh-series.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2154
+set -euo pipefail
+
+CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
+SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
+
+if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
+    tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
+        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
+    ')
+
+    if (( tba > 0 )); then
+        echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
+        "${CURL_CMD[@]}" \
+            --request POST \
+            --header "Content-Type: application/json" \
+            --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
+            "${SONARR_API_URL}/command" &>/dev/null
+    fi
+fi

kubernetes/apps/default/stirling-pdf/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/stirling-tools/s-pdf
-              tag: 0.34.0@sha256:42ceaa84712f9271ca4af1c4d892899996424cbc5378f7dd168828091657c0f0
+              tag: 0.36.0@sha256:56a2a83fda76eb6a4fa21a03484d9cea9b2af25cce2c3bfdca45fcd1dafd6533
               pullPolicy: IfNotPresent
             env:
               TZ: America/Chicago

kubernetes/apps/default/unpackerr/app/helmrelease.yaml

@@ -76,7 +76,7 @@ spec:
     persistence:
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         advancedMounts:
           unpackerr:

kubernetes/apps/default/zwave/app/helmrelease.yaml

@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/zwave-js/zwave-js-ui
-              tag: 9.27.7@sha256:b7327c74e9cb228af9fc2817330319d4e57e041767dc40e550fd6577a436ad7d
+              tag: 9.27.8@sha256:2299383f92f62bda3887d28375cb392d502326628cd2c8212b79cbe18788f019
             env:
               TZ: America/Chicago
               PORT: &port 80

kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.16.3
+      version: 1.16.4
       sourceRef:
         kind: HelmRepository
         name: cilium

kubernetes/apps/kube-system/coredns/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: coredns
-      version: 1.36.1
+      version: 1.37.0
       sourceRef:
         kind: HelmRepository
         name: coredns

kubernetes/apps/kube-system/fstrim.yaml

@@ -7,7 +7,7 @@ spec:
   #  nodeName: nenya
   containers:
     - name: fstrim
-      image: ghcr.io/onedr0p/kubanetics:2024.11.1
+      image: ghcr.io/onedr0p/kubanetics:2024.12.0
       securityContext:
         privileged: true
       command: ["/bin/bash", "-c", "while true; do sleep 10; done"]

kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.11.1@sha256:875b7c22fbb046958ae0116b4a7e9ea81062cf60f54d5b27e53ebf29078bdcc4
+              tag: 2024.12.0@sha256:3766252a7011d870a4c24bb107c9aa505dde35f4baf8101466c623b052bdbb4f
             env:
               SCRIPT_NAME: fstrim.sh
             probes:

kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml

@@ -1,2 +1,2 @@
 ---
-providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie|^gandalf-01$
+providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie$

kubernetes/apps/kube-system/reloader/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: reloader
-      version: 1.1.0
+      version: 1.2.0
       sourceRef:
         kind: HelmRepository
         name: stakater

kubernetes/apps/observability/alertmanager/silencer/helmrelease.yaml

@@ -35,7 +35,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.11.1
+              tag: 2024.12.0
             env:
               SCRIPT_NAME: alertmanager-silencer.sh
               ALERTMANAGER_URL: http://alertmanager.observability.svc.cluster.local:9093

kubernetes/apps/observability/gatus/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           init-config:
             image:
               repository: ghcr.io/kiwigrid/k8s-sidecar
-              tag: 1.28.0@sha256:4166a019eeafd1f0fef4d867dc5f224f18d84ec8681dbb31f3ca258ecf07bcf2
+              tag: 1.28.1@sha256:707875abfd38af450ff420c6f271e883fc28e9ce4d3742741af993b25ae93f85
             env:
               FOLDER: /config
               LABEL: gatus.io/enabled

kubernetes/apps/observability/grafana/app/helmrelease.yaml

@@ -239,7 +239,7 @@ spec:
         prometheus:
           # renovate: depName="Prometheus"
           gnetId: 19105
-          revision: 5
+          revision: 6
           datasource: Prometheus
         victoria-agent:
           # renovate: depName="VictoriaMetrics - vmagent"

kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml

@@ -18,17 +18,6 @@ spec:
     controllers:
       smartctl-exporter:
         type: daemonset
-        pod:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: kubernetes.io/hostname
-                        operator: NotIn
-                        values:
-                          - gandalf-01
-                          - shadowfax-01
         containers:
           app:
             image: &image
@@ -51,43 +40,12 @@ spec:
                     port: &port 9633
                     path: /
               readiness: *probes
-      smartctl-exporter-vms:
-        type: daemonset
-        pod:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: kubernetes.io/hostname
-                        operator: In
-                        values:
-                          - gandalf-01
-                          - shadowfax-01
-        containers:
-          app:
-            image: *image
-            args:
-              - --smartctl.path=/usr/sbin/smartctl
-              - --smartctl.interval=120s
-              - --web.listen-address=0.0.0.0:9633
-              - --web.telemetry-path=/metrics
-              - --smartctl.device=/dev/nvme0
-            securityContext: *securityContext
-            probes:
-              liveness: *probes
-              readiness: *probes
     service:
       smartctl-exporter:
         controller: smartctl-exporter
         ports:
           exporter:
             port: *port
-      smartctl-exporter-vms:
-        controller: smartctl-exporter-vms
-        ports:
-          exporter:
-            port: *port
     persistence:
       dev:
         type: hostPath
@@ -105,15 +63,3 @@ spec:
             path: /metrics
             interval: 1m
             scrapeTimeout: 10s
-      smartctl-exporter-vms:
-        selector:
-          matchLabels:
-            app.kubernetes.io/instance: smartctl-exporter
-            app.kubernetes.io/name: smartctl-exporter
-            app.kubernetes.io/service: smartctl-exporter-smartctl-exporter-vms
-        endpoints:
-          - port: exporter
-            scheme: http
-            path: /metrics
-            interval: 1m
-            scrapeTimeout: 10s

kubernetes/apps/observability/vector-agent/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: vector
-      version: 0.37.0
+      version: 0.38.0
       sourceRef:
         kind: HelmRepository
         name: vector

kubernetes/apps/observability/vector-aggregator/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: vector
-      version: 0.37.0
+      version: 0.38.0
       sourceRef:
         kind: HelmRepository
         name: vector

kubernetes/apps/observability/victoria-metrics/cluster/kustomization.yaml

@@ -5,5 +5,4 @@ kind: Kustomization
 resources:
   - vmagent.yaml
   - vmalert.yaml
-  - vmscrapeconfig.yaml
   - vmsingle.yaml

kubernetes/apps/observability/victoria-metrics/cluster/vmscrapeconfig.yaml

@@ -1,16 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/operator.victoriametrics.com/vmscrapeconfig_v1beta1.json
-apiVersion: operator.victoriametrics.com/v1beta1
-kind: VMScrapeConfig
-metadata:
-  name: &name zfs-exporter
-spec:
-  staticConfigs:
-    - targets:
-        - "shadowfax.jahanson.tech:9134"
-        - "gandalf.jahanson.tech:9134"
-  path: /metrics
-  relabelConfigs:
-    - action: replace
-      targetLabel: job
-      replacement: *name

kubernetes/apps/qbittorrent/cross-seed/app/helmrelease.yaml

@@ -35,7 +35,7 @@ spec:
           app:
             image:
               repository: ghcr.io/cross-seed/cross-seed
-              tag: 6.1.0@sha256:91fbb2a6a411b7d63cccabffb5f623e6931579d2fd652512b6a3df0a9ba97066
+              tag: 6.1.1@sha256:5cb54b46a614f362c0332a91e5754d6998d45ae27ccc2c77b04b1a3493816331
             env:
               TZ: America/Chicago
             args: ["daemon"]
@@ -86,7 +86,7 @@ spec:
             readOnly: true
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml

@@ -43,7 +43,7 @@ spec:
           app:
             image:
               repository: jesec/flood
-              tag: master@sha256:04196de98223a193e4913c00e0ab1b48a27a370ef159989e52c29864afc2b2e4
+              tag: master@sha256:db3f3fb70d7ffb034183a78d0bfbfae270ae507202c2bad9e73af070440a61e4
             envFrom:
               - secretRef:
                   name: flood-secret

kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml

@@ -34,7 +34,7 @@ spec:
             nameOverride: qbittorrent
             image:
               repository: ghcr.io/onedr0p/qbittorrent-beta
-              tag: 5.0.2@sha256:adfd625f9cc7226eabad8aa117a551d42d5818c914850ef7fa3be60111383107
+              tag: 5.0.2@sha256:2dab641cd7399c896db120f8f4b8c0e9fce2744810a391e89591c6ab546c922a
             env:
               UMASK: "022"
               QBT_WEBUI_PORT: &port 80
@@ -67,8 +67,6 @@ spec:
                 drop:
                   - ALL
     defaultPodOptions:
-      nodeSelector: # ~~testing~~
-        kubernetes.io/hostname: gandalf-01
       securityContext:
         runAsNonRoot: true
         runAsUser: 568
@@ -122,7 +120,7 @@ spec:
           - path: /tmp
       media:
         type: nfs
-        server: gandalf.jahanson.tech
+        server: 10.1.1.61
         path: /eru/media
         advancedMounts:
           qbittorrent:

kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml

@@ -39,7 +39,7 @@ spec:
           tagging: &container
             image:
               repository: ghcr.io/buroa/qbtools
-              tag: v0.19.9@sha256:f5405e3c00256d7911d2abb839084a5147c108586adb281e97587cf93729c89b
+              tag: v0.19.11@sha256:a133bd7f02ecb9ea0111a4016724f33404136c41295217f163991910e1d2784c
             env:
               TZ: *timeZone
               POD_NAMESPACE:
@@ -136,7 +136,7 @@ spec:
             readOnly: true
       media:
         type: nfs
-        server: 10.1.1.13
+        server: 10.1.1.61
         path: /eru/media
         advancedMounts:
           orphaned:

kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml

@@ -67,7 +67,7 @@ spec:
       storage:
         useAllNodes: true
         useAllDevices: false
-        deviceFilter: "nvme0n1"
+        deviceFilter: "nvme[0-9]+n1"
       resources:
         mgr:
           requests:

kubernetes/apps/security/external-secrets/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: external-secrets
-      version: 0.10.7
+      version: 0.11.0
       interval: 30m
       sourceRef:
         kind: HelmRepository

kubernetes/bootstrap/helmfile.yaml

@@ -23,7 +23,7 @@ releases:
   - name: cilium
     namespace: kube-system
     chart: cilium/cilium
-    version: 1.16.3
+    version: 1.16.4
     values:
       - ../apps/kube-system/cilium/app/helm-values.yml
     needs:
@@ -31,7 +31,7 @@ releases:
   - name: coredns
     namespace: kube-system
     chart: coredns/coredns
-    version: 1.36.1
+    version: 1.37.0
     values:
       - ../apps/kube-system/coredns/app/helm-values.yml
     needs:

kubernetes/bootstrap/talos/talconfig.yaml

@@ -5,7 +5,7 @@ clusterName: theshire
 # renovate: datasource=github-releases depName=siderolabs/talos
 talosVersion: v1.8.3
 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
-kubernetesVersion: 1.31.3
+kubernetesVersion: 1.31.4
 endpoint: "https://10.1.1.57:6444"
 
 additionalApiServerCertSans:
@@ -74,42 +74,6 @@ nodes:
     networkInterfaces:
       - interface: eno1
         dhcp: true
-  - hostname: gandalf-01
-    disableSearchDomain: true
-    ipAddress: 10.1.1.68
-    controlPlane: false
-    installDisk: /dev/sda
-    networkInterfaces:
-      - interface: enp5s0
-        dhcp: true
-
-  - hostname: shadowfax-01
-    disableSearchDomain: true
-    ipAddress: 10.1.1.69
-    controlPlane: false
-    installDiskSelector:
-      busPath: /pci0000:00/0000:00:01.1/0000:02:00.0/virtio6/host0/target0:0:0/0:0:0:1/
-    networkInterfaces:
-      - interface: enp5s0
-        dhcp: true
-    patches:
-      - |-
-        machine:
-          sysctls:
-            net.core.bpf_jit_harden: 1
-
-    kernelModules:
-      - name: nvidia
-      - name: nvidia_uvm
-      - name: nvidia_drm
-      - name: nvidia_modeset
-    schematic:
-      customization:
-        systemExtensions:
-          officialExtensions:
-            - siderolabs/amd-ucode
-            - siderolabs/nonfree-kmod-nvidia-production
-            - siderolabs/nvidia-container-toolkit-production
 
 worker:
   schematic:

kubernetes/flux/repositories/oci/grafana.yaml

@@ -12,4 +12,4 @@ spec:
     operation: copy
   url: oci://ghcr.io/grafana/helm-charts/grafana
   ref:
-    tag: 8.6.3
+    tag: 8.6.4

renovate.json5

@@ -2,6 +2,12 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended",
+    ":automergeBranch",
+    ":dependencyDashboard",
+    ":disableRateLimiting",
+    ":skipStatusChecks",
+    ":timezone(America/Chicago)",
+    "docker:enableMajor",
     "local>jahanson/theshire//.renovate/autoMerge.json5",
     "local>jahanson/theshire//.renovate/commitMessage.json5",
     "local>jahanson/theshire//.renovate/customManagers.json5",

shell.nix

@@ -24,5 +24,6 @@ pkgs.mkShell {
     kustomize
     yq-go
     go-task
+    kubectl
   ];
 }