Update image ghcr.io/siderolabs/kubelet to v1.31.3

.archive/default/matter-server/app/gatus.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: matter-server-gatus-ep
-  labels:
-    gatus.io/enabled: "true"
-data:
-  config.yaml: |
-    endpoints:
-      - name: matter-server
-        group: infrastructure
-        url: ws://matter-server.default.svc.cluster.local:5580
-        interval: 1m
-        ui:
-          hide-url: true
-          hide-hostname: true
-        conditions:
-          - "[CONNECTED] == true"
-        alerts:
-          - type: pushover

.archive/default/matter-server/app/helmrelease.yaml

@@ -1,80 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app matter-server
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.5.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      matter-server:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          app:
-            image:
-              repository: ghcr.io/home-assistant-libs/python-matter-server
-              tag: 6.6.1
-              pullPolicy: IfNotPresent
-            env:
-              TZ: "America/Chicago"
-              MATTER_SERVER__INSTANCE_NAME: *app
-              MATTER_SERVER__PORT: &port 5580
-              MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
-              MATTER_SERVER__LOG_LEVEL: debug
-            resources:
-              requests:
-                memory: "100Mi"
-              limits:
-                memory: "300Mi"
-    defaultPodOptions:
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 568
-        runAsGroup: 568
-        fsGroup: 568
-        fsGroupChangePolicy: OnRootMismatch
-        seccompProfile: { type: RuntimeDefault }
-    service:
-      app:
-        controller: matter-server
-        type: LoadBalancer
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: *host
-          io.cilium/lb-ipam-ips: 10.1.1.40
-        ports:
-          http:
-            port: *port
-    ingress:
-      app:
-        className: internal-nginx
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: *port
-        tls:
-          - hosts:
-              - *host
-    persistence:
-      data:
-        existingClaim: *app

.archive/default/matter-server/app/kustomization.yaml

@@ -1,8 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./gatus.yaml
-  - ./helmrelease.yaml
-  - ../../../../templates/volsync

.archive/default/matter-server/ks.yaml

@@ -1,24 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app matter-server
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/matter-server/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: false # no flux ks dependents
-  interval: 30m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
-      VOLSYNC_CAPACITY: 1Gi

.editorconfig

@@ -1,3 +1,5 @@
+; https://editorconfig.org/
+
 root = true
 
 [*]

.renovate/packageRules.json5

@@ -4,7 +4,7 @@
     {
       "description": ["Loose versioning for non-semver packages"],
       "matchDatasources": ["docker"],
-      "matchPackagePatterns": ["plex"],
+      "matchPackagePatterns": ["cross-seed", "plex"],
       "versioning": "loose"
     },
     {

.taskfiles/flux/Taskfile.yaml

@@ -18,20 +18,6 @@ tasks:
           | xargs -P 4 -L 1 bash -c \
             'kubectl -n $0 annotate kustomization/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --field-manager=flux-client-side-apply --overwrite'
 
-  ks-suspend:
-    desc: Suspend all Flux Kustomizations
-    cmds:
-      - |
-        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
-          | xargs -L 1 bash -c 'flux -n $0 suspend kustomization $1'
-
-  ks-resume:
-    desc: Resume all Flux Kustomizations
-    cmds:
-      - |
-        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
-          | xargs -L 1 bash -c 'flux -n $0 resume kustomization $1'
-
   hr-sync:
     desc: Sync all Flux HelmReleases
     cmds:

.vscode/settings.json

@@ -15,6 +15,7 @@
     "hack": "scripts",
     "repositories": "database",
     "vars": "other",
+    // namespaces
     "cert-manager": "guard",
     "external-secrets": "keys",
     "kube-system": "kubernetes",

kubernetes/apps/ai/open-webui/app/helmrelease.yaml

@@ -14,6 +14,8 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
+  dependsOn:
+    - name: ollama
   install:
     remediation:
       retries: 3
@@ -31,7 +33,7 @@ spec:
           app:
             image:
               repository: ghcr.io/open-webui/open-webui
-              tag: v0.4.8
+              tag: v0.4.5
             env:
               - name: OLLAMA_BASE_URL
                 value: http://10.1.1.61:11434

kubernetes/apps/anime/radarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.16.1.9508
+              tag: 5.15.1.9463
             env:
               RADARR__APP__INSTANCENAME: Radarr-Anime
               RADARR__APP__THEME: dark
@@ -66,6 +66,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -102,7 +107,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/anime/sonarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.11.2743
+              tag: 4.0.11.2697
             env:
               SONARR__APP__INSTANCENAME: Sonarr-Anime
               SONARR__APP__THEME: dark
@@ -66,6 +66,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -102,7 +107,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media
@@ -112,14 +117,3 @@ spec:
         path: /moria/media/
         globalMounts:
           - path: /data/moria-media
-      scripts:
-        type: configMap
-        name: sonarr-configmap
-        defaultMode: 0775
-        globalMounts:
-          - path: /scripts/pushover-notify.sh
-            subPath: pushover-notify.sh
-            readOnly: true
-          - path: /scripts/refresh-series.sh
-            subPath: refresh-series.sh
-            readOnly: true

kubernetes/apps/anime/sonarr/app/kustomization.yaml

@@ -6,12 +6,3 @@ resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
   - ../../../../templates/volsync
-configMapGenerator:
-  - name: sonarr-configmap
-    files:
-      - pushover-notify.sh=./resources/pushover-notify.sh
-      - refresh-series.sh=./resources/refresh-series.sh
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/anime/sonarr/app/resources/pushover-notify.sh

@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-# User defined variables for pushover
-PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
-PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
-PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
-
-if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Test Notification"
-    printf -v PUSHOVER_MESSAGE \
-        "Howdy this is a test notification from %s" \
-            "${sonarr_instancename:-Sonarr}"
-    printf -v PUSHOVER_URL \
-        "%s" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "Open %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
-    printf -v PUSHOVER_TITLE \
-        "Episode %s" \
-            "$( [[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded" )"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_episodefile_seasonnumber}" \
-            "${sonarr_episodefile_episodenumbers}" \
-            "${sonarr_episodefile_episodetitles}" \
-            "${sonarr_episodefile_quality:-Unknown}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/series/%s" \
-            "${sonarr_applicationurl:-localhost}" \
-            "${sonarr_series_titleslug}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View series in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Episode import requires intervention"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/activity/queue" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View queue in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-json_data=$(jo \
-    token="${PUSHOVER_TOKEN}" \
-    user="${PUSHOVER_USER_KEY}" \
-    title="${PUSHOVER_TITLE}" \
-    message="${PUSHOVER_MESSAGE}" \
-    url="${PUSHOVER_URL}" \
-    url_title="${PUSHOVER_URL_TITLE}" \
-    priority="${PUSHOVER_PRIORITY}" \
-    html="1"
-)
-
-status_code=$(curl \
-    --silent \
-    --write-out "%{http_code}" \
-    --output /dev/null \
-    --request POST \
-    --header "Content-Type: application/json" \
-    --data-binary "${json_data}" \
-    "https://api.pushover.net/1/messages.json" \
-)
-
-printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
-    "${status_code}" \
-    "$(echo "${json_data}" | jq --compact-output)" >&2

kubernetes/apps/anime/sonarr/app/resources/refresh-series.sh

@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
-SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
-
-if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
-    tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
-        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
-    ')
-
-    if (( tba > 0 )); then
-        echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
-        "${CURL_CMD[@]}" \
-            --request POST \
-            --header "Content-Type: application/json" \
-            --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
-            "${SONARR_API_URL}/command" &>/dev/null
-    fi
-fi

kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml

@@ -30,7 +30,7 @@ spec:
           runner-register:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.3
+              tag: 5.0.2
             command:
               - "forgejo-runner"
               - "register"
@@ -63,7 +63,7 @@ spec:
           daemon:
             image:
               repository: docker
-              tag: 27.4.0-dind
+              tag: 27.3.1-dind
             securityContext:
               privileged: true
             env:
@@ -72,7 +72,7 @@ spec:
           app:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.3
+              tag: 5.0.2
             command:
               - "sh"
               - "-c"

kubernetes/apps/coder/coder/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: coder
-      version: 2.18.0
+      version: 2.16.1
       sourceRef:
         kind: HelmRepository
         name: coder
@@ -29,6 +29,8 @@ spec:
       env:
         - name: CODER_ACCESS_URL
           value: https://coder.hsn.dev
+        - name: CODER_WILDCARD_ACCESS_URL
+          value: "*.coder.hsn.dev"
         - name: CODER_PROMETHEUS_ENABLE
           value: "true"
       envFrom:
@@ -42,3 +44,4 @@ spec:
           external-dns.alpha.kubernetes.io/target: external.hsn.dev
 
         host: "coder.hsn.dev"
+        wildcardHost: "*.coder.hsn.dev"

kubernetes/apps/database/emqx/cluster/cluster.yaml

@@ -5,7 +5,7 @@ kind: EMQX
 metadata:
   name: emqx
 spec:
-  image: public.ecr.aws/emqx/emqx:5.8.3
+  image: public.ecr.aws/emqx/emqx:5.8.2
   config:
     mode: Merge
   coreTemplate:

kubernetes/apps/database/influxdb/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: docker.io/influxdb
-              tag: 2.7.11-alpine
+              tag: 2.7.10-alpine
               pullPolicy: IfNotPresent
             env:
               INFLUXDB_ADMIN_USER_PASSWORD: "admin"

kubernetes/apps/database/kustomization.yaml

@@ -10,4 +10,4 @@ resources:
   - ./dragonfly/ks.yaml
   - ./emqx/ks.yaml
   - ./influxdb/ks.yaml
-  # - ./mariadb/ks.yaml
+  - ./mariadb/ks.yaml

kubernetes/apps/default/autobrr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/autobrr/autobrr
-              tag: v1.53.0@sha256:0c3f93c653cfc8a20e722bd26a5d597a496c9ba714300ba7974a5aeb19bd6e31
+              tag: v1.51.1@sha256:747c682d8d59e72a202ee4239bafbd7cfa10b0fc3a6220b61446de73dbd0c956
             env:
               AUTOBRR__CHECK_FOR_UPDATES: "false"
               AUTOBRR__HOST: 0.0.0.0

kubernetes/apps/default/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
   - ./atuin/ks.yaml
   - ./autobrr/ks.yaml
   - ./excalidraw/ks.yaml
+  - ./home-assistant/ks.yaml
   - ./it-tools/ks.yaml
   - ./linkwarden/ks.yaml
   - ./maintainerr/ks.yaml
@@ -17,7 +18,7 @@ resources:
   - ./overseerr/ks.yaml
   - ./plex/ks.yaml
   - ./prowlarr/ks.yaml
-  # - ./pterodactyl/ks.yaml
+  - ./pterodactyl/ks.yaml
   - ./radarr/ks.yaml
   - ./recyclarr/ks.yaml
   - ./redlib/ks.yaml

kubernetes/apps/default/linkwarden/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/linkwarden/linkwarden
-              tag: v2.8.4@sha256:8a8e6323508f97ddaa863281b9ff52949fc153eea1ec07cb84539436371caf28
+              tag: v2.8.3@sha256:7f80a03d688c3e5d9ec6b34f5b65cd861ff8c9eb08d12932dc8fc7482991f238
             env:
               TIMEZONE: "America/Chicago"
               NEXTAUTH_URL: "https://{{ .Release.Name }}.jahanson.tech/api/v1/auth"

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/prowlarr-develop
-              tag: 1.28.0.4862@sha256:ff83bcd009f4556e5ee9a40e596dfaa3dd8313fe40246c1244416ffd8fc03ab5
+              tag: 1.27.0.4852@sha256:6e1041a558cceee6356efe74cc9a9138909f4a8bac5eb714a420a37e4b478c77
             env:
               # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
               # Ref: https://github.com/dotnet/runtime/issues/9336

kubernetes/apps/default/pterodactyl/app/kustomization.yaml

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../../../templates/volsync
-  # - ../../../../templates/gatus/external
+  - ../../../../templates/gatus/external
   - ./externalsecret.yaml
   # - ./helmrelease.yaml
   - ./mariadb.yaml

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.16.1.9508
+              tag: 5.15.1.9463
             env:
               RADARR__APP__INSTANCENAME: Radarr
               RADARR__APP__THEME: dark
@@ -64,6 +64,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 16Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -100,7 +105,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/default/redlib/app/helmrelease.yaml

@@ -38,7 +38,7 @@ spec:
           app:
             image:
               repository: quay.io/redlib/redlib
-              tag: latest@sha256:d04e722091fe17424425499882a548507a70654f37aaf8cbc71081ef29b7b341
+              tag: latest@sha256:1f120c85fc33bdac67c97d5d1a6c84a920be40742fbf311c970ab2749a435778
             env:
               REDLIB_DEFAULT_SHOW_NSFW: on
               REDLIB_DEFAULT_WIDE: on

kubernetes/apps/default/sabnzbd/app/helmrelease.yaml

@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sabnzbd
-              tag: 4.4.0@sha256:d2dbde184900504bf3636d2df74e466e223d6b2474b4d21a58c72eadfffa7e99
+              tag: 4.3.3@sha256:86c645db93affcbf01cc2bce2560082bfde791009e1506dba68269b9c50bc341
             env:
               TZ: America/Chicago
               SABNZBD__PORT: &port 80
@@ -76,6 +76,8 @@ spec:
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
     defaultPodOptions:
+      nodeSelector: # ~~testing~~
+        kubernetes.io/hostname: gandalf-01
       securityContext:
         runAsNonRoot: true
         runAsUser: 568
@@ -118,7 +120,7 @@ spec:
           - readOnly: true
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/default/sonarr/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.11.2743
+              tag: 4.0.11.2697
             env:
               SONARR__APP__INSTANCENAME: Sonarr
               SONARR__APP__THEME: dark
@@ -64,6 +64,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 16Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -100,7 +105,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media
@@ -110,14 +115,3 @@ spec:
         path: /moria/media/
         globalMounts:
           - path: /data/moria-media
-      scripts:
-        type: configMap
-        name: sonarr-configmap
-        defaultMode: 0775
-        globalMounts:
-          - path: /scripts/pushover-notify.sh
-            subPath: pushover-notify.sh
-            readOnly: true
-          - path: /scripts/refresh-series.sh
-            subPath: refresh-series.sh
-            readOnly: true

kubernetes/apps/default/sonarr/app/kustomization.yaml

@@ -6,12 +6,3 @@ resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
   - ../../../../templates/volsync
-configMapGenerator:
-  - name: sonarr-configmap
-    files:
-      - pushover-notify.sh=./resources/pushover-notify.sh
-      - refresh-series.sh=./resources/refresh-series.sh
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/default/sonarr/app/resources/pushover-notify.sh

@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-# User defined variables for pushover
-PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
-PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
-PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
-
-if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Test Notification"
-    printf -v PUSHOVER_MESSAGE \
-        "Howdy this is a test notification from %s" \
-            "${sonarr_instancename:-Sonarr}"
-    printf -v PUSHOVER_URL \
-        "%s" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "Open %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
-    printf -v PUSHOVER_TITLE \
-        "Episode %s" \
-            "$( [[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded" )"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_episodefile_seasonnumber}" \
-            "${sonarr_episodefile_episodenumbers}" \
-            "${sonarr_episodefile_episodetitles}" \
-            "${sonarr_episodefile_quality:-Unknown}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/series/%s" \
-            "${sonarr_applicationurl:-localhost}" \
-            "${sonarr_series_titleslug}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View series in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Episode import requires intervention"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/activity/queue" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View queue in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-json_data=$(jo \
-    token="${PUSHOVER_TOKEN}" \
-    user="${PUSHOVER_USER_KEY}" \
-    title="${PUSHOVER_TITLE}" \
-    message="${PUSHOVER_MESSAGE}" \
-    url="${PUSHOVER_URL}" \
-    url_title="${PUSHOVER_URL_TITLE}" \
-    priority="${PUSHOVER_PRIORITY}" \
-    html="1"
-)
-
-status_code=$(curl \
-    --silent \
-    --write-out "%{http_code}" \
-    --output /dev/null \
-    --request POST \
-    --header "Content-Type: application/json" \
-    --data-binary "${json_data}" \
-    "https://api.pushover.net/1/messages.json" \
-)
-
-printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
-    "${status_code}" \
-    "$(echo "${json_data}" | jq --compact-output)" >&2

kubernetes/apps/default/sonarr/app/resources/refresh-series.sh

@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
-SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
-
-if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
-    tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
-        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
-    ')
-
-    if (( tba > 0 )); then
-        echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
-        "${CURL_CMD[@]}" \
-            --request POST \
-            --header "Content-Type: application/json" \
-            --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
-            "${SONARR_API_URL}/command" &>/dev/null
-    fi
-fi

kubernetes/apps/default/stirling-pdf/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/stirling-tools/s-pdf
-              tag: 0.36.0@sha256:56a2a83fda76eb6a4fa21a03484d9cea9b2af25cce2c3bfdca45fcd1dafd6533
+              tag: 0.34.0@sha256:42ceaa84712f9271ca4af1c4d892899996424cbc5378f7dd168828091657c0f0
               pullPolicy: IfNotPresent
             env:
               TZ: America/Chicago

kubernetes/apps/default/unpackerr/app/helmrelease.yaml

@@ -76,7 +76,7 @@ spec:
     persistence:
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         advancedMounts:
           unpackerr:

kubernetes/apps/default/zwave/app/helmrelease.yaml

@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/zwave-js/zwave-js-ui
-              tag: 9.27.8@sha256:2299383f92f62bda3887d28375cb392d502326628cd2c8212b79cbe18788f019
+              tag: 9.27.7@sha256:b7327c74e9cb228af9fc2817330319d4e57e041767dc40e550fd6577a436ad7d
             env:
               TZ: America/Chicago
               PORT: &port 80

kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.16.4
+      version: 1.16.3
       sourceRef:
         kind: HelmRepository
         name: cilium

kubernetes/apps/kube-system/coredns/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: coredns
-      version: 1.37.0
+      version: 1.36.1
       sourceRef:
         kind: HelmRepository
         name: coredns

kubernetes/apps/kube-system/fstrim.yaml

@@ -7,7 +7,7 @@ spec:
   #  nodeName: nenya
   containers:
     - name: fstrim
-      image: ghcr.io/onedr0p/kubanetics:2024.12.0
+      image: ghcr.io/onedr0p/kubanetics:2024.11.1
       securityContext:
         privileged: true
       command: ["/bin/bash", "-c", "while true; do sleep 10; done"]

kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.12.0@sha256:3766252a7011d870a4c24bb107c9aa505dde35f4baf8101466c623b052bdbb4f
+              tag: 2024.11.1@sha256:875b7c22fbb046958ae0116b4a7e9ea81062cf60f54d5b27e53ebf29078bdcc4
             env:
               SCRIPT_NAME: fstrim.sh
             probes:

kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml

@@ -1,2 +1,2 @@
 ---
-providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie$
+providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie|^gandalf-01$

kubernetes/apps/kube-system/reloader/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: reloader
-      version: 1.2.0
+      version: 1.1.0
       sourceRef:
         kind: HelmRepository
         name: stakater

kubernetes/apps/observability/alertmanager/silencer/helmrelease.yaml

@@ -35,7 +35,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.12.0
+              tag: 2024.11.1
             env:
               SCRIPT_NAME: alertmanager-silencer.sh
               ALERTMANAGER_URL: http://alertmanager.observability.svc.cluster.local:9093

kubernetes/apps/observability/gatus/app/helmrelease.yaml

@@ -31,7 +31,7 @@ spec:
           init-config:
             image:
               repository: ghcr.io/kiwigrid/k8s-sidecar
-              tag: 1.28.1@sha256:707875abfd38af450ff420c6f271e883fc28e9ce4d3742741af993b25ae93f85
+              tag: 1.28.0@sha256:4166a019eeafd1f0fef4d867dc5f224f18d84ec8681dbb31f3ca258ecf07bcf2
             env:
               FOLDER: /config
               LABEL: gatus.io/enabled

kubernetes/apps/observability/grafana/app/helmrelease.yaml

@@ -239,7 +239,7 @@ spec:
         prometheus:
           # renovate: depName="Prometheus"
           gnetId: 19105
-          revision: 6
+          revision: 5
           datasource: Prometheus
         victoria-agent:
           # renovate: depName="VictoriaMetrics - vmagent"

kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml

@@ -18,6 +18,17 @@ spec:
     controllers:
       smartctl-exporter:
         type: daemonset
+        pod:
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: NotIn
+                        values:
+                          - gandalf-01
+                          - shadowfax-01
         containers:
           app:
             image: &image
@@ -40,12 +51,43 @@ spec:
                     port: &port 9633
                     path: /
               readiness: *probes
+      smartctl-exporter-vms:
+        type: daemonset
+        pod:
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - gandalf-01
+                          - shadowfax-01
+        containers:
+          app:
+            image: *image
+            args:
+              - --smartctl.path=/usr/sbin/smartctl
+              - --smartctl.interval=120s
+              - --web.listen-address=0.0.0.0:9633
+              - --web.telemetry-path=/metrics
+              - --smartctl.device=/dev/nvme0
+            securityContext: *securityContext
+            probes:
+              liveness: *probes
+              readiness: *probes
     service:
       smartctl-exporter:
         controller: smartctl-exporter
         ports:
           exporter:
             port: *port
+      smartctl-exporter-vms:
+        controller: smartctl-exporter-vms
+        ports:
+          exporter:
+            port: *port
     persistence:
       dev:
         type: hostPath
@@ -63,3 +105,15 @@ spec:
             path: /metrics
             interval: 1m
             scrapeTimeout: 10s
+      smartctl-exporter-vms:
+        selector:
+          matchLabels:
+            app.kubernetes.io/instance: smartctl-exporter
+            app.kubernetes.io/name: smartctl-exporter
+            app.kubernetes.io/service: smartctl-exporter-smartctl-exporter-vms
+        endpoints:
+          - port: exporter
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s

kubernetes/apps/observability/vector-agent/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: vector
-      version: 0.38.0
+      version: 0.37.0
       sourceRef:
         kind: HelmRepository
         name: vector

kubernetes/apps/observability/vector-aggregator/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: vector
-      version: 0.38.0
+      version: 0.37.0
       sourceRef:
         kind: HelmRepository
         name: vector

kubernetes/apps/observability/victoria-metrics/cluster/kustomization.yaml

@@ -5,4 +5,5 @@ kind: Kustomization
 resources:
   - vmagent.yaml
   - vmalert.yaml
+  - vmscrapeconfig.yaml
   - vmsingle.yaml

kubernetes/apps/observability/victoria-metrics/cluster/vmscrapeconfig.yaml

@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/operator.victoriametrics.com/vmscrapeconfig_v1beta1.json
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMScrapeConfig
+metadata:
+  name: &name zfs-exporter
+spec:
+  staticConfigs:
+    - targets:
+        - "shadowfax.jahanson.tech:9134"
+        - "gandalf.jahanson.tech:9134"
+  path: /metrics
+  relabelConfigs:
+    - action: replace
+      targetLabel: job
+      replacement: *name

kubernetes/apps/qbittorrent/cross-seed/app/helmrelease.yaml

@@ -35,7 +35,7 @@ spec:
           app:
             image:
               repository: ghcr.io/cross-seed/cross-seed
-              tag: 6.1.1@sha256:5cb54b46a614f362c0332a91e5754d6998d45ae27ccc2c77b04b1a3493816331
+              tag: 6.1.0@sha256:91fbb2a6a411b7d63cccabffb5f623e6931579d2fd652512b6a3df0a9ba97066
             env:
               TZ: America/Chicago
             args: ["daemon"]
@@ -86,7 +86,7 @@ spec:
             readOnly: true
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml

@@ -43,7 +43,7 @@ spec:
           app:
             image:
               repository: jesec/flood
-              tag: master@sha256:db3f3fb70d7ffb034183a78d0bfbfae270ae507202c2bad9e73af070440a61e4
+              tag: master@sha256:04196de98223a193e4913c00e0ab1b48a27a370ef159989e52c29864afc2b2e4
             envFrom:
               - secretRef:
                   name: flood-secret

kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml

@@ -34,7 +34,7 @@ spec:
             nameOverride: qbittorrent
             image:
               repository: ghcr.io/onedr0p/qbittorrent-beta
-              tag: 5.0.2@sha256:2dab641cd7399c896db120f8f4b8c0e9fce2744810a391e89591c6ab546c922a
+              tag: 5.0.2@sha256:adfd625f9cc7226eabad8aa117a551d42d5818c914850ef7fa3be60111383107
             env:
               UMASK: "022"
               QBT_WEBUI_PORT: &port 80
@@ -67,6 +67,8 @@ spec:
                 drop:
                   - ALL
     defaultPodOptions:
+      nodeSelector: # ~~testing~~
+        kubernetes.io/hostname: gandalf-01
       securityContext:
         runAsNonRoot: true
         runAsUser: 568
@@ -120,7 +122,7 @@ spec:
           - path: /tmp
       media:
         type: nfs
-        server: 10.1.1.61
+        server: gandalf.jahanson.tech
         path: /eru/media
         advancedMounts:
           qbittorrent:

kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml

@@ -39,7 +39,7 @@ spec:
           tagging: &container
             image:
               repository: ghcr.io/buroa/qbtools
-              tag: v0.19.11@sha256:a133bd7f02ecb9ea0111a4016724f33404136c41295217f163991910e1d2784c
+              tag: v0.19.9@sha256:f5405e3c00256d7911d2abb839084a5147c108586adb281e97587cf93729c89b
             env:
               TZ: *timeZone
               POD_NAMESPACE:
@@ -136,7 +136,7 @@ spec:
             readOnly: true
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         advancedMounts:
           orphaned:

kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml

@@ -67,7 +67,7 @@ spec:
       storage:
         useAllNodes: true
         useAllDevices: false
-        deviceFilter: "nvme[0-9]+n1"
+        deviceFilter: "nvme0n1"
       resources:
         mgr:
           requests:

kubernetes/apps/security/external-secrets/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: external-secrets
-      version: 0.11.0
+      version: 0.10.7
       interval: 30m
       sourceRef:
         kind: HelmRepository

kubernetes/bootstrap/helmfile.yaml

@@ -23,7 +23,7 @@ releases:
   - name: cilium
     namespace: kube-system
     chart: cilium/cilium
-    version: 1.16.4
+    version: 1.16.3
     values:
       - ../apps/kube-system/cilium/app/helm-values.yml
     needs:
@@ -31,7 +31,7 @@ releases:
   - name: coredns
     namespace: kube-system
     chart: coredns/coredns
-    version: 1.37.0
+    version: 1.36.1
     values:
       - ../apps/kube-system/coredns/app/helm-values.yml
     needs:

kubernetes/bootstrap/talos/talconfig.yaml

@@ -5,7 +5,7 @@ clusterName: theshire
 # renovate: datasource=github-releases depName=siderolabs/talos
 talosVersion: v1.8.3
 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
-kubernetesVersion: 1.31.4
+kubernetesVersion: 1.31.3
 endpoint: "https://10.1.1.57:6444"
 
 additionalApiServerCertSans:
@@ -74,6 +74,42 @@ nodes:
     networkInterfaces:
       - interface: eno1
         dhcp: true
+  - hostname: gandalf-01
+    disableSearchDomain: true
+    ipAddress: 10.1.1.68
+    controlPlane: false
+    installDisk: /dev/sda
+    networkInterfaces:
+      - interface: enp5s0
+        dhcp: true
+
+  - hostname: shadowfax-01
+    disableSearchDomain: true
+    ipAddress: 10.1.1.69
+    controlPlane: false
+    installDiskSelector:
+      busPath: /pci0000:00/0000:00:01.1/0000:02:00.0/virtio6/host0/target0:0:0/0:0:0:1/
+    networkInterfaces:
+      - interface: enp5s0
+        dhcp: true
+    patches:
+      - |-
+        machine:
+          sysctls:
+            net.core.bpf_jit_harden: 1
+
+    kernelModules:
+      - name: nvidia
+      - name: nvidia_uvm
+      - name: nvidia_drm
+      - name: nvidia_modeset
+    schematic:
+      customization:
+        systemExtensions:
+          officialExtensions:
+            - siderolabs/amd-ucode
+            - siderolabs/nonfree-kmod-nvidia-production
+            - siderolabs/nvidia-container-toolkit-production
 
 worker:
   schematic:

kubernetes/flux/repositories/oci/grafana.yaml

@@ -12,4 +12,4 @@ spec:
     operation: copy
   url: oci://ghcr.io/grafana/helm-charts/grafana
   ref:
-    tag: 8.6.4
+    tag: 8.6.3

renovate.json5

@@ -2,12 +2,6 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended",
-    ":automergeBranch",
-    ":dependencyDashboard",
-    ":disableRateLimiting",
-    ":skipStatusChecks",
-    ":timezone(America/Chicago)",
-    "docker:enableMajor",
     "local>jahanson/theshire//.renovate/autoMerge.json5",
     "local>jahanson/theshire//.renovate/commitMessage.json5",
     "local>jahanson/theshire//.renovate/customManagers.json5",

shell.nix

@@ -24,6 +24,5 @@ pkgs.mkShell {
     kustomize
     yq-go
     go-task
-    kubectl
   ];
 }